topic Re: FirePower publish internal webserver in Network Security

FirePower publish internal webserver

Roy Lee — Tue, 12 Mar 2019 13:50:33 GMT

Hi all,

I am new to FirePower, and now migrating ASA 5520 to FirePower 2110 (FTD 6.2.2).

I have finished initial setup of FirePower 2110 by FirePower Device Manager (FDM), specified the outside interface with 113.x.x.2/24, inside interface with 192.168.1.2 for example.

We have 64 public IP addresses.

I am going to publish internal webserver to internet by FDM.

Followed the cisco document to create Providing Access to an Inside Web Server (Static Auto NAT).

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/fdm/fptd-fdm-config-guide-622/fptd-fdm-nat.html#task_3FA99245557D4DA4860FE90BCEF771A1

Where HKCitrixIT01Internal is the internal address 192.168.1.5 for example. And HKCitrixIT01Ext is the public address 113.x.x.5 for example.

I can't find reference about the Access Control rule for the web server publishing, so simply create a Access Control rule to allow any service.

However it's failed.

I can ping the outside interface publish IP 113.x.x.2 from internet, but ping to the 113.x.x.5 is failed.

And I check the Policies hit from Monitoring page, hit is zero .....

Any advise?

Thanks.

Notmen

Re: FirePower publish internal webserver

Rahul Govindan — Tue, 24 Jul 2018 23:15:49 GMT

Change the Access rule destination network to HKCitrixIT01Internal. The Firepower (and ASA) Access rules should reference the internal server ip address.

https://www.cisco.com/c/en/us/td/docs/security/firepower/610/fdm/fptd-fdm-config-guide-610/fptd-fdm-access.html#ID-2124-00000055

Access rules always use the real IP addresses when determining an access rule match, even if you configure NAT. For example, if you configure NAT for an inside server, 10.1.1.5, so that it has a publicly routable IP address on the outside, 209.165.201.5, then the access rule to allow the outside traffic to access the inside server needs to reference the server’s real IP address (10.1.1.5), and not the mapped address (209.165.201.5).

Re: FirePower publish internal webserver

Roy Lee — Wed, 25 Jul 2018 08:10:52 GMT

Dear Rahul,

Tried the destination network to HKCitrixIT01Internal but no luck.

Also changed the destination zone to inside_zone, no luck.

The Policy hit still keep zero. Seems no packet arrive the outside interface?
Is ping allowed by default? I can ping the outside internet IP 113.x.x.2 only.

Thanks,

Notmen

Re: FirePower publish internal webserver

aaron.hackney — Wed, 25 Jul 2018 14:45:44 GMT

Hello Roy,

I ran into a similar issue when I was first using FDM. I think the issue that I ran into is that if you accept the default NAT policies configured when you first load FDM, the (any,outside) PAT statement has precedence over the other policies.

Edit this policy and change the source interface to inside (Or whatever the nameif of your segment is).

Try a packet tracer to your internal server from an internet address before and after your change and you should see a change in the behavior of your NAT processing in the packet-tracer output.

Hope that helps!

-A

Re: FirePower publish internal webserver

Roy Lee — Thu, 26 Jul 2018 00:43:01 GMT

Dear Aaron,

Thank You very much!! You save my days!

It should be very helpful for other newbies to FirePower device.

BTW, your FDM interface is more advanced to mine. What is your FTD version?

Regards,

Roy

Re: FirePower publish internal webserver

aaron.hackney — Thu, 26 Jul 2018 13:39:18 GMT

Whoops, sorry I think that screen shot was from the 6.3 beta.

Re: FirePower publish internal webserver

Netplace Support — Mon, 29 Jul 2019 08:46:21 GMT

Hi Roy Lee,

Can you share the Nat configuration you have done on FTD.

Thanks in advance