topic Re: Firepower 2140 additional external IP range in Network Security

Firepower 2140 additional external IP range

m.santangelo — Wed, 22 Mar 2023 15:55:43 GMT

Hello all, happy Wednesday.

We have a Firepower 2140 on 7.0.1.1 build 11, and prior to yesterday, our outside IP range was limited to a single /27 network. Yesterday as part of a HSRP installation, we got assigned an additional outside range, a /28. I'm not 100% certain where I need to look in the FMC to define this network as it's completely different from our existing range. It isn't contiguous, and is in fact a completely separate range, so I'm not sure if I need to add a whole extra physical interface with that range assigned to it or not. When I try to edit the existing Outside interface, 1/13, I don't see the ability to add a second range, nor does it seem to be OK with a comma separated list.

Happy to provide any other information, just not sure what all would be needed.

Thanks!

Re: Firepower 2140 additional external IP range

Octavian Szolga — Wed, 22 Mar 2023 16:50:35 GMT

Hi,

The fact that you got a new subnet to you does not necessary means that you have to configure it on an interface.

The ISP will route that new subnet towards your existing Outside IP.

It's up to you what to do with it:

1. further subnet the network into a new DMZ and use an IP from that new subnet on FTD (gateway for hosts beloning to that new subnet)

2. leave everything as is and just use NAT (static/dynamic, your call) and use IPs from that new subnet

BTW - on FTD you don't have the option to add secondary IPs on an existing interface like on a router/switch SVI

BR,

Octavian

Re: Firepower 2140 additional external IP range

balaji.bandi — Thu, 23 Mar 2023 06:42:24 GMT

The routing part is good as long as the ISP is Routed to your network.

What you like to use for a new Subnet, it's purely your requirement, You can use a Pool of IP in Dynamic NAT or Static NAT for incoming traffic and so on.

You don't need any Interface to configure, you can make utilization of new subnets as Objects or object groups for your usage intention.

below configuration guide for reference :

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212702-configure-and-verify-nat-on-ftd.html#anc12

Re: Firepower 2140 additional external IP range

m.santangelo — Thu, 23 Mar 2023 13:50:48 GMT

As part of option 2, for testing, I did the following:

NAT Rule mapping TestVM-IN (10.1.1.67, a vm on our internal network) to TestVM-EXT (63.247.x.y; one of our new external ips).

ACL Rule saying ports 80 and 443 are allowed to TestVM-IN.

When I try to access the site on http or https, I get a slow, very slow timeout page.

When I change the TestVM-EXT to one of our existing IPs 24.157.a.b, the site comes up properly, so I am pretty sure I have the NAT and the Port configuration properly. I must be missing something else because I'm not even seeing packets hitting either IP in the logging.

Maybe they're not properly routing our new IP space to us yet. I am very unsure at this point and will need to reach out to them.

Thank you anyway!