https://community.cisco.com/t5/network-security/firepower-1010-nat-configuration-for-isp-router-wan-static-ip/m-p/4913569#M1103869 <P>Hello,</P><P>I share screenshots of my 1010 conf:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Conf1.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/195553i92AE6BD5A3828D70/image-size/medium?v=v2&amp;px=400" role="button" title="Conf1.png" alt="Conf1.png" /></span></P><P> </P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Conf2.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/195554i7F848C49B5D9A191/image-size/medium?v=v2&amp;px=400" role="button" title="Conf2.png" alt="Conf2.png" /></span></P><P> </P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Conf6.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/195555i2A8B2BA18B9BD5C3/image-size/medium?v=v2&amp;px=400" role="button" title="Conf6.png" alt="Conf6.png" /></span></P><P> </P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Conf3.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/195556i89162932011F7FAD/image-size/medium?v=v2&amp;px=400" role="button" title="Conf3.png" alt="Conf3.png" /></span></P><P> </P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Conf4.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/195557i58B524A04E5CB011/image-size/medium?v=v2&amp;px=400" role="button" title="Conf4.png" alt="Conf4.png" /></span></P><P> </P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Conf5.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/195558iB7F272B3D3A78B42/image-size/medium?v=v2&amp;px=400" role="button" title="Conf5.png" alt="Conf5.png" /></span></P><P> Thnak you</P><P>Best</P><P>Antonio</P><P>&nbsp;</P> Tue, 29 Aug 2023 07:58:14 GMT reinventy 2023-08-29T07:58:14Z https://community.cisco.com/t5/network-security/firepower-1010-nat-configuration-for-isp-router-wan-static-ip/m-p/4913482#M1103863 <P>Hello to all&nbsp;</P><P>and thank you very much in advance for help and suggestion.</P><P>I have to configure my Firepower 1010 to allow external users (internet) to reach my internal server where the website and cpanel services reside.</P><P>My static ip is managed by the ISP router, the router is a TIM HUB+.</P><P>My network is set up like this:</P><P>&nbsp;</P><P>ISP router (WAN IP 80.104.xxx.xxx reachable from the internet) and&nbsp; IP 192.168.0.10 (net 255.255.255.0)</P><P>The ISP router forwards all incoming calls to the DMZ 192.168.0.11 which is the outside interface of the Cisco Firepower 1010.</P><P>The internal server is connected to inside_3 interface of the Firepower 1010 and has a static IP 192.168.2.25.</P><P>I created following objects:<BR />4 WebserverPrivate HOST 192.168.2.25<BR />5 WebserverPublic HOST 80.104.xxx.xxx</P><P>I added a new NAT policy along the lines of:</P><P>Original Packet<BR />Interface = outside<BR />Source IP = any-ipv4<BR />Destination IP = &lt;WebServerPublic&gt;<BR />Source Port = Any<BR />Destination Port = HTTPS (or ANY or 2087 for cpanel)</P><P>Destination Packet<BR />Interface = inside_3<BR />Source IP = any-ipv4<BR />Destination IP = &lt;WebServerPrivate&gt;<BR />Source Port = Any<BR />Destination Port = HTTPS (or ANY or 2087 for cpanel)</P><P>Then I added&nbsp; a Access Rule as follow:</P><P>Source<BR />Zones = outside_zone<BR />Networks = ANY<BR />Ports = ANY<BR />Destination<BR />Zone = inside_zone<BR />Networks = &lt;WebServerPrivate&gt;<BR />Ports = HTTPS (or ANY or 2087 for cpanel)</P><P>Unfortunately this configuration do not work, the server remain unreachable and unpingable.....</P><P>I tried a lot of configurations as NAT but the result is always the same...... external connections are blocked and the server cannot be reachable.</P><P>I also tried to change ISP router configuration trying before to forward to DMZ &gt;192.168.0.11 and also trying to use port forwarding to specifics port to Firepower (outside interface192.168.0.11) but nothing.....</P><P>Thank you very much for suggestion....</P><P>Antonio</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 29 Aug 2023 06:38:47 GMT https://community.cisco.com/t5/network-security/firepower-1010-nat-configuration-for-isp-router-wan-static-ip/m-p/4913482#M1103863 reinventy 2023-08-29T06:38:47Z https://community.cisco.com/t5/network-security/firepower-1010-nat-configuration-for-isp-router-wan-static-ip/m-p/4913487#M1103865 <LI-CODE lang="markup">ISP router (WAN IP 80.104.xxx.xxx reachable from the internet) and IP 192.168.0.10 (net 255.255.255.0)</LI-CODE> <P>I assume below assumption your setup ?</P> <P>Internet (ISP) --Router---FW 1010 - Inside</P> <P>So your Router Doing NAT ? then you need to have routing in Place to reach Local Web Server</P> <P>Either you need to do Double NAT on Firepower or you need to Configure on Router do to NAT</P> <P>see example of NAT works :</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212702-configure-and-verify-nat-on-ftd.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212702-configure-and-verify-nat-on-ftd.html</A></P> <P>what Router and what options you have on the Router ?</P> <P>&nbsp;</P> Tue, 29 Aug 2023 06:49:45 GMT https://community.cisco.com/t5/network-security/firepower-1010-nat-configuration-for-isp-router-wan-static-ip/m-p/4913487#M1103865 balaji.bandi 2023-08-29T06:49:45Z https://community.cisco.com/t5/network-security/firepower-1010-nat-configuration-for-isp-router-wan-static-ip/m-p/4913518#M1103866 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1581771">@reinventy</a> You need to translate behind the outside interface (not the public IP address of&nbsp;WebServerPublic thats configured on the ISP router that FTD knows nothing about).</P> <P>Assuming the ISP router is natting the required ports to the FTD outside interface, the example below should work. Just define the correct ports and source address object (WebServerPrivate).</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="020820_1405_ftdconfigur17.png" style="width: 555px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/195550i88E1F5BD7BD39056/image-dimensions/555x442?v=v2" width="555" height="442" role="button" title="020820_1405_ftdconfigur17.png" alt="020820_1405_ftdconfigur17.png" /></span></P> Tue, 29 Aug 2023 07:08:07 GMT https://community.cisco.com/t5/network-security/firepower-1010-nat-configuration-for-isp-router-wan-static-ip/m-p/4913518#M1103866 Rob Ingram 2023-08-29T07:08:07Z https://community.cisco.com/t5/network-security/firepower-1010-nat-configuration-for-isp-router-wan-static-ip/m-p/4913520#M1103867 <P>Good morning BB and thank you very much for your help.</P><P>Yes my configuration is Internet ISP Router (NAT activated, IPV4 80.104.xxx.xxx (static IP), Gateway 192.168.100.1, Server DNS&nbsp;<SPAN>85.38.28.5,85.38.28.4 &gt; Firepower 1010 &gt; Inside. Router is a TIM HUB+ (Technicolor AGMY2020 Serial CP2050RAJ62 Software Version 19.4) with following configuration:</SPAN></P><P><SPAN>DHCP activated</SPAN></P><P><SPAN>Network Addresses 192.168.0.0</SPAN></P><P><SPAN>DNS Server 192.168.0.10</SPAN></P><P><SPAN>IP Router address 192.168.0.10</SPAN></P><P><SPAN>DMZ activated &gt; 192.168.2.10 (Firepower)</SPAN></P><P><SPAN>But no option to setup or modify NAT.</SPAN></P><P><SPAN>Best</SPAN></P><P><SPAN>Antonio</SPAN></P><P>&nbsp;</P> Tue, 29 Aug 2023 07:09:24 GMT https://community.cisco.com/t5/network-security/firepower-1010-nat-configuration-for-isp-router-wan-static-ip/m-p/4913520#M1103867 reinventy 2023-08-29T07:09:24Z https://community.cisco.com/t5/network-security/firepower-1010-nat-configuration-for-isp-router-wan-static-ip/m-p/4913532#M1103868 <P>Thank you very much Rob,</P><P>I tried also this NAT configuration but server still remain unreachable.....</P><P>Best</P><P>Antonio</P> Tue, 29 Aug 2023 07:36:44 GMT https://community.cisco.com/t5/network-security/firepower-1010-nat-configuration-for-isp-router-wan-static-ip/m-p/4913532#M1103868 reinventy 2023-08-29T07:36:44Z https://community.cisco.com/t5/network-security/firepower-1010-nat-configuration-for-isp-router-wan-static-ip/m-p/4913569#M1103869 <P>Hello,</P><P>I share screenshots of my 1010 conf:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Conf1.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/195553i92AE6BD5A3828D70/image-size/medium?v=v2&amp;px=400" role="button" title="Conf1.png" alt="Conf1.png" /></span></P><P> </P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Conf2.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/195554i7F848C49B5D9A191/image-size/medium?v=v2&amp;px=400" role="button" title="Conf2.png" alt="Conf2.png" /></span></P><P> </P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Conf6.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/195555i2A8B2BA18B9BD5C3/image-size/medium?v=v2&amp;px=400" role="button" title="Conf6.png" alt="Conf6.png" /></span></P><P> </P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Conf3.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/195556i89162932011F7FAD/image-size/medium?v=v2&amp;px=400" role="button" title="Conf3.png" alt="Conf3.png" /></span></P><P> </P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Conf4.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/195557i58B524A04E5CB011/image-size/medium?v=v2&amp;px=400" role="button" title="Conf4.png" alt="Conf4.png" /></span></P><P> </P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Conf5.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/195558iB7F272B3D3A78B42/image-size/medium?v=v2&amp;px=400" role="button" title="Conf5.png" alt="Conf5.png" /></span></P><P> Thnak you</P><P>Best</P><P>Antonio</P><P>&nbsp;</P> Tue, 29 Aug 2023 07:58:14 GMT https://community.cisco.com/t5/network-security/firepower-1010-nat-configuration-for-isp-router-wan-static-ip/m-p/4913569#M1103869 reinventy 2023-08-29T07:58:14Z https://community.cisco.com/t5/network-security/firepower-1010-nat-configuration-for-isp-router-wan-static-ip/m-p/4913603#M1103870 <P>And router cnf:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RouterCnf.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/195559iACD139EEE4A760DF/image-size/medium?v=v2&amp;px=400" role="button" title="RouterCnf.png" alt="RouterCnf.png" /></span></P><P> </P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RouterCnf2.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/195560i84CBBB271D0776B9/image-size/medium?v=v2&amp;px=400" role="button" title="RouterCnf2.png" alt="RouterCnf2.png" /></span></P><P> </P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RouterCnf3.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/195561i8EDA50EBBADF2AFB/image-size/medium?v=v2&amp;px=400" role="button" title="RouterCnf3.png" alt="RouterCnf3.png" /></span></P><P> </P> Tue, 29 Aug 2023 07:54:12 GMT https://community.cisco.com/t5/network-security/firepower-1010-nat-configuration-for-isp-router-wan-static-ip/m-p/4913603#M1103870 reinventy 2023-08-29T07:54:12Z https://community.cisco.com/t5/network-security/firepower-1010-nat-configuration-for-isp-router-wan-static-ip/m-p/4913651#M1103872 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1581771">@reinventy</a> run packet-tracer from the CLI and confirm what NAT rule is being matched, provide the output. Example:</P> <P>packet-tracer input outside tcp 5.5.5.5 3000 80.104.xxx.xxx 443</P> Tue, 29 Aug 2023 08:56:07 GMT https://community.cisco.com/t5/network-security/firepower-1010-nat-configuration-for-isp-router-wan-static-ip/m-p/4913651#M1103872 Rob Ingram 2023-08-29T08:56:07Z