topic Re: NAT and Access control not Working but everything seems correct in Network Security

NAT and Access control not Working but everything seems correct

david-ibanga — Fri, 17 May 2024 22:24:21 GMT

I have configured NAT and access control on firepower ftd but it doesn't seen to work. I have a draytek router that connects to ISP via PPPOE and my firepower connects to the draytek, on intf1, intf3-8 is a vlan which connects 3 webservers and they all need to be NAT to a public IP address, i can access web pages but none of the servers are accessible via the public ip's on the internet, please i need help to check what is wrong. see screenshot attached

Re: NAT and Access control not Working but everything seems correct

MHM Cisco World — Sat, 18 May 2024 11:28:43 GMT

Hi Friend
sorry can you draw the topology
also PPPoE how you use static public IP?

MHM

Re: NAT and Access control not Working but everything seems correct

david-ibanga — Sat, 18 May 2024 18:22:49 GMT

Here is the NW topology

Re: NAT and Access control not Working but everything seems correct

MHM Cisco World — Sun, 19 May 2024 00:15:13 GMT

Re: NAT and Access control not Working but everything seems correct

Marius Gunnerud — Sun, 19 May 2024 18:59:52 GMT

Have you confirmed that port forwarding on the Draytek is correct...and why are you doing NAT on both the Draytek and Firepower? NATing on both the Draytek and Firepower just adds extra complexity. To verify the connectivity though the Firepower device, run packet-tracer and verify that traffic is NATed and allowed through the firewall if all is good there then focus your efforts on the Draytek device.

Re: NAT and Access control not Working but everything seems correct

david-ibanga — Mon, 20 May 2024 09:39:13 GMT

There is a NAT policy already on Draytek router which works without the firepower FTD, I have configured PPPOE on FP Interface with all the settings used in the Draytek but it doesn't seem to allow internet through hence why am using both.

Re: NAT and Access control not Working but everything seems correct

david-ibanga — Mon, 20 May 2024 10:15:35 GMT

Thank you for your reply, I will implement this and get back to you. Also are other ACL correct or need changing?

Re: NAT and Access control not Working but everything seems correct

adrian_iovita — Mon, 20 May 2024 14:46:31 GMT

Why are you configuring the NAT rules using Source Ports? if you want to use those NAT rules you can leave the source port as any since you will filter the access on the ACL.

Re: NAT and Access control not Working but everything seems correct

Marius Gunnerud — Mon, 20 May 2024 20:21:03 GMT

On the Draytek device, is it NATing to the real IP of the server you are having issues with? Or to an intermediary IP which is then again NATed to the real IP of the server?

Also, source ports are usually random high ports so I suggest removing the source port from the access rules.

Re: NAT and Access control not Working but everything seems correct

MHM Cisco World — Wed, 22 May 2024 19:28:35 GMT

Any update about this issue

MHM

Re: NAT and Access control not Working but everything seems correct

david-ibanga — Wed, 22 May 2024 19:32:50 GMT

Yes so static Nat from 192.168.20.x to 192.168.2.x shows and overlap to 192.168.2.x which is the outside, same with PPOE to outside hence the deployment failed.

Re: NAT and Access control not Working but everything seems correct

Marius Gunnerud — Wed, 22 May 2024 21:37:36 GMT

If a post helped you reach your solution or it provided the solution please select it as a correct answer and / or rate the post.

Re: NAT and Access control not Working but everything seems correct

MHM Cisco World — Thu, 23 May 2024 06:39:01 GMT

Re: NAT and Access control not Working but everything seems correct

david-ibanga — Thu, 23 May 2024 08:10:13 GMT

On the Draytek Port redirection is what is implemented, the source IP is the server's and dest IP is the the static from ISP. I have remove the ports from NAT in FP FTD and only use ACL to filter the destination ports