topic Redirect traffic through FTD in Network Security

Redirect traffic through FTD

muath1987 — Fri, 21 Feb 2020 16:37:59 GMT

Hello,

I have a couple of web server in my network which accessible from outside also from inside, I am trying to force on vlan to access this servers from outside, but whenever the request from this vlan hit the FTD it resolve the egress interface and use the private ip of the server (Inside-Zone), is there anyway to force this vlan to access the server from outside only ?

here is the packet tracer

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xff0623af40, priority=13, domain=capture, deny=false
   hits=195571, user_data=0xff65d31360, cs_id=0x0, l3_type=0x0
   src mac=0000.0000.0000, mask=0000.0000.0000
   dst mac=0000.0000.0000, mask=0000.0000.0000
   input_ifc=Wireless, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xff0610be40, priority=1, domain=permit, deny=false
   hits=71899, user_data=0x0, cs_id=0x0, l3_type=0x8
   src mac=0000.0000.0000, mask=0000.0000.0000
   dst mac=0000.0000.0000, mask=0100.0000.0000
   input_ifc=Wireless, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.80 using egress ifc Inside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip ifc Wireless any ifc Inside any rule-id 268435721 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268435721: ACCESS POLICY: NISR-Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435721: L4 RULE: Block access to sales
Additional Information:
Forward Flow based lookup yields rule:
in id=0xff0ed2ffe0, priority=12, domain=permit, deny=true
   hits=6344, user_data=0xffa8552300, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
   src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=Wireless
   dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=Inside, vlan=0, dscp=0x0
   input_ifc=any, output_ifc=any

Result:
input-interface: Wireless
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Re: Redirect traffic through FTD

Marvin Rhoads — Sat, 05 Jan 2019 12:50:32 GMT

As long as they FTD is running routed interfaces, the system will always use the best known route for egress. You cannot force the traffic to go through the appliance to the outside interface and then "turn around" and re-enter the appliance.

Re: Redirect traffic through FTD

muath1987 — Sat, 05 Jan 2019 13:42:56 GMT

Thank you Marvin, is there any work around can help here ?

Re: Redirect traffic through FTD

Marvin Rhoads — Sat, 05 Jan 2019 14:17:46 GMT

There's often some way we can "hack" a technical solution.

What's the underlying functional requirement that you're trying to achieve?

Re: Redirect traffic through FTD

muath1987 — Sat, 05 Jan 2019 14:23:16 GMT

I am only looking to allow web browsing for those servers from outside just to keep this VLAN totally isolated from internal network.

Re: Redirect traffic through FTD

Marvin Rhoads — Sat, 05 Jan 2019 14:28:10 GMT

Since you are going to allow access to those servers why not just put in ACP rules to permit that specific access and block all other access?

That would be a standard way of handling it and not incur the technical debt of a more complex solution.