topic Re: Cisco Firewall FPR 1120 Not allowing outside traffic to Exchange & Web Servers in Network Security

Cisco Firewall FPR 1120 Not allowing outside traffic to Exchange & Web Servers

easydee — Fri, 21 Feb 2020 17:49:10 GMT

Hello Cisco Community

I have configured the above firewall using Firepower Device Manager , i am a bit new to this GUI interface, and i am having issues with the access control. I have set up all my objects with their appropriate IP addresses and have also configured NAT.

The initial configuration just allowed may inside client machines to access internet , but connections from the outside can't reach my web server and exchange server (hence i can't get emails and access to the web). even though the site ,object ,ports were properly set up. I only got some hits on the rules when i added the https://www.mywebsite.com and Https://webmail.mysite.com (for the mail) under the URL tab.

My problem now is that even though i can send emails from inside , receiving emails is still a challenge.

Now

Re: Cisco Firewall FPR 1120 Not allowing outside traffic to Exchange & Web Servers

Rob Ingram — Tue, 07 Jan 2020 22:25:11 GMT

Hi,
Please can you provide a screenshot of your nat rules (either from the GUI or from the CLI). Can you also run packet-tracer and upload the output for review.

Re: Cisco Firewall FPR 1120 Not allowing outside traffic to Exchange & Web Servers

Marvin Rhoads — Wed, 08 Jan 2020 02:31:57 GMT

Normally we allow the inbound traffic by using destination IP address, not by destination URL. If you use URL, one must pay careful attention to the interaction of DNS with the lookup feature.

Re: Cisco Firewall FPR 1120 Not allowing outside traffic to Exchange & Web Servers

easydee — Wed, 08 Jan 2020 15:00:50 GMT

I have attached the screnshots of the GUI NAT and Access Control. The red circle is the urls that i had to put in to allow inbound traffic. Just to let you know , i tried with the flexiconfig to put in the extended access-list but as well they were not getting any hits. I will try to run the packet tracer off working hours, currently i have another firewall on the network that i want to retire.

Re: Cisco Firewall FPR 1120 Not allowing outside traffic to Exchange & Web Servers

easydee — Wed, 08 Jan 2020 15:05:56 GMT

The destination IP addresses are there , the only problem is the Access rule is not getting hits with only IP addresses

Re: Cisco Firewall FPR 1120 Not allowing outside traffic to Exchange & Web Servers

Marvin Rhoads — Thu, 09 Jan 2020 05:40:56 GMT

It looks like your web server is using the outside interface for static NAT while "any" inside uses the same interface for dynamic NAT. That needs to change - use a unique address for the web server otherwise the xlate tables will be ambiguous.

Re: Cisco Firewall FPR 1120 Not allowing outside traffic to Exchange & Web Servers

easydee — Thu, 09 Jan 2020 15:32:05 GMT

Thank you, will configure that and will let you know the results

Re: Cisco Firewall FPR 1120 Not allowing outside traffic to Exchange & Web Servers

easydee — Thu, 09 Jan 2020 19:58:57 GMT

Thank you Marvin, that worked. I have also remove the url links and the inbound traffic is now flowing as intended