Welcome to Cisco Firewalls Community
Beginner

firepower FTD 6.2.2 hairpin

Hi There

We are running FTD 6.2.2 and are wondering how we go about allowing access to a web server in the DMZ using the public IP address that is NATted by the FTD device.

Outside - 59.23.x.x

DMZ 172.16.100.x

Inside 192.168.17.x

 

We have a web server sitting on 172.16.100.10 using a PAT on the FTD with the public routed IP 59.23.x.2 on the outside interface. The issue we have is that this specific piece of software requires access to the web server using the 59.23.x.x address rather than the 172.16.100.10 address.

We set up an internal DNS record pointing www.example.com to 59.23.x.x, however we are unable to get this configuration to work. On ASA code we used to set up NAT hairpinning, I believe it was called. Does anyone know how to do this in FTD?

VIP Advisor

Re: firepower FTD 6.2.2 hairpin

Same thing on FTD. You can do it from the NAT tab and associate the NAT policy with the FTD device, assuming you are using FMC.
Beginner

Re: firepower FTD 6.2.2 hairpin

Thanks Mohammed, yes using FMC

Do you have any screenshot examples at all? In the example above, would my source be the inside interface object and the destination the DMZ interface object?

Then:

Original source 192.168.17.x 

Original Destination 59.x.x.x

Translated Source Any IPV4

Translated Destination 127.16.100.10

VIP Advisor

Re: firepower FTD 6.2.2 hairpin

If my understanding is correct you want to access from inside to DMZ on the IP 59.x.x.x. You need to NAT source as DMZ and destination as inside. Then NAT the source IP, which is your DMZ subnet.
Beginner

Re: firepower FTD 6.2.2 hairpin

Hi Mohammed, appreciate your help

Current situation

You are correct. The 59.x.x.x address is routed to the outside interface of the FTD box from the ISP; it then uses a PAT rule for 59.x.x.x:443 to the DMZ internal subnet of 172.16.100.0 (web server 172.16.100.10). Currently the inside network is blocked from accessing any services on the DMZ using the access control policy.

Required situation

When a user browses from the inside network 192.168.17.x to the outside interface routed IP of 59.x.x.x we need to terminate this traffic on the webserver of 172.16.100.10 in the DMZ zone.

 

If we look at the solution on a Palo Alto, it is the reverse of what you are suggesting and doesn't mention using the DMZ zone at all.

 

  1. On the Original Packet tab, select the zone you created for your internal network in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone drop-down.
  2. In the Destination Address section, Add the address object you created for your public web server.
  3. On the Translated Packet tab, select Destination Address Translation and then enter the IP address that is assigned to the web server interface on the DMZ network, 172.16.100.10 in this example.
  4. Click OK.

Sorry, I have used another vendor's example; however, I can't find much online about trying to achieve this with Threat Defense.
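For readers who want to see what the four Palo Alto steps above (and the "ASA code" hairpinning the original question refers to) look like as a firewall rule set, here is an added ASA-CLI equivalent. It is not from this thread or from Cisco's documentation, and it assumes the interface names `inside`, `dmz` and `outside`, a placeholder public host `59.23.0.2` standing in for the redacted 59.23.x.2, the object names shown, and a /24 for the inside network; the same fields (original and translated source/destination, source and destination interfaces) map one-to-one onto a manual NAT rule in the FMC NAT tab.

```cisco
! Added example, not the poster's or Cisco's configuration. Names and the
! 59.23.0.2 placeholder are assumptions; substitute the real public host.
object network WEB-DMZ
 host 172.16.100.10
object network WEB-PUBLIC
 host 59.23.0.2
object network INSIDE-NET
 subnet 192.168.17.0 255.255.255.0
!
! 1. Existing publish rule (what the poster already has): Internet clients
!    reach 59.23.0.2:443 and are translated to the DMZ web server.
object network WEB-DMZ
 nat (dmz,outside) static 59.23.0.2 service tcp 443 443
!
! 2. Hairpin / U-turn rule, the CLI form of the Palo Alto steps:
!    source zone inside, destination zone dmz (not outside: the packet must
!    egress towards the server), original destination = public IP,
!    translated destination = DMZ host. The source is left untranslated
!    (identity), which is fine because the DMZ server's default gateway is
!    the firewall, so replies return through it and the connection state
!    matches.
nat (inside,dmz) source static INSIDE-NET INSIDE-NET destination static WEB-PUBLIC WEB-DMZ
!
! 3. Access control is evaluated on the real (post-NAT) destination, so the
!    inside-to-DMZ policy must permit 172.16.100.10/443, not 59.23.0.2.
!    The thread notes inside->DMZ is currently blocked; this is the one
!    hole to open, scoped to the web server and port only.
access-list INSIDE_IN extended permit tcp 192.168.17.0 255.255.255.0 host 172.16.100.10 eq 443
access-group INSIDE_IN in interface inside
```

Two checks worth running after deploying a rule like this: `show nat` should list the hairpin rule with a non-zero translate_hits/untranslate_hits counter once an inside client connects, and `packet-tracer input inside tcp 192.168.17.50 12345 59.23.0.2 443` should show the NAT phase rewriting the destination to 172.16.100.10 and the access-list phase allowing it. If the translated destination is instead an address inside the outside interface's own subnet, the deployment may warn or reject the rule, which is the limitation the next reply in this thread describes.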

VIP Advisor

Re: firepower FTD 6.2.2 hairpin

Thanks. Now I get the scenario. This was doable in ASA as the command could be accepted with a warning message (NAT to an existing subnet associated with a different interface). In FTD you can't do this, i.e. NATting between DMZ and inside using the outside subnet. It will throw an error.
Beginner

Re: firepower FTD 6.2.2 hairpin

Thanks Mohammed,

Not sure why it posted the same thing so many times :)

So no workarounds that you know of?
