We are running FTD 6.2.2 and wondering how we go about allowing access to a web server in the DMZ using the public IP address which is NATed from the FTD device.
Outside - 59.23.x.x
We have a web server sitting on 172.16.100.10 using a PAT on the FTD with public routed IP 59.23.x.2 on the outside interface. The issue we have is this specific piece of software requires access to the web server utilizing the 59.23.x.x address rather than the 172.16.100.10 address.
We set up an internal DNS record pointing www.example.com to 59.23.x.x, however we are unable to get this configuration to work. On ASA code we used to set up NAT hairpinning, I believe it was called. Does anyone know how to do this in FTD?
Thanks Mohammed, yes, using FMC.
Do you have any screenshot examples at all? In the example above, would my source be the inside interface object, and the DMZ the destination interface object?
Original source 192.168.17.x
Original Destination 59.x.x.x
Translated Source Any IPV4
Translated Destination 127.16.100.10
Hi Mohammed, appreciate your help
You are correct. The 59.x.x.x address is routed to the outside interface of the FTD box from the ISP; it then uses a PAT rule for 59.x.x.x:443 to the DMZ internal subnet of 172.16.100.0 (web server 172.16.100.10). Currently the inside network is blocked from accessing any services on the DMZ using the access control policy.
When a user browses from the inside network 192.168.17.x to the outside interface routed IP of 59.x.x.x, we need to terminate this traffic on the web server of 172.16.100.10 in the DMZ zone.
If we look at the solution on a Palo Alto, it is the reverse of what you are suggesting and doesn't mention using the DMZ zone at all.
Sorry, I have used another vendor's example; however, I can't find much online about trying to achieve this with Threat Defense.
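To make concrete what the inside-to-DMZ NAT rule discussed in this thread has to do, the following is an added Python model of the lookup; it is not from the thread, from FMC, or from Cisco. All addresses are constructed (RFC 5737 documentation space stands in for the poster's 59.x.x.x), the interface and rule names are assumptions, and source translation is not modelled, which matches the "Translated Source Any" in the posted rule. The model shows why the inside client fails without the extra rule: the packet to the public IP is simply routed out the outside interface toward the ISP, so it never reaches the DMZ.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses for this example (RFC 5737 space stands in for the
# thread's 59.x.x.x public IP); none of this is the poster's real configuration.
PUBLIC_IP = "203.0.113.2"       # public address on the outside interface
WEB_SERVER = "172.16.100.10"    # real DMZ address of the web server
ROUTES = {                      # simplified routing table: prefix -> egress interface
    ip_network("192.168.17.0/24"): "inside",
    ip_network("172.16.100.0/24"): "dmz",
    ip_network("0.0.0.0/0"): "outside",   # default route toward the ISP
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str   # interface the packet arrived on


@dataclass(frozen=True)
class NatRule:
    """One FMC-style manual NAT rule: original/translated source and destination."""
    name: str
    src_iface: str   # source interface object, e.g. "inside" (assumed name)
    dst_iface: str   # destination interface object, e.g. "dmz" (assumed name)
    orig_src: str    # network the client must be in, or "any"
    orig_dst: str    # address the client actually sends to
    dport: int       # service port the rule applies to
    xlated_dst: str  # address the packet is delivered to after translation


def route_lookup(dst: str) -> str:
    """Longest-prefix match over ROUTES; returns the egress interface name."""
    addr = ip_address(dst)
    best = max((n for n in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


def rule_matches(rule: NatRule, pkt: Packet) -> bool:
    if rule.src_iface != pkt.in_iface or rule.dport != pkt.dport:
        return False
    if rule.orig_src != "any" and ip_address(pkt.src) not in ip_network(rule.orig_src):
        return False
    return pkt.dst == rule.orig_dst


def translate(pkt: Packet, rules: list) -> tuple:
    """Return (translated packet, egress interface, matched rule name or None).

    Rules are evaluated top-down and the first match wins, as in an FMC NAT
    policy. An unmatched packet is forwarded unchanged by plain routing.
    """
    for rule in rules:
        if rule_matches(rule, pkt):
            out = Packet(pkt.src, rule.xlated_dst, pkt.dport, pkt.in_iface)
            return out, route_lookup(out.dst), rule.name
    return pkt, route_lookup(pkt.dst), None


def untranslate_reply(fwd_original: Packet, fwd_translated: Packet, reply: Packet) -> Packet:
    """The server replies from its real address; the connection entry created by
    the forward translation rewrites the source back to the public IP, so the
    client sees the reply coming from the address it connected to."""
    if reply.src == fwd_translated.dst and reply.dst == fwd_original.src:
        return Packet(fwd_original.dst, reply.dst, reply.dport, reply.in_iface)
    return reply


# The existing outside PAT rule only, i.e. the poster's starting point.
RULES_WITHOUT_HAIRPIN = [
    NatRule("outside-pat-443", "outside", "dmz", "any", PUBLIC_IP, 443, WEB_SERVER),
]
# Same, plus an inside -> dmz rule for the same public IP and port.
RULES_WITH_HAIRPIN = RULES_WITHOUT_HAIRPIN + [
    NatRule("inside-hairpin-443", "inside", "dmz", "192.168.17.0/24", PUBLIC_IP, 443, WEB_SERVER),
]


def inside_client_result(rules: list) -> tuple:
    """Where does an inside client's HTTPS request to the public IP end up?"""
    client = Packet("192.168.17.25", PUBLIC_IP, 443, "inside")
    fwd, egress, rule = translate(client, rules)
    return fwd.dst, egress, rule


if __name__ == "__main__":
    print("without hairpin rule:", inside_client_result(RULES_WITHOUT_HAIRPIN))
    print("with hairpin rule:   ", inside_client_result(RULES_WITH_HAIRPIN))
```

Run as-is, the first line shows the request leaving on the outside interface with its destination untouched (no rule matched, so the default route wins), and the second shows it delivered to 172.16.100.10 on the DMZ interface. Reply handling is stateful: the forward connection entry, not a second rule, turns the server's real source address back into the public IP.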