cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


369
Views
0
Helpful
5
Replies
Beginner

Redirect traffic through FTD

Hello,

 

I have a couple of web server in my network which accessible from outside also from inside, I am trying to force on vlan to access this servers from outside, but whenever the request from this vlan hit the FTD it resolve the egress interface and use the private ip of the server (Inside-Zone), is there anyway to force this vlan to access the server from outside only ?

 

here is the packet tracer

 

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xff0623af40, priority=13, domain=capture, deny=false
    hits=195571, user_data=0xff65d31360, cs_id=0x0, l3_type=0x0
    src mac=0000.0000.0000, mask=0000.0000.0000
    dst mac=0000.0000.0000, mask=0000.0000.0000
    input_ifc=Wireless, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xff0610be40, priority=1, domain=permit, deny=false
    hits=71899, user_data=0x0, cs_id=0x0, l3_type=0x8
    src mac=0000.0000.0000, mask=0000.0000.0000
    dst mac=0000.0000.0000, mask=0100.0000.0000
    input_ifc=Wireless, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.80 using egress ifc  Inside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip ifc Wireless any ifc Inside any rule-id 268435721 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268435721: ACCESS POLICY: NISR-Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435721: L4 RULE: Block access to sales
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xff0ed2ffe0, priority=12, domain=permit, deny=true
    hits=6344, user_data=0xffa8552300, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=Wireless
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=Inside, vlan=0, dscp=0x0
    input_ifc=any, output_ifc=any

Result:
input-interface: Wireless
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Everyone's tags (3)
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Hall of Fame Master

Re: Redirect traffic through FTD

As long as they FTD is running routed interfaces, the system will always use the best known route for egress. You cannot force the traffic to go through the appliance to the outside interface and then "turn around" and re-enter the appliance.

5 REPLIES 5
Highlighted
Hall of Fame Master

Re: Redirect traffic through FTD

As long as they FTD is running routed interfaces, the system will always use the best known route for egress. You cannot force the traffic to go through the appliance to the outside interface and then "turn around" and re-enter the appliance.

Beginner

Re: Redirect traffic through FTD

Thank you Marvin, is there any work around can help here ?

Hall of Fame Master

Re: Redirect traffic through FTD

There's often some way we can "hack" a technical solution.

 

What's the underlying functional requirement that you're trying to achieve?

Beginner

Re: Redirect traffic through FTD

I am only looking to allow web browsing for those servers from outside just to keep this VLAN totally isolated from internal network.

Hall of Fame Master

Re: Redirect traffic through FTD

Since you are going to allow access to those servers why not just put in ACP rules to permit that specific access and block all other access?

 

That would be a standard way of handling it and not incur the technical debt of a more complex solution.