Help with NAT & ACL FP1120

am_rajan
Level 1

Hello,

Looking for some help with this topic since I am new to this one.

We have two FP1120s in HA. The inside interface is 1/8 with two sub-interfaces, 1/8.100 and 1/8.101.

The 1/8.100 has a network of 172.16.x.x/24.

The outside interface is assigned a public IP, 84.100.xx.xxx.

Now we have a web service (k8s), srv.example.ws, whose DNS points to our outside interface IP (84.100.xx.xxx). What we want to achieve is that when www.srv.example.ws is called from the outside world (internet), it is routed to our internal server, e.g. 172.16.x.18:8080, so basically a NAT and an ACL to provide this connectivity.

I am using FDM (Firewall Device Manager) to configure this. I would be grateful for any help with the steps.

Regards

2 Replies

marce1000
VIP

Check out this procedure:

1. Create a NAT rule on the outside interface to map the public IP address (84.100.xx.xxx) to the internal IP address (172.16.x.18). The NAT rule should also specify the destination port as 8080.
2. Create an ACL on the inside interface to allow traffic from the public IP address (84.100.xx.xxx) to the internal IP address (172.16.x.18) on port 8080.

Here are the specific steps on how to create the NAT rule and ACL in FDM:

Log in to FDM and navigate to the "Firewall" tab.

Click on the "NAT" tab.

Click on the "Add" button to create a new NAT rule.

In the "Name" field, enter a name for the NAT rule.

In the "Source Address" field, enter the public IP address (84.100.xx.xxx).

In the "Destination Address" field, enter the internal IP address (172.16.x.18).

In the "Destination Port" field, enter 8080.

Select the "Static" option for the "Translation Type".

Click on the "Save" button.

Click on the "ACL" tab.

Click on the "Add" button to create a new ACL.

In the "Name" field, enter a name for the ACL.

In the "Source Address" field, enter the public IP address (84.100.xx.xxx).

In the "Destination Address" field, enter the internal IP address (172.16.x.18).

In the "Destination Port" field, enter 8080.

Select the "Allow" option for the "Action".

Click on the "Save" button.

Once you have created the NAT rule and ACL, you should be able to access the web service on your internal server from the internet by calling www.srv.example.ws.

M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

am_rajan
Level 1

Hello Marce,

First of all, thank you for taking the time to help me with this topic, I really appreciate it.

I have tried to do what you mentioned, but there are a few things that are missing. I have attached a few pics which will help you and me to get this going.

1. ACL wizard in FDM - this shows all the options we have when we click the "Add Rule" button.

2. NAT wizard in FDM - this shows all the options we get when we hit the "Add NAT Rule" button.

3. Interfaces - this shows how the interfaces are configured. As mentioned, the outside interface is assigned the same public IP as the web service (the outside interface and the web service (www.srv.example.ws) have the same IP, i.e. 84.100.xx.xxx). The inside interface has two sub-interfaces (Data and LLO) and the web service is hosted on the Data sub-interface (Inside >> Data).

Currently there are a few NAT rules and ACLs in the FTD, and you can see them in the NAT rules and ACLs.

I tried what you mentioned, but it doesn't look like it's working; maybe I am missing something or didn't add it correctly (you can check the NAT and ACL wizard and will understand how it has been set up). I also tried a packet tracer (I don't know whether it's the right way to test this, or whether it's the correct port), but it looks like it's getting blocked, mostly by an implicit rule or a rule just created.

I hope this gives a better view on this topic and helps in getting some solutions. I look forward to your response.

Regards

AR
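As an added example, not part of the thread and not Cisco code: a small Python model of the order in which an FTD handles an inbound connection to a published service. Since ASA 8.3 and on FTD, destination NAT is undone first and the access control rule is then matched against the real (untranslated) addresses, so a rule whose source is the firewall's own public IP never matches an internet client and the flow ends at the implicit deny that packet tracer reports, whereas a rule from any source to the real server address on tcp/8080 matches. The addresses are constructed placeholders standing in for the obfuscated ones above.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Minimal model of an FTD inbound flow: un-NAT first, then the access policy.
Packet = namedtuple("Packet", "src_ip dst_ip dst_port")
# Publishes real_ip:real_port (inside) as mapped_ip:mapped_port (outside).
StaticNat = namedtuple("StaticNat", "real_ip mapped_ip real_port mapped_port")
# dst_port=None matches any port; action is "allow" or "deny".
AccessRule = namedtuple("AccessRule", "name src_net dst_net dst_port action")

def untranslate(pkt, nats):
    # Inbound un-NAT: the mapped destination becomes the real server address.
    for n in nats:
        if pkt.dst_ip == n.mapped_ip and pkt.dst_port == n.mapped_port:
            return pkt._replace(dst_ip=n.real_ip, dst_port=n.real_port), n
    return pkt, None

def evaluate(pkt, rules):
    # First-match access policy evaluated on real addresses; implicit deny last.
    for r in rules:
        if (ip_address(pkt.src_ip) in ip_network(r.src_net)
                and ip_address(pkt.dst_ip) in ip_network(r.dst_net)
                and r.dst_port in (None, pkt.dst_port)):
            return r.action, r.name
    return "deny", "implicit-deny"

def inbound_decision(pkt, nats, rules):
    real, nat = untranslate(pkt, nats)
    if nat is None:
        return "deny", "no-nat-match"  # nothing publishes this destination
    return evaluate(real, rules)

# Constructed placeholders for the thread's obfuscated addresses.
PUBLIC_IP, SERVER_IP = "203.0.113.10", "172.16.10.18"
NATS = [StaticNat(SERVER_IP, PUBLIC_IP, 8080, 8080)]
# Rule written with the public IP as source: no internet client ever matches it.
RULES_MAPPED = [AccessRule("allow-mapped", PUBLIC_IP + "/32", SERVER_IP + "/32", 8080, "allow")]
# Rule written on the real server address with any internet source.
RULES_REAL = [AccessRule("allow-srv-8080", "0.0.0.0/0", SERVER_IP + "/32", 8080, "allow")]
CLIENT = Packet("198.51.100.7", PUBLIC_IP, 8080)

if __name__ == "__main__":
    print(inbound_decision(CLIENT, NATS, RULES_MAPPED))  # ('deny', 'implicit-deny')
    print(inbound_decision(CLIENT, NATS, RULES_REAL))    # ('allow', 'allow-srv-8080')
```

In FDM terms this corresponds to a static NAT rule on the inside object (real 172.16.x.18, mapped to the outside interface address, tcp/8080) plus an access rule from the outside zone to the inside zone whose destination is the real server object, not the public IP.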
