Azure FTDv 6.2.2 Multiple IP addresses and NAT Problem

JSS73
Level 1

I have watched Anubhav Swami's video http://youtu.be/FUZMTBZrA74 and cannot get it to work - hoping someone can assist.  To be more precise, I want to be able to reach 2 web servers behind the FTDv using 2 different public IP addresses.

 

I have an FTDv with public IP on nic2 as well as a secondary public IP on nic2.

I have created an ACP that allows "any any http".

I have created 2 internal web servers behind the FTDv.

When I create the static NAT rule using the primary public IP of nic2 as the original destination, I can access the web page with no problem.  

I created another static NAT rule using the secondary public IP on nic2 as the original destination, and I cannot access the second web server.

 

To rule out any obvious config issues on my side, I changed the original NAT rule to point to the second web server, and it worked.  

Next, I changed the IP on the outside interface via the FMC to the secondary private IP on nic2, and again it worked in both scenarios.

Next, I disabled the rule with interface nic2 being the original destination, and created a rule with the IP of primary public IP of nic2 being the original destination, and again I could not access the web server.

 

Anybody have any ideas of what to do next?

 

 

7 Replies

rjross2086
Level 1

Were you ever able to get this to work?  I am going to attempt this configuration here on Monday. 

 

I would recommend rebooting the FTDv device in Azure since I have noticed some VMs will not immediately take the second IP configuration on the VM level right away.

 

How is your latency using the FTDv in Azure VM to VM?

I never did get it working even after a reboot, then got busy with other things.  I am going to spin up my VMs and try it again this week.  As for latency, I was just doing a PoC so I did not do any performance testing etc.

Have you solved your issue?

 

Here's an example that might be helpful to you or to others working with multiple IPs.

 

[Attachment: ftdv-multi-public-ip-example.JPG]

 

And some associated NAT configuration on FTDv. There are a number of ways to do this but here is one:

 

NAT configuration that preserves the Original Source Address of traffic coming from the internet.
Only one IP is needed on the inside interface. Internet source IPs are preserved, so make sure interior UDRs point to the FTDv inside private IP as the outbound route.


1) Internet traffic that hits the 2nd outside IP 10.8.0.51 (xx.xx.xx.xx) is NATed to Dest IP of Server 1 (10.8.1.20) and Source IP preserved from the Internet
type: static
interface objects: <don't assign any interface objects>
Translation:
Original Source: any-ipv4 (0.0.0.0/0)
Original Destination:   Address,  outside-ip2(created object 10.8.0.51)
Translated Source: Address, any-ip (created object 0.0.0.0/0)
Translated Destination: inside-server1 (created object 10.8.1.20)
<leave source ports blank>
<leave dest ports blank - unless you want to pin the rule to a specific protocol>

 

2) Internet traffic that hits the 3rd outside IP 10.8.0.52 (yy.yy.yy.yy) is NATed to Dest IP of Server 2 (10.8.1.5) and Source IP preserved from the Internet
type: static
interface objects: <don't assign any interface objects>
Translation:
Original Source: any-ipv4 (0.0.0.0/0)
Original Destination:   Address,  outside-ip3(created object 10.8.0.52)
Translated Source: Address, any-ip(created object 0.0.0.0/0)
Translated Destination: inside-server2 (created object 10.8.1.5)
<leave source ports blank>
<leave dest ports blank - unless you want to pin the rule to a specific protocol>


3) NAT any internet bound traffic coming from the inside.  Change the source IP to FTDv's outside IP 10.8.0.50 - so that it can be mapped to ww.ww.ww.ww
type: dynamic
interface objects:  
Source Interface Object: inside
Destination Interface Object: outside
Translation:
Original Source: any-ipv4 (0.0.0.0/0)
Original Destination:   Address,  any-ip(created object 0.0.0.0/0)
Translated Source: Destination Interface IP
Translated Destination: any-ip (created object 0.0.0.0/0)
<leave source ports blank>
<leave dest ports blank to allow all types of outbound traffic>

 

 

 

This is a great explanation.

Any idea how we can implement multiple public IP hosting with two FTDv in a scalable/sandwich design in Azure?

 

There are a few different ways, one being an external load balancer pointing to both FTDv in the backend pools. You can make multiple secondary IPs on the outside nic of the FTDv units and then point the load balancer pool to those.

You find a solution to this ?

ThisisGonnaHurt
Level 1

I also found Anubhav's video and couldn't have done the install without the excellent guidance. However, having this exact same situation (web server on interface IP is fine but a secondary IP wouldn't work), I had to change slightly from his deployment and make the translated source the destination interface. It now works with no issue; screenshot attached.
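The two working configurations in this thread differ only in what the inside server sees as the client's source address: the three-rule set posted earlier preserves the internet source (and therefore needs a UDR on the server subnet so replies route back through the FTDv), while the last reply translates the source to the FTDv's inside interface IP instead, which makes the reply path symmetric on its own. The following Python model is an added example, not configuration or code from Cisco or from anyone in this thread. It encodes the three manual NAT rules as written above (outside IP 10.8.0.50, secondary IPs 10.8.0.51 and 10.8.0.52, servers 10.8.1.20 and 10.8.1.5 are the thread's values), evaluates them top-down against constructed sample packets, and shows where the server's reply goes with and without the UDR. The inside interface IP 10.8.1.4, the inside subnet 10.8.1.0/24 and the client addresses are constructed placeholders.

```python
"""Model of the FTDv manual NAT rules discussed in this thread (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Outside IP comes from the thread; the inside IP is a constructed placeholder
# (the thread only says one inside IP is needed, not which).
IFACE_IP = {"outside": "10.8.0.50", "inside": "10.8.1.4"}
INSIDE_SUBNET = ip_network("10.8.1.0/24")  # constructed server subnet

PRESERVE = "preserve"            # keep the address unchanged
DEST_IFACE_IP = "dest-iface-ip"  # use the egress interface's own address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str  # interface the packet arrived on


@dataclass(frozen=True)
class NatRule:
    name: str
    orig_src: str    # CIDR
    orig_dst: str    # CIDR
    xlate_src: str   # PRESERVE, DEST_IFACE_IP or a host address
    xlate_dst: str   # PRESERVE or a host address
    src_iface: str = "any"  # "any" models "no interface objects assigned"


def egress_for(dst):
    """Constructed routing: the server subnet is inside, everything else is outside."""
    return "inside" if ip_address(dst) in INSIDE_SUBNET else "outside"


def matches(rule, pkt):
    return (rule.src_iface in ("any", pkt.ingress)
            and ip_address(pkt.src) in ip_network(rule.orig_src)
            and ip_address(pkt.dst) in ip_network(rule.orig_dst))


def apply_nat(pkt, rules):
    """Evaluate manual NAT top-down; first match wins.
    Returns (rule name or None, translated packet, egress interface)."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        new_dst = pkt.dst if rule.xlate_dst == PRESERVE else rule.xlate_dst
        egress = egress_for(new_dst)
        if rule.xlate_src == PRESERVE:
            new_src = pkt.src
        elif rule.xlate_src == DEST_IFACE_IP:
            new_src = IFACE_IP[egress]
        else:
            new_src = rule.xlate_src
        return rule.name, Packet(new_src, new_dst, pkt.ingress), egress
    return None, pkt, egress_for(pkt.dst)


def rules_from_thread(preserve_internet_source=True):
    """Rules 1-3 as posted above. Azure has already mapped the public IPs to the
    secondary private IPs 10.8.0.51/.52 before the packet reaches the FTDv NIC.
    With preserve_internet_source=False the static rules translate the source to
    the inside interface IP instead, the variant in the last reply."""
    inbound_src = PRESERVE if preserve_internet_source else DEST_IFACE_IP
    return [
        NatRule("rule1-outside-ip2-to-server1", "0.0.0.0/0", "10.8.0.51/32",
                inbound_src, "10.8.1.20"),
        NatRule("rule2-outside-ip3-to-server2", "0.0.0.0/0", "10.8.0.52/32",
                inbound_src, "10.8.1.5"),
        # Outbound dynamic rule: source becomes the outside interface IP.
        NatRule("rule3-outbound-dynamic", "0.0.0.0/0", "0.0.0.0/0",
                DEST_IFACE_IP, PRESERVE, src_iface="inside"),
    ]


def reply_path(server_pkt, udr_to_ftdv):
    """Where the server's reply goes. The reply is addressed to server_pkt.src.
    Returns (next hop, whether the flow stays symmetric through the FTDv)."""
    if server_pkt.src == IFACE_IP["inside"]:
        return "ftdv-inside", True            # on-link, no UDR needed
    if udr_to_ftdv:
        return "ftdv-inside", True            # UDR forces the reply via FTDv
    return "azure-internet", False            # bypasses the FTDv: flow breaks


if __name__ == "__main__":
    for preserve in (True, False):
        rules = rules_from_thread(preserve)
        name, seen, egress = apply_nat(Packet("203.0.113.10", "10.8.0.51", "outside"), rules)
        print(f"preserve={preserve}: {name} -> {seen.src} -> {seen.dst} via {egress}")
        for udr in (False, True):
            print("   reply with UDR" if udr else "   reply without UDR", reply_path(seen, udr))
```

Running it shows the failure mode the thread hints at: with the source preserved and no UDR, the server answers the internet client directly and the FTDv never sees the reply, so the static rule looks "broken" even though the inbound translation itself is correct.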
