10-31-2024 04:24 AM
Hi,
I am struggling to get my head around how to get an additional public ip range working through a cisco 1140 ftd.
I had asked previously and was told there arent alias interfaces or suchlike on the FTD like there is on Sophos and was told to just use static nat.
Ive watched a ton of videos and looked online and I keep finding different suggestions. (I cant get any to work anyway)
Below is a bad diagram of what my setup looks like (ive used made up public ips just for an example).
What i want to do is
1) traffic from the internet to the web server for http, https, udp 59221, tcp 59221 using the public ip 205.20.111.36
2) rdp to the rdp server using the public ip 205.20.111.33 but port 45456
3) have the public ip of 205.20.111.38 work on the internal router.
For 2) I have tried just doing a normal static nat with and without RDP port in destination port fields (ive also got it disabled at the moment but when testing i have enabled the status)
For info, internet out is working fine and i can remote onto the firewall fine too. so those basics are all ok. Oh i also forgot on my diagram i have an inside interface on subnet 192.168.1.x and also another interface on 192.168.3.x
If anyone could help it would be gratefully received.
Solved! Go to Solution.
11-04-2024 09:16 AM
Could be a software bug and this could be why it was showing no match on any rule but the default one when you ran packet tracer. Could you please try to add a replica of the DNAT_RDP rule, deploy and test again?
10-31-2024 07:36 AM
After watching more videos and learning that static nat is bidirectional and you control the direction via ACL I have tried my NAT this way. which still doesnt work.
10-31-2024 08:05 AM
the interface is correct
the rule must be manual NAT
that it
MHM
11-01-2024 02:29 AM
Changed it to manual but rule still doesnt work. Did a packet tracer and its looking like its hitting the default deny access rule and not being allowed by my access rule. What is wrong with the access rule I have done?
11-01-2024 02:33 AM
Share last config of NAT and ACP
MHM
11-01-2024 02:37 AM
11-01-2024 11:10 AM
public IP is not attach directly to any FTD interfaces
so you need two steps
1- use object host 205.20.111.38 instead of using interface in ACL and NAT
2- use static route for this IP point to OUT interface
MHM
11-01-2024 03:31 AM
Let's focus on requirement number 2, the others would have same concept and setup. In your last NAT screenshot you have configured the translated source address to be the outside interface. This should be changed with the RDP public IP 205.20.111.33, so you can create an object with that public IP and select it instead of the outside interface. If not if you leave the translated source as the outside interface it would mean the RDP server IP will be translated to the firewall outside interface IP.
Also, if you want the RDP traffic to be served on port 45456/tcp, then also here you have to change the translated source port to be port 45456/tcp. Finally on the access list you will have to change the destination port from the traditional RDP port 3389/tcp to 45456/tcp because port 45456/tcp will be the port exposed to the external world, so anyone that will try to RDP to the RDP server will be using port 45456/tcp.
11-01-2024 04:25 AM
Thanks, sorry ive wasted your time a bit there. To try and get it working in the simplest way my latest attempt is to get RDP working on the actual public ip of 205.20.102.222 using just the standard rdp port of 3389. Thats what my latest screenshot attempts were.
I thought if i could get it working in the simplest form then afterwards i could introduce each additional step one at a time (as in the 45456 port and then getting it to the other public ip)
11-01-2024 08:31 AM
No worries and what you're saying makes sense. Could you please try to create an object with the public IP 205.20.111.33 and change the translated source IP to this one rather than the interface and see if that works? if not, then please run some packet capture on the outside interface filtering with RDP port while you are testing RDP connection. This will allow us to see if you actually receive any traffic from the source. Alternatively, please run packet tracer simulating some traffic from one of the allowed sources with the public IP 205.20.111.33 and RDP port as destinations.
11-04-2024 06:37 AM - edited 11-04-2024 06:45 AM
I am reading this as its not hitting the acl and just hitting the default deny all acl?
> packet-tracer input outside tcp x.x.x.x 3389 x.x.x.x 3389
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 14848 ns
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Elapsed time: 11776 ns
Config:
nat (inside,outside) source static RDPserver interface service _|NatOrigSvc_dbf4c634-97ae-11ef-8448-d18b8885a4a7 _|NatMappedSvc_dbf4c634-97ae-11ef-8448-d18b8885a4a7
Additional Information:
NAT divert to egress interface inside(vrfid:0)
Untranslate x.x.x.x/3389 to 192.168.1.10/3389
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Elapsed time: 6656 ns
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
Additional Information:
Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 33280 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000561737636518 flow (NA)/NA
>
>
11-04-2024 07:11 AM - edited 11-04-2024 07:13 AM
This good' now NAT working as we want.
For ACL you need to specify ANY under source network' why ypu use object-group for network??
MHM
11-04-2024 07:38 AM
We have to lock down the RDP access to just the IT support
11-04-2024 07:45 AM
Ok, just make it any to check
Do packet-tracer or do real connect.
If traffic will not pass then we need to look for other reason
It temporarily for troubleshooting
MHM
11-04-2024 07:47 AM
The port that you specify after the source IP in the packet tracer command would be the source port. Don't worry much about that port as it could be anything like 12345, however, the second port that you specify after the destination IP is the port that should be accessed from outside. Did you specify one of the source allowed IP addresses on packet tracer command? if so, you might need to double check the access list rules and see why is not matching the right rule that would allow this traffic from outside to inside.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide