cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
733
Views
9
Helpful
22
Replies

Cisco 1140 FTD additional public IP range

peat
Level 1
Level 1

Hi, 

I am struggling to get my head around how to get an additional public ip range working through a cisco 1140 ftd.

I had asked previously and was told there arent alias interfaces or suchlike on the FTD like there is on Sophos and was told to just use static nat.

Ive watched a ton of videos and looked online and I keep finding different suggestions. (I cant get any to work anyway)

Below is a bad diagram of what my setup looks like (ive used made up public ips just for an example).

peat_0-1730373151009.png

What i want to do is

1)  traffic from the internet to the web server for http, https, udp 59221, tcp 59221 using the public ip 205.20.111.36

2)  rdp to the rdp server using the public ip 205.20.111.33 but port 45456

3) have the public ip of 205.20.111.38 work on the internal router.

For 2) I have tried just doing a normal static nat with and without RDP port in destination port fields (ive also got it disabled at the moment but when testing i have enabled the status)

peat_1-1730373518313.png

peat_2-1730373554147.png

For info, internet out is working fine and i can remote onto the firewall fine too. so those basics are all ok.  Oh i also forgot on my diagram i have an inside interface on subnet 192.168.1.x and also another interface on 192.168.3.x

If anyone could help it would be gratefully received.

 

1 Accepted Solution

Accepted Solutions

Could be a software bug and this could be why it was showing no match on any rule but the default one when you ran packet tracer. Could you please try to add a replica of the DNAT_RDP rule, deploy and test again?

View solution in original post

22 Replies 22

peat
Level 1
Level 1

After watching more videos and learning that static nat is bidirectional and you control the direction via ACL I have tried my NAT this way. which still doesnt work.

peat_0-1730385284100.png

 

the interface is correct 
the rule must be manual NAT 

that it 

MHM

peat
Level 1
Level 1

Changed it to manual but rule still doesnt work.  Did a packet tracer and its looking like its hitting the default deny access rule and not being allowed by my access rule.  What is wrong with the access rule I have done?

Share last config of NAT and ACP

MHM

peat
Level 1
Level 1

peat_0-1730453721924.png

peat_1-1730453788212.png

 

 

public IP is not attach directly to any FTD interfaces 
so you need two steps 
1- use object host 205.20.111.38 instead of using interface in ACL and NAT 
2- use static route for this IP point to OUT interface 

MHM

 

Let's focus on requirement number 2, the others would have same concept and setup. In your last NAT screenshot you have configured the translated source address to be the outside interface. This should be changed with the RDP public IP 205.20.111.33, so you can create an object with that public IP and select it instead of the outside interface. If not if you leave the translated source as the outside interface it would mean the RDP server IP will be translated to the firewall outside interface IP.

Also, if you want the RDP traffic to be served on port 45456/tcp, then also here you have to change the translated source port to be port 45456/tcp. Finally on the access list you will have to change the destination port from the traditional RDP port 3389/tcp to 45456/tcp because port 45456/tcp will be the port exposed to the external world, so anyone that will try to RDP to the RDP server will be using port 45456/tcp.

Thanks, sorry ive wasted your time a bit there.  To try and get it working in the simplest way my latest attempt is to get RDP working on the actual public ip of 205.20.102.222 using just the standard rdp port of 3389.  Thats what my latest screenshot attempts were.

I thought if i could get it working in the simplest form then afterwards i could introduce each additional step one at a time (as in the 45456 port and then getting it to the other public ip)

No worries and what you're saying makes sense. Could you please try to create an object with the public IP 205.20.111.33 and change the translated source IP to this one rather than the interface and see if that works? if not, then please run some packet capture on the outside interface filtering with RDP port while you are testing RDP connection. This will allow us to see if you actually receive any traffic from the source. Alternatively, please run packet tracer simulating some traffic from one of the allowed sources with the public IP 205.20.111.33 and RDP port as destinations.

peat
Level 1
Level 1

I am reading this as its not hitting the acl and just hitting the default deny all acl?

> packet-tracer input outside tcp x.x.x.x 3389 x.x.x.x 3389

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 14848 ns
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Elapsed time: 11776 ns
Config:
nat (inside,outside) source static RDPserver interface service _|NatOrigSvc_dbf4c634-97ae-11ef-8448-d18b8885a4a7 _|NatMappedSvc_dbf4c634-97ae-11ef-8448-d18b8885a4a7
Additional Information:
NAT divert to egress interface inside(vrfid:0)
Untranslate x.x.x.x/3389 to 192.168.1.10/3389

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Elapsed time: 6656 ns
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
Additional Information:

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 33280 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000561737636518 flow (NA)/NA

>
>

This good' now NAT working as we want.

For ACL you need to specify ANY under source network' why ypu use object-group for network??

MHM

We have to lock down the RDP access to just the IT support

Ok, just make it any to check 

Do packet-tracer or do real connect. 

If traffic will not pass then we need to look for other reason

It temporarily for troubleshooting 

MHM

The port that you specify after the source IP in the packet tracer command would be the source port. Don't worry much about that port as it could be anything like 12345, however, the second port that you specify after the destination IP is the port that should be accessed from outside. Did you specify one of the source allowed IP addresses on packet tracer command? if so, you might need to double check the access list rules and see why is not matching the right rule that would allow this traffic from outside to inside.

Review Cisco Networking for a $25 gift card