Cisco Firepower 1010 Port forwarding

Ronnieace
Level 1

I have recently bought a Firepower 1010 as an upgrade from my older 5510 that I have. Unfortunately I am unfamiliar with the Firepower Device Manager and cannot for the life of me figure out how to forward port 80 from my outside interface to my internal web server after trying a million different NAT and ACL combinations.

6 Replies

mohd_123shoaib
Level 1
Hi,
Can you share with us the output of packet tracer once you have deployed the configuration? You can also use the link below to configure the required NAT and access rules as well as run a packet tracer.

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/fdm/fptd-fdm-config-guide-640/fptd-fdm-nat.html#task_210AE84BB62745E69AC1A1BF0ACEA548

kapydan88
Level 4

Did you manage to configure it? Because I tried it, but unsuccessfully...

[attached screenshot: port frw 1140.PNG]

I need to forward access from external ip of my firepower 1140 1.1.1.1 and tcp 10555 to internal ip of oracle vm 2.2.2.2 and tcp 22.

vpn_outside 1.1.1.1

oracle vm 2.2.2.2
1.1.1.1:10555 -> 2.2.2.2:22

@kapydan88 
Amend your NAT rule as below, this works

[attached screenshot: 1.PNG]

[attached screenshot: 2.PNG]

Ensure the ACP has an inbound rule to the real IP address (2.2.2.2) and port (22) of the server.

HTH

It works, thanks.
But this point isn't clear: "Ensure the ACP has an inbound rule to the real IP address (2.2.2.2) and port (22) of the server" - do I allow tcp 10555 from the external interface, and 22 also for the external interface?

Because I allow all traffic for test purposes.

In your Access Control Policy the source will be "any" (not the outside interface), the destination will be an object that represents the real IP address (2.2.2.2) of your server, and the destination port is ssh (tcp/22). E.g.

[attached screenshot: 11.PNG]

This suggested static Auto-NAT rule works for me also. However, the display of this NAT rule shows Source=inside-zone and Destination=outside-zone which seems intuitively opposite of what one would expect; for example, like the corresponding ACP rule (source=outside-zone/address to dest=inside-zone/address). Would you please elaborate on this NAT rule or its syntax? And why the original static Manual NAT rule does not do the trick? Thanks!
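An added model, not from the thread or from Cisco, of why the ACP must reference the real address and why the Auto-NAT rule is displayed inside-to-outside: a Python sketch of the FTD order of operations for an inbound packet (untranslate first, then evaluate access control on the real destination). It assumes the interface names "inside" and "vpn_outside" and uses the addresses and ports from the thread as constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticAutoNat:
    """Static Auto (object) NAT with port translation, as shown in the thread.
    It is written from the perspective of the real host (inside -> outside),
    which is why FDM displays Source=inside-zone, Destination=outside-zone,
    but the translation is applied in both directions."""
    real_if: str
    real_ip: str
    real_port: int
    mapped_if: str
    mapped_ip: str
    mapped_port: int

    def untranslate(self, ingress_if, dst_ip, dst_port):
        """Inbound direction: mapped -> real. Returns (real_ip, real_port) or None."""
        if (ingress_if, dst_ip, dst_port) == (self.mapped_if, self.mapped_ip, self.mapped_port):
            return (self.real_ip, self.real_port)
        return None


@dataclass(frozen=True)
class AcpRule:
    action: str   # "allow" or "block"
    dst_ip: str
    dst_port: int


def evaluate_inbound(nat, acp, ingress_if, dst_ip, dst_port):
    """Order of operations modelled here: untranslate first, then evaluate the
    access control policy against the REAL (post-NAT) destination."""
    real = nat.untranslate(ingress_if, dst_ip, dst_port)
    if real is None:
        return "no NAT match: packet is not forwarded to the server"
    real_ip, real_port = real
    for rule in acp:
        if (rule.dst_ip, rule.dst_port) == (real_ip, real_port):
            return f"{rule.action} {real_ip}:{real_port}"
    return "no ACP match: dropped by default action"


# Constructed values from the thread; "inside" is an assumed interface name.
NAT_RULE = StaticAutoNat("inside", "2.2.2.2", 22, "vpn_outside", "1.1.1.1", 10555)
# ACP written against the mapped address/port: never matches, traffic is dropped.
ACP_MAPPED = [AcpRule("allow", "1.1.1.1", 10555)]
# ACP written against the real address/port, as advised in the thread.
ACP_REAL = [AcpRule("allow", "2.2.2.2", 22)]

if __name__ == "__main__":
    for acp in (ACP_MAPPED, ACP_REAL):
        print(evaluate_inbound(NAT_RULE, acp, "vpn_outside", "1.1.1.1", 10555))
```

Running it shows the rule built on 1.1.1.1:10555 never matches, while the rule on 2.2.2.2:22 allows the session, which is what packet tracer on the real device would also report.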