Cisco Firewall FPR 1120 Not allowing outside traffic to Exchange & Web Servers

easydee
Level 1

Hello Cisco Community

I have configured the above firewall using Firepower Device Manager. I am a bit new to this GUI interface, and I am having issues with the access control. I have set up all my objects with their appropriate IP addresses and have also configured NAT.

The initial configuration just allowed my inside client machines to access the internet, but connections from the outside can't reach my web server and Exchange server (hence I can't get emails or access to the web), even though the site, objects and ports were properly set up. I only got some hits on the rules when I added https://www.mywebsite.com and https://webmail.mysite.com (for the mail) under the URL tab.

My problem now is that even though I can send emails from inside, receiving emails is still a challenge.

Now


7 Replies

Hi,
Please can you provide a screenshot of your nat rules (either from the GUI or from the CLI). Can you also run packet-tracer and upload the output for review.

I have attached the screenshots of the GUI NAT and Access Control. The red circle is the URLs that I had to put in to allow inbound traffic. Just to let you know, I tried with FlexConfig to put in the extended access-list, but they were not getting any hits either. I will try to run the packet tracer outside working hours; currently I have another firewall on the network that I want to retire.

Marvin Rhoads
Hall of Fame

Normally we allow the inbound traffic by using destination IP address, not by destination URL. If you use URL, one must pay careful attention to the interaction of DNS with the lookup feature.

The destination IP addresses are there; the only problem is that the access rule is not getting hits with only IP addresses.

It looks like your web server is using the outside interface for static NAT while "any" inside uses the same interface for dynamic NAT. That needs to change - use a unique address for the web server otherwise the xlate tables will be ambiguous.
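To make the diagnosis above concrete, here is an added illustration (not from this thread, not Cisco documentation, and not the poster's configuration) in the ASA-style NAT syntax that FTD displays in `show running-config nat`; every object name and address is a constructed placeholder, and the "after" part assumes a spare public address is available in the provider-assigned block.

```cisco
! --- Constructed illustration; object names and addresses are placeholders ---
!
! BEFORE: the web server's static NAT and the inside dynamic PAT both map to
! the outside interface address. An inbound SYN to that address on port 443 is
! ambiguous: the firewall cannot tell a return packet for a PAT session from
! new traffic that should un-NAT to WEB-SRV, so the xlate table is ambiguous.
object network INSIDE-NET
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
object network WEB-SRV
 host 192.168.10.25
 nat (inside,outside) static interface
!
! AFTER: give the server its own public address (assumed spare), so its static
! xlate no longer overlaps the address used by the inside PAT pool.
! Repeat the same pattern, with another unique address, for the Exchange server.
object network WEB-SRV
 host 192.168.10.25
 nat (inside,outside) static 203.0.113.25
!
! In FDM the access control rule is built in the GUI; the ASA-syntax equivalent
! below only makes the point that the rule matches the server's REAL (inside)
! address, not the public one, and needs no URL objects.
object-group service WEB-SVCS tcp
 port-object eq 443
 port-object eq 80
access-list OUTSIDE-IN extended permit tcp any object WEB-SRV object-group WEB-SVCS
!
! Verify from the CLI with packet-tracer, simulating an inbound HTTPS SYN from a
! constructed external client. A working configuration ends with "Action: allow"
! and shows an UN-NAT phase translating 203.0.113.25 to 192.168.10.25.
packet-tracer input outside tcp 198.51.100.7 40001 203.0.113.25 443 detailed
```

The same packet-tracer run against the "before" configuration is the quickest way to see which NAT rule is actually matched and why the access rule never receives a hit.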

Thank you, will configure that and will let you know the results

Thank you Marvin, that worked. I have also removed the URL links and the inbound traffic is now flowing as intended.
