01-07-2020 11:47 AM - edited 02-21-2020 09:49 AM
Hello Cisco Community
I have configured the above firewall using Firepower Device Manager; I am a bit new to this GUI interface, and I am having issues with the access control. I have set up all my objects with their appropriate IP addresses and have also configured NAT.
The initial configuration just allowed my inside client machines to access the internet, but connections from the outside can't reach my web server and Exchange server (hence I can't get emails and access to the web), even though the site, object, and ports were properly set up. I only got some hits on the rules when I added https://www.mywebsite.com and Https://webmail.mysite.com (for the mail) under the URL tab.
My problem now is that even though I can send emails from inside, receiving emails is still a challenge.
Now
01-08-2020 09:40 PM
It looks like your web server is using the outside interface for static NAT while "any" inside uses the same interface for dynamic NAT. That needs to change - use a unique address for the web server otherwise the xlate tables will be ambiguous.
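As an added illustration (not part of this thread, and not Cisco documentation), here is the same NAT situation in the ASA-style syntax that FTD shows in `show running-config nat` and that FlexConfig accepts. The object and interface names are assumptions, and the addresses are constructed RFC 5737 placeholders. The first half shows the ambiguous setup (server and all inside hosts translated to the same outside interface address); the second half gives the server its own public address so the xlate lookup for inbound traffic is unambiguous.

```text
! --- Ambiguous: two rules translate to the outside interface address ---
! PAT for every inside client
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
! static NAT for the web server to the SAME outside address
object network WEB-SERVER
 host 10.1.1.10
 nat (inside,outside) static interface

! --- Corrected: each published server gets a dedicated public address ---
! (203.0.113.10 and .11 are constructed placeholders)
object network WEB-SERVER
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
object network MAIL-SERVER
 host 10.1.1.20
 nat (inside,outside) static 203.0.113.11
! inside clients still PAT to the interface address, which no longer
! overlaps with any static mapping
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Verify inbound handling from the FTD CLI with a constructed outside source:
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 443
```

Two points a practitioner would check: FTD access control matches on the real (pre-NAT, inside) address of the server, following the same convention as ASA 8.3 and later, so the FDM access rule should name the server's real address object as the destination rather than a URL object; and the `packet-tracer` line shows which NAT rule and access rule the inbound packet hits, which makes an ambiguous translation visible without waiting for real mail or web traffic.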
01-09-2020 11:58 AM
Thank you Marvin, that worked. I have also removed the URL links and the inbound traffic is now flowing as intended.
01-07-2020 02:25 PM
01-08-2020 07:00 AM
I have attached the screenshots of the GUI NAT and Access Control. The red circle is the URLs that I had to put in to allow inbound traffic. Just to let you know, I tried with FlexConfig to put in the extended access-list, but they were not getting any hits either. I will try to run the packet tracer outside working hours; currently I have another firewall on the network that I want to retire.
01-07-2020 06:31 PM
Normally we allow the inbound traffic by using destination IP address, not by destination URL. If you use URL, one must pay careful attention to the interaction of DNS with the lookup feature.
01-08-2020 07:05 AM
The destination IP addresses are there; the only problem is the access rule is not getting hits with only IP addresses.
01-09-2020 07:32 AM
Thank you, will configure that and will let you know the results