08-28-2023 11:35 PM - edited 08-28-2023 11:38 PM
Hello to all,
and thank you very much in advance for your help and suggestions.
I have to configure my Firepower 1010 to allow external users (internet) to reach my internal server where the website and cpanel services reside.
My static ip is managed by the ISP router, the router is a TIM HUB+.
My network is set up like this:
ISP router (WAN IP 80.104.xxx.xxx reachable from the internet) and IP 192.168.0.10 (net 255.255.255.0)
The ISP router forwards all incoming calls to the DMZ 192.168.0.11 which is the outside interface of the Cisco Firepower 1010.
The internal server is connected to inside_3 interface of the Firepower 1010 and has a static IP 192.168.2.25.
I created the following objects:
WebserverPrivate HOST 192.168.2.25
WebserverPublic HOST 80.104.xxx.xxx
I added a new NAT policy along the lines of:
Original Packet
Interface = outside
Source IP = any-ipv4
Destination IP = <WebServerPublic>
Source Port = Any
Destination Port = HTTPS (or ANY or 2087 for cpanel)
Destination Packet
Interface = inside_3
Source IP = any-ipv4
Destination IP = <WebServerPrivate>
Source Port = Any
Destination Port = HTTPS (or ANY or 2087 for cpanel)
Then I added an Access Rule as follows:
Source
Zones = outside_zone
Networks = ANY
Ports = ANY
Destination
Zone = inside_zone
Networks = <WebServerPrivate>
Ports = HTTPS (or ANY or 2087 for cpanel)
Unfortunately this configuration does not work; the server remains unreachable and unpingable.
I tried a lot of NAT configurations but the result is always the same: external connections are blocked and the server cannot be reached.
I also tried to change the ISP router configuration, first forwarding to DMZ > 192.168.0.11 and then using port forwarding of specific ports to the Firepower (outside interface 192.168.0.11), but nothing.
Thank you very much for any suggestion.
Antonio
08-28-2023 11:49 PM
ISP router (WAN IP 80.104.xxx.xxx reachable from the internet) and IP 192.168.0.10 (net 255.255.255.0)
I assume your setup is as below?
Internet (ISP) --Router---FW 1010 - Inside
So your router is doing NAT? Then you need to have routing in place to reach the local web server.
Either you need to do double NAT on the Firepower or you need to configure the router to do NAT.
See an example of how NAT works:
What router is it, and what options do you have on the router?
08-29-2023 12:09 AM
Good morning BB and thank you very much for your help.
Yes, my configuration is Internet > ISP Router (NAT activated, IPv4 80.104.xxx.xxx (static IP), Gateway 192.168.100.1, DNS servers 85.38.28.5, 85.38.28.4) > Firepower 1010 > Inside. The router is a TIM HUB+ (Technicolor AGMY2020, Serial CP2050RAJ62, Software Version 19.4) with the following configuration:
DHCP activated
Network Addresses 192.168.0.0
DNS Server 192.168.0.10
IP Router address 192.168.0.10
DMZ activated > 192.168.2.10 (Firepower)
But there is no option to set up or modify NAT.
Best
Antonio
08-29-2023 12:06 AM - edited 08-29-2023 12:08 AM
@reinventy You need to translate behind the outside interface (not the public IP address of WebServerPublic that's configured on the ISP router, which FTD knows nothing about).
Assuming the ISP router is natting the required ports to the FTD outside interface, the example below should work. Just define the correct ports and source address object (WebServerPrivate).
08-29-2023 12:36 AM
Thank you very much Rob,
I also tried this NAT configuration but the server still remains unreachable.
Best
Antonio
08-29-2023 12:45 AM - edited 08-29-2023 12:58 AM
Hello,
I share screenshots of my 1010 conf:
Thank you
Best
Antonio
08-29-2023 12:54 AM
And router conf:
08-29-2023 01:56 AM
@reinventy run packet-tracer from the CLI and confirm what NAT rule is being matched, provide the output. Example:
packet-tracer input outside tcp 5.5.5.5 3000 80.104.xxx.xxx 443
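To make the advice in these replies concrete, here is an added example (not a poster's configuration) of the ASA-style object NAT that a static rule "behind the outside interface" produces on an FTD, with the verification commands. It assumes the names and addresses from the thread (inside_3, outside, server 192.168.2.25, FTD outside 192.168.0.11) and that the ISP router's DMZ forwarding rewrites the destination to 192.168.0.11 before the packet reaches the FTD, so that is the destination to trace.

```cisco
! Added example, not a poster's config. On an FDM-managed FTD the rule is built
! in the GUI; this is the equivalent shown by "show running-config nat".
! One network object per translated service, since an object holds one NAT line.
! Mapped address is the outside interface IP (192.168.0.11), not the ISP public IP:
! after the ISP router's DMZ forwarding, 192.168.0.11 is the destination the FTD sees.
object network WebServerPrivate
 host 192.168.2.25
 nat (inside_3,outside) static interface service tcp https https

! Same server, second service (cPanel on TCP 2087).
object network WebServerPrivate_cpanel
 host 192.168.2.25
 nat (inside_3,outside) static interface service tcp 2087 2087

! Verification from the FTD CLI. Trace with the destination the packet actually
! carries on arrival at "outside" (the interface IP), from a constructed external
! source 5.5.5.5:3000. Expect a NAT/UN-NAT phase naming the object above and
! "Action: allow" at the end; a drop in the ACCESS-LIST phase means the access
! rule, not the NAT rule, is the problem.
packet-tracer input outside tcp 5.5.5.5 3000 192.168.0.11 443
packet-tracer input outside tcp 5.5.5.5 3000 192.168.0.11 2087

! Hit counters and live translations confirm the rule is really being matched.
show nat
show xlate
```

If the ISP router is instead bridging the public address through unchanged, the trace destination would be 80.104.xxx.xxx and the NAT rule would need that address as its mapped address; the thread's router description (DMZ on a 192.168.0.0/24 LAN) points to the forwarded case.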