
Firepower 1010 NAT configuration for ISP Router WAN STATIC IP

reinventy
Level 1

Hello to all,

and thank you very much in advance for your help and suggestions.

I have to configure my Firepower 1010 to allow external users (internet) to reach my internal server where the website and cpanel services reside.

My static ip is managed by the ISP router, the router is a TIM HUB+.

My network is set up like this:

 

ISP router (WAN IP 80.104.xxx.xxx reachable from the internet) and IP 192.168.0.10 (net 255.255.255.0)

The ISP router forwards all incoming calls to the DMZ 192.168.0.11 which is the outside interface of the Cisco Firepower 1010.

The internal server is connected to inside_3 interface of the Firepower 1010 and has a static IP 192.168.2.25.

I created the following objects:
WebserverPrivate HOST 192.168.2.25
WebserverPublic HOST 80.104.xxx.xxx

I added a new NAT policy along the lines of:

Original Packet
Interface = outside
Source IP = any-ipv4
Destination IP = <WebServerPublic>
Source Port = Any
Destination Port = HTTPS (or ANY or 2087 for cpanel)

Destination Packet
Interface = inside_3
Source IP = any-ipv4
Destination IP = <WebServerPrivate>
Source Port = Any
Destination Port = HTTPS (or ANY or 2087 for cpanel)

Then I added an Access Rule as follows:

Source
Zones = outside_zone
Networks = ANY
Ports = ANY
Destination
Zone = inside_zone
Networks = <WebServerPrivate>
Ports = HTTPS (or ANY or 2087 for cpanel)

Unfortunately this configuration does not work; the server remains unreachable and unpingable...

I tried a lot of NAT configurations but the result is always the same... external connections are blocked and the server cannot be reached.

I also tried changing the ISP router configuration, first trying to forward to the DMZ > 192.168.0.11 and also trying port forwarding of specific ports to the Firepower (outside interface 192.168.0.11), but nothing...

Thank you very much for any suggestions...

Antonio

7 Replies

balaji.bandi
Hall of Fame
ISP router (WAN IP 80.104.xxx.xxx reachable from the internet) and  IP 192.168.0.10 (net 255.255.255.0)

I assume your setup is as below?

Internet (ISP) --Router---FW 1010 - Inside

So your router is doing NAT? Then you need to have routing in place to reach the local web server.

Either you need to do double NAT on the Firepower, or you need to configure the router to do NAT.

See an example of how NAT works:

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212702-configure-and-verify-nat-on-ftd.html

What router is it, and what options do you have on the router?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Good morning BB and thank you very much for your help.

Yes, my configuration is Internet > ISP Router (NAT activated, IPv4 80.104.xxx.xxx (static IP), Gateway 192.168.100.1, DNS servers 85.38.28.5, 85.38.28.4) > Firepower 1010 > Inside. The router is a TIM HUB+ (Technicolor AGMY2020, Serial CP2050RAJ62, Software Version 19.4) with the following configuration:

DHCP activated

Network Addresses 192.168.0.0

DNS Server 192.168.0.10

IP Router address 192.168.0.10

DMZ activated > 192.168.2.10 (Firepower)

But no option to setup or modify NAT.

Best

Antonio

 

@reinventy You need to translate behind the outside interface (not the public IP address of WebServerPublic, which is configured on the ISP router and which the FTD knows nothing about).

Assuming the ISP router is natting the required ports to the FTD outside interface, the example below should work. Just define the correct ports and source address object (WebServerPrivate).

020820_1405_ftdconfigur17.png

Thank you very much Rob,

I also tried this NAT configuration but the server still remains unreachable...

Best

Antonio

Hello,

I share screenshots of my 1010 conf:

Conf1.png, Conf2.png, Conf6.png, Conf3.png, Conf4.png, Conf5.png

Thank you

Best

Antonio

 

reinventy
Level 1

And router cnf:

RouterCnf.png

RouterCnf2.png

RouterCnf3.png

@reinventy run packet-tracer from the CLI and confirm what NAT rule is being matched, provide the output. Example:

packet-tracer input outside tcp 5.5.5.5 3000 80.104.xxx.xxx 443
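The point Rob makes, written out as an added example in the ASA-style syntax that FTD shows in `show running-config nat` (this is not the poster's configuration or a Cisco document; on an FDM-managed 1010 the same rules are built in the NAT page). Object and interface names are the ones used in the thread, and it assumes the TIM HUB+ DMZ setting rewrites the destination to 192.168.0.11 before the packet reaches the FTD:

```cisco
! Added example, not the poster's or Cisco's own configuration.
! Assumption: the ISP router's DMZ forward changes the destination
! of every inbound packet from 80.104.xxx.xxx to 192.168.0.11.

! --- What the first attempt amounts to (never matches) ---
! Packets reach the FTD outside interface addressed to 192.168.0.11,
! so a rule keyed on the public address WebServerPublic is not hit.
object network WebServerPublic
 host 80.104.xxx.xxx
object network WebServerPrivate
 host 192.168.2.25
object service HTTPS
 service tcp destination eq 443
nat (outside,inside_3) source static any any destination static WebServerPublic WebServerPrivate service HTTPS HTTPS

! --- Translate behind the outside interface instead ---
! Object NAT: the outside interface address (192.168.0.11) forwards
! TCP/443 to 192.168.2.25. An object takes one nat statement, so
! cPanel on TCP/2087 gets a second object with the same host.
object network WebServerPrivate
 host 192.168.2.25
 nat (inside_3,outside) static interface service tcp https https
object network WebServerPrivate_cpanel
 host 192.168.2.25
 nat (inside_3,outside) static interface service tcp 2087 2087

! --- Verify which rule a real inbound packet hits ---
! Destination is the outside interface address, i.e. what the router
! forwards to, not the public IP the FTD never owns. The output's
! NAT phase names the matched rule and the untranslated address.
packet-tracer input outside tcp 5.5.5.5 3000 192.168.0.11 443
packet-tracer input outside tcp 5.5.5.5 3000 192.168.0.11 2087
```

If the packet-tracer result shows the ACCESS-LIST phase dropping the flow after NAT succeeds, the access rule (outside_zone to inside_zone, destination WebServerPrivate) is what needs adjusting rather than the NAT rule.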
