Firepower 2140 additional external IP range

m.santangelo
Level 1

Hello all, happy Wednesday.

We have a Firepower 2140 on 7.0.1.1 build 11, and prior to yesterday, our outside IP range was limited to a single /27 network.  Yesterday as part of a HSRP installation, we got assigned an additional outside range, a /28.  I'm not 100% certain where I need to look in the FMC to define this network as it's completely different from our existing range.  It isn't contiguous, and is in fact a completely separate range, so I'm not sure if I need to add a whole extra physical interface with that range assigned to it or not.  When I try to edit the existing Outside interface, 1/13, I don't see the ability to add a second range, nor does it seem to be OK with a comma separated list.

Happy to provide any other information, just not sure what all would be needed.

Thanks!

3 Replies

Octavian Szolga
Level 4

Hi,

The fact that you got a new subnet does not necessarily mean that you have to configure it on an interface.

The ISP will route that new subnet towards your existing Outside IP.

It's up to you what to do with it:

1. further subnet the network into a new DMZ and use an IP from that new subnet on FTD (gateway for hosts belonging to that new subnet)

2. leave everything as is and just use NAT (static/dynamic, your call) and use IPs from that new subnet

BTW - on FTD you don't have the option to add secondary IPs on an existing interface like on a router/switch SVI

BR,

Octavian

As part of option 2, for testing, I did the following:

NAT Rule mapping TestVM-IN (10.1.1.67, a VM on our internal network) to TestVM-EXT (63.247.x.y; one of our new external IPs).

ACL Rule saying ports 80 and 443 are allowed to TestVM-IN.

When I try to access the site on http or https, I get a slow, very slow timeout page.

When I change the TestVM-EXT to one of our existing IPs 24.157.a.b, the site comes up properly, so I am pretty sure I have the NAT and the port configuration set properly. I must be missing something else because I'm not even seeing packets hitting either IP in the logging.

Maybe they're not properly routing our new IP space to us yet. I am very unsure at this point and will need to reach out to them.

Thank you anyway!
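Octavian's option 2 and the test above can be reasoned through with a small model of what the FTD sees: first whether a packet for the new public IP can reach the outside interface at all (on-link in the existing /27, or routed by the ISP to the outside IP), then the static NAT lookup, then the access policy applied to the real inside address. The following is an added example written for this thread, not code from Cisco or from either poster; every address is a constructed RFC 5737 placeholder (198.51.100.0/27 stands in for the existing /27, 203.0.113.0/28 for the new /28), and the ISP routing table is an assumption about what the provider should have installed.

```python
"""Model of inbound handling for a static NAT to a non-contiguous public IP.

Added illustration for the thread, not Cisco or FTD code. All addresses are
constructed placeholders from RFC 5737 documentation ranges.
"""
import ipaddress

# Constructed topology (assumption): existing /27 on the outside interface,
# and a new, non-contiguous /28 that the ISP is supposed to route to us.
OUTSIDE_IFACE = ipaddress.ip_interface("198.51.100.10/27")   # FTD outside IP + existing /27
NEW_RANGE = ipaddress.ip_network("203.0.113.0/28")           # newly assigned /28

# What the ISP routes and where (assumption). None = directly connected.
ISP_ROUTES_OK = {
    ipaddress.ip_network("198.51.100.0/27"): None,
    NEW_RANGE: OUTSIDE_IFACE.ip,                              # /28 routed to our outside IP
}
# Same table before the ISP has installed the new route (the OP's symptom).
ISP_ROUTES_MISSING = {ipaddress.ip_network("198.51.100.0/27"): None}

# Option 2: static NAT, mapped public IP -> real inside host (constructed).
STATIC_NAT = {ipaddress.ip_address("203.0.113.5"): ipaddress.ip_address("10.1.1.67")}

# Access policy keyed on the REAL (post-NAT) address: allowed TCP ports.
ACL = {ipaddress.ip_address("10.1.1.67"): {80, 443}}


def reachability(public_ip, isp_routes=ISP_ROUTES_OK):
    """Why a packet for public_ip would (or would not) arrive at the FTD.

    'on-link'   - inside the outside interface subnet; FTD answers ARP for it
    'routed'    - off-link, but the ISP routes the prefix to our outside IP
    'misrouted' - the ISP routes the prefix to some other next hop
    'unrouted'  - no ISP route covers it; nothing ever hits the firewall logs
    """
    ip = ipaddress.ip_address(public_ip)
    if ip in OUTSIDE_IFACE.network:
        return "on-link"
    for prefix, next_hop in isp_routes.items():
        if ip in prefix:
            return "routed" if next_hop == OUTSIDE_IFACE.ip else "misrouted"
    return "unrouted"


def inbound_decision(dst_ip, dst_port, isp_routes=ISP_ROUTES_OK):
    """Order of operations for an inbound connection to a mapped IP.

    1. can the packet reach the outside interface?
    2. untranslate the destination via the static NAT table
    3. apply the access policy to the real inside address
    Returns (verdict, real_destination_as_str_or_None).
    """
    dst = ipaddress.ip_address(dst_ip)
    reach = reachability(dst, isp_routes)
    if reach in ("unrouted", "misrouted"):
        return ("dropped-upstream:" + reach, None)   # never reaches the FTD
    real = STATIC_NAT.get(dst)
    if real is None:
        return ("no-nat-match", None)                # nothing inside owns this IP
    if dst_port not in ACL.get(real, set()):
        return ("acl-denied", str(real))
    return ("allowed", str(real))


def nat_table_problems(nat_table=STATIC_NAT, owned=(OUTSIDE_IFACE.network, NEW_RANGE)):
    """Mapped IPs that are in none of the ranges we actually own (typo check)."""
    return sorted(str(m) for m in nat_table if not any(m in net for net in owned))


if __name__ == "__main__":
    for port in (443, 22):
        print("ISP routed  ", port, inbound_decision("203.0.113.5", port))
    print("ISP missing ", 443, inbound_decision("203.0.113.5", 443, ISP_ROUTES_MISSING))
    print("NAT problems", nat_table_problems())
```

The `ISP_ROUTES_MISSING` case is the one to rule out first when a correct NAT and access rule still show no hits: a mapped IP in the existing /27 works because the FTD answers ARP for it on the outside segment, while an address in a separate /28 only ever arrives if the provider's next hop for that prefix is the FTD's outside IP. On the FTD itself, `packet-tracer input outside tcp <external-src> 12345 <mapped-ip> 443` confirms the NAT and policy path, but it cannot show whether the ISP is forwarding the prefix at all; that needs a trace from outside or the provider's confirmation.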

balaji.bandi
Hall of Fame

The routing part is good as long as the ISP routes it to your network.

What you'd like to use the new subnet for is purely your requirement. You can use a pool of IPs in dynamic NAT or static NAT for incoming traffic and so on.

You don't need to configure any interface; you can make use of the new subnet as objects or object groups for your intended usage.

Below is the configuration guide for reference:

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212702-configure-and-verify-nat-on-ftd.html#anc12


BB
