02-04-2019 08:34 PM - edited 02-21-2020 08:46 AM
Hi There
We are running FTD 6.2.2 and are wondering how we go about allowing access to a web server in the DMZ using the public IP address, which is NATed by the FTD device.
Outside - 59.23.x.x
DMZ 172.16.100.x
Inside 192.168.17.x
We have a web server sitting on 172.16.100.10 using a PAT on the FTD with the public routed IP 59.23.x.2 on the outside interface. The issue we have is that this specific piece of software requires access to the web server using the 59.23.x.x address rather than the 172.16.100.10 address.
We set up an internal DNS record pointing www.example.com to 59.23.x.x; however, we are unable to get this configuration to work. On ASA code we used to set up NAT hairpinning, I believe it was called. Does anyone know how to do this in FTD?
02-04-2019 10:41 PM
02-04-2019 11:13 PM - edited 02-04-2019 11:13 PM
Thanks Mohammed, yes, using FMC.
Do you have any screenshot examples at all? In the example above, would my source be the inside interface object and my destination the DMZ interface object?
Then:
Original source 192.168.17.x
Original Destination 59.x.x.x
Translated Source Any IPV4
Translated Destination 172.16.100.10
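For reference, this is what the NAT rule described above (manual/twice NAT from inside to DMZ, matching the public address and translating it to the DMZ host) looks like in ASA-style syntax, which is also the form FTD shows in `show running-config nat` after an FMC deployment. This is an added illustration, not the poster's configuration or an official Cisco example; the object names WEB-DMZ and WEB-PUBLIC, the interface names inside/dmz/outside and the placeholder address 59.23.x.2 are assumptions, and the source translation to the DMZ interface address (FMC: translated source "Destination Interface IP") is one of the two common choices.

```cisco
! Existing static PAT that publishes the DMZ host on the outside (port 443 only).
object network WEB-DMZ
 host 172.16.100.10
object network WEB-PUBLIC
 host 59.23.x.2
! (assumed) outside-facing publication of the server, as the poster describes
object network WEB-DMZ-443
 host 172.16.100.10
 nat (dmz,outside) static WEB-PUBLIC service tcp 443 443

! Hairpin / U-turn rule for inside clients that use the public address.
! Source 192.168.17.0/24 -> inside interface, destination = public IP -> DMZ host.
! The source is PATed to the dmz interface address so the server's replies
! always come back through the FTD, even if the DMZ has another path to inside.
object network INSIDE-NET
 subnet 192.168.17.0 255.255.255.0
nat (inside,dmz) source dynamic INSIDE-NET interface destination static WEB-PUBLIC WEB-DMZ
```

Two things the rule itself does not cover. First, the access control policy matches on real (untranslated) addresses, so the inside-to-DMZ rule that is currently blocking the DMZ has to permit inside zone to DMZ zone for 172.16.100.10 tcp/443; a rule written against 59.23.x.2 will never match. Second, if you would rather the server see the real client addresses (for logging), replace `source dynamic INSIDE-NET interface` with `source static INSIDE-NET INSIDE-NET`, but then the DMZ host must route 192.168.17.0/24 back via the FTD, otherwise the return traffic bypasses the state table and the connection fails.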
02-04-2019 11:38 PM
02-05-2019 07:21 PM - edited 02-05-2019 07:31 PM
Hi Mohammed, appreciate your help
Current situation
You are correct. The 59.x.x.x address is routed to the outside interface of the FTD box from the ISP; it then uses a PAT rule for 59.x.x.x:443 to the DMZ internal subnet of 172.16.100.0 (web server 172.16.100.10). Currently the inside network is blocked from accessing any services on the DMZ by the access control policy.
Required situation
When a user browses from the inside network 192.168.17.x to the outside interface routed IP of 59.x.x.x, we need to terminate this traffic on the web server 172.16.100.10 in the DMZ zone.
If we look at the solution on a Palo Alto, it is the reverse of what you are suggesting and doesn't mention using the DMZ zone at all.
Sorry, I have used another vendor's example; however, I can't find much online about trying to achieve this with Threat Defense.
02-05-2019 09:33 PM
02-06-2019 01:36 PM
Thanks Mohammed,
Not sure why it posted the same thing so many times :)
So no workarounds that you know of?
02-05-2019 07:32 PM - edited 02-06-2019 01:35 PM
02-05-2019 07:34 PM - edited 02-06-2019 01:34 PM