Showing results for 
Search instead for 
Did you mean: 

firepower FTD 6.2.2 hairpin

Luke Fahey

Hi There

We are running FTD 6.2.2 and wondering how we go about allowing access to a webserver in the DMZ using the public ip address which is natted from the FTD device.

Outside - 59.23.x.x

DMZ 172.16.100.x

Inside 192.168.17.x


We have a webserver sitting on using a PAT on the FTD with public routed IP 59.23.x.2 on the outside interface The issue we have is this specific piece of software requires access to the web server utilizing the 59.23.x.x address rather than address.

We setup an internal dns record pointing to 59.23.x.x however unable to get this configuration to work. on ASA code we used to setup NAT hairpinning i believe it was called. Does anyone know how to do this in FTD.

8 Replies 8

Mohammed al Baqari
VIP Advisor VIP Advisor
VIP Advisor
Same thing on FTD. You can do it from NAT Tab and associate the NAT policy
with FTD device assuming you are using FMC

Thanks Mohammed, yes using FMC

Do you have any screenshot examples at all. In the example above would my source be inside interface object, DMZ destination interface object.


Original source 192.168.17.x 

Original Destination 59.x.x.x

Translated Source Any IPV4

Translated Destination

If my understanding is correct you want to access from inside to DMZ on the
IP 59.x.x.x. You need to nat source as DMZ and destination as inside. then
nat the source IP which is your DMZ subnet.

Hi Mohammed, appreciate your help

Current situation

you are correct. The 59.x.x.x address is routed to the outside interface of the FTD box from ISP, it then uses a PAT rule for 59.x.x.x:443 to the DMZ internal subnet of (webserver Currently the inside network is blocked from accessing any services on the DMZ using access control policy.

Required situation

When a user browses from the inside network 192.168.17.x to the outside interface routed IP of 59.x.x.x we need to terminate this traffic on the webserver of in the DMZ zone.


If we look at the solution on a palo alto it is reverse to what you are suggesting and doesnt mention using the DMZ zone at all.


  1. On the Original Packet tab, select the zone you created for your internal network in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone drop-down.
  2. In the Destination Address section, Add the address object you created for your public web server.
  3. On the Translated Packet tab, select Destination Address Translation and then enter the IP address that is assigned to the web server interface on the DMZ network, in this example.
  4. Click OK.

Sorry i have used another vendors example, however i can't find much online about trying to achieve this with threat defense.

Thanks. Now I got the scenario. This was doable in ASA as the command can
be taken with a warning message (nat to an existing subnet associated with
different interface). In FTD, you can't do this, i.e. natting between DMZ
and inside using the outside subnet. It will throw an error.

Thanks Mohammed,

Not sure why it posted the same thing so many times :)

So no work arounds that you know of?


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers