Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8476
Views
10
Helpful
5
Replies

Firepower - hairpin/reflected NAT rule

Go to solution
Micccc4
Level 1
Level 1

‎11-12-2021 11:03 AM

Hi Everyone,

 

On the FTD 2110 running the newest recommended software (6.6.5-81) we have to interfaces on the inside (internal + dmz) and outside one. In dmz there is a service that is exposed to the internet (NAT to the public IP that is with the same network as outside interface). That service in dmz is to be reached from the internal zone via internet. So the expected flow is:

client in internal zone -> source NATed to public IP of the outside interface -> accessing service from dmz zone from internet.

Unfortunately this doesn't seem to work. So there are 2 questions:

- is it supported on Firepower (I know it was achievable on ASA)

- if not what would be the best workaround

 

Please see attached flow diagram.

All you comments are much appreciated - thanks!

Preview file
42 KB
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎11-12-2021 11:54 AM

@Micccc4 very little information on this scenario, this post is the closest you may find - just amend the destination interface.

View solution in original post

Go to solution
Marius Gunnerud
VIP
VIP
In response to Micccc4

‎11-15-2021 09:44 PM

I do not believe this setup will not work as you are expecting it to work. 

The problem is that you will be NATing the source to the Outside interface public IP.  To NAT to an interface IP the destination interface would need to be the Outside interface, in your scenario the destination interface would be the DMZ interface.  Also, the FTD will drop any traffic to an interface IP that is not the ingress interface IP.  So you would need to use a different IP than the Outside public IP (for example 168.22.22.11).

So your NAT statement should look like the following:

Source interface Inside

Source IP NAT to 168.22.22.11

Destination interface DMZ

Destination IP (162.22.22.22) NAT to real IP of DMZ service

 

Another option would be to use DNS re-write.  This is where the FTD "re-writes" the DNS reply to the real IP of the DMZ service.  This would require firewall openings on the internal interface towards the private IP of the DMZ service.

There are other option also, such as placing a router in the Outside interface zone to perform hairpin routing and perhaps som NAT, but doing this makes the setup quite....dirty....So I do not suggest doing that.

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

5 Replies 5

Go to solution
Rob Ingram
VIP
VIP

‎11-12-2021 11:54 AM

@Micccc4 very little information on this scenario, this post is the closest you may find - just amend the destination interface.

Go to solution
Marius Gunnerud
VIP
VIP

‎11-12-2021 12:22 PM

Are you also trying to NAT the Internal IP to the outside interface public IP when going to the dmz?  Or are you just trying to reach the dmz using a FQDN that resolves to the public IP?

Are you managing the FTD using FMC or FDM?

 

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Micccc4
Level 1
Level 1
In response to Marius Gunnerud

‎11-15-2021 02:58 PM

Thanks a lot for your comments Guys. 

@Rob Ingram - we are going to test shared setup tomorrow or Wednesday and report the status.

@Marius Gunnerud  - end point in the internal zone is learning target's public IP (168.22.22.22) via lookup to public DNS. Then it's initiating the session to that IP. With current setup the idee was that this request will be source NATed to the IP of the Outside interface (168.22.22.10) and then routed to the DMZ service on 168.22.22.22 (inbound static NAT rule).  Firepower capture shows those request on internal interface and it looks like is stops there  

 

I will keep you updated!

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to Micccc4

‎11-15-2021 09:44 PM

I do not believe this setup will not work as you are expecting it to work. 

The problem is that you will be NATing the source to the Outside interface public IP.  To NAT to an interface IP the destination interface would need to be the Outside interface, in your scenario the destination interface would be the DMZ interface.  Also, the FTD will drop any traffic to an interface IP that is not the ingress interface IP.  So you would need to use a different IP than the Outside public IP (for example 168.22.22.11).

So your NAT statement should look like the following:

Source interface Inside

Source IP NAT to 168.22.22.11

Destination interface DMZ

Destination IP (162.22.22.22) NAT to real IP of DMZ service

 

Another option would be to use DNS re-write.  This is where the FTD "re-writes" the DNS reply to the real IP of the DMZ service.  This would require firewall openings on the internal interface towards the private IP of the DMZ service.

There are other option also, such as placing a router in the Outside interface zone to perform hairpin routing and perhaps som NAT, but doing this makes the setup quite....dirty....So I do not suggest doing that.

--
Please remember to select a correct answer and rate helpful posts

Go to solution
Micccc4
Level 1
Level 1
In response to Marius Gunnerud

‎11-20-2021 03:00 AM

@Rob Ingram , @Marius Gunnerud - thanks again for your responses in this ticket. We were prepared to test all possible solutions listed in this ticket but it actually worked fine with the first one (one from post shared by @Rob Ingram). At first it did not work for the reason you have point @Marius Gunnerud but then we have moved that specific NAT rule over the existing Dynamic Rule (which was NATing all outbound traffic to the Outside interface public IP). Thanks again. Case closed!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card