Firepower: publish internal web server

Roy Lee
Level 1

Hi all,

I am new to Firepower and am now migrating from an ASA 5520 to a Firepower 2110 (FTD 6.2.2).

I have finished the initial setup of the Firepower 2110 with Firepower Device Manager (FDM), with the outside interface at 113.x.x.2/24 and the inside interface at 192.168.1.2, for example.

We have 64 public IP addresses.

I am going to publish an internal web server to the Internet using FDM.

I followed the Cisco document "Providing Access to an Inside Web Server (Static Auto NAT)":

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/fdm/fptd-fdm-config-guide-622/fptd-fdm-nat.html#task_3FA99245557D4DA4860FE90BCEF771A1


Here HKCitrixIT01Internal is the internal address (192.168.1.5, for example) and HKCitrixIT01Ext is the public address (113.x.x.5, for example).

I can't find a reference about the Access Control rule for web server publishing, so I simply created an Access Control rule to allow any service.

However, it failed.

I can ping the outside interface public IP 113.x.x.2 from the Internet, but a ping to 113.x.x.5 fails.

I also checked the policy hits on the Monitoring page, and the hit count is zero ...

Any advice?

Thanks.

Notmen


6 Replies

Rahul Govindan
VIP Alumni

Change the Access rule destination network to HKCitrixIT01Internal. The Firepower (and ASA) Access rules should reference the internal server IP address.

https://www.cisco.com/c/en/us/td/docs/security/firepower/610/fdm/fptd-fdm-config-guide-610/fptd-fdm-access.html#ID-2124-00000055

Access rules always use the real IP addresses when determining an access rule match, even if you configure NAT. For example, if you configure NAT for an inside server, 10.1.1.5, so that it has a publicly routable IP address on the outside, 209.165.201.5, then the access rule to allow the outside traffic to access the inside server needs to reference the server’s real IP address (10.1.1.5), and not the mapped address (209.165.201.5).

Dear Rahul,

I tried changing the destination network to HKCitrixIT01Internal, but no luck.

I also changed the destination zone to inside_zone; no luck.

The policy hit count still stays at zero. It seems no packets arrive at the outside interface?
Is ping allowed by default? I can ping the outside Internet IP 113.x.x.2 only.

Thanks,

Notmen

Hello Roy, 

I ran into a similar issue when I was first using FDM. I think the issue that I ran into is that if you accept the default NAT policies configured when you first load FDM, the (any,outside) PAT statement has precedence over the other policies. 

Edit this policy and change the source interface to inside (or whatever the nameif of your segment is).

Try a packet tracer to your internal server from an internet address before and after your change and you should see a change in the behavior of your NAT processing in the packet-tracer output.

Hope that helps!

-A
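As an added check that is not part of Aaron's post: the FTD CLI commands that make the NAT rule order and the before/after packet-tracer result visible. The Internet source address 203.0.113.10 is a constructed placeholder, "outside" is the interface name used in this thread, and 113.x.x.5 is the thread's masked public address, which must be replaced with the real one.

```text
> show nat
  # Lists the NAT rules in evaluation order: manual rules in Section 1
  # (where the FDM default (any,outside) dynamic PAT rule lives), then
  # auto NAT rules in Section 2 (where the static rule 192.168.1.5 -> 113.x.x.5
  # lives). The translate_hits / untranslate_hits counters on each rule show
  # which rule the inbound connection attempts are actually hitting.

> packet-tracer input outside tcp 203.0.113.10 40000 113.x.x.5 80
  # Simulates a TCP/80 connection from the constructed address 203.0.113.10
  # arriving on the outside interface for the published address.
  # Before the fix: the phase with "Type: NAT" does not show the static rule
  # untranslating 113.x.x.5 to 192.168.1.5, and the Access Control rule is not
  # reached (which is why the Monitoring page shows zero hits).
  # After changing the PAT rule's source interface to inside, re-run the same
  # command: the NAT phase should now show 113.x.x.5 -> 192.168.1.5 and the
  # access-list phase should match the Access Control rule for the server.
```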

Dear Aaron,

Thank you very much!! You saved my day!

It should be very helpful for other newbies to Firepower devices.

BTW, your FDM interface is more advanced than mine. What is your FTD version?

Regards,

Roy

Whoops, sorry, I think that screenshot was from the 6.3 beta.

Hi Roy Lee,

Can you share the NAT configuration you have done on the FTD?

Thanks in advance
