Roy Lee
Beginner

FirePower publish internal webserver

Hi all,

I am new to FirePower, and now migrating ASA 5520 to FirePower 2110 (FTD 6.2.2).

I have finished the initial setup of the FirePower 2110 with FirePower Device Manager (FDM), and specified the outside interface with 113.x.x.2/24 and the inside interface with 192.168.1.2, for example.

We have 64 public IP addresses.

I am going to publish internal webserver to internet by FDM.

I followed the Cisco document "Providing Access to an Inside Web Server (Static Auto NAT)":

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/fdm/fptd-fdm-config-guide-622/fptd-fdm-nat.html#task_3FA99245557D4DA4860FE90BCEF771A1

[Screenshot: NAT.JPG]

Here, HKCitrixIT01Internal is the internal address (192.168.1.5, for example) and HKCitrixIT01Ext is the public address (113.x.x.5, for example).

I can't find a reference for the Access Control rule needed for web server publishing, so I simply created an Access Control rule to allow any service.

[Screenshot: ACL.JPG]

However, it failed.

I can ping the outside interface's public IP 113.x.x.2 from the internet, but pinging 113.x.x.5 fails.

And when I check the policy hits on the Monitoring page, the hit count is zero...

Any advice?

Thanks.

Notmen

ACCEPTED SOLUTION

Hello Roy,

I ran into a similar issue when I was first using FDM. I think the issue I ran into is that if you accept the default NAT policies configured when you first load FDM, the (any,outside) PAT statement takes precedence over the other policies.

[Screenshot: Screenshot 2018-07-25 08.52.47.png]

Edit this policy and change the source interface to inside (or whatever the nameif of your segment is).

Try a packet tracer to your internal server from an internet address before and after your change, and you should see a change in the NAT processing behavior in the packet-tracer output.

[Screenshot: Screenshot 2018-07-25 08.57.07.png]

Hope that helps!

-A
