10-22-2021 03:59 PM - edited 10-22-2021 04:06 PM
I'm beating my head against a wall here. Here's my scenario.
My ISP provides me with a block of IP addresses. They required me to have a router to route that block of IPs to the ISP network. There is no NAT on this router. From my router, I have three physical devices that utilize my IP block. Two of them are SDWAN routers that work with no issues. Let's ignore these for now. The third device hooked to my router is my FTD firewall. I have multiple web servers in a DMZ behind my FTD, and I need to forward https to those DMZ web servers using more than one public IP. Should be easy. But not.
Relevant IPs
Public IP Subnet: 1.1.1.1/24
FTD's gateway (My router): 1.1.1.1
FTD's Outside IP: 1.1.1.2
FTD's DMZ interface: 10.0.0.1/24
DMZ server: 10.0.0.100/24
Problem 1.
NAT rule for port forwarding:
Source interface = DMZ
Destination interface = Outside
Original source = 10.0.0.100
Original dest = any
original source service = 443
Translated source = interface
translated dest = any
With the NAT rule above configured, packet tracer and a packet capture both show that incoming https traffic doesn't hit ANY NAT rules. Furthermore, when I activate this NAT rule, my web server loses all internet. Disabling this rule gives me internet again. I also have an auto NAT rule to force my web server (10.0.0.100) out the interface IP, and this works for internet access. If I change the auto NAT rule to have a translated source of 1.1.1.3, I lose internet completely. That leads me to problem 2.
Problem 2.
When I configure NAT to force my DMZ server's internet traffic out the IP 1.1.1.3, packet capturing shows traffic going out the outside interface with the correct NATted source, but nothing comes back. In addition, trying to ping or connect to https remotely to the 1.1.1.3 IP never hits the firewall. The router I mentioned at the beginning is actually a L3 switch, and my FTD firewall and two SDWAN routers are all on the same VLAN sharing the block of public IPs. The L3 switch shows a correct ARP entry for my FTD interface 1.1.1.2, but it shows incomplete for the alternate IP address 1.1.1.3. Debugging ARP on the switch, I can see that the firewall never replies to the ARP request for the alternate IP. Here are the ARP entries from my switch.
Internet 1.1.1.2 180 <MAC Address of FTD> ARPA Vlan996
Internet 1.1.1.3 0 Incomplete ARPA
I'm suspecting that proxy ARP may be what I need, but I've had bad experiences with enabling proxy ARP in the past. Since I have two SDWAN routers on the same subnet, I'd be afraid that I would break that. This is a 24/7 network and I'm working remotely, so I can't have downtime.
Any help would be GREATLY appreciated.
Andy
08-11-2022 07:55 AM
Sorry, I didn't realize this topic was still open. It took a while, but I ended up getting a hold of Cisco. There were two separate issues. Problem 1 had to do with the order of NAT rules. I still don't completely understand it, but my NAT rule was overriding my static default route. Trying to remember, but I believe adding a more specific route above it for traffic to my inside network did the trick. For the second issue, since I couldn't use proxy ARP, I had to add static ARP entries into my L3 switch for each of the alternate IP addresses I wanted to use. A bit of a hack, but it worked.
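The check behind the accepted answer, as an added example that is not code from the thread or from Cisco: it parses switch ARP rows in the layout pasted above, lists which translated public addresses the switch never resolved (the ones the firewall is not answering ARP for), and emits the IOS-style static `arp` lines the OP used as a workaround. The FTD MAC (0011.2233.4455) and the extra address 1.1.1.4 are constructed sample values.

```python
import re
from ipaddress import ip_address, ip_network

# One "show ip arp" row in the layout the switch output above uses:
# Internet <ip> <age> <mac | Incomplete> ARPA [<interface>]
ARP_ROW = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}|Incomplete)\s+ARPA"
    r"(?:\s+(?P<iface>\S+))?\s*$",
    re.IGNORECASE,
)

def parse_arp(text):
    """Map IP -> MAC (None when the switch shows the entry as Incomplete)."""
    entries = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line.strip())
        if m:
            mac = m["mac"]
            entries[m["ip"]] = None if mac.lower() == "incomplete" else mac.lower()
    return entries

def unresolved_nat_ips(arp_text, nat_ips, block):
    """Translated addresses inside the public block that the upstream switch could
    not resolve (Incomplete, or never seen at all): the addresses the firewall is
    not answering ARP for, i.e. candidates for proxy ARP or a static ARP entry."""
    net = ip_network(block, strict=False)  # accepts the thread's 1.1.1.1/24 notation
    arp = parse_arp(arp_text)
    missing = [ip for ip in nat_ips
               if ip_address(ip) in net and arp.get(ip) is None]
    return sorted(set(missing), key=ip_address)

def static_arp_commands(ips, firewall_mac):
    """IOS global static ARP lines (the OP's workaround). The MAC must be the
    firewall's outside-interface MAC, the one already learned for 1.1.1.2."""
    return [f"arp {ip} {firewall_mac} arpa" for ip in ips]

# Constructed sample: the thread's two rows with a made-up FTD MAC.
SAMPLE_ARP = """Internet 1.1.1.2 180 0011.2233.4455 ARPA Vlan996
Internet 1.1.1.3 0 Incomplete ARPA
"""
# 1.1.1.2 is the interface IP, 1.1.1.3 is the alternate IP from the thread,
# 1.1.1.4 is a constructed extra translated address absent from the ARP table.
NAT_IPS = ["1.1.1.2", "1.1.1.3", "1.1.1.4"]

if __name__ == "__main__":
    ftd_mac = parse_arp(SAMPLE_ARP)["1.1.1.2"]
    pending = unresolved_nat_ips(SAMPLE_ARP, NAT_IPS, "1.1.1.1/24")
    for cmd in static_arp_commands(pending, ftd_mac):
        print(cmd)
```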
08-11-2022 01:10 AM
Necro, but yeah, you need proxy ARP.
08-11-2022 03:01 AM
show run nat <<- I need to see this