10-05-2024 10:46 PM
I have FMC and configured hairpin NAT to access the web server by its public IP from the internal LAN. It works fine when I access the web server by its public IP from the internal LAN, but the problem is that when I try to reach the web server by its internal IP from the internal LAN, FMC drops the packet.
10-06-2024 01:44 AM
Where is the gateway for this subnet? On the FTD?
If it is the same subnet, it should not be. Are you trying to access using the IP address or the DNS FQDN? In this kind of scenario, always have a DNS A entry for the local IP to resolve.
Check some config (hope you came across this document) - clear the NAT and test it.
https://integratingit.wordpress.com/2021/07/11/ftd-nat-reflection/
10-06-2024 06:28 AM
The gateway is on the FTD, the subnet is the same, and I am trying to access by IP. If I disable the NAT rule, it works.
10-06-2024 02:16 AM
In the NAT advanced settings
there is an option
"Translate DNS replies that match this rule"
This option is needed to translate the private IP to the public IP for the DNS reply.
MHM
10-06-2024 06:30 AM
But this option is inactive. I think I don't have an error in my NAT rule, but it works incorrectly.
10-07-2024 12:52 AM
Is this your network?
If yes, then there is no need for hairpin NAT; you can use FTD NAT from the external user to the server and add the option
"Translate DNS replies that match this rule"
NOTE: here the traffic does not pass via the FTD.