10-16-2024 09:25 AM
I'm coming from a Sophos background and this is my first time using FTD.
We have a /29 public IP range that in the Sophos firewall I would just create alias interfaces for each public IP and assign to the physical WAN interface (then do NAT / firewall rules to allow traffic inbound to the internal servers etc.).
How do I do this on FTD? I've had a Google and can't seem to find the answer.
Thanks
10-16-2024 09:28 AM - edited 10-16-2024 09:39 AM
@peat you can create host objects to represent the public IP addresses, then reference those objects in the NAT rules. FYI, you use the real IP address object in the Access Control Policy (not the public NAT IP address).
And here is the Cisco guide for NAT - https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212702-configure-and-verify-nat-on-ftd.html#toc-hId-1847764705
10-17-2024 01:20 AM - edited 10-17-2024 01:22 AM
Thanks, I'll have a read.
10-16-2024 09:36 AM
Please take a look at this video:
16. Cisco FTD NAT Configuration (youtube.com)
Also, when you configure the outside interface on the FTD with its public IP and subnet mask, the FTD by default proxy ARPs for any public IP in that range; not sure if this is the same behaviour with Sophos firewalls.
10-17-2024 01:22 AM
Thanks. Yes, this is one of my issues. There are two public IP ranges on this:
the /30 that is the actual public IP on the WAN, and a /29 in a completely different range that is used for the public IPs of the internal servers.
10-17-2024 01:23 AM
@peat fine, ensure the ISP routes the public /29 to the outside interface IP address of the FTD. Then create NAT rules as described above.
10-17-2024 01:29 AM
That is not a problem, as @Rob Ingram mentioned, and it is actually quite common these days. Your ISP would need to route the /29 to your /30 public IP, and from the firewall's perspective, once you create the NAT rules they will dictate the traffic flow in this case. Essentially the firewall will be looking at its NAT rules, and if there is any with a public IP from the /29 range it will proxy for that traffic.
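The design the two answers above describe (a /30 on the outside interface, a separately routed /29 whose addresses are mapped to internal servers by static NAT) can be sanity-checked before touching FMC. The script below is an added example, not code from the thread or from Cisco: it uses RFC 5737 documentation addresses and made-up server names, classifies each public address as on-link (resolved by proxy ARP) or routed (the ISP forwards it to the interface IP), flags addresses that are neither, and renders the ASA-style object and `nat` lines, which is the form FTD displays in `show running-config nat` (that syntax is assumed here, not taken from the page; the NAT rules themselves are built in the FMC GUI).

```python
import ipaddress

# Constructed example addressing (RFC 5737 documentation ranges, not the poster's real ranges).
WAN_LINK = ipaddress.ip_interface("203.0.113.2/30")      # FTD outside interface; ISP gateway is .1
ROUTED_BLOCK = ipaddress.ip_network("198.51.100.8/29")   # the /29 the ISP must route to 203.0.113.2

# Hypothetical servers: public IP -> (object name, real/internal IP).
NAT_PLAN = {
    "198.51.100.9": ("web01", "10.10.1.10"),
    "198.51.100.10": ("mail01", "10.10.1.20"),
}


def classify_public(addr, wan_link=WAN_LINK, routed_block=ROUTED_BLOCK):
    """How traffic for a public address reaches the FTD's outside interface."""
    ip = ipaddress.ip_address(addr)
    if ip in wan_link.network:
        return "connected"    # same subnet as the ISP router: reached via (proxy) ARP
    if ip in routed_block:
        return "routed"       # ISP forwards it to the interface IP; no ARP involved
    return "unreachable"      # neither on-link nor routed to us: the NAT rule would never see traffic


def validate_nat_plan(plan, wan_link=WAN_LINK, routed_block=ROUTED_BLOCK):
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems = []
    for public, (name, real) in plan.items():
        kind = classify_public(public, wan_link, routed_block)
        if kind == "unreachable":
            problems.append(
                f"{name}: {public} is neither in {wan_link.network} nor in {routed_block}")
        elif kind == "connected":
            # The /30 holds only the ISP gateway and the FTD itself; nothing is free for servers.
            problems.append(
                f"{name}: {public} is on the WAN /30 {wan_link.network}, keep it for the link")
        if not ipaddress.ip_address(real).is_private:
            problems.append(f"{name}: real address {real} is not a private address")
    return problems


def render_nat_config(plan):
    """ASA-style object and NAT lines (assumed to match FTD's `show running-config nat`)."""
    lines = []
    for public, (name, real) in plan.items():
        lines += [
            f"object network {name}-real",
            f" host {real}",
            f"object network {name}-public",
            f" host {public}",
            f"nat (inside,outside) source static {name}-real {name}-public",
        ]
    return lines


if __name__ == "__main__":
    issues = validate_nat_plan(NAT_PLAN)
    if issues:
        for issue in issues:
            print("PROBLEM:", issue)
    else:
        for public, (name, real) in NAT_PLAN.items():
            print(f"{public} ({classify_public(public)}) -> {real}  # ACP rule uses {real}")
        print("\n".join(render_nat_config(NAT_PLAN)))
```

The per-rule printout repeats the tip from the first answer: the Access Control Policy rule for each server must match the real (internal) address, not the public one, because NAT is untranslated before the ACP is evaluated.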