380 Views | 3 Helpful | 6 Replies

How to create alias interfaces (for public ip range) on Cisco FTD

peat
Level 1

I'm coming from a Sophos background and this is my first time using FTD.

We have a /29 public IP range that in the Sophos firewall I would just create alias interfaces for each public IP and assign to the physical WAN interface (then do NAT / FW rules to allow traffic inbound to the internal servers etc.).

How do I do this on FTD? I've had a Google and can't seem to find the answer.

Thanks

Accepted Solution

@peat you can create host objects to represent the public IP addresses; you then reference these objects in the NAT rules. FYI, you use the real IP address object in the Access Control Policy (not the public NAT IP address).

And here is the Cisco guide for NAT - https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212702-configure-and-verify-nat-on-ftd.html#toc-hId-1847764705


6 Replies


Thanks, I'll have a read.

Please take a look at this video:

16. Cisco FTD NAT Configuration (youtube.com)

Also, when you configure the outside interface on the FTD with its public IP and subnet mask, the FTD by default proxy ARPs for any public IP in that range; not sure if this is the same behaviour with Sophos firewalls.

Thanks. Yes, this is one of my issues. There are two public IP ranges on this.

The /30 that is the actual public IP on the WAN, and a /29 in a completely different range that is used as the public IPs for the internal servers.

@peat fine, ensure the ISP routes the public /29 to the outside interface IP address of the FTD. Then create NAT rules as described above.

That is not a problem, as @Rob Ingram mentioned, and it is actually quite common these days. Your ISP would need to route the /29 to your /30 public IP, and from the firewall's perspective, once you create the NAT rules they will dictate the traffic flow in this case. Essentially the firewall will look at its NAT rules, and if there is one with a public IP from the /29 range it will proxy for that traffic.
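To make the accepted solution and the routed /29 discussion concrete, here is an added example (not from the original thread or from Cisco's guide) of what the FMC-pushed configuration looks like on the FTD CLI for one internal server, followed by the commands used to verify it. The object and interface names, and the RFC 5737 addresses (203.0.113.2/30 on the outside interface, 198.51.100.8/29 as the ISP-routed block, 10.1.1.10 as the real server, 192.0.2.50 as an Internet client) are assumptions for illustration; you build the objects and the NAT rule in FMC, and the FTD renders them in this ASA-style syntax.

```cisco
! Host objects created in FMC (Objects > Network); the NAT rule references both
object network SRV-WEB-REAL
 host 10.1.1.10
object network SRV-WEB-PUBLIC
 host 198.51.100.10

! The outside interface carries only the /30. Nothing from the /29 is configured on
! any interface: the ISP routes 198.51.100.8/29 to 203.0.113.2, so the FTD never has
! to answer ARP for those addresses on the ISP link.
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.252
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Manual static NAT (Devices > NAT, rule type "Static"). It is bidirectional:
! inbound to 198.51.100.10 is un-NATed to 10.1.1.10, and outbound traffic from
! 10.1.1.10 leaves sourced from 198.51.100.10.
nat (inside,outside) source static SRV-WEB-REAL SRV-WEB-PUBLIC

! Verification from the FTD CLI ("> " prompt after SSH/console login):
show running-config nat
show nat detail

! Simulate an inbound HTTPS connection from the Internet to the public IP. The
! phases show UN-NAT first, then the Access Control Policy lookup, which is why the
! ACP rule must permit the REAL object (10.1.1.10) as destination, not the public IP.
packet-tracer input outside tcp 192.0.2.50 40000 198.51.100.10 443

! Once real connections arrive, the active translation is visible here
show xlate
show conn address 10.1.1.10
```

The packet-tracer output is the quickest way to confirm both halves of the accepted answer at once: if it ends in a drop at the ACP phase while the NAT phase succeeded, the Access Control rule is almost certainly written against the public address instead of the real one. Repeat the NAT rule (with its own pair of host objects) for each server that needs an address from the /29.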
