inside to outside interface IP NAT

manvik
Level 3

Hi Guys

LAN (inside) network - 192.168.10.0/24

WAN (outside)network - for eg 137.14.191.12/28

Device: Cisco Firepower 2100 series managed by vFMC

 

I have around 15 servers residing inside the campus that need to be opened to the public. Each server has a different outside ISP IP. For eg, server one has 137.14.191.15 DNAT to 10.11, server two 137.14.191.16 DNAT to 10.12, etc.

 

I did DNAT for the servers from outside to inside. It is working perfectly. When someone from the outside public network accesses 137.14.191.15, they get connected.

 

Issue is;

When a LAN user (for eg 192.168.10.14) accesses 137.14.191.15, it does not work. Any idea how to get both DNAT scenarios working?

1. outside to 137.14.191.15

2. inside to 137.14.191.15

 

When I add the inside zone to the source objects in the DNAT rule, it works, but the server 10.11 loses its internet connection.

NB: some might wonder why 192.168.10.xx is not accessing the servers using the local IP. It is a specific requirement.

 

Any help appreciated please.

2 Replies

Marvin Rhoads
Hall of Fame

You cannot make the traffic hairpin through the FTD appliance in the way you ask. Traffic would have to actually leave the egress interface (outside) and come back in for the NAT translation to be applied to the flow.

Hi Marvin,

I was expecting this reply. The scenario you mentioned will work and I got it working. The issue was that the NATed local IP will not get internet in this case.

137.14.191.15 DNAT to 10.11

192.168.10.14 accesses 137.14.191.15. It works, but there is no internet for 10.11.

 

This is a very common scenario and can easily be done in other OEM firewalls.
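Editor's note, as an added example that is not part of the thread and not the poster's own configuration: below is how the two NAT rules for one of the servers look in ASA/FTD LINA NAT syntax, which is what FMC deploys to the device and what `show running-config nat` prints on the FTD CLI. The object names (SRV1-REAL, SRV1-MAPPED) are assumptions; the addresses are the ones used in the thread (192.168.10.11 is the "10.11" shorthand, 192.168.10.14 the LAN client). The second rule is the classic hairpin rule: it is a separate (inside,inside) rule, so the first rule is left untouched and still translates the server's own outbound traffic to 137.14.191.15 in both directions.

```text
! Objects (names are assumed for this example)
object network SRV1-REAL
 host 192.168.10.11
object network SRV1-MAPPED
 host 137.14.191.15
!
! Rule 1: the existing publish-to-internet static NAT. It is bidirectional:
! outside -> 137.14.191.15 is untranslated to 192.168.10.11, and
! 192.168.10.11 -> internet leaves as 137.14.191.15.
nat (inside,outside) source static SRV1-REAL SRV1-MAPPED
!
! Rule 2: hairpin for LAN clients that insist on the public IP.
! Ingress and egress interface are both "inside". The destination is
! untranslated from the public to the private address, and the client's
! source is PAT'ed to the inside interface IP so that the server's reply
! comes back through the firewall (otherwise the server would answer
! 192.168.10.14 directly on the same subnet and the client, expecting a
! reply from 137.14.191.15, would reset the connection).
nat (inside,inside) source dynamic any interface destination static SRV1-MAPPED SRV1-REAL
!
! On an ASA the same-interface flow also needs this line; on FTD check
! whether it is already present with:
!   show running-config same-security-traffic
same-security-traffic permit intra-interface
```

In FMC the second rule is a Manual NAT rule with the inside interface object as both source and destination interface, Translated Source set to "Destination Interface IP" (the option name is from memory and should be checked in the deployed version), Original Destination SRV1-MAPPED and Translated Destination SRV1-REAL. To verify the device's view of the flow without waiting for a user to test, run `packet-tracer input inside tcp 192.168.10.14 12345 137.14.191.15 443` on the FTD CLI and confirm that a NAT phase shows the destination rewritten to 192.168.10.11 and the output interface is inside. If the requirement to use the public address were only about DNS names rather than the literal IP, the `dns` keyword on rule 1 (DNS doctoring) would let LAN clients resolve straight to the private address and avoid the hairpin entirely.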
