01-09-2020 09:41 PM - edited 02-21-2020 09:49 AM
Hi Guys
LAN (inside) network - 192.168.10.0/24
WAN (outside) network - e.g. 137.14.191.12/28
Device: Cisco Firepower 2100 series managed by vFMC
I have around 15 servers residing inside the campus that need to be opened to the public. Each server has a different outside ISP IP. For example, server one has 137.14.191.15 DNAT to 10.11, server two 137.14.191.16 DNAT to 10.12, etc.
I did DNAT for the servers from outside to inside. It is working perfectly. When someone from the outside public network accesses 137.14.191.15 they get connected.
Issue is:
When a LAN user (e.g. 192.168.10.14) accesses 137.14.191.15 it does not work. Any idea how to get both DNAT scenarios to work?
1. outside to 137.14.191.15
2. inside to 137.14.191.15
When I add the inside zone to the source objects in DNAT, it works, but the server 10.11 loses its internet connection.
NB: some might be confused why 192.168.10.xx does not access the servers using the local IP. It is a specific requirement.
Any help appreciated please.
01-09-2020 09:53 PM
You cannot make the traffic hairpin through the FTD appliance in the way you ask. Traffic would have to actually leave the egress interface (outside) and come back in for the NAT translation to be applied to the flow.
01-09-2020 11:19 PM
Hi Marvin,
I was expecting this reply. The scenario you mentioned will work and I got it working. The issue was that the NATed local IP will not get internet in this case.
137.14.191.15 DNAT to 10.11
192.168.10.14 accesses 137.14.191.15. It works, but there is no internet for 10.11.
This is a very common scenario and can easily be done in other OEM firewalls.
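The following is an added model of the hairpin flow discussed in this thread, not an FTD/FMC configuration and not code from either poster. It assumes that "10.11" is shorthand for 192.168.10.11 and that the firewall's inside interface is 192.168.10.1 (neither is stated in the thread). It goes slightly beyond the thread by showing the general hairpin-NAT point: when the server sits on the same LAN as the client, its reply never crosses the firewall unless the client's source address is translated as well, so the client sees a reply from the wrong address and the connection fails.

```python
import ipaddress

# Addresses from the thread; "10.11" is assumed to mean 192.168.10.11.
LAN = ipaddress.ip_network("192.168.10.0/24")
CLIENT = "192.168.10.14"
SERVER = "192.168.10.11"
PUBLIC = "137.14.191.15"
FW_INSIDE = "192.168.10.1"   # assumed inside-interface address, not given in the thread


def on_lan(addr):
    return ipaddress.ip_address(addr) in LAN


def firewall_forward(src, dst, source_pat):
    """Translate the client's packet and record the connection entry.
    Destination NAT maps PUBLIC -> SERVER; optional source PAT maps the
    client to the firewall's inside address."""
    new_src = FW_INSIDE if source_pat else src
    new_dst = SERVER if dst == PUBLIC else dst
    conn = {"orig": (src, dst), "xlate": (new_src, new_dst)}
    return new_src, new_dst, conn


def server_reply(pkt_src, pkt_dst):
    """The server answers whatever source address the packet carried."""
    return pkt_dst, pkt_src


def deliver_reply(reply_src, reply_dst, conn):
    """Model the return path. A reply addressed to another host on the
    server's own LAN is switched directly and never reaches the firewall,
    so no reverse translation happens."""
    if on_lan(reply_dst) and reply_dst != FW_INSIDE:
        return reply_src, reply_dst          # bypassed the firewall, untranslated
    if (reply_dst, reply_src) == conn["xlate"]:
        orig_src, orig_dst = conn["orig"]    # firewall reverses both translations
        return orig_dst, orig_src
    return None                              # no matching connection: dropped


def hairpin(source_pat):
    """Run one client -> PUBLIC exchange and report what the client receives."""
    s, d, conn = firewall_forward(CLIENT, PUBLIC, source_pat)
    r_src, r_dst = server_reply(s, d)
    delivered = deliver_reply(r_src, r_dst, conn)
    if delivered is None:
        return "dropped"
    if delivered == (PUBLIC, CLIENT):
        return "ok"
    return f"broken: reply from {delivered[0]} does not match {PUBLIC}"
```

`hairpin(False)` reproduces the failure (the client gets a reply from 192.168.10.11 instead of 137.14.191.15), while `hairpin(True)` shows the return path staying on the firewall once the source is translated too.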