05-17-2024 03:24 PM
I have configured NAT and access control on Firepower FTD but it doesn't seem to work. I have a Draytek router that connects to the ISP via PPPoE, and my Firepower connects to the Draytek on intf1; intf3-8 is a VLAN which connects 3 web servers, and they all need to be NATed to a public IP address. I can access web pages, but none of the servers are accessible via the public IPs on the internet. Please, I need help to check what is wrong. See screenshot attached.
05-18-2024 04:28 AM
Hi Friend
Sorry, can you draw the topology?
Also, with PPPoE, how do you use a static public IP?
MHM
05-18-2024 11:22 AM
Here is the NW topology
05-18-2024 05:15 PM
05-19-2024 11:59 AM
Have you confirmed that port forwarding on the Draytek is correct... and why are you doing NAT on both the Draytek and Firepower? NATing on both the Draytek and Firepower just adds extra complexity. To verify the connectivity through the Firepower device, run packet-tracer and verify that traffic is NATed and allowed through the firewall; if all is good there, then focus your efforts on the Draytek device.
05-20-2024 02:39 AM
There is a NAT policy already on the Draytek router which works without the Firepower FTD. I have configured PPPoE on the FP interface with all the settings used in the Draytek, but it doesn't seem to allow internet through, hence why I am using both.
05-20-2024 01:21 PM
On the Draytek device, is it NATing to the real IP of the server you are having issues with? Or to an intermediary IP which is then again NATed to the real IP of the server?
Also, source ports are usually random high ports so I suggest removing the source port from the access rules.
05-23-2024 01:10 AM
On the Draytek, port redirection is what is implemented: the source IP is the server's and the dest IP is the static from the ISP. I have removed the ports from NAT in FP FTD and only use the ACL to filter the destination ports.
05-20-2024 03:11 AM - edited 05-20-2024 03:15 AM
Thank you for your reply, I will implement this and get back to you. Also are other ACL correct or need changing?
05-20-2024 07:46 AM
Why are you configuring the NAT rules using source ports? If you want to use those NAT rules, you can leave the source port as any, since you will filter the access on the ACL.
05-22-2024 12:28 PM
Any update about this issue?
MHM
05-22-2024 12:32 PM
Yes, so static NAT from 192.168.20.x to 192.168.2.x shows an overlap with 192.168.2.x, which is the outside; same with PPPoE to outside, hence the deployment failed.
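The two mistakes called out in this thread (a static NAT whose translated range overlaps the outside interface's own address, and NAT rules that pin a source port even though clients use random high ports) can be caught before pushing a deployment. The checker below is an added example written for this thread, not Cisco code or FMC output; the rule model, the `192.168.2.50/24` outside address and the public IPs are constructed stand-ins for the poster's real values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class NatRule:
    name: str
    original: str            # real (inside) host or network, CIDR
    translated: str          # mapped (outside) host or network, CIDR
    src_port: Optional[int]  # source-port match on the rule, None = any


def check_nat_rules(rules: List[NatRule], outside_if: str) -> List[Tuple[str, str]]:
    """Return (rule name, problem) pairs.

    Two checks, both taken from the thread above:
      1. The translated range must not contain the outside interface's own
         address; translating a whole /24 onto the outside subnet is what
         produced the 'overlap' error and the failed deployment.
      2. A NAT rule should not match a fixed source port: client source
         ports are random high ports, so such a rule silently never hits.
    """
    outside = ipaddress.ip_interface(outside_if)   # e.g. 192.168.2.50/24
    problems = []
    for r in rules:
        translated = ipaddress.ip_network(r.translated, strict=False)
        if outside.ip in translated:
            problems.append((r.name,
                             f"translated {r.translated} contains outside "
                             f"interface address {outside.ip}"))
        if r.src_port is not None:
            problems.append((r.name,
                             f"source port {r.src_port} is fixed; clients use "
                             f"random high ports, set source port to any"))
    return problems


# Constructed sample: the thread's overlapping /24 rule, one rule with a
# pinned source port, and one correctly written per-server static NAT.
SAMPLE_RULES = [
    NatRule("web-net-static", "192.168.20.0/24", "192.168.2.0/24", None),
    NatRule("web1-static", "192.168.20.10/32", "203.0.113.10/32", 80),
    NatRule("web2-static", "192.168.20.11/32", "203.0.113.11/32", None),
]

if __name__ == "__main__":
    for name, problem in check_nat_rules(SAMPLE_RULES, "192.168.2.50/24"):
        print(f"{name}: {problem}")
```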
05-22-2024 02:37 PM
If a post helped you reach your solution or it provided the solution please select it as a correct answer and / or rate the post.
05-22-2024 11:39 PM