NAT / VIP on FTD 6.1

benatnordisk
Level 1

Hi all!

   New to FTD...

   On other firewalls I've worked on, you could set up a "virtual" IP on the firewall itself that it could then NAT to hosts behind the firewall.  I know where to set up the NAT rules using FMC, but where do we set the additional IP (or VIP-equivalent) on the specific interface?  BTW, this is a Firepower 4100 running FTD, not an ASA...

Thanks!

1 Reply

christianh98114
Level 1

Hi there,


I know this question is pretty old but I wanted to see if I could give it an answer in case anyone ever stumbled on it again. Currently, to my knowledge, FTD does not support any kind of VIP object (similar to the FortiGate VIP that does the NAT for you) and any NATing will need to be done purely through the NAT section of FDM / CDO / FMC / etc.


You can think of it in terms of (very simplified, and poorly written) ASA code like the following:

! real interface and real object come first, mapped interface and mapped object second
nat (dmz,wan) source static Server-Private Server-Public


In essence, the Server-Public address from the above example would be a pseudo-VIP as your wan interface isn't necessarily assigned that IP.


For this example, you'd also want to write your ACLs to allow inbound traffic to your Server-Private subnet specifically:

access-list WAN-TO-WEBDMZ extended permit tcp any object Server-Private eq http
access-list WAN-TO-WEBDMZ extended permit tcp any object Server-Private eq https


Hope this helps. If I've made any mistakes, please let me know and I'll get them corrected ASAP. Thanks!
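As an added example that is not part of the original answer, here is the same pseudo-VIP spelled out as a complete ASA 9.x configuration fragment: the network and service objects, the twice NAT rules restricted to the published ports, the ACL and the access-group that applies it. The object names are taken from the answer above; the interface names wan and dmz, the public address 203.0.113.10 and the DMZ address 10.10.10.10 (documentation ranges) are constructed for the example. On FTD the equivalent rules are built in the FMC or FDM NAT policy and access control policy rather than typed at a CLI.

```cisco
! Added example, not code from the original post. Assumed names: interfaces
! wan and dmz, public host 203.0.113.10 (TEST-NET-3), DMZ host 10.10.10.10.
object network Server-Private
 host 10.10.10.10
object network Server-Public
 host 203.0.113.10
!
! In a (dmz,wan) rule the DMZ server is the source, so the ports to translate
! are its source ports: one service object per published port.
object service tcp-src-80
 service tcp source eq 80
object service tcp-src-443
 service tcp source eq 443
!
! Twice NAT written from the real (dmz) side: real interface and real object
! first, mapped interface and mapped object second. Static rules are
! bidirectional, so inbound connections to 203.0.113.10 reach 10.10.10.10.
nat (dmz,wan) source static Server-Private Server-Public service tcp-src-80 tcp-src-80
nat (dmz,wan) source static Server-Private Server-Public service tcp-src-443 tcp-src-443
!
! ASA 8.3 and later: the ACL matches the real (untranslated) address, so the
! permit is written to Server-Private, and only for the published ports.
access-list WAN-TO-WEBDMZ extended permit tcp any object Server-Private eq http
access-list WAN-TO-WEBDMZ extended permit tcp any object Server-Private eq https
access-group WAN-TO-WEBDMZ in interface wan
!
! Verification from enable mode: confirm the rule and the hit counters, then
! trace a constructed inbound SYN through NAT and the ACL.
! show nat detail
! packet-tracer input wan tcp 198.51.100.7 40000 203.0.113.10 443
```

The reason no VIP object is needed is that, for a static NAT, the ASA answers ARP for the mapped address on the mapped interface by default (proxy ARP), so the upstream router resolves 203.0.113.10 to the firewall as long as that address sits in the wan interface's subnet. If the public address is outside that subnet, the upstream router needs a route for it pointing at the wan interface address instead. Anything not matched by the NAT rules (here, every port other than 80 and 443) is not translated and is dropped by the implicit deny at the end of the ACL, so keep the two lists in step when a new service is published.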
