338 Views | 4 Helpful | 6 Replies

Options to NAT to multiple internal servers from internet on FTD?

CiscoBrownBelt (Level 6)

Just checking with the community to see the best option to reach multiple internal servers (say, web servers) from certain sites across the WAN/internet on the FTD?
I was thinking, say, a manual static NAT to an object-group which contains the internal server objects, or something like that?


6 Replies

Round robin is not supported in FTD.

Sorry 

MHM

Thanks again @MHM Cisco World 

Sorry, so you are saying a NAT rule like I described would not alternate traffic to the different servers?

There are two cases:

1- One public IP to multiple servers using the same L4 port (FTD does not support this).

2- One public IP to multiple servers using different L4 ports (FTD supports this).

MHM (accepted solution)

Great thanks that is what I figured


@CiscoBrownBelt wrote:

Just checking with the community to see the best option to reach multiple internal servers (say, web servers) from certain sites across the WAN/internet on the FTD?
I was thinking, say, a manual static NAT to an object-group which contains the internal server objects, or something like that?


For exposing multiple internal web servers to the WAN/Internet via an FTD, the **best option is to deploy a Reverse Proxy/Load Balancer in your DMZ**. A simple static NAT to an object-group won't differentiate between multiple internal web servers sharing the same public IP and standard web ports (80/443). Instead, your FTD will perform a static NAT translating your single public IP to the DMZ-located reverse proxy's private IP. The FTD's Access Control Policy will then allow traffic from the internet to the proxy, and from the proxy to your internal web servers, with robust threat inspection applied to both flows. This approach centralizes SSL, provides intelligent routing, enhances security by hiding internal structure, and allows for load balancing, making it superior to using multiple public IPs for each internal server.

(accepted solution)
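To make the two answers above concrete (MHM's two cases, and the reverse-proxy design in the accepted answer), here is an added configuration example that is not from the thread or from any poster. FTD is normally configured from FMC/FDM; the text below is the ASA-style NAT syntax that FTD renders in `show running-config nat`, which is the easiest form to read. All addresses, interface names and object names are constructed and hypothetical.

```cisco
! Added example, not from the original thread. Addresses, interface names
! (inside/dmz/outside) and object names are constructed placeholders.

! Case 1 (not supported): two servers behind the same public IP on the same L4 port.
! Both stanzas would claim outside:443, so they overlap and cannot coexist, and
! FTD does not round-robin between the members of an object group.
!   object network WEB1-INSIDE
!    nat (inside,outside) static interface service tcp 443 443
!   object network WEB2-INSIDE
!    nat (inside,outside) static interface service tcp 443 443

! Case 2 (supported): one public IP, a distinct public L4 port per server (static PAT).
! Clients reach WEB1 on <public-ip>:8443 and WEB2 on <public-ip>:9443.
object network WEB1-INSIDE
 host 10.10.10.11
 nat (inside,outside) static interface service tcp 443 8443
object network WEB2-INSIDE
 host 10.10.10.12
 nat (inside,outside) static interface service tcp 443 9443

! Accepted-answer design: a single static NAT from the public IP to a reverse proxy
! in the DMZ. The proxy routes by hostname or path to WEB1-INSIDE and WEB2-INSIDE,
! so both servers are reachable on the standard port. The Access Control Policy
! then permits outside -> PROXY-DMZ on tcp/443 and PROXY-DMZ -> the inside web
! servers, with inspection applied to both flows. In practice you would pick either
! Case 2 or this design; both are shown here only for comparison.
object network PROXY-DMZ
 host 10.20.20.5
 nat (dmz,outside) static interface service tcp 443 443
```

The reverse-proxy stanza is the only one the outside world needs to see; the internal server objects no longer carry any NAT, which is what the accepted answer means by hiding the internal structure.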

Great, thanks. Yes, I was planning on doing a better solution, possibly down the road. Able to suggest any of the free solutions out there, lol?
