Port forwarding to my Cisco FPR 1010 using FDM

Hi,

I need help please. I'm looking to create a port forwarding rule on my firewall.

I am trying to come from the outside through a UDP port to the inside to my network.

Can someone please guide me on how to create the NAT rule?

 

Thanks Ammar 

Accepted Solution

@AmmarHermiz14196 I googled this and found https://bst.cisco.com/bugsearch/bug/CSCvt22254

Symptom: The deploy will fail with the error "A package file required for deployment, vdb-.tgz, does not exist. The installation of a VDB update package may be required." when trying to deploy after a Restore and the FDM sensor is not able to get VDB update packages from the cloud server.

Conditions: As part of a Restore the sensor needs to have a VDB update package. If the sensor is not updated with a VDB update package, then the deploy performed as part of the restore will fail. This can happen with sensors that have network connection issues to the cloud server, or are in air-gapped networks that cannot connect to the cloud server.

Workaround: After receiving the deploy error, install a VDB update package and deploy again. If the sensor had network connectivity issues, then correct the network issues and then perform an update from the cloud servers. If the sensor is air gapped, the VDB update package can be separately downloaded from Cisco and then uploaded to the sensor using the UI or API using the new feature in 6.6.0. If you are unable to update the VDB package at all, in expert mode if you run "touch /ngfw/var/cisco/deploy/pkg/var/cisco/packages/vdb-.tgz" this should allow you to deploy as well.

37 Replies

@AmmarHermiz14196 create a manual static NAT.

The example below will NAT the webserver "SERVER01" behind the outside interface IP address for HTTPS.

[screenshot: manual static NAT rule for SERVER01 behind the outside interface, HTTPS]

Example here in the section "inbound access" https://integratingit.wordpress.com/2020/02/08/ftd-configuration-using-fdm/

 

Hi Rob.

My situation is that I want to come from the outside to all my inside subnets through a specific IP address and a specific port number. It's a sort of VPN connection I'm trying to do. But the instructions say the opposite, or I am reading them wrong.

 

@AmmarHermiz14196 the NAT rules are bi-directional. In the example, the rule allows inbound access from the outside to a host on the inside.

Thanks! Ammar 

Hi MHM, 

I would have the same response to you: the instructions seem the opposite of what I am trying to do. Thanks

The NAT for a specific port is two-way:
traffic from INside will be NATed to OUTside (same port, different IP)
traffic from OUTside will be NATed to INside (same port, different IP)
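To make the "two-way" point concrete, here is a small Python model of one manual static NAT rule with port translation, written as an added illustration for this thread rather than anything from the thread, from FDM, or from Cisco. It shows that the same rule rewrites the destination on outside-to-inside packets and the source on inside-to-outside packets, and that a non-matching protocol or port leaves the packet untouched. It also models the check a practitioner wants alongside the NAT rule: on FTD the access control policy is evaluated against the real (inside) address, so the NAT rule alone does not admit the traffic. All addresses are constructed sample values (RFC 5737 documentation ranges plus a 192.168.75.x host), and UDP 51820 is assumed here only because it is WireGuard's default port; none of these values come from the original posts.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str        # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticNatRule:
    """One manual static NAT rule with port translation (a port forward).
    'real' is the inside host as it really is; 'mapped' is how it appears
    on the outside interface. Field names are this model's, not FDM's."""
    proto: str
    real_ip: str
    real_port: int
    mapped_ip: str
    mapped_port: int


@dataclass(frozen=True)
class AccessRule:
    """An allow entry in the access control policy, keyed on the REAL
    (untranslated) destination, which is how FTD evaluates it."""
    proto: str
    dst_ip: str
    dst_port: int


def translate_inbound(pkt: Packet, rule: StaticNatRule) -> Optional[Packet]:
    """Outside -> inside: rewrite the destination from mapped to real.
    Returns None when the packet does not match the rule."""
    if (pkt.proto == rule.proto
            and pkt.dst_ip == rule.mapped_ip
            and pkt.dst_port == rule.mapped_port):
        return replace(pkt, dst_ip=rule.real_ip, dst_port=rule.real_port)
    return None


def translate_outbound(pkt: Packet, rule: StaticNatRule) -> Optional[Packet]:
    """Inside -> outside: the same rule, reverse direction. The real host's
    source is rewritten to the mapped address/port."""
    if (pkt.proto == rule.proto
            and pkt.src_ip == rule.real_ip
            and pkt.src_port == rule.real_port):
        return replace(pkt, src_ip=rule.mapped_ip, src_port=rule.mapped_port)
    return None


def permitted(pkt: Packet, acl: List[AccessRule]) -> bool:
    """True if some access rule allows this (already untranslated) packet."""
    return any(r.proto == pkt.proto and r.dst_ip == pkt.dst_ip
               and r.dst_port == pkt.dst_port for r in acl)


def process_inbound(pkt: Packet, rule: StaticNatRule,
                    acl: List[AccessRule]) -> Tuple[Optional[Packet], bool]:
    """Untranslate first, then apply the access policy to the real destination.
    Returns (translated packet or None, allowed?)."""
    real = translate_inbound(pkt, rule)
    if real is None:
        return None, False
    return real, permitted(real, acl)


# Constructed sample policy (not from the thread): one inside host reachable
# on the outside interface address for UDP 51820, plus the matching allow rule.
WG_RULE = StaticNatRule("udp", "192.168.75.10", 51820, "203.0.113.10", 51820)
ACL = [AccessRule("udp", "192.168.75.10", 51820)]

if __name__ == "__main__":
    inbound = Packet("udp", "198.51.100.7", 40000, "203.0.113.10", 51820)
    print("inbound :", process_inbound(inbound, WG_RULE, ACL))
    print("no ACL  :", process_inbound(inbound, WG_RULE, []))
    reply = Packet("udp", "192.168.75.10", 51820, "198.51.100.7", 40000)
    print("outbound:", translate_outbound(reply, WG_RULE))
```

Running the block shows the inbound packet arriving at the real host only when both the NAT match and the access rule agree, and the reply leaving with the outside address as its source without any second rule. If you later see the NAT rule matching in the rule counters but traffic still not arriving, this model points at the access control policy as the next place to look.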

Hi,

It is not working; obviously I am doing it wrong. What I am trying to do is: I have a Raspberry Pi with PiVPN installed on it. I'm trying to figure out how to set up the Cisco FPR 1010.

So what I did: I set up one of the ports on the firewall statically with a DHCP pool. Also, I created the port; it is a must for WireGuard. My NAT looks like below. So what am I doing wrong, or what do I need to do? Please help. I appreciate your help.

[screenshots: the poster's NAT rule configuration in FDM]

 

Do you use NAT for U-turn AnyConnect traffic?

I don't have AnyConnect.

My network setup :

A dynamic IP comes in to the router (Verizon), and DHCP goes out to the firewall. The firewall is connected through DHCP, not static. From the firewall I have 6 networks, all trunked to two switches. I have VLANs set up between all those networks. Everything is working the way I want it.

I have one port left on the firewall unused.

I have a Raspberry Pi hooked up to the Verizon router working as Pi-hole, and of course it's my DNS.

I have another Raspberry Pi I want to install PiVPN on.

So now the questions are:  

- Where do I plug the Raspberry Pi, the one I want to install PiVPN on: the router or the empty port on the FW?

- I have to open a specific UDP port for port forwarding, so should I open it on the router or the FW?

- Do I need to create a network object or a host on the FW?

- How should the NAT and access list look?

To be honest, setting up PiVPN is very easy, but what makes it difficult, at least in my world, is the Cisco firewall.

 

As always, thank you very much for your help and time.

Ammar 

 

So to confirm:
you have Pi-VPN (S2S VPN, not remote access VPN), and you want to bypass this VPN traffic through the FPR, so we need to NAT the private IP behind the FPR to the public IP (OUTSIDE)?
Am I right?

Yes. You are right.

You have a free public IP,
then you need static NAT 1:1.
[screenshot: the poster's NAT rule, annotated for a 1:1 static NAT]

So if I understood correctly.

Create a network object for the inside 192.168.75.x/24?

Plug the RasPi into the FPR, and make the interface type static and give it an IP 192.168.77.x/24?

I don't have a DMZ; it is my home network.

Thank you.

Ammar
