cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
663
Views
0
Helpful
9
Replies

Problems pulishing webserver from FCM

emurray
Level 1
Level 1

I am traying to reach a website that is on an inside webserver, but I am failing to configure the NAT properly to allow the traffic. In the original source I have the private IP of the server, in the translated source I have the Public IP address which will be used to access the website. I hope anyone can help

NAT 2.pngNAT.png

 

 

1 Accepted Solution

Accepted Solutions

emurray
Level 1
Level 1

I finally opened a Ticket with TAC. I had a mistake on the ports and on the Zone. Below are pictures of how the policy was done and an explanation of my understanding of how it works. Feel free to correct me if I got something wrong

emurray_0-1730554452588.png

 

The original destination is the public IP on which the website will be published to the internet. This will be done thru the outside or internet interface, even if you have a subnet of public IP's and are using one IP from the range to publish the page that is different from you WAN interface public IP. This is very important. 

The translated destination is the actual private IP of the webserver on your internal network.

 

I had all that correct but I had a mistake on the ports, I had the ports specified on the original and source port but that is used in the other NAT rule where you publish the page. In this wan you are intercepting traffic that is already been thru NAT so it is going to a destination port and that's where you put the information. Original destination and translated destination.

I hope this can help anyone. 

emurray_0-1730555188501.png

 

View solution in original post

9 Replies 9

Do you have access rules configured to allow access from the outside?

run a packet-tracer to verify NAT and access rule replace the real source interface name as needed.

packet-tracer input Outside tcp 8.8.8.8 12345 <public IP of server> 80

--
Please remember to select a correct answer and rate helpful posts

It says Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000556fcf5d77df flow (NA)/NA

I have a policy that has outside zone and any network to the inside zone and the private IP of the server and the http port

How the policy should be created?

Marvin Rhoads
Hall of Fame
Hall of Fame

Is your webserver really port 80 (http) only and not port 443 (https)?

Have you verified that nothing else in the ACP (e.g. a rule higher up) is blocking the access and that not other NAT rule conflicts with the public IP address you have assigned your web server?

I was able to solve the issue. Apparently, there were some default policies on the base parent policy interfering with mine.  We can access the website from outside, but we can't from the inside. 

 

I tried configuring the Hairpiring using this website Configure Hairpin with Firepower Management Center - Cisco with no luck. Apart from the Nat configuration, do I need to add another policy for the Hairpiring?

Where on the inside is your PC that you are trying to access the webserver from?  are the server and the PC on the same subnet?

are you able to access the server using the IP address instead of URL?

My guess is that your DNS server is resolving to the public IP for the server.  So if you do not want to change the IP the URL resolves to on your internal DNS server then you would need to configure twice NAT / hairpinning on the FTD as well as access rules allowing the traffic.

--
Please remember to select a correct answer and rate helpful posts

Did configure another NAT Policy but I think I also need to do something else on the policy. But I don't know exactly what the policy will look like. They don't want to do it in the DNS. The DNS is resolving the Public IP

Do inside clients using the private IP even go via the firewall?

If they do, you then probably need an explicit rule allowing the traffic. Normally with FTD, the default is to deny all traffic as the default rule.

You need hairpin NAT if the internal host know the public IP of server.

MHM

emurray
Level 1
Level 1

I finally opened a Ticket with TAC. I had a mistake on the ports and on the Zone. Below are pictures of how the policy was done and an explanation of my understanding of how it works. Feel free to correct me if I got something wrong

emurray_0-1730554452588.png

 

The original destination is the public IP on which the website will be published to the internet. This will be done thru the outside or internet interface, even if you have a subnet of public IP's and are using one IP from the range to publish the page that is different from you WAN interface public IP. This is very important. 

The translated destination is the actual private IP of the webserver on your internal network.

 

I had all that correct but I had a mistake on the ports, I had the ports specified on the original and source port but that is used in the other NAT rule where you publish the page. In this wan you are intercepting traffic that is already been thru NAT so it is going to a destination port and that's where you put the information. Original destination and translated destination.

I hope this can help anyone. 

emurray_0-1730555188501.png

 

Review Cisco Networking for a $25 gift card