Problems publishing webserver from FMC

emurray (Level 1)

I am trying to reach a website that is on an inside webserver, but I am failing to configure the NAT properly to allow the traffic. In the original source I have the private IP of the server; in the translated source I have the public IP address which will be used to access the website. I hope someone can help.

[attached images: NAT 2.png, NAT.png]


9 Replies

Do you have access rules configured to allow access from the outside?

Run a packet-tracer to verify NAT and the access rule; replace the real source interface name as needed.

packet-tracer input Outside tcp 8.8.8.8 12345 <public IP of server> 80

--
Please remember to select a correct answer and rate helpful posts

It says Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000556fcf5d77df flow (NA)/NA

I have a policy that has the outside zone and any network to the inside zone and the private IP of the server and the HTTP port.

How should the policy be created?

Marvin Rhoads (Hall of Fame)

Is your webserver really port 80 (http) only and not port 443 (https)?

Have you verified that nothing else in the ACP (e.g. a rule higher up) is blocking the access and that no other NAT rule conflicts with the public IP address you have assigned to your web server?

I was able to solve the issue. Apparently, there were some default policies on the base parent policy interfering with mine. We can access the website from outside, but we can't from the inside.

I tried configuring hairpinning using this website (Configure Hairpin with Firepower Management Center - Cisco) with no luck. Apart from the NAT configuration, do I need to add another policy for the hairpinning?

Where on the inside is your PC that you are trying to access the webserver from? Are the server and the PC on the same subnet?

Are you able to access the server using the IP address instead of the URL?

My guess is that your DNS server is resolving to the public IP for the server. So if you do not want to change the IP the URL resolves to on your internal DNS server, then you would need to configure twice NAT / hairpinning on the FTD as well as access rules allowing the traffic.

--
Please remember to select a correct answer and rate helpful posts

I did configure another NAT policy, but I think I also need to do something else on the policy. But I don't know exactly what the policy will look like. They don't want to do it in the DNS. The DNS is resolving the public IP.

Do inside clients using the private IP even go via the firewall?

If they do, you then probably need an explicit rule allowing the traffic. Normally with FTD, the default is to deny all traffic as the default rule.

You need hairpin NAT if the internal hosts know the public IP of the server.

MHM

emurray (Level 1) - Accepted Solution

I finally opened a ticket with TAC. I had a mistake on the ports and on the zone. Below are pictures of how the policy was done and an explanation of my understanding of how it works. Feel free to correct me if I got something wrong.

[attached image: emurray_0-1730554452588.png]

The original destination is the public IP on which the website will be published to the internet. This will be done through the outside or internet interface, even if you have a subnet of public IPs and are using one IP from the range to publish the page that is different from your WAN interface public IP. This is very important.

The translated destination is the actual private IP of the webserver on your internal network.

 

I had all that correct, but I had a mistake on the ports: I had the ports specified on the original and translated source ports, but that is used in the other NAT rule where you publish the page. In this one you are intercepting traffic that has already been through NAT, so it is going to a destination port and that's where you put the information: original destination and translated destination.

I hope this can help anyone. 

[attached image: emurray_0-1730555188501.png]

 
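As an added illustration (not configuration from this thread, and not Cisco's code), the Python model below mimics the NAT and access-control phases that the packet-tracer command suggested earlier in the thread reports, using the three rules discussed here: the publishing rule, the hairpin rule with the port on the original destination, and the broken variant with the port on the original source. Every address, interface name, rule name and ACP rule in it is a constructed assumption; interface names stand in for security zones, and the bidirectional static publishing rule is modelled only in its inbound (outside to inside) direction.

```python
"""Model of FTD/ASA manual (twice) NAT matching followed by the
access-control check, the two phases packet-tracer shows for this case.

Added example, not configuration from the original thread. Addresses are
constructed: 203.0.113.10 is the published public IP (deliberately not the
outside interface address 203.0.113.1), 10.1.1.10 is the web server,
10.1.1.0/24 the inside network and 10.1.1.1 the inside interface address.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed interface addresses; "interface" PAT in a rule resolves against these.
IFACE_ADDR = {"inside": "10.1.1.1", "outside": "203.0.113.1"}


@dataclass(frozen=True)
class Flow:
    in_iface: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    """Fields mirror the FMC manual NAT rule form."""
    name: str
    src_iface: str                    # interface the original packet enters
    dst_iface: str                    # interface the translated packet leaves
    orig_src: str                     # host or network
    orig_dst: str                     # host or network
    xlat_src: Optional[str] = None    # None: unchanged; "interface": PAT to egress address
    xlat_dst: Optional[str] = None    # None: unchanged
    orig_sport: Optional[int] = None  # matching a client's source port is almost always wrong
    orig_dport: Optional[int] = None  # the port the client actually targets
    xlat_dport: Optional[int] = None


@dataclass(frozen=True)
class AccessRule:
    """ACP rule; evaluated against the real (untranslated) server address, as on FTD."""
    src_zone: str
    dst_zone: str
    dst_net: str
    dport: int


def nat_matches(rule: NatRule, flow: Flow) -> bool:
    return (rule.src_iface == flow.in_iface
            and ip_address(flow.src) in ip_network(rule.orig_src)
            and ip_address(flow.dst) in ip_network(rule.orig_dst)
            and (rule.orig_sport is None or rule.orig_sport == flow.sport)
            and (rule.orig_dport is None or rule.orig_dport == flow.dport))


def apply_nat(rules, flow):
    """First matching manual NAT rule wins. Returns (rule name, translated flow) or None."""
    for rule in rules:
        if not nat_matches(rule, flow):
            continue
        src = flow.src
        if rule.xlat_src == "interface":
            src = IFACE_ADDR[rule.dst_iface]
        elif rule.xlat_src:
            src = rule.xlat_src
        xlated = Flow(rule.dst_iface, src, flow.sport,
                      rule.xlat_dst or flow.dst, rule.xlat_dport or flow.dport)
        return rule.name, xlated
    return None


def packet_trace(nat_rules, acp, flow):
    """Mimic the NAT and ACCESS-LIST phases of 'packet-tracer input <iface> tcp ...'."""
    hit = apply_nat(nat_rules, flow)
    if hit is None:
        return {"nat": None, "result": "DROP", "reason": "no NAT rule matched the packet"}
    name, xlated = hit
    for r in acp:
        if (r.src_zone == flow.in_iface and r.dst_zone == xlated.in_iface
                and ip_address(xlated.dst) in ip_network(r.dst_net)
                and r.dport == xlated.dport):
            return {"nat": name, "result": "ALLOW", "egress": xlated}
    return {"nat": name, "result": "DROP",
            "reason": "acl-drop: Flow is denied by configured rule"}


# Publishing rule, inbound direction only (the static rule is bidirectional on the box).
PUBLISH = NatRule("publish-web", "outside", "inside", "0.0.0.0/0", "203.0.113.10",
                  xlat_dst="10.1.1.10", orig_dport=80, xlat_dport=80)
# Hairpin rule for inside clients whose DNS answer is the public IP.
HAIRPIN = NatRule("hairpin-web", "inside", "inside", "10.1.1.0/24", "203.0.113.10",
                  xlat_src="interface", xlat_dst="10.1.1.10", orig_dport=80, xlat_dport=80)
# The mistake from the thread: port placed on the original source instead of the destination.
HAIRPIN_BROKEN = NatRule("hairpin-broken", "inside", "inside", "10.1.1.0/24", "203.0.113.10",
                         xlat_src="interface", xlat_dst="10.1.1.10", orig_sport=80)
# Constructed ACP: both directions permit HTTP to the server's real address.
ACP = [AccessRule("outside", "inside", "10.1.1.10", 80),
       AccessRule("inside", "inside", "10.1.1.10", 80)]

OUTSIDE_CLIENT = Flow("outside", "8.8.8.8", 12345, "203.0.113.10", 80)  # the thread's packet-tracer input
INSIDE_CLIENT = Flow("inside", "10.1.1.50", 40000, "203.0.113.10", 80)  # ephemeral source port

if __name__ == "__main__":
    print(packet_trace([PUBLISH, HAIRPIN], ACP, OUTSIDE_CLIENT))
    print(packet_trace([PUBLISH, HAIRPIN], ACP, INSIDE_CLIENT))
    print(packet_trace([PUBLISH, HAIRPIN_BROKEN], ACP, INSIDE_CLIENT))
```

The third trace returns no NAT hit: the inside client's source port is ephemeral and never equals 80, so a rule keyed on the original source port cannot match, which is the failure the accepted solution describes. With the port on the original destination the same packet is translated to source 10.1.1.1 (inside interface PAT) and destination 10.1.1.10, and the ACP rule for the real server address then allows it. On the appliance itself the equivalent check is the packet-tracer command quoted earlier in the thread, run once with input Outside and once with input Inside and an inside client as the source.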
