Migrating a TMG configuration to the FDM and wondering if any functionality exists in the FDM for inbound inspection of SSL traffic vs requests from end users. As an example, there is a single internal web server w/ multiple NICs, say 10.10.10.25 and 10.10.10.26 for private addresses. Public facing there are 2 public IP addresses associated w/ the 10 websites; 18.104.22.168 goes to 10.10.10.25 for sites 1-3, and it points to 10.10.10.26 for sites 4 and 5. 22.214.171.124 points to 10.10.10.26 for sites 6-7 and 126.96.36.199 points 8-9 for the other sites. In the TMG you can specify the public IP to listen on and redirect it to an internal DNS name, so no issues there. On the FTD I can specify inbound NATs for 1 IP or the other, so I'm wondering how this can be accomplished, other than moving the sites to more public IPs using external records. This is being managed via FDM by the way.
Would something like the following work as expected (so that I can NAT 2 different public IP addresses to the same private address and have the state table take care of the traffic flow once the initial connection comes from outside)?
```
object network private_1
 nat (inside,outside) static A.B.C.44
object network private_2
 nat (inside,outside) static A.B.C.45
```
You need something unique to distinguish the different servers. Are the web sites using different local ports? If so, you can configure static PAT, sharing the same public IP address.
I might be wrong, but doesn't TMG allow you to host multiple websites on the same port, where it's the FQDN the user connects to that determines the redirection?
Yes, that's correct re the TMG and using FQDNs. So in moving the TMG configuration to the FTD I'm trying to get it mirrored as closely as possible. I'm getting the configuration cleaned up so that 1 public IP is only pointing to 1 single internal address, so that takes care of part of it.
In reviewing the TMG configuration I'm finding that there are instances where 2 public IPs point to the same internal address and the web server on the back end is replying based on the header information. So I'm trying to confirm the FTD should work in a similar fashion, in that the inbound request from user A to public IP 1 for a site will be NATed to server X. If user B connects to a public IP that also gets NATed to server X, the connection state table will keep track of the appropriate NAT for the outbound connection to that user.
Unfortunately no, the FTD won't translate based on the header information like the TMG.
On the FTD you'll have to translate based on IP address or port.
Oh, I know the FTD won't translate on the host header; I just want to make sure I can forward both public IP addresses to the same internal server.
No, you can't have a static NAT with the same source network/IP address (10.100.100.11); there is no way to distinguish between the connections. You'd need to use static PAT, where you differentiate using unique ports.
Thanks. So I'm more concerned w/ the DNAT functionality (similar to if you have an ASA w/ 2 public IPs where you can use a DNAT off of the backup ISP while the primary is working and the ASA maintains the connection table and allows both). If it won't work I'll have to see what can be done in terms of breaking up the IIS configuration onto multiple NICs on the server.
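For reference, the destination-based form of the NAT the original question asks about, written as ASA/FTD CLI. This is an added example and is not part of the thread or anyone's posted config. It assumes 10.10.10.25 is the single web server from the question and A.B.C.44 / A.B.C.45 are the two public addresses from the second post; the object and rule names are illustrative. Instead of two object (auto) NAT entries with the same real host, it uses two manual (twice) NAT rules keyed on the public destination address, which is how the ASA platform expresses "many mapped IPs to one real IP"; FDM exposes the same thing as Manual NAT rules.

```text
! Added example (not from the thread): two public IPs mapped to one inside server
! on ASA/FTD using manual (twice) NAT instead of object NAT.
! Assumptions: server is 10.10.10.25, public addresses are A.B.C.44 and A.B.C.45,
! interfaces are named inside/outside; object names are illustrative.
object network SRV_WEB
 host 10.10.10.25
object network PUB_44
 host A.B.C.44
object network PUB_45
 host A.B.C.45
!
! Evaluated from the outside interface: the source is left untouched (any -> any)
! and only the destination is rewritten. Note the manual NAT ordering for the
! destination part is "destination static <mapped> <real>".
nat (outside,inside) source static any any destination static PUB_44 SRV_WEB
nat (outside,inside) source static any any destination static PUB_45 SRV_WEB
```

In FDM this is two Manual NAT rules with Original Source = any, Original Destination = the public-IP object, and Translated Destination = the server object. The firewall keeps a connection entry per flow, so replies from 10.10.10.25 are untranslated back to whichever public address the client used; IIS still has to pick the site from the Host header, since FTD does not look at it. Two things to check: the access control policy must permit the traffic to the real address (10.10.10.25), not the public one, and because static manual NAT rules are bidirectional, connections the server initiates outbound will be source-translated by the first matching rule (A.B.C.44 here), so order the rules with the address you want the server to egress from first.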