Question about NAT and two Internets (default routes)

adambaack
Level 1

Here is my current setup:

* main location with Firepower 2100 and Internet with DMZ/Servers.  Default route for all networks goes to this firewall.

* new location with Firepower 2100 and Internet with DMZ.

 

Trying to set up a NAT from a DMZ IP address to an Inside address. I followed how our main location is set up for an Inside NAT and set it up like this:

 

Type: Auto NAT/Static

Interfaces: Source-Inside , Destination-Outside

Original Source: inside-server-ip

Translated Source: dmz-server-ip

 

Everything else is untouched.  Only problem is it's not working... I troubleshot it from an outside laptop and the traffic gets to the inside server fine but the source IP is the laptop's real IP and so when the server tries to reply to the laptop it goes out our main firewall connection since the default route for all Internet is there.

 

For some reason I can't think this through... but I need the traffic the server sees to have the interface IP on the Firepower as its source, and not the real IP, so it will route back to the other location's firewall and out that Internet.

I didn't quite follow how your setup is. Is the new site a separate Firepower 2100 from what is installed at the main location?

So you want traffic to flow something like the following?

 

server --> main site FP2100 --> new site FP2100 --> internet

 

The only way I can think of to make this work is to NAT the Internet traffic arriving at the new site FP2100 to a private IP that is routed only toward the new FP2100. Then let NAT do the work.

So you would need to configure twice NAT and not just regular auto-NAT.

--
Please remember to select a correct answer and rate helpful posts

Sorry... hard to explain the new setup. Yes, we have a separate Firepower 2100 pair at a different location on our network. Currently we are in a hub/spoke type network with all locations going through HQ and out the Internet here. We just got the Firepower + Internet at another location on network that I wanted to test out hosting some services off of it.

Currently, the traffic flow for this specific server I'm testing is looking like this:

Incoming: Internet --> new site Firepower --> HQ Server Network --> Server
Reply: Server --> HQ Server Network --> HQ Firepower --> Internet

So reply traffic is going out the wrong Internet trying to respond to my request. A packet capture shows the Internet IP as the source and Server IP as destination. Need the source IP to show as the new site Firepower so traffic is routed properly. Like this:

Incoming: Internet --> new site Firepower --> HQ Server Network --> Server
Reply: Server --> HQ Server Network --> new site Firepower --> Internet

Thanks.

If you can do a quick draft of your current setup so I can see how your traffic flows. Apparently it seems to be a reverse-route problem. Also check what the default route is for the HQ server.

The only way to make this work correctly is to NAT the IPs that come from the Internet to an IP you have routed to the new site Firepower. For example:

Internet --> new site Firepower --> NAT source to 10.1.1.1 --> HQ Server network --> Server

Server --> HQ server network --> new site Firepower --> NAT destination back to original --> Internet

This way the default route at the HQ network will not cause asynchronous routing.

So your NAT statement at the new site Firepower should look something like this:

Manual NAT Rule
Static
Source Zone - HQ Network
Destination Zone - Outside
Original source - Server IP
Translated Source - New site Firepower public IP interface (or any other public IP routed towards the new site Firepower)
Original destination - 10.1.1.1 (or any other IP that you specify to be used specifically for this traffic)
Translated destination - any

Just be sure that 10.1.1.1, or whatever IP you use for this, is routed towards the new site Firepower.

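To make the reverse-route problem concrete, here is a small simulation of the two designs discussed above: plain destination NAT versus the manual (twice) NAT that also hides the Internet client behind 10.1.1.1. This is an added example, not configuration or code from the thread or from Cisco; the addresses, the route table and the firewall names are constructed for illustration.

```python
import ipaddress

# Constructed addresses standing in for the thread's topology (all assumptions).
INTERNET_CLIENT = "203.0.113.10"      # outside laptop
NEW_SITE_PUBLIC = "198.51.100.5"      # public IP routed to the new-site Firepower
SERVER = "10.10.10.50"                # inside server on the HQ server network
NAT_SOURCE = "10.1.1.1"               # the 10.1.1.1 from the thread, routed only to the new site
HQ_FW, NEW_SITE_FW = "hq-firepower", "new-site-firepower"

# HQ server network: default route to the HQ Firepower plus one specific
# route for the NAT address toward the new-site Firepower.
ROUTES = {"0.0.0.0/0": HQ_FW, "10.1.1.0/24": NEW_SITE_FW}

def next_hop(dst):
    """Longest-prefix match, as the HQ server network would forward the packet."""
    addr = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p in ROUTES if addr in ipaddress.ip_network(p)]
    return ROUTES[str(max(matches, key=lambda n: n.prefixlen))]

class NewSiteFirepower:
    """Static destination NAT for the server, optionally twice NAT on the source."""
    def __init__(self, twice_nat):
        self.twice_nat = twice_nat
        self.xlate = {}    # (translated src, server) -> original client, for the return path

    def inbound(self, src, dst):
        dst = SERVER                          # public IP -> server (both designs)
        if self.twice_nat:
            self.xlate[(NAT_SOURCE, dst)] = src
            src = NAT_SOURCE                  # hide the real client behind 10.1.1.1
        return src, dst

    def outbound(self, src, dst):
        """Undo the translation on the reply; only reached if the reply is routed here."""
        orig = self.xlate.get((dst, src), dst)
        return NEW_SITE_PUBLIC, orig

def reply_path(twice_nat):
    """Return (next hop the HQ network picks for the reply, reply as sent to the Internet or None)."""
    fw = NewSiteFirepower(twice_nat)
    src, dst = fw.inbound(INTERNET_CLIENT, NEW_SITE_PUBLIC)
    reply_src, reply_dst = dst, src          # the server replies to whatever source it saw
    hop = next_hop(reply_dst)
    if hop != NEW_SITE_FW:
        return hop, None                     # default route wins: asymmetric, HQ firewall has no xlate
    return hop, fw.outbound(reply_src, reply_dst)
```

Without twice NAT the reply follows the default route to the HQ firewall; with it the reply is pulled back through the new-site Firepower, which restores the client address.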

Hey Marius,

I think that worked. I set the translated source as the 'Inside Interface' and now the server is seeing the return traffic as the Firepower and not the Internet IP Address.

Would this be recommended against, however? NATing an outside IP all the way to the Inside interface? From a security perspective I could see some concern.

Thank you.

So you translated the IP of PCs on the Internet to the inside interface of the FTD? This I would consider a security risk, if my understanding is correct. I would rather you find an IP that is not in use in your network and use that instead. Then it is easier to restrict what that IP has access to further inside the network.

But that being said, you should also be restricting the ports that Internet clients are able to access the server on. For example, if this is a web server, be sure to have an access control policy rule only allowing tcp/80 and/or tcp/443 to that specific server and denying access to all others.


Correct, only when they are accessing the inside server. Can I NAT to an unused IP on the inside network if my Inside Interface is on a /30 subnet?

And yes, it's being restricted to allowing a single port on the Internet from coming through. It's for video streaming so TCP/1935.

Thanks.

Yes, you can NAT to an unused IP as long as all routing to that IP goes towards the interface that is in the NAT statement. Proxy ARP will handle the rest. But for this to work, routing MUST be in place.

denilson.mota
Level 1

Type: Auto NAT/Static

Try this setup and make sure you are using the correct interface name, and also enable the ACL for this network; in the NAT section don't specify any port, leave it blank.

Type: NAT/Static
Interfaces: Source-Inside , Destination-Outside ----> means the inside network will NAT to the outside network.
Original Source: dmz-server-ip
Translated Source: inside-server-ip

Your DMZ server IP is NATted to the outside IP so people can connect through the Internet. Then:
internet ip ----> dmz server ip, then:
dmz server ip ---> inside server ip
reverse route: inside ---> dmz ---> internet
If you have different interfaces like inside, outside, dmz and etc...