Read source ip from proxy in firepower

raymondluis13
Level 1

Hi,

So I have a proxy and a Firepower.

If users on my network want to access the internet, their traffic goes to the proxy first and then to the Firepower. The problem is, on my Firepower, the source IP becomes the proxy IP instead of the original IP. I want to change the source IP to the original IP. Is there a way to do this? Thank you.

RL

Eric R. Jones
Level 4

We have the same configuration. We configure the Firewall with NAT to translate the inside address to our outside routable and the reverse. All internal addresses go out the Firewall as a single address.

Hi, thanks for the response. I don't quite understand what you mean. So I use my Firepower as an NG-IPS (layer 2 transparent). I have another firewall before that too (Palo Alto).

PC -> Proxy -> palo alto -> Firepower -> internet

My Palo Alto and Firepower don't change the source IP address. But my proxy does. So when the traffic goes through my Firepower, all I see is the proxy IP address instead of the original PC IP address. I want to know how my Firepower can see the original IP address. Thank you.

RL

Eric R. Jones
Level 4

In your FMC or FTD you will create the rule to translate. I'm providing a foundation which you can modify. Hopefully I worded it properly. You should only need the one rule, as the FTDs are stateful and the return traffic should be allowed back in.

object network <IP address object name>
 nat (inside,outside) static <outside ip object name>
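A fuller version of that rule, added here as an illustration and not taken from the original post, in the ASA-style syntax FTD uses (on an FMC-managed FTD the equivalent is built in the NAT policy rather than typed at the CLI). It covers both setups described in this thread: a static one-to-one translation for a single host, and the dynamic PAT that sends all internal addresses out as the firewall's single outside address. The object names, addresses (RFC 5737 documentation ranges) and the interface names inside/outside are placeholders of my choosing, and routed-mode interfaces are assumed. One caveat for the asker's question: this only rewrites the address as traffic leaves the FTD; packets arriving from the proxy still carry the proxy's address, so NAT on the FTD does not recover the original PC address there.

```cisco
! Constructed example (ASA/FTD object NAT), placeholder names and addresses

! --- Static one-to-one NAT for a single host ---
! Internal host that should appear on the outside as a fixed public address
object network PC-INSIDE
 host 10.0.0.25

! Public address the host is translated to (documentation range, placeholder)
object network PC-OUTSIDE
 host 198.51.100.10

! Static NAT is bidirectional, so this single rule also covers return traffic
object network PC-INSIDE
 nat (inside,outside) static PC-OUTSIDE

! --- Dynamic PAT: whole internal subnet leaves as the outside interface address ---
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
```

To confirm the translation is in effect, "show nat detail" lists the rules with hit counts and "show xlate" shows the active translations.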


Eric R. Jones
Level 4

OK, similarly, your Palo Alto sits in a similar location to our DMZ switch, between the proxy and the firewall. The address coming out of the Palo Alto will feed the firewall. The firewall will translate the IP or IPs into the address that exits your firewall.


Eric R. Jones
Level 4

Also, you will have to set up NAT on the proxy so the PC IP is changed to the IP on the outside interface of the proxy. Sorry I left that part out.
