cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
260
Views
0
Helpful
5
Replies

Read source ip from proxy in firepower

raymondluis13
Beginner
Beginner

Hi,

So i have a proxy and a firepower.

If user on my network want to access internet, they traffics goes to proxy first and then goes to firepower. The problem is, on my firepower, the source ip become proxy ip instead of original ip. I want to change the source ip into the original ip. Is there a way to do this? thank you

RL
5 Replies 5

Eric R. Jones
Enthusiast
Enthusiast

We have the same configuration. We configure the Firewall with NAT to translate the inside address to our outside routable and the reverse. All internal addresses go out the Firewall as a single address.

hi, thanks for the response. Im not quite understand what you mean. so i use my firepower as NG-IPS (layer 2 transparent). I have another firewall before that too (Palo alto). 

PC -> Proxy -> palo alto -> Firepower -> internet

My palo alto and firepower dont change the ip address of the source. But my proxy did. So when the traffics goes through my firepower, all i see is the proxy ip address instead of the original pc ip address. I want to know how my firepower can see the original ip address. Thank you.

RL

Eric R. Jones
Enthusiast
Enthusiast

In your FMC or FTD you will create the rule to translate. I'm providing a foundation which you can modify. Hopefully I worded it properly. You should only need the one rule as the FTD's are stateful and the return traffic should be allowed back in.

object network <IP address object name> nat (insdie,Outside) static <outside ip object name>

 

Eric R. Jones
Enthusiast
Enthusiast

ok similarly your palo alto sits in a similar location as our DMZ switch. Between the proxy and the firewall. The address coming out of the palo alto will feed the firewall. The firewall will translate the IP or IP's into the address that exists your firewall.

 

Eric R. Jones
Enthusiast
Enthusiast

Also you will have to setup nat on the proxy so the PC ip is changed to the ip on the outside interface of the proxy. Sorry I left that part out.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers