01-05-2019 04:08 AM - edited 02-21-2020 08:37 AM
Hello,
I have a couple of web servers in my network which are accessible from outside and also from inside. I am trying to force one VLAN to access these servers from outside, but whenever a request from this VLAN hits the FTD it resolves the egress interface and uses the private IP of the server (Inside-Zone). Is there any way to force this VLAN to access the servers from outside only?
Here is the packet-tracer output:
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xff0623af40, priority=13, domain=capture, deny=false
hits=195571, user_data=0xff65d31360, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=Wireless, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xff0610be40, priority=1, domain=permit, deny=false
hits=71899, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Wireless, output_ifc=any
Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.80 using egress ifc Inside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip ifc Wireless any ifc Inside any rule-id 268435721 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268435721: ACCESS POLICY: NISR-Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435721: L4 RULE: Block access to sales
Additional Information:
Forward Flow based lookup yields rule:
in id=0xff0ed2ffe0, priority=12, domain=permit, deny=true
hits=6344, user_data=0xffa8552300, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=Wireless
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=Inside, vlan=0, dscp=0x0
input_ifc=any, output_ifc=any
Result:
input-interface: Wireless
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
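The trace above is easier to reason about once the phases are pulled apart: the ROUTE-LOOKUP phase fixes the egress interface (Inside) before the access policy is consulted, so the Wireless-to-Inside deny in phase 4 is the rule that matches. The Python below is an added example, not part of the original post or of any Cisco tool; it parses packet-tracer text, pulls out the egress decision and the ACE that dropped the flow, and distinguishes the `advanced` deny line from the remark lines that carry the same rule-id. The sample input is a copy of the trace above trimmed to phases 3 and 4 plus the summary (constructed for the example); the class and function names are the example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the poster's trace above, trimmed to phases 3 and 4 plus the summary.
SAMPLE = """\
Phase: 3
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
found next-hop 192.168.1.80 using egress ifc Inside
Phase: 4
Type: ACCESS-LIST
Result: DROP
Config:
access-list CSM_FW_ACL_ advanced deny ip ifc Wireless any ifc Inside any rule-id 268435721 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268435721: L4 RULE: Block access to sales
Result:
input-interface: Wireless
output-interface: Inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

@dataclass
class Phase:
    number: int
    type: str = ""
    result: str = ""
    lines: list = field(default_factory=list)   # ACEs, remarks, route-lookup text, verbatim

@dataclass
class Trace:
    phases: list
    summary: dict   # the trailing "Result:" block: interfaces, Action, Drop-reason

_SKIP = {"Config", "Additional Information"}   # section headers that carry no value

def parse_packet_tracer(text):
    phases, summary = [], {}
    current, in_summary = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^Phase:\s*(\d+)$", line)
        if m:                                   # a new phase begins
            current = Phase(int(m.group(1)))
            phases.append(current)
            continue
        if line == "Result:":                   # a bare "Result:" opens the final summary
            in_summary, current = True, None
            continue
        key, sep, val = (s.strip() for s in line.partition(":"))
        if in_summary:
            summary[key] = val
        elif current is None:                   # text before the first phase: ignore
            continue
        elif key == "Type":
            current.type = val
        elif key == "Result":
            current.result = val
        elif not (key in _SKIP and sep and not val):
            current.lines.append(line)
    return Trace(phases, summary)

def egress(trace):
    """(next-hop, egress interface) chosen by the ROUTE-LOOKUP phase, or None."""
    for p in trace.phases:
        if p.type == "ROUTE-LOOKUP":
            for ln in p.lines:
                m = re.match(r"found next-hop (\S+) using egress ifc (\S+)", ln)
                if m:
                    return m.group(1), m.group(2)
    return None

def drop_phase(trace):
    return next((p for p in trace.phases if p.result == "DROP"), None)

def drop_rule_id(trace):
    """rule-id of the ACE that dropped the flow, taken from the 'advanced' line, not a remark."""
    p = drop_phase(trace)
    for ln in (p.lines if p else []):
        if ln.startswith("access-list") and " advanced " in ln:
            m = re.search(r"rule-id (\d+)", ln)
            if m:
                return m.group(1)
    return None

def explain(trace):
    """One-line verdict: where the flow would exit, and which rule stopped it."""
    parts = []
    e = egress(trace)
    if e:
        parts.append(f"egress resolved to {e[1]} via next-hop {e[0]}")
    p = drop_phase(trace)
    if p:
        parts.append(f"dropped in phase {p.number} ({p.type}) by rule-id {drop_rule_id(trace)}: {trace.summary.get('Drop-reason', '?')}")
    else:
        parts.append(f"action {trace.summary.get('Action', '?')}")
    return "; ".join(parts)
```

`explain(parse_packet_tracer(SAMPLE))` reports the Inside egress and rule-id 268435721 as the cause of the drop. The same parser works on the full output of `packet-tracer input <ingress-ifc> tcp <src-ip> <src-port> <dst-ip> <dst-port>` pasted from the FTD CLI; the point to take from phase 3 is that the egress zone is decided by the routing table, so any ACP rule meant to match this flow must be written against the Inside zone.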
01-05-2019 04:50 AM
As long as the FTD is running routed interfaces, the system will always use the best known route for egress. You cannot force the traffic to go through the appliance to the outside interface and then "turn around" and re-enter the appliance.
01-05-2019 05:42 AM
Thank you Marvin, is there any workaround that can help here?
01-05-2019 06:17 AM
There's often some way we can "hack" a technical solution.
What's the underlying functional requirement that you're trying to achieve?
01-05-2019 06:23 AM
I am only looking to allow web browsing to those servers from outside, just to keep this VLAN totally isolated from the internal network.
01-05-2019 06:28 AM
Since you are going to allow access to those servers, why not just put in ACP rules to permit that specific access and block all other access?
That would be a standard way of handling it and would not incur the technical debt of a more complex solution.
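Marvin's answer above comes down to first-match ordering: put a narrow permit for the web ports on the specific server above the blanket Wireless-to-Inside block. Because the route lookup in phase 3 already fixed the egress zone as Inside, and the ACE in the trace carries `use_real_addr` (the rule is evaluated against the real, pre-NAT address), the permit has to name the Inside zone and the server's private IP rather than its public one. The Python below is an added example, not part of the thread or of any Cisco product; it simulates that first-match evaluation over constructed flows. Assumptions, all the example's own: 192.168.1.80 (the next-hop in the poster's route lookup) is taken to be the server itself, 10.20.30.0/24 is used for the Wireless VLAN, a Wireless-to-Outside permit is included so the VLAN keeps Internet access, and the policy's default action is block.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches anything; otherwise "tcp" / "udp"
    src_ifc: str           # ingress zone, or "any"
    src: str               # CIDR, or "any"
    dst_ifc: str           # egress zone as resolved by the route lookup, or "any"
    dst: str               # CIDR, or "any"
    dst_ports: tuple = ()  # empty tuple = any port

@dataclass(frozen=True)
class Flow:
    proto: str
    src_ifc: str
    src_ip: str
    dst_ifc: str           # what phase 3 (ROUTE-LOOKUP) decided, not what the sender intended
    dst_ip: str            # real (pre-NAT) address, as the use_real_addr flag in the trace implies
    dst_port: Optional[int] = None

def _ip_in(pattern, ip):
    return pattern == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)

def matches(rule, flow):
    return (rule.proto in ("ip", flow.proto)
            and rule.src_ifc in ("any", flow.src_ifc)
            and rule.dst_ifc in ("any", flow.dst_ifc)
            and _ip_in(rule.src, flow.src_ip)
            and _ip_in(rule.dst, flow.dst_ip)
            and (not rule.dst_ports or flow.dst_port in rule.dst_ports))

def evaluate(rules, flow, default="deny"):
    """First matching rule wins; the policy default action is assumed to be block."""
    for r in rules:
        if matches(r, flow):
            return r.action
    return default

WEB_SERVER = "192.168.1.80/32"   # assumed: the next-hop in the poster's trace is the server itself

DENY_ALL_INSIDE = Rule("deny", "ip", "Wireless", "any", "Inside", "any")                  # "Block access to sales"
PERMIT_WEB      = Rule("permit", "tcp", "Wireless", "any", "Inside", WEB_SERVER, (80, 443))
PERMIT_INTERNET = Rule("permit", "ip", "Wireless", "any", "Outside", "any")              # assumed: VLAN still needs Internet

CURRENT_POLICY    = [DENY_ALL_INSIDE]                               # what the trace shows today
PROPOSED_POLICY   = [PERMIT_WEB, PERMIT_INTERNET, DENY_ALL_INSIDE]  # narrow permits above the block
MISORDERED_POLICY = [DENY_ALL_INSIDE, PERMIT_WEB, PERMIT_INTERNET]  # same rules, wrong order

# Constructed flows from a Wireless client (10.20.30.0/24 is assumed for the VLAN).
HTTPS_TO_WEB        = Flow("tcp", "Wireless", "10.20.30.40", "Inside", "192.168.1.80", 443)
SSH_TO_WEB          = Flow("tcp", "Wireless", "10.20.30.40", "Inside", "192.168.1.80", 22)
HTTPS_TO_OTHER_HOST = Flow("tcp", "Wireless", "10.20.30.40", "Inside", "192.168.1.10", 443)
HTTPS_TO_INTERNET   = Flow("tcp", "Wireless", "10.20.30.40", "Outside", "203.0.113.10", 443)

def verdicts(policy):
    """Map each constructed flow to the action the policy yields, for side-by-side comparison."""
    flows = {"https_to_web": HTTPS_TO_WEB, "ssh_to_web": SSH_TO_WEB,
             "https_to_other_host": HTTPS_TO_OTHER_HOST, "https_to_internet": HTTPS_TO_INTERNET}
    return {name: evaluate(policy, f) for name, f in flows.items()}

if __name__ == "__main__":
    for name, policy in (("current", CURRENT_POLICY), ("proposed", PROPOSED_POLICY), ("misordered", MISORDERED_POLICY)):
        print(name, verdicts(policy))
```

The proposed order permits only 80/443 to the one server and lets every other Wireless-to-Inside flow fall through to the existing block, which is the isolation the poster asked for; the misordered list shows why the permit must sit above the "Block access to sales" rule in the ACP, since the first match decides. In FMC the same rules are entered as access control rules with source zone Wireless, destination zone Inside, the server's private address as the destination network and HTTP/HTTPS as the ports, followed by the existing block rule.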