06-17-2019 05:07 AM - edited 02-21-2020 09:13 AM
Hi all,
I have a 5508-X running FTD v6.2.3-83; it is configured in routed mode with "the usual" configuration: outside and inside interfaces / zones with traffic allowed out but not in. I also have AnyConnect configured for remote access VPN services.
I have a requirement to make a server behind the firewall accessible over https on the "standard port" (i.e. tcp/443) - as it stands, opening tcp/443 would mean removing the AnyConnect configuration which is not really an option (as I understand it, configuring remote-access VPN services on another port than tcp/443 is only possible from FMC, not FDM).
As my ISP provides me with several IP addresses on the link, I was thinking of doing the following:
- let's assume that <public-IP1> is the one currently configured on the outside interface and that <public-IP2> is routed by the ISP, not currently in use, and what my DNS record for the server will point to
- add a new NAT policy along the lines of:
    Original Packet
        Interface = outside
        Source IP = any-ipv4
        Destination IP = <public-IP2>
        Source Port = Any
        Destination Port = HTTPS
    Destination Packet
        Interface = inside
        Source IP = any-ipv4
        Destination IP = <the-LAN-IP-of-my-server>
        Source Port = Any
        Destination Port = HTTPS
- add an Access Rule as such:
    Source
        Zone = outside
        Networks = ANY
        Ports = ANY
    Destination
        Zone = inside
        Networks = <the-LAN-IP-of-my-server>
        Ports = HTTPS
...i.e. pretty much how you'd open a port in the firewall usually, except that the "public IP" is not the same as the one configured on the outside interface of the ASA.
It makes sense to me, but as the ASA is currently in production I'd rather dot my I's and cross my T's beforehand... has someone tried that configuration before and got it working - am I missing something?
Many thanks in advance for the advice,
Olivier
06-17-2019 07:48 PM
Hi
As your 2nd PUB IP is routed by your ISP to your primary IP, it shouldn't be a big deal.
For ACL, you're right.
For Nat, here a screenshot how to configure it:
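The rules described in the question, written out as the ASA-style CLI equivalent (an example added here for reference; it is not Francesco's screenshot nor any configuration from this thread, and the addresses 192.0.2.10 and 203.0.113.20 are placeholders for <the-LAN-IP-of-my-server> and <public-IP2>). The NAT statement lists the real interface first, (inside,outside), while the access rule is written from the outside toward the inside server; packet-tracer is the check to run on the FTD CLI before putting this into production:

```cisco
! Added example, not from the thread. Placeholders:
!   192.0.2.10   = <the-LAN-IP-of-my-server>
!   203.0.113.20 = <public-IP2>, routed by the ISP to the outside link
!   198.51.100.7 = a constructed Internet client used only by packet-tracer
object network SRV-WEB-PUBLIC
 host 203.0.113.20
 description Second public IP, not bound to the outside interface
!
object network SRV-WEB-INSIDE
 host 192.0.2.10
 description Internal HTTPS server
 ! Static NAT: real (inside) side first, mapped (outside) side second,
 ! restricted to tcp/443 so no other service on the server is exposed.
 nat (inside,outside) static SRV-WEB-PUBLIC service tcp https https
!
! Access rule, evaluated against the real (post-NAT) address on an ASA/FTD.
access-list OUTSIDE-IN extended permit tcp any object SRV-WEB-INSIDE eq https
access-group OUTSIDE-IN in interface outside
!
! Checks before going live: simulate an inbound connection from the
! constructed client and confirm the NAT and ACCESS-LIST phases both
! report ALLOW, then confirm the static translation is installed.
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.20 443
show nat detail
show xlate
```

If packet-tracer drops the packet in the NAT phase, the second public IP is not reaching the outside interface or the mapped object does not match it; a drop in the ACCESS-LIST phase means the rule was written against the public address instead of the server's real address.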
06-20-2019 05:54 PM - edited 06-20-2019 05:56 PM
Hi Francesco,
For context, we have just sent the purchase order to buy 2 x 4110 appliances and I'm labbing like crazy to get a solid understanding of how Cisco Firepower works. I have no background in ASA or Firepower (just PA, Forti and Sophos), so I have a question about this process...
I 100% totally agree with your answer, I know it works that way, my lab reflects it, but my question is... why?
The process of "publishing" an external address seems somewhat backward to me. When you're publishing an IP address on the outside for a web server on the inside, for example, would the traffic not be initiated from the outside? So the NAT should be outside==>inside, not inside==>outside? That's the way we configure the ACP, so why is NAT different?
Thanks heaps in advance if you answer as this has been bugging me for weeks :-)
Regards
Warren
06-20-2019 08:30 PM