Secondary outside/wan IP address on FTD

Hi all,

 

I have a 5508-X running FTD v6.2.3-83; it is configured in routed mode with "the usual" configuration: outside and inside interfaces / zones with traffic allowed out but not in. I also have AnyConnect services for remote access VPN services

I have a requirement to make a server behind the firewall accessible over https on the "standard port" (i.e. tcp/443) - as it stands, opening tcp/443 would mean removing the AnyConnect configuration which is not really an option (as I understand it, configuring remote-access VPN services on another port than tcp/443 is only possible from FMC, not FDM).

 

As my ISP provides me with several IP addresses on the link, I was thinking of doing the following:

- let's assume that <public-IP1> is the one currently configured on the outside interface and that <public-IP2> is routed by the ISP, not currently in use, and what my DNS record for the server will point to

- add a new NAT policy along the lines of:

    Original Packet

        Interface = outside

        Source IP = any-ipv4

        Destination IP = <public-IP2>

        Source Port = Any

        Destination Port = HTTPS

    Destination Packet

        Interface = inside

        Source IP = any-ipv4

        Destination IP = <the-LAN-IP-of-my-server>

        Source Port = Any

        Destination Port = HTTPS

- add an Access Rule as such:

    Source

        Zone = outside

        Networks = ANY

        Ports = ANY

    Destination

        Zone = inside

        Networks = <the-LAN-IP-of-my-server>

        Ports = HTTPS

...i.e. pretty much how you'd open a port in the firewall usually, except that the "public IP" is not the same as the one configured on the outside interface of the ASA.

It makes sense to me, but as the ASA is currently in production I'd rather dot my I's and cross my T's beforehand... has someone tried that configuration before and got it working - am I missing something?

 

Many thanks in advance for the advice,

Olivier

3 Replies

Francesco Molino
VIP Alumni

Hi

 

As your 2nd PUB IP is routed by your ISP to your primary IP, it shouldn't be a big deal.

 

For ACL, you're right.

For NAT, here is a screenshot of how to configure it:

 

[screenshot: image.png]


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

For context, we have just sent the purchase order to buy 2 x 4110 appliances and I'm labbing like crazy to get a solid understanding of how Cisco Firepower works. I have no background in ASA or Firepower (just PA, Forti and Sophos), so I have a question about this process.

 

I 100% totally agree with your answer; I know it works that way, and my lab reflects it, but my question is: why?

 

The process of "publishing" an external address seems somewhat backward to me: when you're publishing an IP address on the outside for a web server on the inside, for example, would the traffic not be initiated from the outside? So shouldn't the NAT be outside==>inside, not inside==>outside? That's the way we configure the ACP, so why is NAT different?

 

Thanks heaps in advance if you answer as this has been bugging me for weeks :-)

 

Regards

 

Warren

 

 

I agree the GUI isn't the most explicit here. Behind the scenes there's ASA code called lina.
The real command is nat (real-ifce, mapped-ifce), which means your real service is on your inside, while the mapped interface is where external users come in to hit your exposed service.
That's why you have to configure it this way.

Here is a link I always share to help people understand:
http://www.practicalnetworking.net/stand-alone/cisco-asa-nat/#nat-syntax

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
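The rule Olivier describes in the question, written out as the underlying ASA/lina configuration that Francesco's nat (real-ifce, mapped-ifce) explanation refers to. This is an added example, not configuration from the thread or from Cisco; the object names, the LAN address 192.168.10.20, the public address 203.0.113.20 (standing in for <public-IP2>) and the test client 198.51.100.7 are assumptions, chosen from RFC 5737 documentation space. Note that the question lists "outside" as the Original Packet interface; in the deployed statement the real (original) side is inside, which is the point Francesco makes. On FTD you build this through FDM or FMC rather than typing it, but the CLI shows what the GUI deploys, and the packet-tracer lines can be run from `system support diagnostic-cli` to check the rule before any real client hits it.

```cisco
! Added example (not from the thread): ASA/lina equivalent of the FDM NAT rule
! and access rule from the question.
! Assumed: server 192.168.10.20 on "inside", <public-IP2> = 203.0.113.20,
! interfaces named "inside" and "outside" as in the question.

! Mapped (public) address first, because the NAT statement below references it.
object network SRV-WEB-MAPPED
 host 203.0.113.20
 description <public-IP2>, second address routed to us by the ISP

! Real (LAN) address, with the object NAT attached to it.
! Syntax is nat (real_ifc,mapped_ifc): the real server lives on "inside", so it
! reads (inside,outside) even though connections are initiated from outside.
! "service tcp https https" limits the translation to tcp/443, so nothing else
! on 203.0.113.20 is exposed and <public-IP1> (AnyConnect on tcp/443) is untouched.
object network SRV-WEB-REAL
 host 192.168.10.20
 description LAN address of the HTTPS server
 nat (inside,outside) static SRV-WEB-MAPPED service tcp https https

! Since ASA 8.3 access lists match the REAL (untranslated) destination, which is
! why the access rule in the question correctly uses the LAN IP, not <public-IP2>.
access-list OUTSIDE_IN extended permit tcp any object SRV-WEB-REAL eq https
access-group OUTSIDE_IN in interface outside

! Verification on the running box (on FTD enter "system support diagnostic-cli"
! first to reach the lina CLI):
!   show nat detail
!     -> lists the static rule and its translate_hits / untranslate_hits counters
!   packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.20 443
!     -> should end with "Action: allow" and show the UN-NAT phase rewriting the
!        destination to 192.168.10.20
!   packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.20 22
!     -> should NOT reach 192.168.10.20: no NAT rule matches tcp/22, so the
!        port restriction is doing its job
```

Two practical caveats. First, the untranslate happens before the ACL check, so an access rule that allowed tcp/443 to <public-IP2> instead of to the LAN address would never match; keep the rule on the real IP as in the question. Second, if the ISP hands <public-IP2> over as part of the outside interface's own subnet rather than routing it to <public-IP1>, the static NAT still works because the firewall answers ARP for the mapped address by default (unless the rule is created with no-proxy-arp); if it is routed to <public-IP1> as Olivier describes, no ARP is involved and only the NAT rule matters.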