Hi Mohammed, appreciate your help.
You are correct. The 59.x.x.x address is routed to the outside interface of the FTD box from the ISP; it then uses a PAT rule for 59.x.x.x:443 to the DMZ internal subnet 172.16.100.0 (webserver 172.16.100.10). Currently the inside network is blocked from accessing any services on the DMZ by the access control policy.
When a user browses from the inside network 192.168.17.x to the outside interface's routed IP of 59.x.x.x, we need to terminate this traffic on the webserver 172.16.100.10 in the DMZ zone.
If we look at the solution on a Palo Alto, it is the reverse of what you are suggesting and doesn't mention using the DMZ zone at all.
On the Original Packet tab, select the zone you created for your internal network in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone drop-down.
In the Destination Address section, Add the address object you created for your public web server.
On the Translated Packet tab, select Destination Address Translation and then enter the IP address that is assigned to the web server interface on the DMZ network, 172.16.100.10 in this example.
Click OK.
Sorry, I have used another vendor's example; however, I can't find much online about trying to achieve this with Threat Defense.
Thanks Mohammed, yes, using FMC.
Do you have any screenshot examples at all? In the example above, would my source be the inside interface object and the DMZ the destination interface object?
Original source 192.168.17.x
Original Destination 59.x.x.x
Translated Source Any IPV4
Translated Destination 127.16.100.10
We are running FTD 6.2.2 and are wondering how we go about allowing access to a webserver in the DMZ using the public IP address which is NATed from the FTD device.
Outside - 59.23.x.x
We have a webserver sitting on 172.16.100.10 using a PAT on the FTD with public routed IP 59.23.x.2 on the outside interface. The issue we have is this specific piece of software requires access to the web server utilizing the 59.23.x.x address rather than the 172.16.100.10 address.
We set up an internal DNS record pointing www.example.com to 59.23.x.x; however, we are unable to get this configuration to work. On ASA code we used to set up NAT hairpinning, I believe it was called. Does anyone know how to do this in FTD?
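The rule described in the Palo Alto steps and in the FMC field list above, written in the ASA-style NAT syntax that the FTD's LINA engine uses and that `show running-config nat` prints on the FTD CLI. This is an added example, not configuration from the original posts: the object names are assumptions, and 203.0.113.2 is a documentation address standing in for the post's 59.23.x.2. In FMC (Devices > NAT) the same rule is a Manual NAT Rule of type Static with source interface object inside, destination interface object dmz, original source inside-net, original destination public-web-ip with destination port HTTPS, translated source inside-net (identity) and translated destination dmz-webserver.

```cisco
! Added example, not the poster's configuration. Object names are assumptions;
! 203.0.113.2 stands in for the post's 59.23.x.2.
object network inside-net
 subnet 192.168.17.0 255.255.255.0
object network public-web-ip
 host 203.0.113.2
object service HTTPS
 service tcp destination eq 443
!
! The port-forward the post already has: public IP :443 -> DMZ host :443
object network dmz-webserver
 host 172.16.100.10
 nat (dmz,outside) static public-web-ip service tcp 443 443
!
! Hairpin rule: inside hosts that connect to the public IP on 443 are sent to
! the DMZ host instead. The source keeps its real address (identity NAT), so
! the web server sees 192.168.17.x and its reply comes back through the FTD.
nat (inside,dmz) source static inside-net inside-net destination static public-web-ip dmz-webserver service HTTPS HTTPS
!
! Checks from the FTD CLI ("inside" is the interface name, not the zone):
!   show nat
!   packet-tracer input inside tcp 192.168.17.10 40000 203.0.113.2 443
```

Two caveats a practitioner will hit. First, identity NAT of the source only works if the web server's default gateway is the FTD DMZ interface; if it is not, use `source dynamic inside-net interface` instead of `source static inside-net inside-net`, so the server answers the DMZ interface address and the reply cannot bypass the firewall. Second, the access control policy must permit the inside zone to 172.16.100.10 on tcp/443; ACP rules match real, untranslated addresses, so a rule written against 59.x.x.x will not match. The DNS-rewrite option, which would hand inside clients 172.16.100.10 in the DNS reply instead, is not available on a NAT rule that does port translation, which is why the hairpin rule is the fit for a PAT setup.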
Thanks for the info, I will give this a try. I have not completed a survey but have no interference on the channel selected. The issue I have is this router replaced a standard Linksys home-grade router. I have had to reinstall the Linksys as it provided better coverage with the exact same channel, encryption etc. The distance is about 10 metres but through a few solid walls. The AP works fine when you are in the same room, but when in the distant room it connects at 54 Mbps, then drops back to 36 Mbps, then seems to just start dropping packets while still reporting as being connected.
Hey Guys, I have just set up my new Cisco 887 wireless embedded router. I'm finding clients have very poor wireless signal strength. All client machines support G only. Do I have a mistake in my config, or do these routers have very poor wireless? Any help appreciated. Luke

dot11 ssid myssid
 vlan 1
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 7 mykey
!
dot11 network-map
!
!
username admin privilege 15 secret 5 mypass
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ! WPA1/TKIP cipher. WPA2 would be "mode ciphers aes-ccm" here together with
 ! "authentication key-management wpa version 2" under the ssid.
 encryption vlan 1 mode ciphers tkip
 !
 ! NOTE: the only SSID defined above is "myssid"; the name here must match it
 ! for the SSID to be bound to the radio.
 ssid lovellrs
 !
 antenna gain 0
 speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
 no ip address
 no ip route-cache
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.100.254 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.0.60.1
! Management is plain HTTP only; HTTPS is disabled on the next line.
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
Hey Guys, I'm wondering if anyone has a config that can help me out with getting internet access via an Easy VPN tunnel on a Cisco 877 router. Basically we would like roaming users to be able to use the internet via the VPN rather than using a split tunnel. The reason for this is we have multiple sites that are tied down via external IP access lists for some services. We would like roaming users to be able to interact with these sites through the central router and use the router's external IP address to access the secured sites. Hopefully this makes sense. I know we can use a proxy, but we also use some other non-proxy-based services at these sites, so we would rather have direct routed access. Thanks Luke
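One way to give Easy VPN clients internet access through the hub, as an added example that is not the poster's configuration: the Easy VPN server terminates clients on a dynamic virtual-template (DVTI), so decrypted client traffic arrives on a Virtual-Access interface marked `ip nat inside` and is PATed out Dialer1 exactly like LAN traffic, and the client group carries no split-tunnel `acl`, so the client sends everything through the tunnel. The group, profile, pool and ACL names (EZVPN-GROUP, EZVPN-PROF, EZVPN-TS, EZVPN-IPSEC, roampool, access-list 120) are assumptions; the zone names follow the 877 config posted lower on this page.

```cisco
! Added example, not the poster's config. Assumes an 877 already running PPPoE
! on Dialer1 with "ip nat outside", a LAN on Vlan1 (10.0.1.0/24) with
! "ip nat inside", and a zone-based firewall with in-zone, out-zone and
! ezvpn-zone (the ezvpn-zone zone-pairs already exist and "pass" traffic).
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
username roamer secret ChangeMe-UserPassword
!
crypto isakmp policy 20
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
! Client group: with no "acl" line there is no split tunnel, so the client
! tunnels all traffic, including internet traffic, to this router.
crypto isakmp client configuration group EZVPN-GROUP
 key ChangeMe-GroupKey
 dns 10.0.1.7
 pool roampool
 netmask 255.255.255.0
!
crypto isakmp profile EZVPN-PROF
 match identity group EZVPN-GROUP
 client authentication list userauthen
 isakmp authorization list groupauthor
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set EZVPN-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile EZVPN-IPSEC
 set transform-set EZVPN-TS
 set isakmp-profile EZVPN-PROF
!
! Each client is cloned onto a Virtual-Access interface from this template.
! "ip nat inside" is what lets client traffic be PATed out Dialer1, and the
! zone membership makes the existing ezvpn-zone zone-pairs apply to it.
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan1
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1300
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZVPN-IPSEC
!
ip local pool roampool 10.0.56.1 10.0.56.100
!
! PAT both the LAN and the client pool to the Dialer1 address. LAN-to-client
! traffic is inside-to-inside (Vlan1 to Virtual-Access) and is not translated,
! so no route-map exemption is needed for it.
access-list 120 permit ip 10.0.1.0 0.0.0.255 any
access-list 120 permit ip 10.0.56.0 0.0.0.255 any
ip nat inside source list 120 interface Dialer1 overload
!
! Checks after a client connects:
!   show crypto session
!   show ip interface brief | include Virtual-Access
!   show ip nat translations | include 10.0.56.
```

This replaces the crypto-map/dynamic-map way of terminating Easy VPN clients on Dialer1: the DVTI installs the route to each client's pool address on its Virtual-Access interface itself, so no `reverse-route` is needed, and a DMVPN profile on the same router stays separate. Because the clients' internet traffic now leaves from the router's public address, the far-end IP access lists see the central site's address, which is what the post asks for.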
Hey Guys, I have a pretty simple network and have some questions in regards to port forwarding with two gateways. Please see the attached file for reference. Basically what I would like to achieve is to enable port 80 port forwards from two gateways on the same subnet to my webserver. The issue we face is the port forwarding works fine for the default router as it is the default gateway of the network. How do I allow the webserver to respond to requests from the secondary router? Is there a route command I need to add on the primary router so it is aware of the second router, or is the only option to have the second router on a separate network and install two NICs in the web server?
Hey Guys, I'm having some problems getting Easy VPN to work through the CLI on an 877. I can get the VPN to establish the connection from the VPN client on an XP machine, but I can't access any local resources, and then after about 1 minute or so it drops out. Any help is appreciated. Here is my conf:

!This is the running config of the router: 10.0.1.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname advancecisco
!
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-24.T2.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 52000
enable secret 5
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network advancevpn local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-142142351
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-142142351
 revocation-check none
 rsakeypair TP-self-signed-142142351
!
!
crypto pki certificate chain TP-self-signed-142142351
 certificate self-signed 01
  CERTHERE
  quit
dot11 syslog
no ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name
ip name-server 220.127.116.11
ip name-server 18.104.22.168
ip port-map user-easyvpn port tcp 10000 description easyvpn
ip port-map user-RDP port tcp 3389 description RDP
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username admin privilege 15 secret 5
username test secret 5
crypto keyring dmvpnspokes
  pre-shared-key address 0.0.0.0 0.0.0.0 key apresharekey
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
!
! Easy VPN client group: acl 114 is the split-tunnel list pushed to clients
crypto isakmp client configuration group advancevpn
 key anotherkey
 dns 10.0.1.7
 domain domain name
 pool dynpool
 acl 114
 include-local-lan
 netmask 255.255.255.0
crypto isakmp profile VPNclient
   match identity group advancevpn
   client authentication list userauthen
   isakmp authorization list advancevpn
   client configuration address respond
crypto isakmp profile DMVPN
   keyring dmvpnspokes
   match identity address 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile cisco
 set security-association lifetime seconds 120
 set transform-set strong
 set isakmp-profile DMVPN
!
!
crypto dynamic-map dynmap 10
 set transform-set strong
 set isakmp-profile VPNclient
 reverse-route
!
!
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
! NOTE: crypto map "ipsec-maps" is not applied to any interface below (Dialer1
! uses "dynmap"), and the "groupauthor" list it references is not defined in
! the aaa section above.
crypto map ipsec-maps client authentication list userauthen
crypto map ipsec-maps isakmp authorization list groupauthor
crypto map ipsec-maps client configuration address respond
!
crypto ctcp
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
!
class-map type inspect match-all sdm-nat-syslog-1
 match access-group 111
 match protocol syslog
class-map type inspect match-all sdm-nat-http-4
 match access-group 112
 match protocol http
class-map type inspect match-all sdm-nat-http-1
 match access-group 103
 match protocol http
class-map type inspect match-all sdm-nat-http-2
 match access-group 106
 match protocol http
class-map type inspect match-any RDP
 match protocol user-RDP
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
 match class-map RDP
 match access-group name ConnectwiseRDP
class-map type inspect match-all sdm-nat-http-3
 match access-group 109
 match protocol http
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 108
 match protocol smtp
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 102
class-map type inspect match-all sdm-protocol-http
 match protocol http
class-map type inspect match-all sdm-nat-https-2
 match access-group 110
 match protocol https
class-map type inspect match-all sdm-nat-https-1
 match access-group 104
 match protocol https
class-map type inspect match-all sdm-nat-ftp-1
 match access-group 107
 match protocol ftp
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1
  inspect
 class type inspect sdm-nat-https-1
  inspect
 class type inspect sdm-nat-http-2
  inspect
 class type inspect sdm-nat-ftp-1
  inspect
 class type inspect sdm-nat-smtp-1
  inspect
 class type inspect sdm-nat-http-3
  inspect
 class type inspect sdm-nat-https-2
  inspect
 class type inspect sdm-nat-syslog-1
  inspect
 class type inspect sdm-nat-http-4
  inspect
 class class-default
  drop
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect sdm-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class class-default
  drop
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
! NOTE: no interface below is a member of ezvpn-zone, and Tunnel0 has no
! zone-member line at all.
zone security ezvpn-zone
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
!
!
interface Tunnel0
 ip address 10.0.58.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication abcRp:
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 300
 tunnel source Vlan1
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile cisco
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.2 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 10.0.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1412
!
interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname username
 ppp chap password blahaj
 crypto map dynmap
!
ip local pool dynpool 10.0.56.1 10.0.56.100
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.1.1.0 255.255.255.0 10.0.1.17 permanent
ip route 10.1.10.0 255.255.255.0 10.0.1.17 permanent
ip http server
ip http access-class 3
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
! EXTIP is the poster's placeholder for the public address
ip nat inside source route-map notvpn interface Dialer1 overload
ip nat inside source static tcp 10.0.1.6 80 EXTIP 80 extendable
ip nat inside source static tcp 10.0.1.6 443 EXTIP 443 extendable
ip nat inside source static tcp 10.0.0.3 80 EXTIP 80 extendable
ip nat inside source static tcp 10.0.1.4 21 EXTIP 21 extendable
ip nat inside source static tcp 10.0.1.25 25 EXTIP 25 extendable
ip nat inside source static tcp 10.0.1.64 80 EXTIP 80 extendable
ip nat inside source static tcp 10.0.1.7 443 EXTIP 443 extendable
ip nat inside source static udp 10.0.1.25 514 EXTIP 514 extendable
ip nat inside source static tcp 10.0.1.6 3389 EXTIP 3389 extendable
ip nat inside source static tcp 10.0.1.16 80 EXTIP 8082 extendable
!
ip access-list extended ConnectwiseRDP
 remark SDM_ACL Category=128
 permit ip host 22.214.171.124 host 10.0.1.6
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
ip access-list extended SDM_IP
 remark SDM_ACL Category=1
 permit ip any any
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.0.1.0 0.0.0.255
access-list 2 deny any
access-list 3 remark HTTP Access-class list
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 10.0.1.0 0.0.0.255
access-list 3 deny any
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
access-list 100 deny ip any any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=128
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 10.0.1.6
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 10.0.1.6
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 10.0.1.0 0.0.0.255 any
access-list 105 permit ip 10.1.1.0 0.0.0.255 any
access-list 105 permit ip 10.1.10.0 0.0.0.255 any
access-list 106 remark SDM_ACL Category=0
access-list 106 permit ip any host 10.0.0.3
access-list 107 remark SDM_ACL Category=0
access-list 107 permit ip any host 10.0.1.4
access-list 108 remark SDM_ACL Category=0
access-list 108 permit ip any host 10.0.1.25
access-list 109 remark SDM_ACL Category=0
access-list 109 permit ip any host 10.0.1.64
access-list 110 remark SDM_ACL Category=0
access-list 110 permit ip any host 10.0.1.7
access-list 111 remark SDM_ACL Category=0
access-list 111 permit ip any host 10.0.1.25
access-list 112 remark SDM_ACL Category=0
access-list 112 permit ip any host 10.0.1.16
access-list 113 remark SDM_ACL Category=4
access-list 113 permit ip 10.0.1.0 0.0.0.255 any
! acl 114: split-tunnel list pushed to Easy VPN clients (see group advancevpn)
access-list 114 permit ip 10.0.1.0 0.0.0.255 10.0.56.0 0.0.0.255
access-list 114 permit ip 10.0.1.0 0.0.0.255 any
access-list 114 permit ip 10.0.56.0 0.0.0.255 10.0.1.0 0.0.0.255
! acl 115: keeps LAN-to-VPN-pool traffic out of the Dialer1 PAT (route-map notvpn)
access-list 115 deny ip 10.0.1.0 0.0.0.255 10.0.56.0 0.0.0.255
access-list 115 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
route-map notvpn permit 1
 match ip address 115
!
!
control-plane
!
banner login ^CYour Session Had Been Logged. ^C
!
! NOTE: the "local_authen" and "local_author" lists used on the lines below are
! not defined in the aaa section above (only userauthen and advancevpn are).
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 100 in
 privilege level 15
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end