Hi There We are running FTD 6.2.2 and wondering how we go about allowing access to a webserver in the DMZ using the public ip address which is natted from the FTD device. Outside - 59.23.x.x DMZ 172.16.100.x Inside 192.168.17.x   We have a webserver sitting on 172.16.100.10 using a PAT on the FTD with public routed IP 59.23.x.2 on the outside interface The issue we have is this specific piece of software requires access to the web server utilizing the 59.23.x.x address rather than 172.16.100.10 address. We setup an internal dns record pointing www.example.com to 59.23.x.x however unable to get this configuration to work. on ASA code we used to setup NAT hairpinning i believe it was called. Does anyone know how to do this in FTD. ... View more

Hey Guys I have a pretty simple network and have some questions in regards to port forwarding with two gateways. Please see the attached file for reference. Basically what i would like to achieve is enable port 80 port forwards from two gateways on the same subnet to my webserver. The issue we face is the port forwarding works fine for the default router as it is the default gateway of the network. How do i allow the webserver to respond to requests from the secondary router. Is there a route command i need to add on the primary router so it is aware of the second router, or is the only option to have the second router on a seperate network and install two nic's in the web server ... View more

Hey Guys Im having some problems getting easyvpn to work throught the CLI on a 877. I can get the vpn to establish the connection from the vpn client on an xp machine but i cant access any local resources and then after about 1 minute or so it drops out Any help is appreciated Here is my conf !This is the running config of the router: 10.0.1.1 !---------------------------------------------------------------------------- !version 12.4 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers ! hostname advancecisco ! boot-start-marker boot system flash:c870-advipservicesk9-mz.124-24.T2.bin boot-end-marker ! security authentication failure rate 3 log security passwords min-length 6 logging message-counter syslog logging buffered 52000 enable secret 5 ! aaa new-model ! ! aaa authentication login userauthen local aaa authorization network advancevpn local ! ! aaa session-id common ! crypto pki trustpoint TP-self-signed-142142351 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-142142351 revocation-check none rsakeypair TP-self-signed-142142351 ! ! crypto pki certificate chain TP-self-signed-142142351 certificate self-signed 01 CERTHERE    quit dot11 syslog no ip source-route ! ! ! ! ip cef no ip bootp server ip domain name ip name-server 192.231.203.132 ip name-server 192.231.203.3 ip port-map user-easyvpn port tcp 10000 description easyvpn ip port-map user-RDP port tcp 3389 description RDP no ipv6 cef ! multilink bundle-name authenticated ! ! ! username admin privilege 15 secret 5 username test secret 5 crypto keyring dmvpnspokes   pre-shared-key address 0.0.0.0 0.0.0.0 key apresharekey ! crypto isakmp policy 10 hash md5 authentication pre-share ! crypto isakmp policy 20 encr 3des authentication pre-share group 2 ! crypto isakmp client configuration group advancevpn key anotherkey dns 10.0.1.7 domain domain name pool dynpool acl 114 include-local-lan netmask 255.255.255.0 crypto isakmp profile VPNclient    match identity group advancevpn    client authentication list userauthen    isakmp authorization list advancevpn    client configuration address respond crypto isakmp profile DMVPN    keyring dmvpnspokes    match identity address 0.0.0.0 ! ! crypto ipsec transform-set strong esp-3des esp-sha-hmac mode transport ! crypto ipsec profile cisco set security-association lifetime seconds 120 set transform-set strong set isakmp-profile DMVPN ! ! crypto dynamic-map dynmap 10 set transform-set strong set isakmp-profile VPNclient reverse-route ! ! crypto map dynmap 1 ipsec-isakmp dynamic dynmap ! crypto map ipsec-maps client authentication list userauthen crypto map ipsec-maps isakmp authorization list groupauthor crypto map ipsec-maps client configuration address respond ! crypto ctcp archive log config   hidekeys ! ! ip tcp synwait-time 10 ! class-map type inspect match-all sdm-nat-syslog-1 match access-group 111 match protocol syslog class-map type inspect match-all sdm-nat-http-4 match access-group 112 match protocol http class-map type inspect match-all sdm-nat-http-1 match access-group 103 match protocol http class-map type inspect match-all sdm-nat-http-2 match access-group 106 match protocol http class-map type inspect match-any RDP match protocol user-RDP class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1 match class-map RDP match access-group name ConnectwiseRDP class-map type inspect match-all sdm-nat-http-3 match access-group 109 match protocol http class-map type inspect match-all sdm-nat-smtp-1 match access-group 108 match protocol smtp class-map type inspect match-any SDM_AH match access-group name SDM_AH class-map type inspect match-any sdm-cls-insp-traffic match protocol cuseeme match protocol dns match protocol ftp match protocol h323 match protocol https match protocol icmp match protocol imap match protocol pop3 match protocol netshow match protocol shell match protocol realmedia match protocol rtsp match protocol smtp extended match protocol sql-net match protocol streamworks match protocol tftp match protocol vdolive match protocol tcp match protocol udp class-map type inspect match-all sdm-insp-traffic match class-map sdm-cls-insp-traffic class-map type inspect match-any SDM-Voice-permit match protocol h323 match protocol skinny match protocol sip class-map type inspect match-any SDM_IP match access-group name SDM_IP class-map type inspect match-any SDM_ESP match access-group name SDM_ESP class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC match protocol isakmp match protocol ipsec-msft match class-map SDM_AH match class-map SDM_ESP class-map type inspect match-all SDM_EASY_VPN_SERVER_PT match class-map SDM_EASY_VPN_SERVER_TRAFFIC class-map type inspect match-any sdm-cls-icmp-access match protocol icmp match protocol tcp match protocol udp class-map type inspect match-all sdm-icmp-access match class-map sdm-cls-icmp-access class-map type inspect match-all sdm-invalid-src match access-group 102 class-map type inspect match-all sdm-protocol-http match protocol http class-map type inspect match-all sdm-nat-https-2 match access-group 110 match protocol https class-map type inspect match-all sdm-nat-https-1 match access-group 104 match protocol https class-map type inspect match-all sdm-nat-ftp-1 match access-group 107 match protocol ftp ! ! policy-map type inspect sdm-permit-icmpreply class type inspect sdm-icmp-access   inspect class class-default   pass policy-map type inspect sdm-pol-NATOutsideToInside-1 class type inspect sdm-nat-http-1   inspect class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1   inspect class type inspect sdm-nat-https-1   inspect class type inspect sdm-nat-http-2   inspect class type inspect sdm-nat-ftp-1   inspect class type inspect sdm-nat-smtp-1   inspect class type inspect sdm-nat-http-3   inspect class type inspect sdm-nat-https-2   inspect class type inspect sdm-nat-syslog-1   inspect class type inspect sdm-nat-http-4   inspect class class-default   drop policy-map type inspect sdm-inspect class type inspect sdm-invalid-src   drop log class type inspect sdm-insp-traffic   inspect class type inspect sdm-protocol-http   inspect class type inspect SDM-Voice-permit   inspect class class-default   pass policy-map type inspect sdm-permit class type inspect SDM_EASY_VPN_SERVER_PT   pass class class-default   drop policy-map type inspect sdm-permit-ip class type inspect SDM_IP   pass class class-default   drop log ! zone security ezvpn-zone zone security out-zone zone security in-zone zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone service-policy type inspect sdm-permit-ip zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone service-policy type inspect sdm-permit-ip zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone service-policy type inspect sdm-permit-ip zone-pair security sdm-zp-self-out source self destination out-zone service-policy type inspect sdm-permit-icmpreply zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone service-policy type inspect sdm-pol-NATOutsideToInside-1 zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone service-policy type inspect sdm-permit-ip zone-pair security sdm-zp-out-self source out-zone destination self service-policy type inspect sdm-permit zone-pair security sdm-zp-in-out source in-zone destination out-zone service-policy type inspect sdm-inspect ! ! ! interface Tunnel0 ip address 10.0.58.1 255.255.255.0 no ip redirects ip mtu 1440 ip nhrp authentication abcRp: ip nhrp map multicast dynamic ip nhrp network-id 1 ip nhrp holdtime 300 tunnel source Vlan1 tunnel mode gre multipoint tunnel key 0 tunnel protection ipsec profile cisco ! interface Null0 no ip unreachables ! interface ATM0 no ip address no ip redirects no ip unreachables no ip proxy-arp ip flow ingress no atm ilmi-keepalive ! interface ATM0.2 point-to-point no ip redirects no ip unreachables no ip proxy-arp ip flow ingress pvc 8/35   pppoe-client dial-pool-number 1 ! ! interface FastEthernet0 ! interface FastEthernet1 ! interface FastEthernet2 ! interface FastEthernet3 ! interface Vlan1 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$ ip address 10.0.1.1 255.255.255.0 no ip redirects no ip unreachables no ip proxy-arp ip flow ingress ip nat inside ip virtual-reassembly zone-member security in-zone ip tcp adjust-mss 1412 ! interface Dialer1 description $FW_OUTSIDE$ ip address negotiated no ip redirects no ip unreachables no ip proxy-arp ip mtu 1452 ip flow ingress ip nat outside ip virtual-reassembly zone-member security out-zone encapsulation ppp dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname username ppp chap password blahaj crypto map dynmap ! ip local pool dynpool 10.0.56.1 10.0.56.100 no ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 Dialer1 ip route 10.1.1.0 255.255.255.0 10.0.1.17 permanent ip route 10.1.10.0 255.255.255.0 10.0.1.17 permanent ip http server ip http access-class 3 ip http authentication local ip http secure-server ip http timeout-policy idle 60 life 86400 requests 10000 ! ! ip nat inside source route-map notvpn interface Dialer1 overload ip nat inside source static tcp 10.0.1.6 80 EXTIP 80 extendable ip nat inside source static tcp 10.0.1.6 443 EXTIP 443 extendable ip nat inside source static tcp 10.0.0.3 80 EXTIP 80 extendable ip nat inside source static tcp 10.0.1.4 21 EXTIP 21 extendable ip nat inside source static tcp 10.0.1.25 25 EXTIP 25 extendable ip nat inside source static tcp 10.0.1.64 80 EXTIP 80 extendable ip nat inside source static tcp 10.0.1.7 443 EXTIP 443 extendable ip nat inside source static udp 10.0.1.25 514 EXTIP 514 extendable ip nat inside source static tcp 10.0.1.6 3389 EXTIP 3389 extendable ip nat inside source static tcp 10.0.1.16 80 EXTIP 8082 extendable ! ip access-list extended ConnectwiseRDP remark SDM_ACL Category=128 permit ip host 205.232.23.50 host 10.0.1.6 ip access-list extended SDM_AH remark SDM_ACL Category=1 permit ahp any any ip access-list extended SDM_ESP remark SDM_ACL Category=1 permit esp any any ip access-list extended SDM_IP remark SDM_ACL Category=1 permit ip any any ! access-list 1 remark INSIDE_IF=Vlan1 access-list 1 remark SDM_ACL Category=2 access-list 1 permit 10.0.1.0 0.0.0.255 access-list 2 remark HTTP Access-class list access-list 2 remark SDM_ACL Category=1 access-list 2 permit 10.0.1.0 0.0.0.255 access-list 2 deny   any access-list 3 remark HTTP Access-class list access-list 3 remark SDM_ACL Category=1 access-list 3 permit 10.0.1.0 0.0.0.255 access-list 3 deny   any access-list 100 remark VTY Access-class list access-list 100 remark SDM_ACL Category=1 access-list 100 permit ip 10.0.1.0 0.0.0.255 any access-list 100 deny   ip any any access-list 101 remark SDM_ACL Category=4 access-list 101 permit ip 10.0.1.0 0.0.0.255 any access-list 102 remark SDM_ACL Category=128 access-list 102 permit ip host 255.255.255.255 any access-list 102 permit ip 127.0.0.0 0.255.255.255 any access-list 103 remark SDM_ACL Category=0 access-list 103 permit ip any host 10.0.1.6 access-list 104 remark SDM_ACL Category=0 access-list 104 permit ip any host 10.0.1.6 access-list 105 remark SDM_ACL Category=4 access-list 105 permit ip 10.0.1.0 0.0.0.255 any access-list 105 permit ip 10.1.1.0 0.0.0.255 any access-list 105 permit ip 10.1.10.0 0.0.0.255 any access-list 106 remark SDM_ACL Category=0 access-list 106 permit ip any host 10.0.0.3 access-list 107 remark SDM_ACL Category=0 access-list 107 permit ip any host 10.0.1.4 access-list 108 remark SDM_ACL Category=0 access-list 108 permit ip any host 10.0.1.25 access-list 109 remark SDM_ACL Category=0 access-list 109 permit ip any host 10.0.1.64 access-list 110 remark SDM_ACL Category=0 access-list 110 permit ip any host 10.0.1.7 access-list 111 remark SDM_ACL Category=0 access-list 111 permit ip any host 10.0.1.25 access-list 112 remark SDM_ACL Category=0 access-list 112 permit ip any host 10.0.1.16 access-list 113 remark SDM_ACL Category=4 access-list 113 permit ip 10.0.1.0 0.0.0.255 any access-list 114 permit ip 10.0.1.0 0.0.0.255 10.0.56.0 0.0.0.255 access-list 114 permit ip 10.0.1.0 0.0.0.255 any access-list 114 permit ip 10.0.56.0 0.0.0.255 10.0.1.0 0.0.0.255 access-list 115 deny   ip 10.0.1.0 0.0.0.255 10.0.56.0 0.0.0.255 access-list 115 permit ip any any dialer-list 1 protocol ip permit no cdp run ! ! ! ! route-map notvpn permit 1 match ip address 115 ! ! control-plane ! banner login ^CYour Session Had Been Logged. ^C ! line con 0 login authentication local_authen no modem enable transport output telnet line aux 0 login authentication local_authen transport output telnet line vty 0 4 access-class 100 in privilege level 15 authorization exec local_author login authentication local_authen transport input telnet ssh ! scheduler max-task-time 5000 scheduler allocate 4000 1000 scheduler interval 500 end ... View more