Configure Cisco FTD Port Forwarding (via FDM)

KB ID 0001680


You have a Cisco FTD device that you manage via FDM, and you would like to set up port forwarding. In the example below I will forward TCP Port 80 (HTTP) traffic from the outside interface of my FTD Device (Firepower 1010) to an internal web server on

Solution (Step 1: Create an FTD NAT Policy)

Using a web browser connect to the FDM > Policies > NAT > Add.


Set the following options;

  • Title: Give the NAT rule a title e.g. Webserver-01
  • Create Rule for: Manual NAT
  • Status: Enable
  • Placement: Above a Specific Rule
  • Rule: InsideOutsideNATRule
  • Type: Static
  • Original Packet: Source Interface: inside
  • Original Packet: Source Address: Select ‘Create New Network’

Cisco FDM Port Forwarding

In the Add new Network Object Window;

  • Name: Name of the server/object you are port forwarding to e.g. Webserver-01
  • Host: IP address of the server/object you are port forwarding to
  • OK

Cisco FDM Create Network Object

Back At the NAT Rule Window;

  • Source Address: Ensure it’s set to the object you just created
  • Original Packet: Source Port: HTTP (or whatever port you wish to forward)
  • Translated Packet: Destination Interface: outside
  • Translated Packet: Source Address: Interface
  • Translated Packet: Source Port: HTTP (or whatever port you wish to forward)
  • OK.

Cisco FDM Port Forward HTTP

Solution (Step 2: Create an FTD Access Control Policy Rule)

Policies > Access Control > Add.

Set the access rule as follows;

  • Title: Give the access rule a title e.g. Webserver-Access
  • Source Zone: outside_zone
  • Source Networks: any-ipv4
  • Source Ports: ANY
  • Destination Zone: inside_zone
  • Destination Networks: The Object you created (above)
  • Destination Ports/Protocols: HTTP
  • OK

Cisco FDM Open a port

You can expand the rule, and see a diagram version if you wish.

Cisco FDM Show ACL Diagram

Pending Changes > Deploy Now.

Cisco FDM Save and deploy Changes

Wait! The changes probably haven’t deployed yet; you can check progress by clicking the pending changes button again.

Cisco Deployment Progress
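As an added illustration (not part of the article), this is roughly what the two FDM rules above become in the underlying FTD configuration, together with a packet-tracer check you can run from the FTD CLI after deploying. The object and interface names follow the steps above; the IP addresses are constructed placeholders, and the exact CLI rendering is an assumption that may differ between FTD versions.

```cisco
! Added illustration, not from the article. Viewed on the FTD with
! "show running-config nat" and "show running-config access-list".
! 192.168.1.10 is a constructed placeholder for the internal web server.

object network Webserver-01
 host 192.168.1.10

! Manual (twice) NAT, written from the inside host's point of view.
! "static" is bidirectional: a packet arriving on the outside interface IP
! on port 80 is un-NATed to Webserver-01:80. This is why the FDM rule lists
! "inside" as the Original Packet source interface even though the flow of
! interest comes in from outside.
nat (inside,outside) source static Webserver-01 interface service HTTP HTTP

! Access control is evaluated against the real (post-un-NAT) destination,
! so the rule names the internal object, not the outside interface address.
! The trailing rule-id that FDM appends is omitted here.
access-list CSM_FW_ACL_ advanced permit tcp ifc outside any ifc inside object Webserver-01 eq www

! Verification after deployment. 198.51.100.7 is a constructed outside client
! and 203.0.113.1 is the constructed outside interface IP.
! Expect an UN-NAT phase translating to 192.168.1.10/80 and a final
! "Result: ALLOW".
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.1 80

! The same probe to a port the NAT rule and ACL do not cover should end in
! "Result: DROP", confirming that only HTTP is exposed through the forward.
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.1 22
```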

Author: PeteLong


  1. Hi Pete,

    I believe the NAT rule is incorrect, since you want to port forward from outside to inside, shouldn’t you invert the source and destination interface in the NAT rule? ACL seems to go against the logic of the NAT rule …

    Thank you

    • Hi, I tested it and it worked? I’ll leave your comment, in case there is a problem.

    • This is Cisco’s logic. His implementation works.

      It’s whatever is going inside Cisco’s product designers that does not. My assumption is that they want to make things as complicated as possible so you can get one of their expensive contracts or hire someone with a CCNA. Any other product out in the market has a very simple interface where there is no way you can confuse this information. But that is not the case with Cisco, of course.

  2. Hello,

    Many thanks for your tutorial! Have you an idea on how to use another IP available on the outside interface?

    eg. :
    outside : (your method uses the interface IP “”)
    If I want to forward a port from the IP to an inside IP?

    And to abuse a little : if you also know the method to dedicate an outside IP to an inside device.

    eg. :
    inside device : (use the outside IP “” for any outgoing traffic)

  3. What do I change if I want to take port 1225 and send it to an internal server port 225?

