Configure Cisco FTD Port Forwarding (via FDM)

KB ID 0001680

Problem

You have a Cisco FTD device that you manage via FDM, and you would like to set up port forwarding. In the example below I will forward TCP port 80 (HTTP) traffic arriving on the outside interface of my FTD device (Firepower 1010) to an internal web server on 10.254.254.212.

Solution (Step 1: Create an FTD NAT Policy)

Using a web browser, connect to the FDM and go to Policies > NAT > Add.

Set the following options:

  • Title: Give the NAT rule a title e.g. Webserver-01
  • Create Rule for: Manual NAT
  • Status: Enable
  • Placement: Above a Specific Rule
  • Rule: InsideOutsideNATRule
  • Type: Static
  • Original Packet: Source Interface: inside
  • Original Packet: Source Address: Select ‘Create New Network’

[Screenshot: Cisco FDM Port Forwarding]

In the Add New Network Object window:

  • Name: Name of the server/object you are port forwarding to e.g. Webserver-01
  • Host: IP address of the server/object you are port forwarding to
  • OK

[Screenshot: Cisco FDM Create Network Object]

Back at the NAT Rule window:

  • Original Packet: Source Address: Ensure it’s set to the object you just created
  • Original Packet: Source Port: HTTP (or whatever port you wish to forward)
  • Translated Packet: Destination Interface: outside
  • Translated Packet: Source Address: Interface
  • Translated Packet: Source Port: HTTP (or whatever port you wish to forward)
  • OK

[Screenshot: Cisco FDM Port Forward HTTP]

Solution (Step 2: Create an FTD Access Control Policy Rule)

Policies > Access Control > Add.

Set the access rule as follows:

  • Title: Give the access rule a title e.g. Webserver-Access
  • Source Zone: outside_zone
  • Source Networks: any-ipv4
  • Source Ports: ANY
  • Destination Zone: inside_zone
  • Destination Networks: The object you created (above)
  • Destination Ports/Protocols: HTTP
  • OK

[Screenshot: Cisco FDM Open a Port]

You can expand the rule, and see a diagram version if you wish.

[Screenshot: Cisco FDM Show ACL Diagram]

Pending Changes > Deploy Now.

[Screenshot: Cisco FDM Save and Deploy Changes]

Wait! The changes probably haven’t deployed yet; you can check progress by clicking the Pending Changes button again.

[Screenshot: Cisco Deployment Progress]
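As an added illustration (not from the original article or from Cisco), this is approximately what the two FDM steps above become on the FTD's underlying LINA engine, written in ASA-style syntax, together with the checks a practitioner would run after deploying. Object names follow the article; the outside interface IP and the external client address are placeholders, and the exact object names and rule IDs FDM generates may differ.

```text
! --- Step 1: the network object created from the NAT rule ---
object network Webserver-01
 host 10.254.254.212

! Service object for the forwarded port. In a manual NAT "source static"
! rule the service object describes the SOURCE port, because the rule
! translates the web server's own address/port as seen from inside.
object service HTTP
 service tcp source eq www

! --- Step 1: manual (twice) static NAT, placed ABOVE InsideOutsideNATRule ---
! Manual NAT rules are evaluated first-match, so this specific rule must sit
! above the general inside->outside dynamic PAT rule or it is never reached.
! Static NAT is bidirectional: the same rule that maps
!   10.254.254.212:80 -> <outside-interface-IP>:80   (outbound)
! also un-translates inbound connections
!   <outside-interface-IP>:80 -> 10.254.254.212:80   (inbound)
! which is why the rule is written from inside to outside yet still forwards
! traffic arriving on the outside interface.
nat (inside,outside) source static Webserver-01 interface service HTTP HTTP

! --- Step 2: the access control rule ---
! FDM compiles the Webserver-Access rule (outside_zone, any-ipv4 -> inside_zone,
! Webserver-01, HTTP) into the LINA access list at deploy time; the NAT rule
! alone does not permit the traffic, both pieces are required.

! --- Verification, from the FTD CLI: "system support diagnostic-cli" ---
! Confirm the manual NAT rule is present and its translate_hits / untranslate_hits
! counters increase as outside clients connect:
!   show nat detail
! Confirm the access control rule was deployed for the object:
!   show access-list | include Webserver-01
! Simulate an inbound connection from a constructed external client
! (198.51.100.10 is a documentation address, not a real host) and check that
! the UN-NAT phase shows 10.254.254.212 and the ACCESS-LIST phase allows it:
!   packet-tracer input outside tcp 198.51.100.10 40000 <outside-interface-IP> 80
```

If packet-tracer drops the flow in the NAT phase, the rule is almost always below the general InsideOutsideNATRule rather than above it; if it drops in the ACCESS-LIST phase, the access rule has not been deployed or references the wrong zone or object.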

Related Articles, References, Credits, or External Links

NA

Author: PeteLong

2 Comments

  1. Hi Pete,

    I believe the NAT rule is incorrect, since you want to port forward from outside to inside, shouldn’t you invert the source and destination interface in the NAT rule? The ACL seems to go against the logic of the NAT rule…

    Thank you

    • Hi, I tested it and it worked? I’ll leave your comment in case there is a problem.
