KB ID 0001680
Problem
You have a Cisco FTD device that you manage via FDM, and you would like to set up port forwarding. In the example below I will forward TCP port 80 (HTTP) traffic arriving on the outside interface of my FTD device (Firepower 1010) to an internal web server at 10.254.254.212
Solution (Step 1: Create an FTD NAT Policy)
Using a web browser connect to the FDM > Policies > NAT > Add.
Set the following options;
- Title: Give the NAT rule a title e.g. Webserver-01
- Create Rule for: Manual NAT
- Status: Enable
- Placement: Above a Specific Rule
- Rule: InsideOutsideNATRule
- Type: Static
- Original Packet: Source Interface: inside
- Original Packet: Source Address: Select ‘Create New Network’
In the Add new Network Object Window;
- Name: Name of the server/object you are port forwarding to e.g. Webserver-01
- Host: IP address of the server/object you are port forwarding to
- OK
Back at the NAT Rule Window;
- Source Address: Ensure it’s set to the object you just created
- Original Packet: Source Port: HTTP (or whatever port you wish to forward)
- Translated Packet: Destination Interface: outside
- Translated Packet: Source Address: Interface
- Translated Packet: Source Port: HTTP (or whatever port you wish to forward)
- OK.
Solution (Step 2: Create an FTD Access Control Policy Rule)
Policies > Access Control > Add.
Set the access rule as follows;
- Title: Give the access rule a title e.g. Webserver-Access
- Source Zone: outside_zone
- Source Networks: any-ipv4 (this exposes the server to every IPv4 address on the Internet; narrow it to a network object if only known source addresses need to reach it)
- Source Ports: ANY
- Destination Zone: inside_zone
- Destination Networks: The object you created (above). Access rules on FTD match on the real, untranslated address, so use the server object here rather than the outside interface address
- Destination Ports/Protocols: HTTP
- OK
You can expand the rule, and see a diagram version if you wish.
Pending Changes > Deploy Now.
Wait: the changes probably haven't deployed yet; you can check progress by clicking the pending changes button again.
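As an added cross-check, not part of the original article, this is roughly what the two steps above produce in the underlying ASA-style (LINA) configuration once deployed, followed by the FTD CLI commands I would use to verify the forward actually works. The object names (Webserver-01, HTTP-src), the outside interface address (203.0.113.5) and the test client address (198.51.100.20) are assumptions for illustration; FDM generates its own object names, so compare against your own show running-config output rather than copying these literally.

```cisco
! --- Equivalent LINA configuration (illustrative; FDM generates its own object names) ---
object network Webserver-01
 host 10.254.254.212
!
! Manual NAT translates the SOURCE port in the inside->outside direction,
! so the service object must use the "source" keyword.
object service HTTP-src
 service tcp source eq www
!
! Static manual NAT: real 10.254.254.212:80 <-> outside interface address:80.
! Static rules are bidirectional, so inbound connections to the outside
! address on TCP/80 are un-translated to the web server.
nat (inside,outside) source static Webserver-01 interface service HTTP-src HTTP-src

! --- Verification from the FTD CLI (> prompt) after deployment ---
! Confirm the rule was deployed and watch its counters
! (translate_hits / untranslate_hits) increase as you test.
show running-config nat
show nat

! Simulate an inbound client (198.51.100.20, assumed) hitting the outside
! interface address (203.0.113.5, assumed) on TCP/80. Look for an UN-NAT phase
! mapping 203.0.113.5 -> 10.254.254.212 and a final "Action: allow".
packet-tracer input outside tcp 198.51.100.20 40000 203.0.113.5 80

! Confirm that a port you did NOT forward is still dropped.
packet-tracer input outside tcp 198.51.100.20 40000 203.0.113.5 443
```

If packet-tracer shows the packet dropped at the access-list phase, the access rule from Step 2 is not matching; the usual cause is a destination network set to the outside interface address instead of the server object (the real address). Once both tracers behave as expected, a final check from a host on the Internet such as curl -I http://203.0.113.5/ should return the internal web server's response headers.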
Related Articles, References, Credits, or External Links
NA