Lots of NAT rules have to migrate to FMC

Roy Lee — Fri, 21 Feb 2020 16:25:51 GMT

Hi All,

I have nearly hundred of Static NAT mapping need to migrate to FTD (FMC).

Because those NAT are one to one mapping, i have to create hundred of NAT rule in FMC?

It's not difficult in ASA, but for FMC, I have to create hundred of objects and rules.....

Any better way to handle this?

Thanks,

Roy

Re: Lots of NAT rules have to migrate to FMC

matty-boy — Fri, 02 Nov 2018 15:16:39 GMT

Hello Roy,

If you're running 6.2.3 you can use the FMC REST API to create NAT rules (https://www.cisco.com/c/en/us/td/docs/security/firepower/623/relnotes/Firepower_Release_Notes_623/new_features_and_changed_behavior.html#reference_mmb_fzg_lbb).

I've not tried the API for NAT specifically but I've played with it a little bit recently.

Start by looking at the API explorer for your FMC. You'll need to globally enable the API first in the FMC (System>Configuration>REST API Preference>Enable REST API) and make sure your user has the appropriate privs then browse to https://<YOUR_FMC_IP>/api/api-explorer

You can manually use this directly to DELETE, PUT (modify existing), POST (create new) or GET various records.

You can then go on to write scripts to automate the process. I managed to get something up and running fairly easily.

See my other post here for an example Python script: https://community.cisco.com/t5/firepower/my-python-script-to-query-fmc-api-for-list-of-sensor-names-and/m-p/3737313

As far as I am aware the only options you have are to use the FMC GUI or learn how to use the REST API 😞

Alternatively you could use the ASA-->FTD migration tool to add a 'dummy' device?? This will add all the objects for you. Then delete the dummy device. You might need a spare physical FTD to do that though - not sure.

Best of luck and keep us posted on how you get on.

Cheers,

Matt.

topic Lots of NAT rules have to migrate to FMC in Network Security

Lots of NAT rules have to migrate to FMC

Re: Lots of NAT rules have to migrate to FMC