https://community.cisco.com/t5/network-security/nat-exception-for-vpn-on-ftd/m-p/4062489#M1069025 <P>Hi,</P><P>&nbsp;</P><P>&nbsp; &nbsp; Your NAT configuration makes use of the "any" keyword for the destination interface object?</P><P>&nbsp;</P><P>Regards,</P><P>Cristian Matei.</P> Thu, 09 Apr 2020 07:55:04 GMT Cristian Matei 2020-04-09T07:55:04Z https://community.cisco.com/t5/network-security/nat-exception-for-vpn-on-ftd/m-p/3756586#M132686 <P>Hello, everyone. I nee clarification about one thing. We are using FTD devices on out corporate network for RA ans S2S VPNs. FTD has one interface for internet and one WAN interface leased from SP for 3rd Party companies. Currently we have one site-to-site vpn with another company. The problem is that IPsec configurations are okay but internal endpoint cannot see each other until i make NAT exception for them. I do know understand why i need exception when i do not have any other NAT configured on that WAN interface. Only lots of Exceptions. Other Internet NAT cons are facing other internet interface. Is there any point forcing me making exceptions for VPNs?</P> <P>&nbsp;</P> <P>thank in advance!</P> Tue, 12 Mar 2019 11:16:43 GMT https://community.cisco.com/t5/network-security/nat-exception-for-vpn-on-ftd/m-p/3756586#M132686 orkhan.rustamli.96 2019-03-12T11:16:43Z https://community.cisco.com/t5/network-security/nat-exception-for-vpn-on-ftd/m-p/3756658#M132688 <P>Hi,<BR />VPN traffic required NAT exception because you may be PAT your internal subnets or 0.0.0.0 to the internet facing interface for the internet access. so the traffic in initiating from the internal subnet is get natted to the PAT/NAT IP.</P> <P>&nbsp;</P> <P>For the VPN traffic you can create a NAT exception rule like below. For FTD go to FMC and create a rule like below</P> <P>nat(inside,wan) source&nbsp;static inside-subnet inside-subnet destination static remote-subnet remote-subnet<BR /><BR />HTH<BR />Abheesh</P> Mon, 03 Dec 2018 09:47:11 GMT https://community.cisco.com/t5/network-security/nat-exception-for-vpn-on-ftd/m-p/3756658#M132688 Abheesh Kumar 2018-12-03T09:47:11Z https://community.cisco.com/t5/network-security/nat-exception-for-vpn-on-ftd/m-p/3756752#M132690 <P>Hi orkhan,</P><P>&nbsp;</P><P>the concept of FTD natting and ASA natting is same.</P><P>as long as you understand the concept of ASA nat you should be fine with FTD only change is FTD is GUI.</P><P>&nbsp;</P><P>just create the object as</P><P>!</P><P>object network INSIDE</P><P>&nbsp;subnet 192.168.1.0 255.255.255.0</P><P>!</P><P>object network REMOTE-SIDE</P><P>&nbsp;subnet 172.16.1.0 255.255.255.0</P><P>!</P><P>nat(inside,outside) source&nbsp;static INSIDE INSIDE destination static REMTOE-SIDE REMOTE-SIDE no proxy arp</P><P>&nbsp;</P><P>&nbsp;</P><P>sorry the above sytax is for ASA but FTD must be a very similar in GUI.</P><P>&nbsp;</P><P>&nbsp;</P><P>thanks.</P> Mon, 03 Dec 2018 11:57:58 GMT https://community.cisco.com/t5/network-security/nat-exception-for-vpn-on-ftd/m-p/3756752#M132690 Sheraz.Salim 2018-12-03T11:57:58Z https://community.cisco.com/t5/network-security/nat-exception-for-vpn-on-ftd/m-p/4062489#M1069025 <P>Hi,</P><P>&nbsp;</P><P>&nbsp; &nbsp; Your NAT configuration makes use of the "any" keyword for the destination interface object?</P><P>&nbsp;</P><P>Regards,</P><P>Cristian Matei.</P> Thu, 09 Apr 2020 07:55:04 GMT https://community.cisco.com/t5/network-security/nat-exception-for-vpn-on-ftd/m-p/4062489#M1069025 Cristian Matei 2020-04-09T07:55:04Z