https://community.cisco.com/t5/network-security/dynamic-pat-and-multiple-interfaces-using-same-zone/m-p/4080237#M1069900 <P>Hi</P><P>Routing would be my guess as well but it seems the destination is chosen from the first interface in the zone. The access is IPv4.&nbsp;</P><P>Below is a few configuration snippets and connection events from a working and non-working config</P><P>&nbsp;</P><P>&nbsp;</P><PRE><STRONG>Working setup where the destination subnet is part of a larger group of NAT excempt subnets</STRONG><BR />nat (any,any) after-auto source static GLO-InternalNets GLO-InternalNets destination static GLO-InternalNets GLO-InternalNets no-proxy-arp <STRONG>show connection</STRONG><BR />TCP FNB-OT_PAsystem 10.243.12.18:80 FNB-ClientNet 192.168.42.151:61271, idle 0:00:02, bytes 0, flags U N1 <STRONG>Non working setup where I've tried to tell the FMC/FTD to do a dynamic PAT. FNB-OT_PAsystem is the intended destination interface</STRONG> nat (FNB-ClientNet,FNB-OT_NauticAI) source dynamic FNB-ClientNet interface destination static FNB-OT_PAsystemNet FNB-OT_PAsystemNet nat (FNB-ClientNet,FNB-OT_Autoload) source dynamic FNB-ClientNet interface destination static FNB-OT_PAsystemNet FNB-OT_PAsystemNet nat (FNB-ClientNet,FNB-OT_HVAC) source dynamic FNB-ClientNet interface destination static FNB-OT_PAsystemNet FNB-OT_PAsystemNet nat (FNB-ClientNet,FNB-OT_PAsystem) source dynamic FNB-ClientNet interface destination static FNB-OT_PAsystemNet FNB-OT_PAsystemNet <STRONG>But the traffic is being sent to the interface FNB-OT_NauticAI which is in the same security zone but has a different subnet</STRONG> TCP FNB-ClientNet 10.89.3.1(192.168.42.151):61340 FNB-OT_NauticAI 10.243.12.18:80, idle 0:00:01, bytes 0, flags xaA N1 TCP FNB-ClientNet 10.89.3.1(192.168.42.151):61339 FNB-OT_NauticAI 10.243.12.18:80, idle 0:00:01, bytes 0, flags xaA N1</PRE><P>&nbsp;</P><P>/Fredrik</P> Wed, 06 May 2020 06:42:56 GMT hoffa2000 2020-05-06T06:42:56Z https://community.cisco.com/t5/network-security/dynamic-pat-and-multiple-interfaces-using-same-zone/m-p/4079555#M1069859 <P>Hi all</P><P>I realize I'm missing something and need some assistance. I have multiple "DMZ" interfaces sharing the same security zone, "DMZ" and I tried to make a manual Dynamic PAT rule for one of these traffic flows. I want traffic from the inside zone to be address translated when passing from inside to the "DMZ-2" interface.</P><P>I created the rule in FMC with the source zone and destination zone selected, original source I set to the inside source network, original destination to the DMZ-2 subnet, translated source to "Destination Interface IP" and Translated destination to "DMZ-2" subnet.</P><P>The thing is when I look at the connections in the FTD I see them being sent to another interface in the DMZ zone that has a totally different subnet. Am I missing something? Shouldn't me selecting the "original destination" be enough for the FTD to figure out which interface to send the traffic to even tough several interfaces are in the same zone?</P><P>&nbsp;</P><P>Regards</P><P>Fredrik</P> Tue, 05 May 2020 09:46:22 GMT https://community.cisco.com/t5/network-security/dynamic-pat-and-multiple-interfaces-using-same-zone/m-p/4079555#M1069859 hoffa2000 2020-05-05T09:46:22Z https://community.cisco.com/t5/network-security/dynamic-pat-and-multiple-interfaces-using-same-zone/m-p/4079622#M1069861 <P>Hi,</P><P>&nbsp;</P><P>Destination interface is selected based on the Routing purely,i am not sure how you are accessing this service.&nbsp; Are you accessing the destination via IP Address ?</P> Tue, 05 May 2020 11:19:24 GMT https://community.cisco.com/t5/network-security/dynamic-pat-and-multiple-interfaces-using-same-zone/m-p/4079622#M1069861 Muhammad Awais Khan 2020-05-05T11:19:24Z https://community.cisco.com/t5/network-security/dynamic-pat-and-multiple-interfaces-using-same-zone/m-p/4080237#M1069900 <P>Hi</P><P>Routing would be my guess as well but it seems the destination is chosen from the first interface in the zone. The access is IPv4.&nbsp;</P><P>Below is a few configuration snippets and connection events from a working and non-working config</P><P>&nbsp;</P><P>&nbsp;</P><PRE><STRONG>Working setup where the destination subnet is part of a larger group of NAT excempt subnets</STRONG><BR />nat (any,any) after-auto source static GLO-InternalNets GLO-InternalNets destination static GLO-InternalNets GLO-InternalNets no-proxy-arp <STRONG>show connection</STRONG><BR />TCP FNB-OT_PAsystem 10.243.12.18:80 FNB-ClientNet 192.168.42.151:61271, idle 0:00:02, bytes 0, flags U N1 <STRONG>Non working setup where I've tried to tell the FMC/FTD to do a dynamic PAT. FNB-OT_PAsystem is the intended destination interface</STRONG> nat (FNB-ClientNet,FNB-OT_NauticAI) source dynamic FNB-ClientNet interface destination static FNB-OT_PAsystemNet FNB-OT_PAsystemNet nat (FNB-ClientNet,FNB-OT_Autoload) source dynamic FNB-ClientNet interface destination static FNB-OT_PAsystemNet FNB-OT_PAsystemNet nat (FNB-ClientNet,FNB-OT_HVAC) source dynamic FNB-ClientNet interface destination static FNB-OT_PAsystemNet FNB-OT_PAsystemNet nat (FNB-ClientNet,FNB-OT_PAsystem) source dynamic FNB-ClientNet interface destination static FNB-OT_PAsystemNet FNB-OT_PAsystemNet <STRONG>But the traffic is being sent to the interface FNB-OT_NauticAI which is in the same security zone but has a different subnet</STRONG> TCP FNB-ClientNet 10.89.3.1(192.168.42.151):61340 FNB-OT_NauticAI 10.243.12.18:80, idle 0:00:01, bytes 0, flags xaA N1 TCP FNB-ClientNet 10.89.3.1(192.168.42.151):61339 FNB-OT_NauticAI 10.243.12.18:80, idle 0:00:01, bytes 0, flags xaA N1</PRE><P>&nbsp;</P><P>/Fredrik</P> Wed, 06 May 2020 06:42:56 GMT https://community.cisco.com/t5/network-security/dynamic-pat-and-multiple-interfaces-using-same-zone/m-p/4080237#M1069900 hoffa2000 2020-05-06T06:42:56Z