topic Re: STATIC NAT/PAT Using on firepower 2130 using FDM in Network Security

STATIC NAT/PAT Using on firepower 2130 using FDM

cm — Fri, 25 Feb 2022 19:02:10 GMT

inside 192.168.1.1/24------FTD-----Outside -71.x.x.2/24 ------71.x.x.1 (Gw)

Mail - 192.168.1.2 -----------------71.x.x.3/24(Public)
ns2 - 192.168.1.3 -----------------71.x.x.4/24(Public)
www - 192.168.1.4 -----------------71.x.x.5/24(Public)

I m having challenge recreating this Scenario. I Wish to Protect Servers using Firepower
I m using FDM to configure. I have tried Setting the above but having issues.
I have setup Auto-Nat(2) to go out and working ok. I have configured STATIC NAT (1) above
auto-nat for the My servers. I can see the translations are ok on FTD from inside to Out ... Show conn
The problem is when I m coming from the Internet ... I can not ping the servers... what am I doing wrong.
the Ip address are all active ...

Re: STATIC NAT/PAT Using on firepower 2130 using FDM

Rob Ingram — Fri, 25 Feb 2022 19:05:09 GMT

@cm hard to tell without seeing your configuration.

Please provide screenshot of your NAT rules and the ACP rule that permits the inbound icmp.

You could also run packet-tracer from the CLI to simulate the traffic flow, provide the output for review.

Re: STATIC NAT/PAT Using on firepower 2130 using FDM

cm — Fri, 25 Feb 2022 20:18:31 GMT

Please check

Re: STATIC NAT/PAT Using on firepower 2130 using FDM

Rob Ingram — Fri, 25 Feb 2022 20:28:40 GMT

@cm you don't have an inbound rule from the internet, you've only got one outbound rule from inside to outside.

Re: STATIC NAT/PAT Using on firepower 2130 using FDM

cm — Fri, 25 Feb 2022 20:45:26 GMT

@Rob Ingram is the inbound for ACP or NAT

Re: STATIC NAT/PAT Using on firepower 2130 using FDM

Rob Ingram — Fri, 25 Feb 2022 20:49:02 GMT

@cm you need to permit the inbound traffic in the ACP (Access Control Policy), you obviously need this in addition to the static nat rule to translate the traffic from public to private IP address.