topic Re: Firepower 2130 - Current NAT rules failover check. in Network Security

Firepower 2130 - Current NAT rules failover check.

Mogwai — Wed, 09 Oct 2024 11:47:42 GMT

We have a Firepower 2130 that has all it's NAT rules/policies as being imported from our old ASA 5525. The ASA is still in production for a different purpose. While I can see the NAT rules on the Firepower, I can't edit them unless it's done on the ASA. That being said I'm unable to determine if the ASA were to go down would the NAT rules go down with it or are the NAT rules on the FP still locked in until the ASA would be restored?

Re: Firepower 2130 - Current NAT rules failover check.

Marvin Rhoads — Wed, 09 Oct 2024 13:57:31 GMT

It's unclear from your question how the 2130 is not currently receiving traffic but...

If traffic switches over to flow via your Firepower 2130, it would work pretty much the same as your ASA - assuming you migrated the configuration correctly.

Re: Firepower 2130 - Current NAT rules failover check.

Mogwai — Wed, 09 Oct 2024 14:09:24 GMT

I'm confused as I don't think that answers my concern... All I'm concerned about is if the ASA were to go down if the NAT rules on the FP will go down with them & where to check or confirm this?

Re: Firepower 2130 - Current NAT rules failover check.

MHM Cisco World — Wed, 09 Oct 2024 14:12:42 GMT

You run ASA on Firepower

So there is only one NAT' the NAT in lina of ASA

There is no NAT in firepower

MHM

Re: Firepower 2130 - Current NAT rules failover check.

Mogwai — Wed, 09 Oct 2024 14:18:26 GMT

We have both an ASA and a FP in our setup for separate purposes. Boh are physical devices. Only the NAT policies on the FP appear to be pulling from the ASA.

Re: Firepower 2130 - Current NAT rules failover check.

MHM Cisco World — Wed, 09 Oct 2024 14:24:42 GMT

Sorry again' how it pulling?

You use some kind of migrate tool?

MHM

Re: Firepower 2130 - Current NAT rules failover check.

Mogwai — Wed, 09 Oct 2024 14:42:22 GMT

Not sure, this was configured years before our team came in.

Re: Firepower 2130 - Current NAT rules failover check.

Marvin Rhoads — Wed, 09 Oct 2024 14:51:20 GMT

There is no such thing as a device running FTD actively "pulling" rules (NAT or otherwise) from an ASA.

ASA configuration can be migrated to FTD but that is a one time action using the separate migration tool.

Re: Firepower 2130 - Current NAT rules failover check.

Mogwai — Wed, 09 Oct 2024 15:13:37 GMT

Odd then, as this is what I'm running into.

On FMC

Devices > NAT > [Selected NAT Policy] > Can see the NAT rules, but unable to edit or modify them.

When I click on the pencil icon to edit the rule the option to enable/disable the rule is grey'd out. There is also a banner which states "Policy created from ASA with hostname *ASA*"

When I login to the ASA I can view & then subsequently edit the same rules.

Re: Firepower 2130 - Current NAT rules failover check.

Marvin Rhoads — Wed, 09 Oct 2024 17:02:11 GMT

If the NAT policy edit icon is greyed out, it would most likely be a user privilege level issue. The banner you mention is just a description field which one can optionally enter for a NAT or Access Control policy to provide additional information about it.

Are you logging in an admin user or username with admin level privilege?

Re: Firepower 2130 - Current NAT rules failover check.

Mogwai — Wed, 09 Oct 2024 18:56:53 GMT

Admin User & I can edit some of the rules, that I know I created locally on the FTD, just not any of the previously existing NAT rules that also on the ASA.