topic Re: Cisco Firewall PAT in Network Security

Cisco Firewall PAT

Anukalp S — Fri, 01 Aug 2025 14:40:54 GMT

Hi,

Looking for your suggestion here..

I have cisco internet 3850 L3 switch with ISP provided ip /29, switch is connected to FTD firewall where i need to do pat with free ip of /29 range.

---------------------------------------------------------------------------

3850#

vlan 10

int Gi1/1

switchport access vlan 10

description 'connected to ISP'

int vlan 10

ip address x.x.23.2 255.255.255.248

des ' ISP IP subnet'

int G1/2

description 'connected to Firewall Outside'

switchport access vlan 10

ip route 0.0.0.0 0.0.0.0 x.x.23.1 < To ISP Gateway>

----------------------------------------------------------------------------------

Firewall-

interface Ethernet1/1
nameif Outside

ip address x.x.23.3 255.255.255.248

interface Ethernet1/1
nameif Inside

ip address 172.16.10.1 255.255.255.0

object-group network LAN
network-object 172.16.10.0 255.255.255.0
!
object-group network PAT
network-object x.x.23.4 255.255.255.255

nat (IB-Inside,IB-Outside) source static LAN PAT

route Outside 0.0.0.0 0.0.0.0 x.x.23.2

----------------------------------------------------------------------------

My concern is ..how would switch know that PAT IP x.x.23.4 is on firewall side, is there any config need to do on firewall for nat to work properly.

Re: Cisco Firewall PAT

MHM Cisco World — Fri, 01 Aug 2025 14:45:31 GMT

ip route 0.0.0.0 0.0.0.0 x.x.23.1 < To ISP Gateway> this wrong

It must point to Inside Interface IP of FTD' your L3SW not connect directly to ISP to use it IP in static route

MHM

Re: Cisco Firewall PAT

Anukalp S — Fri, 01 Aug 2025 14:53:30 GMT

Hi, ISP link is connected to 3850 switch indeed.

Re: Cisco Firewall PAT

MHM Cisco World — Fri, 01 Aug 2025 14:58:58 GMT

You have

ISP-SW-FTD

FTD config with NAT?

The user is direct connect to FTD or there is another interface from SW connect to FTD?

Also why FTD not direct connect to ISP?

MHM

Re: Cisco Firewall PAT

Anukalp S — Fri, 01 Aug 2025 15:32:04 GMT

ISP-SW-FTD - Yes

FTD config with NAT? - Yes

The user is direct connect to FTD or there is another interface from SW connect to FTD? - another switch of users connected to FTD Inside.

Also why FTD not direct connect to ISP? - due to some limitation, cannot connect direct.

Re: Cisco Firewall PAT

MHM Cisco World — Sat, 02 Aug 2025 05:04:47 GMT

Check below solution

MHM

Re: Cisco Firewall PAT

Anukalp S — Fri, 01 Aug 2025 17:14:59 GMT

is there any other alternative with the current ip subnet ?

Re: Cisco Firewall PAT

MHM Cisco World — Sat, 02 Aug 2025 05:04:10 GMT

Check below solution

MHM

Re: Cisco Firewall PAT

Marvin Rhoads — Fri, 01 Aug 2025 17:59:55 GMT

Just configure the switch to connect via a Layer 2 (switchport) interface to both the upstream ISP equipment and the FTD firewall. Then there is no need for NAT, PAT or even the VLAN 10 SVI on the switch. (manage it via the Gi0 mgmt interface which has its own VRF on a 3850).

Your firewall then default routes to the ISP address and the ISP sees the firewall as the source for all addresses in your /29 (apart from itself of course) that you are using for NAT or PAT.

Re: Cisco Firewall PAT

MHM Cisco World — Fri, 01 Aug 2025 18:08:19 GMT

Ftd cannot direct connect because of ?

It fiber link issue? I.e. it L1 issue

MHM

Re: Cisco Firewall PAT

Jonatan Jonasson — Fri, 01 Aug 2025 21:05:11 GMT

You can make this work with the current subnet.
But as Marvin points out, there's no need to involve the L3 functionality on the 3850 unless you specifically want to.

With the current setup, you would need to:
#1 On the FTD, change the default route from x.x.23.2 to x.x.23.1 (since everyone is in vlan10, no need to route "to" the 3850)
#2 On the FTD, change the NAT to be a dynamic NAT, not static.

Regarding your original questions. How does the switch (or in this case, the ISP) know that .4 is on the FTD.
The ISP (or the switch if this was a different setup) would do an ARP request for x.x.23.4
And because the firewall has NAT configured for x.x.23.4, it's going to respond to the ARP request with its own MAC address.
No additional config is needed