topic Re: FMC-FTD NAT in Network Security

FMC-FTD NAT

Denis Negik — Fri, 08 Aug 2025 10:30:19 GMT

Good day. Remote FTD has a public IP. FMC is in another office and has an internal IP. I am trying to make a NAT translation of TCP port 8305 on FTD behind which FCM is located.

I created auto nat rule – static. InterfaceObjects: Source-any, Destination-outside. Translation: OriginalSource-local IP FMC, Port TCP 8305. Translated Packet: Destination Interface IP, Port 8305.

In ACL:

Source-Zone Inside, Network - public IP of remote FTD, port 8305.

Destination-Zone Outside, Network local ip FMC, port 8305

I cannot connect FTD with this configuration. Tell me where the error is.

Re: FMC-FTD NAT

MHM Cisco World — Fri, 08 Aug 2025 12:14:43 GMT

check below

MHM

Re: FMC-FTD NAT

Denis Negik — Fri, 08 Aug 2025 11:40:40 GMT

Change on remote FTD? There is no my script on the link. Or on FTD which is under FMC?

Re: FMC-FTD NAT

MHM Cisco World — Fri, 08 Aug 2025 12:14:26 GMT

check below

Re: FMC-FTD NAT

Denis Negik — Fri, 08 Aug 2025 11:42:16 GMT

I drew it as is

Re: FMC-FTD NAT

Rob Ingram — Fri, 08 Aug 2025 11:43:05 GMT

@Denis Negik the ACL you refer to is on the FTD in front of the FMC? The rule is for traffic from the remote FTD to the FMC which is on the inside of the FTD. In which case, surely the Source Zone should be OUTSIDE and destination should be INSIDE?

If you still have a problem run system support firewall-engine-debug apply a filter and generate traffic.

Re: FMC-FTD NAT

MHM Cisco World — Fri, 08 Aug 2025 12:23:05 GMT

You want to config FTD in which FMC is behind ? not remote FTD ?
if FTD in which FMC behind
1- you need prefilter config of ACL allow traffic between remote FTD and FMC bypass Snort inspect

2- and need to swapping zone, the traffic is initiate from outside

MHM

Re: FMC-FTD NAT

Denis Negik — Fri, 08 Aug 2025 12:21:23 GMT

system support firewall-engine-debug

after specifying all the data, nothing shows. Or does it not work via ssh? of course the problem remains

Re: FMC-FTD NAT

Rob Ingram — Fri, 08 Aug 2025 12:32:09 GMT

@Denis Negik are the zones correct though? Provide screenshot if you wish us to confirm.

You SSH to the FTD you've applied the firewall rule to (the FTD in front of the FMC), just filter on the source IP address and generate some traffic to generate some output.

Re: FMC-FTD NAT

Denis Negik — Fri, 08 Aug 2025 12:47:55 GMT

that's how it's set up

Re: FMC-FTD NAT

MHM Cisco World — Fri, 08 Aug 2025 12:58:13 GMT

FTD WAN remote IP ? that again confuse me
let make it more simple
FTD1-ISP-FTD2-FMC
in FMC2
you need to config NAT using FMC real IP and FTD2 WAN IP
confirm you do that ?

if Yes then from FMC access to FTD2 and use capture to see if FTD1 send traffic or not

Re: FMC-FTD NAT

Denis Negik — Fri, 08 Aug 2025 13:17:03 GMT

FTD WAN remote IP ? - public IP address of the FTD1 port manager according to the scheme FTD1-ISP-FTD2-FMC

Re: FMC-FTD NAT

MHM Cisco World — Fri, 08 Aug 2025 14:25:05 GMT

but FMC behind FTD2 and NAT config in FTD2 why you use FTD1 WAN IP in NAT config in FDT2?

that wrong

-FTD1 must config mgmt using FTD2 WAN IP

-FTD2 have ACL allow traffic between FTD1 and FMC

-FTD2 have NAT between FMC private IP and FTD2 WAN public IP

MHM

Re: FMC-FTD NAT

Denis Negik — Fri, 08 Aug 2025 14:18:19 GMT

I don't want to use wan port now. Is it a necessary condition? I assigned public ip for the manager port.

Re: FMC-FTD NAT

MHM Cisco World — Fri, 08 Aug 2025 14:23:54 GMT

Remember this for NAT

You want to use FTD2 public IP not FTD2 WAN port ?

If that your Q' yes you can use public IP of FTD2.

MHM

Re: FMC-FTD NAT

Denis Negik — Fri, 08 Aug 2025 14:45:55 GMT

What does FTD2 have to do with this? It feels like you're not talking to me. )) From which of my answers do you take this? You asked me about NAT. I made you screenshots and ACL. You didn't say anything about them at all. Is it configured correctly or not.

Re: FMC-FTD NAT

MHM Cisco World — Fri, 08 Aug 2025 14:49:50 GMT

this clear NOW