https://community.cisco.com/t5/network-security/ftd-static-nat-question/m-p/3817432#M132547 <P>You can do it with two rules. They should be Manual NAT ("NAT Rules Before") and not Auto NAT. The source port should be "any" since a client will use a random ephemeral port.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="FTD Port Forward Multiple Ports with Manual NAT.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/31712i335F2FE06A74AF1D/image-size/large?v=v2&amp;px=999" role="button" title="FTD Port Forward Multiple Ports with Manual NAT.PNG" alt="FTD Port Forward Multiple Ports with Manual NAT.PNG" /></span></P> <P>Also remember to allow the traffic with an ACL. You can use the group for that to keep it simple.</P> <P>Here's the running-config, the first two lines reflect your NAT use case:</P> <PRE>&gt; show running-config nat nat (Outside-Home,Inside-Lab) source static any any destination static Outside_interfrace Jump_server service SVC_158913793770 SVC_158913793770 nat (Outside-Home,Inside-Lab) source static any any destination static Outside_interfrace Jump_server service SVC_158913793771 SVC_158913793771 nat (Inside-Lab,Outside-Home) source static Lab_net Lab_net destination static VPN_Pool VPN_Pool description NAT Exemption nat (Inside-Lab,Outside-Home) source static Lab_net Lab_net destination static FTDv-2_DMZ FTDv-2_DMZ no-proxy-arp nat (Outside-Home,Inside-Lab) source static Condo_net Condo_net destination static Lab_net Lab_net ! object network Lab_net nat (Inside-Lab,Outside-Home) dynamic interface &gt; </PRE> <P>&nbsp;</P> Mon, 11 Mar 2019 14:45:28 GMT Marvin Rhoads 2019-03-11T14:45:28Z https://community.cisco.com/t5/network-security/ftd-static-nat-question/m-p/3816634#M132544 <P>There's a good chance I'm doing this wrong, but when I try to forward more than one port on my FTD box, it gives me the following error:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 621px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/31635iB91ADA858D5C0D2B/image-dimensions/621x316?v=v2" width="621" height="316" role="button" title="image.png" alt="image.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/31636i6F1FB66143CC3AD0/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> <P>Here's the current rule in CLI:</P> <P>&nbsp;</P> <P>nat (LAN-Side,ISP-Side) static interface service tcp ssh ssh<BR /><BR /></P> <P>Any idea why it won't let me add another PAT entry?</P> Sat, 09 Mar 2019 01:17:31 GMT https://community.cisco.com/t5/network-security/ftd-static-nat-question/m-p/3816634#M132544 Scott_22 2019-03-09T01:17:31Z https://community.cisco.com/t5/network-security/ftd-static-nat-question/m-p/3816651#M132545 <P>Make the services (ports) you want to allow part of a service group (via Object Management) and then use that group in the (single) NAT rule.</P> Sat, 09 Mar 2019 03:01:04 GMT https://community.cisco.com/t5/network-security/ftd-static-nat-question/m-p/3816651#M132545 Marvin Rhoads 2019-03-09T03:01:04Z https://community.cisco.com/t5/network-security/ftd-static-nat-question/m-p/3816808#M132546 <P>I attempted that by using the manual NAT entry, but continued having the same issue. See the error below after adding the object group.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 907px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/31648iFB18B0EB852D8B51/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> Sat, 09 Mar 2019 16:44:30 GMT https://community.cisco.com/t5/network-security/ftd-static-nat-question/m-p/3816808#M132546 Scott_22 2019-03-09T16:44:30Z https://community.cisco.com/t5/network-security/ftd-static-nat-question/m-p/3817432#M132547 <P>You can do it with two rules. They should be Manual NAT ("NAT Rules Before") and not Auto NAT. The source port should be "any" since a client will use a random ephemeral port.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="FTD Port Forward Multiple Ports with Manual NAT.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/31712i335F2FE06A74AF1D/image-size/large?v=v2&amp;px=999" role="button" title="FTD Port Forward Multiple Ports with Manual NAT.PNG" alt="FTD Port Forward Multiple Ports with Manual NAT.PNG" /></span></P> <P>Also remember to allow the traffic with an ACL. You can use the group for that to keep it simple.</P> <P>Here's the running-config, the first two lines reflect your NAT use case:</P> <PRE>&gt; show running-config nat nat (Outside-Home,Inside-Lab) source static any any destination static Outside_interfrace Jump_server service SVC_158913793770 SVC_158913793770 nat (Outside-Home,Inside-Lab) source static any any destination static Outside_interfrace Jump_server service SVC_158913793771 SVC_158913793771 nat (Inside-Lab,Outside-Home) source static Lab_net Lab_net destination static VPN_Pool VPN_Pool description NAT Exemption nat (Inside-Lab,Outside-Home) source static Lab_net Lab_net destination static FTDv-2_DMZ FTDv-2_DMZ no-proxy-arp nat (Outside-Home,Inside-Lab) source static Condo_net Condo_net destination static Lab_net Lab_net ! object network Lab_net nat (Inside-Lab,Outside-Home) dynamic interface &gt; </PRE> <P>&nbsp;</P> Mon, 11 Mar 2019 14:45:28 GMT https://community.cisco.com/t5/network-security/ftd-static-nat-question/m-p/3817432#M132547 Marvin Rhoads 2019-03-11T14:45:28Z https://community.cisco.com/t5/network-security/ftd-static-nat-question/m-p/3819586#M132548 <P>Thanks for your Marvin! I will give this a shot and let you know if it works.</P> Thu, 14 Mar 2019 14:26:22 GMT https://community.cisco.com/t5/network-security/ftd-static-nat-question/m-p/3819586#M132548 Scott_22 2019-03-14T14:26:22Z