topic Re: Static NAT for FTD? in Network Security

Static NAT for FTD?

andrew.er.brown — Wed, 01 Nov 2017 15:58:54 GMT

Hey everyone,

I have been attempting to find documentation that shows how to create a static 1:1 NAT statement in FTD for a server that needs to be accessible on the Internet.

The only documentation I can find talks about how NAT works in FTD but does not give a step by step procedure of how to do so in the FMC.

For example, in my lab, I have a web server that needs to be accessible on port 80.

Private IP address: 192.168.254.3

Public IP address: 10.13.1.3

Port opening: TCP/80

Does anyone have a cut and dry method for doing this?

Re: Static NAT for FTD?

Pranay Prasoon — Wed, 01 Nov 2017 16:31:55 GMT

Below link has all the procedure of how you can create NAT

https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/Network_Address_Translation__NAT__for_Threat_Defense.pdf

Re: Static NAT for FTD?

andrew.er.brown — Sun, 05 Nov 2017 20:26:48 GMT

Pranay, thanks for your response, however this is the part of the document that creates confusion;

Configure the basic rule options:

• Source Interface, Destination Interface—(Required for bridge group member interfaces.) The interfaces where this NAT rule applies. Source is the real interface, the one through which the traffic enters the device. Destination is the mapped interface, the one through which traffic exits the device. By default, the rule applies to all interfaces (Any) except for bridge group member interface.

Here inlines the problem. In an ASA, the "real interface" would typically be the "inside interface" where the actual host with the private IP address resides. However, it describes the "real interface" as "one through which the traffic enters the device."

For a publicly accessible server I would expect my unsolicited traffic would be entering from the "outside" or "mapped interface"

thoughts?

Re: Static NAT for FTD?

Pranay Prasoon — Mon, 06 Nov 2017 07:42:12 GMT

Hi Andrew,

In my opinion both you and the document is correct. NAT is always configured from the perspective of where the host resides. See in below example

(Inside)

Server A ---------- FTD

(192.168.75.14) | (DMZ)

Host B (192.168.76.14)

Host B wants to access the server on IP 192.168.76.100

The rule that I will create is on firepower is

firepower# show run nat

nat (inside,dmz) source static Host-A Host-B

Where the object is

firepower# show run object

object network Host-A

host 192.168.75.14

object network Host-B

host 192.168.76.100

So on firepower while creating the rule,the source interface is "inside" and destination interface is "dmz". However this is because if we assume that traffic is bidirectional then traffic going from inside to DMZ is source NAT and in this case source interface is inside and destination is DMZ. If we reverse the traffic then it is destination NAT (destination address is translating) which we need in case of servers. But the rule that we created is from inside perspective.

Thanks

Pranay