topic Re: firepower device manager NAT rule in Network Security

firepower device manager NAT rule

GordonKao6335 — Fri, 21 Feb 2020 17:19:16 GMT

I wanna configure a static NAT rule , from outside network (internet) to access inside switch (intranet)

using telnet protocol . pls see below my setting ,but NAT didn't work , kindly advise right setting .

inside switch IP : 192.168.101.211

firepower outside interface IP : 192.168.0.20

allow telnet protocol

Re: firepower device manager NAT rule

Marvin Rhoads — Sat, 20 Jul 2019 03:15:40 GMT

Make the NAT type static and source address "Any".

Also add an associated ACL allowing the incoming traffic.

I'm hoping this is only for lab/learning purpose - otherwise don't use telnet as it is insecure. Use ssh instead.

Re: firepower device manager NAT rule

GordonKao6335 — Mon, 22 Jul 2019 07:19:51 GMT

have done as you told me , but still no luck ,pls see my setting as attached ,

all I wanna is outside hosts can make a telnet connection from outside to inside switch using telnet port 23 ,

NAT rule translate Firepwer outside interface IP 192.168.0.20 to inside switch IP 192.168.101.211

I choose " auto NAT " , type : static ,

firewall outside interface ip: 192.168.0.20

firewall inside interface ip : 192.168.101.254

switch vlan ip 192.168.101.211

the connection scenario is :

outside host : 192.168.0.4 --> FPR2110 outside interface (192.168.0.20 ) --> FPR2110 inside interface (192.168.101.254)--> inside switch 192.168.101.211

Re: firepower device manager NAT rule

GordonKao6335 — Mon, 22 Jul 2019 11:07:34 GMT

while deploy NAT rule via firepower 2110 device manager console , I got the following error message

pls advise how to resolve the outside interface overlaps issue . tks .

22 July, 2019 Deployment failed User(Admin) Trigger deployment

ERROR: Address 140.110.141.117 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

Config Error -- nat (inside,outside) static Switch_Public_IP service tcp 23 23

Re: firepower device manager NAT rule

Marvin Rhoads — Tue, 23 Jul 2019 04:15:00 GMT

Make your NAT rule type manual NAT instead of AutoNAT. Make sure it is above the AutoNAT rules an ASA 5506 generally has for inside-outside.

Since you are using the outside interface address make the translated address "interface" instead of the IP address of the interface.

I just set it up using FDM on my lab ASA 5506 with FTD (using ssh instead of telnet as my test protocol).

Here what the confirmed working config looks like in the GUI:

ACL EntryNAT RuleObject definition