https://community.cisco.com/t5/network-security/inside-to-outside-interface-ip-nat/m-p/4009233#M934223 <P>Hi Guys</P><P>LAN (inside) network - 192.168.10.0/24</P><P>WAN (outside)network - for eg 137.14.191.12/28</P><P>Device: Cisco Firepower 2100 series managed by vFMC</P><P>&nbsp;</P><P>I have around 15 servers residing inside the campus that needs to be opened for public. Each server has different outside ISP IP. For eg server one has&nbsp;137.14.191.15 DNAT to 10.11 , server two&nbsp;137.14.191.16 DNAT to 10.12 etc</P><P>&nbsp;</P><P>I did DNAT for servers from outside to inside. It is working perfect. When someone from outside public network access 137.14.191.15 they gets connected.</P><P>&nbsp;</P><P><STRONG>Issue is;</STRONG></P><P>When a LAN user (for eg 192.168.10.14) access&nbsp;137.14.191.15 it does not work. Any idea how to get both DNAT scenarios work ?</P><P>1. outside to&nbsp;137.14.191.15</P><P>2. inside to&nbsp;137.14.191.15</P><P>&nbsp;</P><P>when i add inside zone to source objects in DNAT, it works, but the server 10.11 looses internet connection.</P><P>NB: some might get confused why 192.168.10.xx not accessing servers using local IP. It is a specific requirement.</P><P>&nbsp;</P><P>Any help appreciated please.</P> Fri, 21 Feb 2020 17:49:30 GMT manvik 2020-02-21T17:49:30Z https://community.cisco.com/t5/network-security/inside-to-outside-interface-ip-nat/m-p/4009233#M934223 <P>Hi Guys</P><P>LAN (inside) network - 192.168.10.0/24</P><P>WAN (outside)network - for eg 137.14.191.12/28</P><P>Device: Cisco Firepower 2100 series managed by vFMC</P><P>&nbsp;</P><P>I have around 15 servers residing inside the campus that needs to be opened for public. Each server has different outside ISP IP. For eg server one has&nbsp;137.14.191.15 DNAT to 10.11 , server two&nbsp;137.14.191.16 DNAT to 10.12 etc</P><P>&nbsp;</P><P>I did DNAT for servers from outside to inside. It is working perfect. When someone from outside public network access 137.14.191.15 they gets connected.</P><P>&nbsp;</P><P><STRONG>Issue is;</STRONG></P><P>When a LAN user (for eg 192.168.10.14) access&nbsp;137.14.191.15 it does not work. Any idea how to get both DNAT scenarios work ?</P><P>1. outside to&nbsp;137.14.191.15</P><P>2. inside to&nbsp;137.14.191.15</P><P>&nbsp;</P><P>when i add inside zone to source objects in DNAT, it works, but the server 10.11 looses internet connection.</P><P>NB: some might get confused why 192.168.10.xx not accessing servers using local IP. It is a specific requirement.</P><P>&nbsp;</P><P>Any help appreciated please.</P> Fri, 21 Feb 2020 17:49:30 GMT https://community.cisco.com/t5/network-security/inside-to-outside-interface-ip-nat/m-p/4009233#M934223 manvik 2020-02-21T17:49:30Z https://community.cisco.com/t5/network-security/inside-to-outside-interface-ip-nat/m-p/4009235#M934332 <P>You cannot make the traffic hairpin through the FTD appliance in the way you ask. Traffic would have to actually leave the egress interface (outside) and come back in for the NAT translation to be applied to the flow.</P> Fri, 10 Jan 2020 05:53:34 GMT https://community.cisco.com/t5/network-security/inside-to-outside-interface-ip-nat/m-p/4009235#M934332 Marvin Rhoads 2020-01-10T05:53:34Z https://community.cisco.com/t5/network-security/inside-to-outside-interface-ip-nat/m-p/4009263#M934333 <P>Hi Marvin,</P><P>I was expecting this reply. The scenario you mentioned will work and i got it worked. Issue was NATed local IP will not get internet in this case.</P><P>137.14.191.15 DNAT to 10.11</P><P>192.168.10.14 access 137.14.191.15. It works, but no internet for 10.11</P><P>&nbsp;</P><P>This is a very common scenario and can easily be done in other OEM firewalls.</P> Fri, 10 Jan 2020 07:19:33 GMT https://community.cisco.com/t5/network-security/inside-to-outside-interface-ip-nat/m-p/4009263#M934333 manvik 2020-01-10T07:19:33Z