topic Re: Firepower NAT confusion in Network Security

Firepower NAT confusion

Warren Sullivan - Corp — Fri, 21 Feb 2020 17:12:43 GMT

Hi All,

I'm currently writing a migration document to move from SOPHOS UTM to Firepower and i'm getting a little confused with Firepower NAT.

Lets say i want to configure what i used to call a "masquerading" rule (NAT Overload or PAT)

I create a Dynamic Auto NAT Rule, select the original source of the traffic to be translated, all good

If i want to set the translated source to the outgoing physical interface, i set "translated source" to "Destination Interface IP"

If i want to hardset a different single IP on the outside i can configure a host object and select it there also....but;

What if i want to select a pool of addresses? It seems i can do that two ways?

In the "Translated Source" field below, i can set a range of addresses....isn't that essentially what happens on the next Tab? PAT Pool?

Are they essentially the same thing? (with a couple more options under PAT Pool)

Thanks in advance guys and gals 😉

Re: Firepower NAT confusion

Sheraz.Salim — Wed, 12 Jun 2019 08:17:50 GMT

Firepower NAT and ASA NAT is the same. if you understand the ASA NAT you could easily do Firepower NAT too.

here is the link would help you what you want to acheive.

https://community.cisco.com/t5/security-documents/asa-nat-8-3-nat-operation-and-configuration-format-cli/ta-p/3143050

Re: Firepower NAT confusion

Warren Sullivan - Corp — Thu, 13 Jun 2019 04:50:11 GMT

Thanks for the link Sheraz,

Unfortunately, it doesn't really help me or answer my questions, as i am not familiar with ASA or Firepower NAT, i have worked with PA, Fortigate and Sophos NAT but not Cisco, i'm a Cisco route/switch guy after a quick explanation if possible, i would have thought it was a fairly easy question for someone who is familiar with the Firepower GUI...

Thanks again

Re: Firepower NAT confusion

Marvin Rhoads — Thu, 13 Jun 2019 14:34:16 GMT

The configuration in your original post's screenshot is not PAT. It will dynamically assign the source addresses 1-1 NAT entries as long as there are addresses available in the pool or translated addresses. As the FMC Configuration Guide notes, "Many-to-few or many-to-one NAT is not PAT."

Using the PAT Pool tab will allow you to configure dynamic PAT in a many-many scenario such as you describe. The PAT will use the IPs in the pool sequentially - when the available source ports are exhausted for one address it will move on to the next available one, for all of the tcp connections or udp flows through the firewall.

Re: Firepower NAT confusion

Warren Sullivan - Corp — Fri, 14 Jun 2019 00:15:40 GMT

Thanks so much Marvin, this answered my question perfectly!

Re: Firepower NAT confusion

Warren Sullivan - Corp — Fri, 14 Jun 2019 00:30:28 GMT

Hi Marvin,

Just one last question, for this conversation anyway 🙂

I now understand the 1:1 nature of the pool defined under "Translated Packet"but;

Is the below PAT?

Re: Firepower NAT confusion

Marvin Rhoads — Fri, 14 Jun 2019 02:34:27 GMT

Yes, I believe that one will be PAT. It's a bit confusing/misleading how they reflect it in the GUI.