Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1261
Views
0
Helpful
3
Replies

Firepower 2110: NAT necessary for traffic between DMZ-interfaces?

Go to solution
rherud
Level 1
Level 1

‎08-30-2019 03:15 AM - edited ‎02-21-2020 09:26 AM

Hello everybody,

 

I have a Firepower 2110 (Rel. 6.4.0.4) that has several DMZ-interfaces.

 

There is a special box (IP: 172.17.80.40/24) where just a default gateway
(172.17.80.254) can be configured, that is a DMZ-interface1. This box needs to
transfer traffic to a remote network that is reachable via the DMZ-interface2
(IP: 172.18.126.254).

 

My question is now: is necessary to configure NAT (and if yes, what type) on the
Firepower or is it sufficient to make a static routing entry and set an access
control list entry for this situation?

 

Every hint is welcome!

 

Thanks a lot!

 

 


Salut!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to rherud

‎09-01-2019 06:01 AM

NAT (or NAT exemption) is not required to communicate between interfaces.

It's only required when you need to translate addresses for whatever business or technical reasons external to the firewall itself.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
alex_dufresne
Level 1
Level 1

‎08-30-2019 05:59 AM

That entirely depends on your existing NAT configuration. 

 

If you don't want to NAT your traffic, you should configure a "no-NAT" rule for the relevant sources and destinations, and you should make sure that it gets hit before any more generic NAT rule. Using the packet tracer tool, you should be able to check if you need to add this.

0 Helpful

Go to solution
rherud
Level 1
Level 1
In response to alex_dufresne

‎08-31-2019 10:46 PM

Hi adufresneb,

 

thanks for the hint!


@everyone:

Even without the possibility of the packet tracer tool there is the quesition:
Do I need to use NAT (and if yes what kind) when transfering traffic between
the DMZ interfaces of the Firepower in the given situation?


Can someone answer this question?


Thanks a lot!


Salut!

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to rherud

‎09-01-2019 06:01 AM

NAT (or NAT exemption) is not required to communicate between interfaces.

It's only required when you need to translate addresses for whatever business or technical reasons external to the firewall itself.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card