08-30-2019 03:15 AM - edited 02-21-2020 09:26 AM
Hello everybody,
I have a Firepower 2110 (Rel. 6.4.0.4) that has several DMZ-interfaces.
There is a special box (IP: 172.17.80.40/24) where just a default gateway
(172.17.80.254) can be configured, that is a DMZ-interface1. This box needs to
transfer traffic to a remote network that is reachable via the DMZ-interface2
(IP: 172.18.126.254).
My question is now: is it necessary to configure NAT (and if yes, what type) on the
Firepower, or is it sufficient to make a static routing entry and set an access
control list entry for this situation?
Every hint is welcome!
Thanks a lot!
Salut!
08-30-2019 05:59 AM
That entirely depends on your existing NAT configuration.
If you don't want to NAT your traffic, you should configure a "no-NAT" rule for the relevant sources and destinations, and you should make sure that it gets hit before any more generic NAT rule. Using the packet tracer tool, you should be able to check if you need to add this.
08-31-2019 10:46 PM
Hi adufresneb,
thanks for the hint!
@everyone:
Even without the possibility of the packet tracer tool there is the question:
Do I need to use NAT (and if yes what kind) when transferring traffic between
the DMZ interfaces of the Firepower in the given situation?
Can someone answer this question?
Thanks a lot!
Salut!
09-01-2019 06:01 AM
NAT (or NAT exemption) is not required to communicate between interfaces.
It's only required when you need to translate addresses for whatever business or technical reasons external to the firewall itself.
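To make the two answers above concrete, here is an added example (not from either poster, and not the asker's actual configuration) of the three pieces in ASA-style CLI syntax: the static route and access rule that are actually required, the identity (no-NAT) rule that is only needed if a more generic NAT rule would otherwise catch the flow, and the packet-tracer check. Interface names DMZ1/DMZ2, the remote network 192.0.2.0/24 and its next hop 172.18.126.1 are assumed placeholders; on an FMC-managed FTD the same objects, route, access rule and NAT rule are created in the FMC policies and rendered in this form, while packet-tracer is run from the FTD CLI.

```cisco
! Objects for the DMZ1 box and the remote network behind DMZ2
! (192.0.2.0/24 and next hop 172.18.126.1 are placeholders, not values from the thread)
object network obj-dmz-box
 host 172.17.80.40
object network obj-remote-net
 subnet 192.0.2.0 255.255.255.0
!
! 1. Static route: the remote network is reached through DMZ2.
!    Without a route the firewall has no path, regardless of NAT.
route DMZ2 192.0.2.0 255.255.255.0 172.18.126.1 1
!
! 2. Access control: permit only the flow the box really needs (HTTPS assumed here).
access-list DMZ1_in extended permit tcp object obj-dmz-box object obj-remote-net eq 443
access-group DMZ1_in in interface DMZ1
!
! 3. NAT is NOT required for DMZ1 -> DMZ2 by itself. An identity rule is only needed
!    if an existing, more generic rule (e.g. dynamic PAT with source interface DMZ1
!    or "any" and destination interface "any") would match this flow. If so, place
!    this rule ABOVE it so the real addresses are kept in both directions.
nat (DMZ1,DMZ2) source static obj-dmz-box obj-dmz-box destination static obj-remote-net obj-remote-net no-proxy-arp route-lookup
!
! 4. Verify from the FTD CLI: the NAT, ACCESS-LIST and ROUTE-LOOKUP phases of the
!    output show which rules the flow hits and whether any translation is applied.
packet-tracer input DMZ1 tcp 172.17.80.40 40000 192.0.2.10 443
```

If packet-tracer already shows the flow allowed with an untranslated source and the correct egress interface DMZ2, step 3 can be left out entirely.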