Firepower 2110: NAT necessary for traffic between DMZ-interfaces?

Hello everybody,

I have a Firepower 2110 (Rel. 6.4.0.4) that has several DMZ-interfaces.

There is a special box (IP: 172.17.80.40/24) where just a default gateway (172.17.80.254) can be configured, that is DMZ-interface1. This box needs to transfer traffic to a remote network that is reachable via DMZ-interface2 (IP: 172.18.126.254).

My question is now: is it necessary to configure NAT (and if yes, what type) on the Firepower, or is it sufficient to make a static routing entry and set an access control list entry for this situation?

Every hint is welcome!

Thanks a lot!

Salut!

Accepted Solution

Re: Firepower 2110: NAT necessary for traffic between DMZ-interfaces?

NAT (or NAT exemption) is not required to communicate between interfaces.

It's only required when you need to translate addresses for whatever business or technical reasons external to the firewall itself.

Re: Firepower 2110: NAT necessary for traffic between DMZ-interfaces?

That entirely depends on your existing NAT configuration.

If you don't want to NAT your traffic, you should configure a "no-NAT" rule for the relevant sources and destinations, and you should make sure that it gets hit before any more generic NAT rule. Using the packet tracer tool, you should be able to check if you need to add this.
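The "no-NAT" (identity NAT) rule, static route and packet-tracer check described in this reply, written out as an added illustration that is not part of the original post. It is shown in ASA-style CLI syntax as it appears in `show running-config nat` on FTD (on an FMC-managed 2110 the same rule is created in the NAT policy); the interface names dmz1/dmz2, the object names, and every `<...>` value are assumptions or placeholders, since the thread does not give the remote network or its next hop.

```text
! Objects for the two sides of the flow (object names are assumptions)
object network DMZ1_NET
 subnet 172.17.80.0 255.255.255.0
object network REMOTE_NET
 subnet <REMOTE_NET> <REMOTE_MASK>
! <REMOTE_NET>/<REMOTE_MASK> are placeholders: the thread does not state them

! Identity ("no-NAT") rule: DMZ1_NET stays DMZ1_NET when talking to REMOTE_NET,
! and REMOTE_NET stays REMOTE_NET on the way back.
! Manual NAT rules are evaluated top-down, so this must sit above any broader
! dynamic rule (e.g. a PAT-to-outside rule) that would otherwise match this flow.
nat (dmz1,dmz2) source static DMZ1_NET DMZ1_NET destination static REMOTE_NET REMOTE_NET no-proxy-arp route-lookup

! Static route so the remote network is reachable via DMZ-interface2
! (the next hop is a placeholder; the thread only gives the interface IP 172.18.126.254)
route dmz2 <REMOTE_NET> <REMOTE_MASK> <NEXT_HOP_ON_DMZ2> 1

! Verify from the FTD CLI: simulate a TCP packet from the box to a remote host.
! The output lists each phase (ROUTE-LOOKUP, ACCESS-LIST, NAT, ...) and the rule hit.
! With the rules above, the NAT phase should show the identity rule and an
! unchanged source address, and the final result should be "allow" if the
! access control policy permits the flow.
packet-tracer input dmz1 tcp 172.17.80.40 40000 <REMOTE_HOST> 443

! Confirm the NAT rule order and the route actually selected for the remote host
show running-config nat
show route <REMOTE_HOST>
```

If packet-tracer shows a different NAT rule being hit, or a translated source address, the identity rule is ordered below a more generic rule and needs to be moved up.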


Re: Firepower 2110: NAT necessary for traffic between DMZ-interfaces?

Hi adufresneb,

thanks for the hint!

@everyone:

Even without the possibility of the packet tracer tool there is the question: Do I need to use NAT (and if yes what kind) when transferring traffic between the DMZ interfaces of the Firepower in the given situation?

Can someone answer this question?

Thanks a lot!

Salut!
