06-20-2019 08:10 PM - edited 02-21-2020 09:14 AM
Hi Guys,
Another NAT-related question. I have a need to do some funky translations from our DMZ to the inside of our network for our migration. Below is the topology for the lab environment that I'm testing this stuff on; the red line indicates the path of translation. Below the image are the NAT rule and ACP rule I have created to make it happen, and at the very bottom is the actual question I have... if you make it that far :-)
Topology
NAT Rule
ACP Rule
What needs to happen is a full NAT, source and destination translation:
A web call from Ubuntu-2 in the DMZ_Zone (172.16.1.100) destined for IP 172.16.1.200 is to have the source translated to 10.30.0.100 and the destination to 10.20.20.100 (Inside_Zone).
Now don't ask me why; it's an application that cannot be changed. This configuration is a product of a dual-layer Check Point firewall architecture they had years ago. I can't change the way the app works; this unfortunately is the requirement at migration time.
The Question
The question is about NAT rule position, and about what matches in a NAT rule, because if I have this rule in the number 1 position as per below... everything works; if I move it to position 2, it does not... why?
Thanks so much for your help. If you need anything clarified let me know and I'll provide.
07-08-2019 11:33 PM - edited 07-08-2019 11:34 PM
When NAT rule "nat (DMZ,Outside) source static HOST_172.16.1.100 HOST_192.168.114.200" is in the first position, FTD is doing source translation 172.16.1.100 > 192.168.114.200 and using the Outside interface as the egress interface based on route lookup.
When you use the NAT rule "nat (DMZ,Inside) source static HOST_172.16.1.100 HOST_10.30.0.100 destination static HOST_172.16.1.200 HOST_10.20.20.100", FTD is performing twice NAT: 172.16.1.100 to itself and 10.30.0.100 to 10.20.20.100. Since there is a destination NAT involved, the egress interface is taken from NAT, i.e. the Inside interface in this case, and the routing table is not consulted for egress interface determination:
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (DMZ,Inside) source static HOST_172.16.1.100 HOST_10.30.0.100 destination static HOST_172.16.1.200 HOST_10.20.20.100
Additional Information:
NAT divert to egress interface Inside <----------------Here.
Untranslate 172.16.1.200/0 to 10.20.20.100/0
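A constructed first-match model of what the accepted answer describes (an added example, not code from the thread or from Cisco): the source-only rule matches on source address alone, so in position 1 it claims the flow and egress is decided by a route lookup, while the twice NAT rule carries a destination translation and supplies its own egress interface. The routing table and the matching logic are simplifying assumptions for the lab topology.

```python
# Constructed first-match model of NAT rule ordering; not FTD's actual code.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class NatRule:
    src_if: str                      # ingress (real) interface
    dst_if: str                      # egress (mapped) interface named in the rule
    real_src: str
    mapped_src: str
    real_dst: Optional[str] = None   # None means a source-only rule
    mapped_dst: Optional[str] = None


# The two rules from the thread, as objects.
OUTSIDE_RULE = NatRule("DMZ", "Outside", "172.16.1.100", "192.168.114.200")
TWICE_RULE = NatRule("DMZ", "Inside", "172.16.1.100", "10.30.0.100",
                     "172.16.1.200", "10.20.20.100")

# Constructed routing table (assumption): only the inside subnet is known,
# everything else falls to a default route towards Outside.
ROUTES = {"10.20.20.0": "Inside"}


def route_lookup(ip: str) -> str:
    """Toy /24 lookup with a default route to Outside."""
    net = ".".join(ip.split(".")[:3]) + ".0"
    return ROUTES.get(net, "Outside")


def translate(rules: List[NatRule], ingress: str, src: str,
              dst: str) -> Tuple[str, str, str, str]:
    """First-match evaluation. Returns (kind, new_src, new_dst, egress_if)."""
    for r in rules:
        if r.src_if != ingress or r.real_src != src:
            continue
        if r.real_dst is None:
            # Source-only rule: matches on source alone, so it wins even for
            # traffic meant for the inside host; egress comes from route lookup.
            return "source-only", r.mapped_src, dst, route_lookup(dst)
        if r.real_dst != dst:
            continue
        # Twice NAT with a destination translation: egress is taken from the
        # rule itself ("NAT divert to egress interface"), not from routing.
        return "twice-nat", r.mapped_src, r.mapped_dst, r.dst_if
    return "no-nat", src, dst, route_lookup(dst)


if __name__ == "__main__":
    pkt = ("DMZ", "172.16.1.100", "172.16.1.200")
    print("outside rule first:", translate([OUTSIDE_RULE, TWICE_RULE], *pkt))
    print("twice NAT first:   ", translate([TWICE_RULE, OUTSIDE_RULE], *pkt))
```

Swapping the list order reproduces the symptom from the thread: with the source-only rule first the flow leaves via Outside with only its source rewritten, and with the twice NAT rule first it is diverted to Inside with both addresses rewritten.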
06-27-2019 07:08 PM
Hi Francesco,
No, I did not clear the xlate table; this is all done in the GUI, not the command line.
Disabling the below rule as you suggested seems to have fixed the issue, yay!
I suppose my question is now... why? This (now disabled) rule published the 192.168.114.200 address on the outside interface and allowed me to access the web server running on 172.16.1.100 from the outside.
Thoughts?
Once again, I truly appreciate the help you are giving me; it's a big knowledge shift from other vendors to Cisco for NGFW.