03-08-2019 05:17 PM
There's a good chance I'm doing this wrong, but when I try to forward more than one port on my FTD box, it gives me the following error:
Here's the current rule in CLI:
nat (LAN-Side,ISP-Side) static interface service tcp ssh ssh
Any idea why it won't let me add another PAT entry?
03-08-2019 07:01 PM
Make the services (ports) you want to allow part of a service group (via Object Management) and then use that group in the (single) NAT rule.
03-09-2019 08:44 AM
I attempted that by using the manual NAT entry, but continued having the same issue. See the error below after adding the object group.
03-11-2019 07:45 AM
You can do it with two rules. They should be Manual NAT ("NAT Rules Before") and not Auto NAT. The source port should be "any" since a client will use a random ephemeral port.
Also remember to allow the traffic with an ACL. You can use the group for that to keep it simple.
Here's the running-config, the first two lines reflect your NAT use case:
> show running-config nat
nat (Outside-Home,Inside-Lab) source static any any destination static Outside_interfrace Jump_server service SVC_158913793770 SVC_158913793770
nat (Outside-Home,Inside-Lab) source static any any destination static Outside_interfrace Jump_server service SVC_158913793771 SVC_158913793771
nat (Inside-Lab,Outside-Home) source static Lab_net Lab_net destination static VPN_Pool VPN_Pool description NAT Exemption
nat (Inside-Lab,Outside-Home) source static Lab_net Lab_net destination static FTDv-2_DMZ FTDv-2_DMZ no-proxy-arp
nat (Outside-Home,Inside-Lab) source static Condo_net Condo_net destination static Lab_net Lab_net
!
object network Lab_net
 nat (Inside-Lab,Outside-Home) dynamic interface
>
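As an added example (not from the thread or from Cisco), here is a small Python parser for twice-NAT lines in the "show running-config nat" format shown above; it lists which internal hosts are reachable from any outside source and through which service objects, a handy audit once several one-service-per-rule port forwards accumulate. The sample config is constructed from the rules in the thread; the parse is an assumption about the syntax, not a Cisco tool.

```python
import re
from collections import defaultdict

# Constructed sample in "show running-config nat" form (ASA/FTD twice-NAT syntax),
# modelled on the rules posted in the thread above.
SAMPLE_NAT_CONFIG = """\
nat (Outside-Home,Inside-Lab) source static any any destination static Outside_interfrace Jump_server service SVC_158913793770 SVC_158913793770
nat (Outside-Home,Inside-Lab) source static any any destination static Outside_interfrace Jump_server service SVC_158913793771 SVC_158913793771
nat (Inside-Lab,Outside-Home) source static Lab_net Lab_net destination static VPN_Pool VPN_Pool description NAT Exemption
nat (Inside-Lab,Outside-Home) source static Lab_net Lab_net destination static FTDv-2_DMZ FTDv-2_DMZ no-proxy-arp
"""

# One twice-NAT line: "source static <real> <mapped>", optional
# "destination static <mapped> <real>" and optional "service <real> <mapped>".
NAT_LINE = re.compile(
    r"^nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\)"
    r" source static (?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?: destination static (?P<dst_mapped>\S+) (?P<dst_real>\S+))?"
    r"(?: service (?P<svc_real>\S+) (?P<svc_mapped>\S+))?"
)


def parse_nat_rules(config_text):
    """Return one dict per twice-NAT line; non-matching lines are ignored."""
    rules = []
    for line in config_text.splitlines():
        m = NAT_LINE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def inbound_port_forwards(rules):
    """Map each exposed internal host to the service objects reachable from any source.

    A rule counts as a port forward when the source is "any", the destination
    is translated to a different real object, and a service clause is present.
    """
    exposed = defaultdict(list)
    for r in rules:
        if r["src_real"] == "any" and r["dst_real"] and r["svc_real"]:
            if r["dst_mapped"] != r["dst_real"]:
                exposed[r["dst_real"]].append(r["svc_real"])
    return dict(exposed)


if __name__ == "__main__":
    for host, svcs in inbound_port_forwards(parse_nat_rules(SAMPLE_NAT_CONFIG)).items():
        print(f"{host}: exposed via {', '.join(svcs)}")
```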
03-14-2019 07:26 AM
Thanks for your Marvin! I will give this a shot and let you know if it works.