Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3695
Views
0
Helpful
3
Replies

Nat exception for VPN on FTD

orkhan.rustamli.96
Level 1
Level 1

‎12-02-2018 10:44 PM - edited ‎03-12-2019 04:16 AM

Hello, everyone. I nee clarification about one thing. We are using FTD devices on out corporate network for RA ans S2S VPNs. FTD has one interface for internet and one WAN interface leased from SP for 3rd Party companies. Currently we have one site-to-site vpn with another company. The problem is that IPsec configurations are okay but internal endpoint cannot see each other until i make NAT exception for them. I do know understand why i need exception when i do not have any other NAT configured on that WAN interface. Only lots of Exceptions. Other Internet NAT cons are facing other internet interface. Is there any point forcing me making exceptions for VPNs?

 

thank in advance!

Labels:
0 Helpful
3 Replies 3

Abheesh Kumar
VIP Alumni
VIP Alumni

‎12-03-2018 01:42 AM - edited ‎12-03-2018 01:47 AM

Hi,
VPN traffic required NAT exception because you may be PAT your internal subnets or 0.0.0.0 to the internet facing interface for the internet access. so the traffic in initiating from the internal subnet is get natted to the PAT/NAT IP.

 

For the VPN traffic you can create a NAT exception rule like below. For FTD go to FMC and create a rule like below

nat(inside,wan) source static inside-subnet inside-subnet destination static remote-subnet remote-subnet

HTH
Abheesh

0 Helpful

Sheraz.Salim
VIP
VIP

‎12-03-2018 03:57 AM

Hi orkhan,

 

the concept of FTD natting and ASA natting is same.

as long as you understand the concept of ASA nat you should be fine with FTD only change is FTD is GUI.

 

just create the object as

!

object network INSIDE

 subnet 192.168.1.0 255.255.255.0

!

object network REMOTE-SIDE

 subnet 172.16.1.0 255.255.255.0

!

nat(inside,outside) source static INSIDE INSIDE destination static REMTOE-SIDE REMOTE-SIDE no proxy arp

 

 

sorry the above sytax is for ASA but FTD must be a very similar in GUI.

 

 

thanks.

please do not forget to rate.
0 Helpful

Cristian Matei
VIP Alumni
VIP Alumni

‎04-09-2020 12:55 AM

Hi,

 

    Your NAT configuration makes use of the "any" keyword for the destination interface object?

 

Regards,

Cristian Matei.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card