07-08-2019 01:00 PM
2130 HA pair running 6.4.0.1.
I am setting up outgoing NAT/PAT. There are several internal interfaces with their own private subnets. My intent is to IP masquerade all outgoing connections from internal private subnet A to a pool of public IPs on my external interface using a PAT pool without round robin.
I configured the first internal subnet to do Auto dynamic NAT with the interface object defined for source and destination and set the Translated Object to be "Address" and put in the IP address of the external interface. By setting it to "Address" versus "Destination interface IP" it enabled the checkbox to enable a PAT pool.
However, when I go to save the config it errors out with this text:
"Translated Source or Original Destination network IP address cannot overlap with Interface Ip address IP address overlap configurations observed for following interface configurations : Interface Object [outside] having interfaces [outside] of device FTDv1 Specify Interface Object or specify an alternate IP address for Network Translation"
This is puzzling since of course the Translated address needs to be defined on a firewall interface, right?
I found this KB article referencing 6.3.0, which seems to indicate it is a bug, but it still doesn't work in 6.4.0.1:
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvo68820
The only way I could get any sort of NAT to work was to do Auto Dynamic and not choose Address for the Translated field but use "Destination interface IP". But then PAT Pool is greyed out!
So at this point, all I can do is set up multiple rules that define the internal source private subnets/interfaces to NAT to the single external interface IP.
But what I want is the following:
Internal Private Subnet A --> PAT pool of public IPs on the external interface public /23 subnet: X.X.X.1-X.X.X.4
Internal Private Subnet B --> NAT/PAT to a different public IP on the external interface public /23: X.X.X.5
Internal Private Subnet C --> NAT/PAT to a different public IP on the external interface public /23: X.X.X.6
Appreciate any insights
07-08-2019 01:41 PM
I think I may have figured this out. Here is what I did:
On the Translation tab, I set the Translated Packet to "Address" but then just left it blank. Then I went to the PAT Pool tab, set PAT to Address and selected an Object with a range of sequential public IPs.
Is that the solution?
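For reference, this is the ASA-style NAT configuration that FTD deploys for the layout described in the thread, written here as an added example and not the poster's own config. Interface names (insideA/insideB/insideC/outside), the 10.x.0.0/24 inside subnets and the object names are assumptions; the public addresses use the thread's X.X.X.n placeholders.

```text
! Constructed example: inside subnets and interface names are assumptions
object network INSIDE-A
 subnet 10.1.0.0 255.255.255.0
object network INSIDE-B
 subnet 10.2.0.0 255.255.255.0
object network INSIDE-C
 subnet 10.3.0.0 255.255.255.0
!
! Sequential public range used as the PAT pool for subnet A. Without the
! round-robin keyword, ports on X.X.X.1 are exhausted before X.X.X.2 is used.
object network PAT-POOL-A
 range X.X.X.1 X.X.X.4
!
! Auto (object) NAT for subnet A: the mapped address is the PAT pool object,
! not the outside interface address, so it does not overlap the interface IP
! that FMC complains about when the interface address is typed in directly.
object network INSIDE-A
 nat (insideA,outside) dynamic pat-pool PAT-POOL-A
!
! Subnets B and C: dynamic PAT to one dedicated public address each
! (an inline host IP after "dynamic" is PAT, not one-to-one dynamic NAT).
object network INSIDE-B
 nat (insideB,outside) dynamic X.X.X.5
object network INSIDE-C
 nat (insideC,outside) dynamic X.X.X.6
!
! Verification after deploy, from the FTD CLI:
!   show nat detail    - per-rule translate/untranslate hit counts
!   show xlate         - live translations, confirms which pool IP/port is in use
```

After deploying from FMC, `show running-config nat` on the FTD CLI shows the rules FMC actually generated, which is the quickest way to confirm the GUI settings map to the intended pool.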