11-15-2024 06:48 AM
Hi. Is it possible to use an FQDN in a manual NAT rule?
The aim is to permit inside IPs to an outside cloud domain and NAT to a specific public IP.
The ACL works with an FQDN object containing a URL. The URL is resolved in DNS and the traffic flow is allowed.
The NAT would look like this:
internal IPs group public IP object (NAT IP) FQDN object FQDN object
nat (any,outside) source dynamic MAIL-RELAY-SOURCE mail.protection.outlook.com-NAT destination static mail.protection.outlook.com mail.protection.outlook.com
When building the NAT in FMC it won't accept the FQDN object in the Original Destination field. It will accept it in the Translated Destination field.
11-15-2024 08:03 AM
AFAIK, FQDNs are not supported in NAT rules.
11-15-2024 08:45 AM
https://www.youtube.com/watch?v=ABIuSzUQPwE
Try adding an object instead of using the FQDN directly under NAT.
11-18-2024 01:26 AM
In the video he's using a host object in the original destination. As my original destination is a cloud-based IP, it needs to be an FQDN in order to look up the destination IP. The FMC will not even show an FQDN object to select in the original destination field. I tried to add the FQDN object to an object group, but the FMC throws an error and won't apply it.
Looks like I'll have to do an object group with manual IP entries. Not great in today's cloud world.
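As an added example (not from this thread, and not Cisco's own tooling), one way to live with the IP-based object group the thread arrives at: a small Python script that reads the hosts currently in an ASA/FTD-style `object-group network` block, compares them with a DNS answer for the cloud FQDN, and emits only the delta as `network-object host` / `no network-object host` lines. The group name MAIL-RELAY-DST, the sample config, the RFC 5737 documentation addresses and the stand-in resolver are all constructed for this example; in real use you would inject a wrapper around socket.getaddrinfo, and on an FMC-managed FTD you would apply the change to the group object in FMC (UI or REST API) rather than paste CLI, since FMC owns the device configuration.

```python
import ipaddress
from typing import Callable, Iterable

# Constructed sample: the object group as it exists on the device today.
# Addresses are RFC 5737 documentation ranges, not real cloud IPs.
CURRENT_CONFIG = """\
object-group network MAIL-RELAY-DST
 network-object host 192.0.2.10
 network-object host 192.0.2.11
object-group network OTHER-GROUP
 network-object host 203.0.113.5
"""


def parse_object_group(config: str, group_name: str) -> set[str]:
    """Return the 'network-object host' entries of one object-group block."""
    hosts: set[str] = set()
    in_group = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object-group network "):
            in_group = line.split()[2] == group_name
        elif in_group and line.startswith("network-object host "):
            hosts.add(line.split()[2])
        elif in_group and raw and not raw[0].isspace():
            in_group = False  # any other top-level command ends the block
    return hosts


def resolve_fqdn(fqdn: str, resolver: Callable[[str], Iterable[str]]) -> set[str]:
    """Resolve via an injected resolver and keep only syntactically valid addresses."""
    valid: set[str] = set()
    for addr in resolver(fqdn):
        try:
            valid.add(str(ipaddress.ip_address(addr)))
        except ValueError:
            continue  # discard malformed answers instead of pushing them to the box
    return valid


def _ip_sort_key(addr: str):
    ip = ipaddress.ip_address(addr)
    return (ip.version, ip)


def render_sync(group_name: str, configured: set[str], resolved: set[str]) -> list[str]:
    """CLI delta that makes the group match the current DNS answer."""
    if not resolved:
        # A failed or empty lookup must never wipe the group (that would break the
        # NAT rule silently); leave it untouched and let the caller alert instead.
        return []
    to_add = sorted(resolved - configured, key=_ip_sort_key)
    to_remove = sorted(configured - resolved, key=_ip_sort_key)
    if not to_add and not to_remove:
        return []
    lines = [f"object-group network {group_name}"]
    lines += [f" network-object host {a}" for a in to_add]
    lines += [f" no network-object host {a}" for a in to_remove]
    return lines


def fake_resolver(fqdn: str) -> list[str]:
    """Constructed stand-in for DNS: one old address gone, one new one, one bad answer."""
    return ["192.0.2.11", "198.51.100.7", "not-an-ip"]


def sync_group(config: str = CURRENT_CONFIG, group: str = "MAIL-RELAY-DST",
               fqdn: str = "mail.protection.outlook.com",
               resolver: Callable[[str], Iterable[str]] = fake_resolver) -> list[str]:
    """End-to-end: parse the live group, resolve the FQDN, return the delta lines."""
    return render_sync(group, parse_object_group(config, group), resolve_fqdn(fqdn, resolver))


if __name__ == "__main__":
    print("\n".join(sync_group()))
```

Two caveats worth keeping in mind when running something like this on a schedule: large cloud services often return only a subset of their addresses per query and rotate them, so one lookup is not the whole address set (query repeatedly, or use the provider's published IP ranges, and only remove entries after they have been absent for several rounds); and every generated delta should go through the normal change process, not straight to the device.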
11-18-2024 01:45 AM
If this is manual 1:1 NAT, you can flip the interfaces; in this case the source will be the destination and hence you can use an FQDN.
Thanks
MHM