11-26-2020 10:49 AM
Good day,
I have two Firepower 1140 firewalls configured using FMC.
I am trying to set up a 1:1 NAT on it and I can't seem to get it working. We have a /28 subnet from our ISP that we are using.
I created a NAT with the following settings (this is just for testing purposes):
Manual NAT Rule (I tried auto as well)
Type: Static
Source Interface Object: any (tried the WAN interface object as well)
Destination Object: MGMT which is the sub-interface that the internal system is on
Translation - Original Source: - Gord-Test - object for my test machine on the MGMT network.
Original Source Port: RDP
Translated Source: Address - Test-Nat (WAN IP address I am using for the nat)
Translated Source Port: RDP
I am not sure what is wrong. Do I need to do something to make the WAN IP address available to the outside? When I try to do a tracert to that address it doesn't seem to find it.
11-26-2020 11:47 AM
Hi @gcook0001
Recreate as an Auto NAT Rule, example here:
This NATs the SERVER01 private IP address to the public IP address object NAT-1.1.1.11 for tcp/80.
HTH
11-26-2020 01:24 PM
I tried that setup previously but tried it again. SSMIC-MONITOR is an internal server listening on port 8095.
Orion is my WAN subnet, defined as 66.97.20.77/28.
Test-Nat is 66.97.20.72.
MGMT is the subnet that ssmic-monitor is located on.
When I check, I am not seeing any traffic hitting .72.
Is there something I need to do to make the upstream device see it?
11-26-2020 01:32 PM - edited 11-26-2020 01:33 PM
So what does your inbound firewall rule look like in the ACP?
You'd need to permit inbound to SSMIC-MONITOR object not the NAT object.
11-27-2020 07:38 AM
So I think I have figured out the issue. I had our ISP check, and it seems our production firewalls are claiming the IP address. So I probably have it configured properly; the traffic is just not getting to it.
Thanks for all the help
11-27-2020 01:16 PM
In addition to the NAT rules, you would need to allow the transit traffic to pass through the FTD appliance. One thing to keep in mind is that the FTD by default will proxy ARP for any IP address falling into the subnets in which its interfaces are configured. This means that if you have two firewalls on the same shared segment with their outside interfaces configured within the same subnet, they might fight to ARP-reply for the incoming requests, and this might disrupt the incoming traffic.
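A quick way to confirm the situation described in this thread (two firewalls on the same ISP segment both proxy-ARPing for the same public address) is to capture ARP replies on that segment and see how many different MACs answer for each IP. The script below is an added example, not code from the thread or from Cisco: it parses tcpdump's ARP reply lines and reports every IP that more than one MAC claims. The capture text is constructed for the example; it reuses the IPs the original poster named (66.97.20.72 and 66.97.20.77) and the MAC addresses are made up.

```python
"""Find IP addresses that more than one device answers ARP for.

Feed it tcpdump output captured on the shared ISP segment, for example
    tcpdump -nn -i eth0 'arp and arp[6:2] == 2'
(opcode 2 = ARP reply). A public IP that "is-at" two different MACs means two
devices, such as two firewalls proxy-ARPing the same /28, both claim it, and
inbound traffic for the NAT will land on whichever replied last.
"""
import re
from collections import defaultdict

# tcpdump prints replies as: "... ARP, Reply 66.97.20.72 is-at 00:1a:2b:3c:4d:01, length 28"
ARP_REPLY = re.compile(
    r"ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def arp_claims(lines):
    """Map each replied-for IP to the set of MACs that answered for it.

    Lines that are not ARP replies (requests, other traffic) are ignored.
    """
    claims = defaultdict(set)
    for line in lines:
        m = ARP_REPLY.search(line)
        if m:
            claims[m.group("ip")].add(m.group("mac").lower())
    return claims


def conflicting_ips(lines):
    """Return {ip: sorted list of MACs} for every IP answered by more than one MAC."""
    return {ip: sorted(macs) for ip, macs in arp_claims(lines).items() if len(macs) > 1}


# Constructed sample capture (not a real trace). Two different MACs answer for
# .72, the address the poster was trying to NAT; only one answers for .77.
SAMPLE_CAPTURE = """\
12:01:03.100001 ARP, Request who-has 66.97.20.72 tell 66.97.20.65, length 46
12:01:03.100812 ARP, Reply 66.97.20.72 is-at 00:1a:2b:3c:4d:01, length 28
12:01:03.101044 ARP, Reply 66.97.20.72 is-at 00:1a:2b:3c:4d:02, length 28
12:01:05.400211 ARP, Request who-has 66.97.20.77 tell 66.97.20.65, length 46
12:01:05.400903 ARP, Reply 66.97.20.77 is-at 00:1a:2b:3c:4d:02, length 28
""".splitlines()


if __name__ == "__main__":
    conflicts = conflicting_ips(SAMPLE_CAPTURE)
    if not conflicts:
        print("no IP is claimed by more than one device")
    for ip, macs in conflicts.items():
        print(f"{ip} is claimed by {len(macs)} devices: {', '.join(macs)}")
```

Run it against a live capture with `tcpdump -nn -i <iface> 'arp and arp[6:2] == 2' | python3 arp_conflicts.py` style piping after swapping SAMPLE_CAPTURE for `sys.stdin` (the filename is a placeholder). The wire-side check complements what you can see on the FTD itself: `packet-tracer input outside tcp <src-ip> <src-port> 66.97.20.72 8095` shows whether the NAT and access policy would accept the flow, but it cannot tell you that another box on the segment is answering the ARP first.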