1:1 NAT

gcook0001, Level 1

Good day,

I have two Firepower 1140 firewalls configured using FMC.

I am trying to set up a 1:1 NAT on it and I can't seem to get it working. We have a /28 subnet from our ISP that we are using.

I created a NAT rule with the following settings (this is just for testing purposes):

Manual NAT Rule (I tried auto as well)

Type: Static

Source Interface Object: any (tried the WAN interface object as well)

Destination Object: MGMT which is the sub-interface that the internal system is on

Translation, Original Source: Gord-Test (object for my test machine on the MGMT network)

Original Source Port: RDP

Translated Source: Address - Test-Nat (WAN IP address I am using for the NAT)

Translated Source Port: RDP

I am not sure what is wrong. Do I need to do something to make the WAN IP address available to the outside? When I try to do a tracert to that address it doesn't seem to find it.


5 Replies

Hi @gcook0001,

Recreate as an Auto NAT Rule, example here:

[Image: static nat.PNG]

This NATs the SERVER01 private IP address to the public IP address object NAT-1.1.1.11 for tcp/80.

HTH

[Image: Capture.JPG]

I tried that setup previously, but tried it again. SSMIC-MONITOR is an internal server listening on port 8095.

Orion is my WAN subnet, defined as 66.97.20.77/28.

Test-nat is 66.97.20.72.

MGMT is the subnet that ssmic-monitor is located on.

When I check, I am not seeing any traffic hitting .72.

Is there something I need to do to make the upstream device see it?

So what does your inbound firewall rule look like in the ACP?

You'd need to permit inbound to the SSMIC-MONITOR object, not the NAT object.

gcook0001, Level 1

So I think I have figured out the issue. I had our ISP check, and it seems our production firewalls are claiming the IP address. So I probably have it configured properly; the traffic is just not getting to it.

Thanks for all the help

In addition to the NAT rules, you would need to allow the transit traffic to pass through the FTD appliance. One thing to keep in mind is that the FTD by default would proxy ARP for any IP address falling into the subnets where its interfaces are configured. This means if you have two firewalls on the same shared segment with the outside interfaces configured within the same subnet, they might fight to ARP-reply for the incoming requests, and this might disrupt the incoming traffic.
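As an added example (not part of this thread and not Cisco code), here is a small Python model of the inbound path the replies describe: which appliance on the shared WAN segment answers ARP for the public address, the static un-NAT of the destination, and the access-control check that is evaluated against the real inside object rather than the NAT object. The addresses reused from the thread are Orion 66.97.20.77/28 (read here as the outside interface address), Test-nat 66.97.20.72 and port 8095; the SSMIC-MONITOR private address 10.0.50.10, the production firewall's 66.97.20.78/28 address, the firewall names and the stale mapping on the production pair are all constructed. The proxy-ARP behaviour is narrowed to statically mapped addresses inside the outside subnet, which is a modelling assumption, not a statement about the product.

```python
"""Added example, not from the thread: a toy model of an inbound connection to a
1:1 static NAT address on a shared WAN segment. It reproduces the three failure
points the replies raise: two appliances answering ARP for the same public IP,
no matching static NAT for the destination, and an access-control rule written
against the NAT object instead of the real inside object. Values marked
'constructed' are assumptions of this example."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, ip_address, ip_interface


@dataclass(frozen=True)
class StaticNat:
    """One 1:1 static NAT entry with a service (port) restriction."""
    name: str
    real_ip: IPv4Address    # inside host address (e.g. SSMIC-MONITOR)
    mapped_ip: IPv4Address  # public address object (e.g. Test-nat)
    proto: str
    port: int


@dataclass
class Firewall:
    name: str
    outside: IPv4Interface  # outside interface address with prefix length
    nats: list[StaticNat] = field(default_factory=list)
    # Access-control policy reduced to permitted (destination, proto, port) tuples.
    acp_permits: set[tuple[IPv4Address, str, int]] = field(default_factory=set)

    def claims(self, ip: IPv4Address) -> bool:
        """Would this appliance answer ARP for ip on the outside segment?
        Modelling assumption: its own interface address plus any statically
        mapped address that falls inside the outside interface's subnet."""
        if ip == self.outside.ip:
            return True
        return any(n.mapped_ip == ip and ip in self.outside.network for n in self.nats)

    def untranslate(self, dst_ip: IPv4Address, proto: str, port: int) -> IPv4Address | None:
        """Static NAT un-translation of the destination, done before the ACP check."""
        for n in self.nats:
            if n.mapped_ip == dst_ip and n.proto == proto and n.port == port:
                return n.real_ip
        return None

    def permits(self, real_ip: IPv4Address, proto: str, port: int) -> bool:
        """ACP rules are matched against the real (un-NATed) destination."""
        return (real_ip, proto, port) in self.acp_permits


def arp_owners(firewalls: list[Firewall], ip: IPv4Address) -> list[str]:
    """Names of every appliance that would answer ARP for ip."""
    return [fw.name for fw in firewalls if fw.claims(ip)]


def inbound_verdict(firewalls: list[Firewall], dst: str, proto: str, port: int) -> str:
    """Trace one inbound packet to dst:port and report where it ends up."""
    dst_ip = ip_address(dst)
    owners = arp_owners(firewalls, dst_ip)
    if len(owners) != 1:
        # Zero owners: nobody answers ARP and the traffic never arrives. Two or
        # more: the appliances race to reply, the situation the last reply describes.
        return "arp-conflict:" + (",".join(owners) or "none")
    fw = next(f for f in firewalls if f.name == owners[0])
    real = fw.untranslate(dst_ip, proto, port)
    if real is None:
        return f"{fw.name}:no-nat"
    if not fw.permits(real, proto, port):
        return f"{fw.name}:acp-deny"
    return f"{fw.name}:forward-to-{real}"


def build_lab(acp_on_nat_object: bool = False, prod_claims_test_nat: bool = False) -> list[Firewall]:
    """Two appliances on the ISP /28 from the thread (66.97.20.64/28)."""
    monitor = ip_address("10.0.50.10")    # constructed private IP for SSMIC-MONITOR
    test_nat = ip_address("66.97.20.72")  # Test-nat from the thread
    ftd = Firewall("FTD-1140", ip_interface("66.97.20.77/28"))  # Orion, read as the outside address
    ftd.nats.append(StaticNat("SSMIC-MONITOR", monitor, test_nat, "tcp", 8095))
    # The ACP rule should name the real object; the wrong variant names the NAT object.
    ftd.acp_permits.add(((test_nat if acp_on_nat_object else monitor), "tcp", 8095))
    prod = Firewall("PROD-FW", ip_interface("66.97.20.78/28"))  # constructed production firewall
    if prod_claims_test_nat:
        # A leftover static NAT on the production pair also maps .72 (constructed).
        prod.nats.append(StaticNat("stale-mapping", ip_address("10.9.9.9"), test_nat, "tcp", 8095))
    return [ftd, prod]


if __name__ == "__main__":
    for label, lab in [("correct", build_lab()),
                       ("acp on NAT object", build_lab(acp_on_nat_object=True)),
                       ("prod also claims .72", build_lab(prod_claims_test_nat=True))]:
        print(f"{label:>22}: {inbound_verdict(lab, '66.97.20.72', 'tcp', 8095)}")
```

Running the three scenarios shows the correct setup forwarding to the inside host, the ACP-on-NAT-object variant being dropped by the access policy even though the NAT itself matches, and the shared-segment variant failing before either NAT or ACP is consulted, which is the outcome the thread ended on.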