1041 Views, 3 Helpful, 10 Replies

Cisco Firewall PAT

Anukalp S
Level 1

Hi,

Looking for your suggestion here..

I have a Cisco 3850 L3 switch with an ISP-provided /29 IP range; the switch is connected to an FTD firewall, where I need to do PAT with a free IP from the /29 range.

---------------------------------------------------------------------------

3850 (L3 switch):

vlan 10
!
interface GigabitEthernet1/1
 description 'connected to ISP'
 switchport access vlan 10
!
interface Vlan10
 description 'ISP IP subnet'
 ip address x.x.23.2 255.255.255.248
!
interface GigabitEthernet1/2
 description 'connected to Firewall Outside'
 switchport access vlan 10
!
! default route to the ISP gateway
ip route 0.0.0.0 0.0.0.0 x.x.23.1

----------------------------------------------------------------------------------

Firewall (FTD):

interface Ethernet1/1
 nameif Outside
 ip address x.x.23.3 255.255.255.248
!
! the post listed Ethernet1/1 twice; Ethernet1/2 is assumed for the Inside interface
interface Ethernet1/2
 nameif Inside
 ip address 172.16.10.1 255.255.255.0
!
object-group network LAN
 network-object 172.16.10.0 255.255.255.0
!
object-group network PAT
 network-object x.x.23.4 255.255.255.255
!
! the interface names in the nat statement must match the nameif values above
! (the post had IB-Inside,IB-Outside)
nat (Inside,Outside) source static LAN PAT
!
route Outside 0.0.0.0 0.0.0.0 x.x.23.2

----------------------------------------------------------------------------

My concern is: how would the switch know that the PAT IP x.x.23.4 is on the firewall side? Is there any config needed on the firewall for NAT to work properly?

2 Accepted Solutions

Marvin Rhoads
Hall of Fame

Just configure the switch to connect via a Layer 2 (switchport) interface to both the upstream ISP equipment and the FTD firewall. Then there is no need for NAT, PAT or even the VLAN 10 SVI on the switch. (manage it via the Gi0 mgmt interface which has its own VRF on a 3850).

Your firewall then default routes to the ISP address and the ISP sees the firewall as the source for all addresses in your /29 (apart from itself of course) that you are using for NAT or PAT.


You can make this work with the current subnet.
But as Marvin points out, there's no need to involve the L3 functionality on the 3850 unless you specifically want to.

With the current setup, you would need to:
#1 On the FTD, change the default route from x.x.23.2 to x.x.23.1 (since everyone is in vlan10, no need to route "to" the 3850)
#2 On the FTD, change the NAT to be a dynamic NAT, not static.

Regarding your original question: how does the switch (or in this case, the ISP) know that .4 is on the FTD?
The ISP (or the switch, if this were a different setup) would send an ARP request for x.x.23.4,
and because the firewall has NAT configured for x.x.23.4, it is going to respond to the ARP request with its own MAC address.
No additional config is needed.

---
Please mark helpful answers & solutions
---

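The two accepted answers above, put into one configuration example. This is an added example, not config from the thread or from Cisco; it keeps the poster's x.x.23.x placeholders and interface names, assumes Ethernet1/2 as the FTD Inside interface (the post listed Ethernet1/1 twice), and uses a constructed test destination in TEST-NET-3 for the packet-tracer check. Option A is Marvin's Layer 2 only switch; the FTD part applies to both answers (default route to the ISP gateway, dynamic PAT instead of static).

```cisco
! ===== Option A (Marvin's answer): 3850 as a pure Layer 2 path =====
! The ISP port and the FTD Outside port stay in VLAN 10; the SVI and the
! default route are removed, so the switch never has to know where
! x.x.23.4 lives. Manage the switch through the Gi0 management interface.
vlan 10
!
interface GigabitEthernet1/1
 description connected to ISP
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/2
 description connected to Firewall Outside
 switchport mode access
 switchport access vlan 10
!
no interface Vlan10
no ip route 0.0.0.0 0.0.0.0 x.x.23.1

! ===== FTD (both answers): default route to the ISP and dynamic PAT =====
! Shown in the ASA/LINA syntax the poster used; on FTD these objects and
! rules are pushed from FMC/FDM and appear this way in
! "show running-config nat". Ethernet1/2 as Inside is an assumption.
object-group network LAN
 network-object 172.16.10.0 255.255.255.0
!
object network PAT_IP
 host x.x.23.4
!
! Manual (twice) NAT, dynamic: with a single mapped host every LAN source
! is PATed to x.x.23.4 on a unique source port. The static rule in the
! post would try to map the whole /24 one-to-one onto one address.
nat (Inside,Outside) source dynamic LAN PAT_IP
!
! Next hop is the ISP gateway, not the 3850 SVI: every device sits in the
! same /29 on VLAN 10, so the firewall reaches x.x.23.1 directly.
no route Outside 0.0.0.0 0.0.0.0 x.x.23.2
route Outside 0.0.0.0 0.0.0.0 x.x.23.1 1
!
! ----- Verification from the FTD CLI -----
! Confirms the rule is installed as dynamic PAT and shows hit counts.
show nat detail
! The firewall answers ARP for the mapped address with its own MAC
! (proxy ARP), which is what lets the ISP gateway find x.x.23.4 with no
! route on the switch or at the ISP.
show arp
! Constructed test flow: a LAN host to 203.0.113.10 (TEST-NET-3) on
! TCP/443. The NAT phase of the output should show the source translated
! to x.x.23.4 and the egress interface as Outside.
packet-tracer input Inside tcp 172.16.10.50 40000 203.0.113.10 443
```

If the SVI is kept on the 3850 (the second answer's approach), nothing else changes on the switch: x.x.23.4 is in its directly connected /29, so it resolves the address through the same ARP reply and no static route for .4 is needed. Two things to check before trusting the proxy ARP behaviour the answer relies on: the NAT rule must not carry the no-proxy-arp option, and no other device on the /29 (including the ISP side) may already be using .4, since a duplicate address would produce intermittent ARP flapping rather than a clean failure.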

10 Replies

ip route 0.0.0.0 0.0.0.0 x.x.23.1 < To ISP Gateway> - this is wrong.

It must point to the Inside interface IP of the FTD; your L3 switch does not connect directly to the ISP, so you cannot use its IP in a static route.

MHM

Hi, ISP link is connected to 3850 switch indeed.

You have 

ISP-SW-FTD 

FTD config with NAT?

Is the user directly connected to the FTD, or is there another interface from the SW connected to the FTD?

Also, why is the FTD not directly connected to the ISP?

MHM

ISP-SW-FTD - Yes

FTD config with NAT? - Yes

Is the user directly connected to the FTD, or is there another interface from the SW connected to the FTD? - Another switch of users is connected to the FTD Inside.

Also, why is the FTD not directly connected to the ISP? - Due to some limitation, it cannot connect directly.

Check below solution 

MHM

Is there any other alternative with the current IP subnet?

Check below solution

MHM

The FTD cannot connect directly because of what?

Is it a fiber link issue, i.e. an L1 issue?

MHM
