Solved: Re: Cisco FTD NAT rules

noxiosus · ‎06-22-2021

Dear colleagues,

on Cisco FTD it is a bit tricky to implement NAT-rules, please help me to understand how to do this.

I attached the picture. Here we have two sites, connected via ISP. On each site we have Cisco FTD and server. Servers should initiate a session between them with the private IPs. So the packet from Server 1 will be originated with src IP 192.168.1.2 and dst IP 192.168.2.2, similar on the Server 2 src IP 192.168.2.2 dst IP 192.168.1.2. 192.168/16 networks are not routed in the cloud. So I think to do like that: when FTD1 receives packet from the Server-1, it should change dst IP to 10.1.2.3 (free, unassigned IP address from the prefix on the outside interface of FTD2), keep src IP as 192.168.1.2 and send to the cloud, cloud sends it to the FTD2. FTD2 should again change dst IP from 10.1.2.3 to 192.168.2.2 and send to Server-2. The same should happen on on the reverse path: Server 2 sends packet with src IP 192.168.2.2 dst IP 192.168.1.2 to FTD2, FTD2 changes dst IP from 192.168.1.2 to 10.1.1.3, keeps the source IP as 192.168.2.2 and sends to the cloud, cloud sends to the FTD1, FTD1 changes dst ip from 10.1.1.3 to 192.168.1.2 and sends to the Server 1.

Kindly advise, which rules should work here?

Rob Ingram · ‎06-22-2021

@noxiosus

You'll need to translate the source and destination.

I've provided the ASA syntax example below, which should be easy enough to translate to FTD NAT configuration.

nat (INSIDE,OUTSIDE) source static <ORIGINAL SRC> <TRANSLATED SRC> destination static <ORIGINAL DST> <TRANSLATED DST>

ORIGINAL src=192.168.1.2

TRANSLATED src=10.1.1.3

ORIGINAL DST = 192.168.2.2

TRANSLATED DST = 10.1.2.3

The example above is for FTD1, you'll need to mirror this configuration on the other FTD, swapping the src and dst accordingly.

View solution in original post

Sheraz.Salim · ‎06-22-2021

This is a good start for you. kind of think what you want

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/211275-Configuration-Example-of-ASA-VPN-with-Ov.html

please do not forget to rate.

Rob Ingram · ‎06-22-2021

@noxiosus

You'll need to translate the source and destination.

I've provided the ASA syntax example below, which should be easy enough to translate to FTD NAT configuration.

nat (INSIDE,OUTSIDE) source static <ORIGINAL SRC> <TRANSLATED SRC> destination static <ORIGINAL DST> <TRANSLATED DST>

ORIGINAL src=192.168.1.2

TRANSLATED src=10.1.1.3

ORIGINAL DST = 192.168.2.2

TRANSLATED DST = 10.1.2.3

The example above is for FTD1, you'll need to mirror this configuration on the other FTD, swapping the src and dst accordingly.

noxiosus · ‎06-22-2021

Hello Rob,

thank you, it works! But is it possible to keep the src IP unchanged during the NAT? Don't know for what reason, but just "academic" curiosity, is it possible?

Rob Ingram · ‎06-22-2021

No, you said the 192.168/16 network is not routed in the cloud, so it won't know how to route the traffic. If it was you wouldn't need these nat rules in the first place!!

noxiosus · ‎06-22-2021

Why not, destination IP would be still changed, routing works based on the destination IP (except some weird PBR things), so it would be routed to the end.

Rob Ingram · ‎06-22-2021

because the destination needs to know how to route back to the source and if the source was the 192.168/16 ip address that is not routable in the cloud, the destination won't know where to send the response. Hence why you need to NAT on both ends.

noxiosus · ‎06-22-2021

Desitnation is the Server-2 and it has default route via FTD-2, on FTD-2 there will be NAT rule, which changes dst IP from 192.168.1.2 to 10.1.1.3. Where am I wrong?