11-05-2024 07:36 AM
New firewall installed, an FTD 1150 managed by FDM.
My understanding from reading documentation online was that FTD appliances do not do NAT out of the box. This was true for a couple of other FTD appliances we installed for other customers in the past, but those were managed by an FMC.
The firewall seems to be blocking traffic sourced from the outside destined for resources on the inside, even though we have ACLs configured to explicitly allow the traffic. I suspect that NAT is the culprit (see attached image).
There is a rule called InsideOutsideNatRule under Manual NAT Rules (After) that I did not configure and I'm 99% sure it is the factory default. Original Packet source Interface is Inside, Original Packet source address is Any-ipv4. Translated Packet Destination Interface is Outside, Translated Packet source address is "Interface". So this definitely sounds like the firewall is doing PAT/Overload NAT. Show xlate has further convinced me that this is the case. We don't want the firewall to be doing NAT at all. We want all source traffic from the inside to maintain its original IP address through the firewall and to not be overloaded to the outside interface IP address.
Am I correct on my diagnosis that Overload NAT is in fact occurring, and how do I make it so that NAT is not being done on the appliance at all without causing any kind of major disruption in services?
11-05-2024 07:42 AM
@MatthewHickey7355 yes, that's a default NAT rule when using FDM. If you delete the rule, traffic would be routed out the outside interface.
Obviously the upstream device needs a route via the FTD's outside interface for the return traffic to the inside networks.
11-05-2024 07:58 AM
Right, we definitely have routing in place all the way through to the Internet and back. Connectivity in terms of their inside resources getting out works fine. The WAN connection to this customer is not new and was not altered, it worked before a firewall was installed. The issue is external remote users not able to hit internal resources when they could before the firewall.
So you're saying that disabling the rule will make it so that, for example (current behavior):
10.0.100.15 ---> [Inside] |FTD| [Outside] ---> IP addr of outside interface
Disable rule (new behavior):
10.0.100.15 ---> [Inside] |FTD| [Outside] ---> 10.0.100.15
Because that is what we want. Thanks
11-05-2024 08:02 AM
@MatthewHickey7355 if there are no NAT rules, then traffic is routed through the FTD, so therefore once it egresses the outside interface the source IP address is still the same - 10.0.100.15 in your instance.
11-05-2024 08:40 AM
I disabled the rule. ACLs are incrementing hits now. Waiting on the customer to test. I will accept your solution once I get confirmation that all is working.
Strangely, show xlate still shows all of the overloaded connections. My guess is that in time those will age out and be removed, but I wonder whether show xlate will provide any output now that NAT is fully disabled. My instincts tell me no.
Thanks again
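To check whether dynamic PAT is still in effect after the FDM default rule is disabled, it helps to parse `show xlate` rather than eyeball it. The script below is an added example and is not from the original thread or from Cisco; it assumes the usual ASA/FTD `show xlate` line format (`<proto> PAT from <if>:<ip>/<port> to <if>:<ip>/<port> flags <flags> ...`, with `i` = dynamic, `r` = portmap, `s` = static, `I` = identity) and works on a constructed sample of that output. It lists the inside hosts whose sessions are currently being hidden behind a given outside interface address; once the rule is disabled and stale translations have been cleared, that list should be empty.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `show xlate` output (not captured from the device in the
# thread). 203.0.113.2 stands in for the FTD's outside interface address.
SAMPLE_XLATE = """\
4 in use, 12 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from Inside:10.0.100.15/49210 to Outside:203.0.113.2/49210 flags ri idle 0:00:05 timeout 0:00:30
UDP PAT from Inside:10.0.100.22/53001 to Outside:203.0.113.2/53001 flags ri idle 0:00:01 timeout 0:00:30
NAT from Inside:10.0.100.40 to Outside:203.0.113.40 flags s idle 0:02:10 timeout 0:00:00
NAT from Inside:10.0.100.41 to Outside:10.0.100.41 flags sI idle 0:00:20 timeout 0:00:00
"""

# One translation entry; header/summary lines do not match and are skipped.
XLATE_RE = re.compile(
    r"^(?:(?P<proto>TCP|UDP|ICMP)\s+)?(?P<kind>PAT|NAT)\s+from\s+"
    r"(?P<src_if>\S+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))?\s+to\s+"
    r"(?P<xl_if>\S+):(?P<xl_ip>[\d.]+)(?:/(?P<xl_port>\d+))?\s+flags\s+(?P<flags>\S+)"
)


@dataclass
class Xlate:
    kind: str        # "PAT" or "NAT"
    src_if: str
    src_ip: str
    xlated_if: str
    xlated_ip: str
    flags: str

    @property
    def is_dynamic(self) -> bool:
        # Lower-case 'i' marks a dynamic translation (what the FDM default rule creates).
        return "i" in self.flags

    @property
    def is_identity(self) -> bool:
        # 'I' (identity) or an unchanged address means no real translation happened.
        return "I" in self.flags or self.src_ip == self.xlated_ip


def parse_xlate(output: str) -> List[Xlate]:
    """Turn raw `show xlate` text into Xlate records, ignoring non-entry lines."""
    entries = []
    for line in output.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            entries.append(Xlate(m["kind"], m["src_if"], m["src_ip"],
                                 m["xl_if"], m["xl_ip"], m["flags"]))
    return entries


def overloaded_hosts(entries: List[Xlate], outside_ip: str) -> List[str]:
    """Inside hosts currently PAT'd (dynamic, non-identity) to the outside interface IP."""
    return sorted({e.src_ip for e in entries
                   if e.is_dynamic and not e.is_identity and e.xlated_ip == outside_ip})


def pat_still_active(entries: List[Xlate], outside_ip: str) -> bool:
    """True while any overload translation to the outside address remains in the table."""
    return bool(overloaded_hosts(entries, outside_ip))


if __name__ == "__main__":
    xlates = parse_xlate(SAMPLE_XLATE)
    print(f"{len(xlates)} translations parsed")
    for host in overloaded_hosts(xlates, "203.0.113.2"):
        print(f"  {host} is being overloaded to the outside interface address")
```

Feed it the real output (for example by pasting `show xlate` from the FTD CLI into a file) and substitute the actual outside interface address. Entries that were built before the rule was disabled stay in the table until they time out or are cleared, so a non-empty result immediately after the change does not by itself mean the rule is still applied.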
11-05-2024 08:43 AM
@MatthewHickey7355 you may need to clear the existing connections.
11-05-2024 09:21 AM
FDM-managed devices build in the most common setup unless you explicitly tell them otherwise.
Add that to the list of reasons why friends don't let friends use FDM.
11-05-2024 09:47 AM
I agree. But that's what the customer wanted, so that's what was provided.