Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2495
Views
0
Helpful
2
Replies

Dynamic PAT and multiple interfaces using same zone

hoffa2000
Level 3
Level 3

‎05-05-2020 02:46 AM

Hi all

I realize I'm missing something and need some assistance. I have multiple "DMZ" interfaces sharing the same security zone, "DMZ" and I tried to make a manual Dynamic PAT rule for one of these traffic flows. I want traffic from the inside zone to be address translated when passing from inside to the "DMZ-2" interface.

I created the rule in FMC with the source zone and destination zone selected, original source I set to the inside source network, original destination to the DMZ-2 subnet, translated source to "Destination Interface IP" and Translated destination to "DMZ-2" subnet.

The thing is when I look at the connections in the FTD I see them being sent to another interface in the DMZ zone that has a totally different subnet. Am I missing something? Shouldn't me selecting the "original destination" be enough for the FTD to figure out which interface to send the traffic to even tough several interfaces are in the same zone?

 

Regards

Fredrik

0 Helpful
2 Replies 2

Muhammad Awais Khan
Cisco Employee
Cisco Employee

‎05-05-2020 04:19 AM

Hi,

 

Destination interface is selected based on the Routing purely,i am not sure how you are accessing this service.  Are you accessing the destination via IP Address ?

0 Helpful

hoffa2000
Level 3
Level 3
In response to Muhammad Awais Khan

‎05-05-2020 11:12 PM - edited ‎05-05-2020 11:42 PM

Hi

Routing would be my guess as well but it seems the destination is chosen from the first interface in the zone. The access is IPv4. 

Below is a few configuration snippets and connection events from a working and non-working config

 

 

Working setup where the destination subnet is part of a larger group of NAT excempt subnets
nat (any,any) after-auto source static GLO-InternalNets GLO-InternalNets destination static GLO-InternalNets GLO-InternalNets no-proxy-arp
show connection
TCP FNB-OT_PAsystem  10.243.12.18:80 FNB-ClientNet  192.168.42.151:61271, idle 0:00:02, bytes 0, flags U N1

Non working setup where I've tried to tell the FMC/FTD to do a dynamic PAT. FNB-OT_PAsystem is the intended destination interface
nat (FNB-ClientNet,FNB-OT_NauticAI) source dynamic FNB-ClientNet interface destination static FNB-OT_PAsystemNet FNB-OT_PAsystemNet
nat (FNB-ClientNet,FNB-OT_Autoload) source dynamic FNB-ClientNet interface destination static FNB-OT_PAsystemNet FNB-OT_PAsystemNet
nat (FNB-ClientNet,FNB-OT_HVAC) source dynamic FNB-ClientNet interface destination static FNB-OT_PAsystemNet FNB-OT_PAsystemNet
nat (FNB-ClientNet,FNB-OT_PAsystem) source dynamic FNB-ClientNet interface destination static FNB-OT_PAsystemNet FNB-OT_PAsystemNet
But the traffic is being sent to the interface FNB-OT_NauticAI which is in the same security zone but has a different subnet
TCP FNB-ClientNet  10.89.3.1(192.168.42.151):61340 FNB-OT_NauticAI  10.243.12.18:80, idle 0:00:01, bytes 0, flags xaA N1
TCP FNB-ClientNet  10.89.3.1(192.168.42.151):61339 FNB-OT_NauticAI  10.243.12.18:80, idle 0:00:01, bytes 0, flags xaA N1

 

/Fredrik

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card