Dynamic PAT and multiple interfaces using same zone
I realize I'm missing something and need some assistance. I have multiple "DMZ" interfaces sharing the same security zone, "DMZ", and I tried to make a manual Dynamic PAT rule for one of these traffic flows. I want traffic from the inside zone to be address translated when passing from inside to the "DMZ-2" interface.
I created the rule in FMC with the source zone and destination zone selected, original source I set to the inside source network, original destination to the DMZ-2 subnet, translated source to "Destination Interface IP" and Translated destination to "DMZ-2" subnet.
The thing is, when I look at the connections in the FTD I see them being sent to another interface in the DMZ zone that has a totally different subnet. Am I missing something? Shouldn't my selecting the "original destination" be enough for the FTD to figure out which interface to send the traffic to, even though several interfaces are in the same zone?
Routing would be my guess as well but it seems the destination is chosen from the first interface in the zone. The access is IPv4.
Below are a few configuration snippets and connection events from a working and a non-working config.
Working setup, where the destination subnet is part of a larger group of NAT-exempt subnets:
nat (any,any) after-auto source static GLO-InternalNets GLO-InternalNets destination static GLO-InternalNets GLO-InternalNets no-proxy-arp
show connection TCP FNB-OT_PAsystem 10.243.12.18:80 FNB-ClientNet 192.168.42.151:61271, idle 0:00:02, bytes 0, flags U N1
Non-working setup, where I've tried to tell the FMC/FTD to do a dynamic PAT. FNB-OT_PAsystem is the intended destination interface:
nat (FNB-ClientNet,FNB-OT_NauticAI) source dynamic FNB-ClientNet interface destination static FNB-OT_PAsystemNet FNB-OT_PAsystemNet
nat (FNB-ClientNet,FNB-OT_Autoload) source dynamic FNB-ClientNet interface destination static FNB-OT_PAsystemNet FNB-OT_PAsystemNet
nat (FNB-ClientNet,FNB-OT_HVAC) source dynamic FNB-ClientNet interface destination static FNB-OT_PAsystemNet FNB-OT_PAsystemNet
nat (FNB-ClientNet,FNB-OT_PAsystem) source dynamic FNB-ClientNet interface destination static FNB-OT_PAsystemNet FNB-OT_PAsystemNet
But the traffic is being sent to the interface FNB-OT_NauticAI, which is in the same security zone but has a different subnet:
TCP FNB-ClientNet 10.89.3.1(192.168.42.151):61340 FNB-OT_NauticAI 10.243.12.18:80, idle 0:00:01, bytes 0, flags xaA N1
TCP FNB-ClientNet 10.89.3.1(192.168.42.151):61339 FNB-OT_NauticAI 10.243.12.18:80, idle 0:00:01, bytes 0, flags xaA N1
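Added example, not part of the original post: a small checker that parses the "show conn" lines quoted above and flags connections whose far end lies in the intended destination object's prefix but left through a different interface, which is exactly the symptom described (egress via FNB-OT_NauticAI instead of FNB-OT_PAsystem). The prefix 10.243.12.0/24 for the FNB-OT_PAsystemNet object is a constructed placeholder, since the post does not give it; in the quoted output the PAT address is shown first and the client's pre-translation address in parentheses, and the parser labels them that way.

```python
import ipaddress
import re

# Connection lines quoted in the post (FTD "show conn" output). In these lines
# the PAT address is shown first and the client's pre-translation address in
# parentheses, e.g. 10.89.3.1(192.168.42.151).
CONN_LINES = [
    "TCP FNB-OT_PAsystem 10.243.12.18:80 FNB-ClientNet 192.168.42.151:61271, idle 0:00:02, bytes 0, flags U N1",
    "TCP FNB-ClientNet 10.89.3.1(192.168.42.151):61340 FNB-OT_NauticAI 10.243.12.18:80, idle 0:00:01, bytes 0, flags xaA N1",
    "TCP FNB-ClientNet 10.89.3.1(192.168.42.151):61339 FNB-OT_NauticAI 10.243.12.18:80, idle 0:00:01, bytes 0, flags xaA N1",
]

# Constructed assumption: the post names the object FNB-OT_PAsystemNet and the
# intended egress interface FNB-OT_PAsystem but not the prefix; 10.243.12.0/24
# is a placeholder that contains the 10.243.12.18 server seen in the output.
DEST_OBJECTS = {"FNB-OT_PAsystemNet": ("10.243.12.0/24", "FNB-OT_PAsystem")}

# One endpoint: interface, shown address, optional parenthesised address, port.
ENDPOINT = r"(\S+) ([\d.]+)(?:\(([\d.]+)\))?:(\d+)"
CONN_RE = re.compile(rf"^(TCP|UDP) {ENDPOINT} {ENDPOINT},")


def parse_conn(line):
    """Return (proto, [(ifname, shown_ip, paren_ip, port), ...]) or None."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    g = m.groups()
    return g[0], [(g[1], g[2], g[3], int(g[4])), (g[5], g[6], g[7], int(g[8]))]


def egress_mismatches(lines, dest_objects=DEST_OBJECTS):
    """For every connection whose far end lies in a destination object's prefix,
    report it when the interface carrying that end is not the intended one.
    Returns a list of (object, actual_interface, intended_interface, line)."""
    nets = {name: (ipaddress.ip_network(p), intf) for name, (p, intf) in dest_objects.items()}
    findings = []
    for line in lines:
        parsed = parse_conn(line)
        if parsed is None:
            continue  # not a connection line (headers, prompts, etc.)
        for ifname, shown_ip, _paren_ip, _port in parsed[1]:
            for obj, (net, intended) in nets.items():
                if ipaddress.ip_address(shown_ip) in net and ifname != intended:
                    findings.append((obj, ifname, intended, line))
    return findings


if __name__ == "__main__":
    for obj, actual, intended, line in egress_mismatches(CONN_LINES):
        print(f"{obj}: egress via {actual}, expected {intended}\n  {line}")
```

Running it against the three quoted lines reports nothing for the working connection and two findings for the PAT'd connections that left via FNB-OT_NauticAI.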