Escalation for FDM on FTD

cm
Level 1

Hi Cisco 

I would like to escalate to a Cisco technician. After a few days of trying to get things working with FDM to get identity NAT working, I have a problem: there seems to be a handover problem on one of the legs for the FTD. I have enclosed the configuration and ping results.


8 Replies

Marvin Rhoads
Hall of Fame

This is the (free) Cisco community, not the (paid) Cisco TAC. Members here help out of goodwill.

Your NAT rules should use (inside,outside). Also, when you run packet-tracer, make the input inside and use the real IP address of the server you want to test. (not the public NAT address). Finally, your incoming access-list entries allow ip any incoming to your servers. This is generally a very bad idea as it essentially exposes the server to the Internet on all ports.

@Marvin Rhoads the idea is to implement NAT 0 or identity NAT, where there is no NAT at all for the public address... But I'm not getting that at all.

Can you explain in more detail what you are trying to do? NAT 0 is typically used when the host(s) need to traverse a VPN and not be NATted (NAT exemption).

@Marvin Rhoads I want to protect my mail and other servers with public addresses, but I don't want to change the IP address on the servers. So I'm using FDM to deploy, not FMC.

So you want something like this example?

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/nat-reference.html#ID-2091-00000009

That's on ASA but the concept is the same. You might also take a look at this free Labminutes video for a demonstration on how to setup static NAT using FDM:

http://www.labminutes.com/sec0232_ftd_61_firepower_device_manager_configuration_1
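The identity NAT rule, the restricted inbound access list and the packet-tracer checks that Marvin describes, written out here as an added ASA-CLI example; it is not from the thread or the linked documentation. The server address 203.0.113.10 and the remote host 198.51.100.5 are constructed documentation addresses, and the object and ACL names are assumptions. In FDM the same rule is a NAT rule whose original and translated source are the same server object, with inside as the source interface and outside as the destination interface.

```text
! Server keeps its real public address on the inside segment
object network MAIL-SERVER
 host 203.0.113.10

! Identity NAT: (inside,outside), real and mapped address are the same
nat (inside,outside) source static MAIL-SERVER MAIL-SERVER

! Weak rule as described in the thread: exposes the server on every port
! access-list OUTSIDE-IN extended permit ip any object MAIL-SERVER

! Corrected rule: only the ports the mail server actually serves
access-list OUTSIDE-IN extended permit tcp any object MAIL-SERVER eq smtp
access-list OUTSIDE-IN extended permit tcp any object MAIL-SERVER eq 587
access-group OUTSIDE-IN in interface outside

! Check from the inside using the server's real IP, as Marvin suggests
packet-tracer input inside tcp 203.0.113.10 1025 198.51.100.5 25 detailed

! Check the inbound leg; with identity NAT the destination is still the real IP
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 25 detailed
```

Both packet-tracer runs should end in ALLOW and show the NAT phase matching the identity rule; a DROP in the ACCESS-LIST phase on the inbound check means the access rule, not the NAT, is what needs fixing.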

Thanks, I got it.

Thanks, I got it ... I think I interpreted it wrong.

Adding to Marvin's answer: your Firepower uses completely outdated software. You really should update to a recent version. But this is not related to your problem.

balaji.bandi
Hall of Fame

Contact the same TAC case as before and re-open it to get help from a Cisco technician.

BB

***** Rate All Helpful Responses *****