Firepower 1140 ASA multicast DNAT support

Roy.Loohuis
Level 1

Hey all,

Starting this discussion topic out of curiosity.
I am running a Cisco Firepower 1140 and would like to perform multicast destination port NAT and in the future multicast destination group address NAT.
The Firepower in my test setup is running the ASA software (Cisco Adaptive Security Appliance Software Version 9.16(4)14).
But I am having a hard time finding out if multicast NAT for both ports and addresses is officially supported by Cisco.
I've found forum posts like: https://community.cisco.com/t5/network-security/asa-nat-multicast/td-p/1150714
However, these don't have a satisfying answer with a reference to e.g. official documentation.

So does anybody know or have an official answer/reference/etc. from Cisco that can confirm this functionality is supported on the ASA software? And is this also the case for FTD software?

I already got the PNAT working with:

Manual NAT Policies (Section 1)
1 (fw-test-side1) to (fw-test-side2) source static any any destination static MULTICAST_GROUP MULTICAST_GROUP service REAL_PORT MAPPED_PORT
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0
    Destination - Origin: 239.1.2.3/32, Translated: 239.1.2.3/32
    Service - Origin: udp destination eq 40000 , Translated: udp destination eq 22222

nat (fw-test-side1,fw-test-side2) source static any any destination static MULTICAST_GROUP MULTICAST_GROUP service REAL_PORT MAPPED_PORT

object service MAPPED_PORT
 service udp destination eq 22222
 description test object mapped port
object service REAL_PORT
 service udp destination eq 40000
 description test object real port

object network MULTICAST_GROUP
 host 239.1.2.3
 description test object group for multicast

Thanks!
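
Added example (not part of the original post and not Cisco tooling): a Python script that parses NAT rule output in the format shown above and reports, for each rule whose original destination is a multicast group, whether it rewrites the group or the port and whether its hit counters show any matched traffic. The function names are hypothetical, the sample's indentation is an assumption, and reading zero counters as "no flow has matched yet" is an assumption about the counters.

```python
import ipaddress
import re
# Added example; function names are hypothetical. Sample copied from the post (indentation assumed).
SAMPLE = """\
Manual NAT Policies (Section 1)
1 (fw-test-side1) to (fw-test-side2) source static any any destination static MULTICAST_GROUP MULTICAST_GROUP service REAL_PORT MAPPED_PORT
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0
    Destination - Origin: 239.1.2.3/32, Translated: 239.1.2.3/32
    Service - Origin: udp destination eq 40000 , Translated: udp destination eq 22222
"""
RULE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) ")
HITS = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")
PAIR = re.compile(r"^(Source|Destination|Service) - Origin: (.+?)\s*, Translated: (.+)$")
MULTICAST = ipaddress.ip_network("224.0.0.0/4")

def parse_show_nat_detail(text):
    """Return one dict per NAT rule found in the rule/detail text."""
    rules = []
    for line in map(str.strip, text.splitlines()):
        if m := RULE.match(line):
            rules.append({"id": int(m[1]), "real_if": m[2], "mapped_if": m[3]})
        elif rules and (m := HITS.search(line)):
            rules[-1]["hits"] = int(m[1]) + int(m[2])
        elif rules and (m := PAIR.match(line)):
            rules[-1][m[1].lower()] = (m[2].strip(), m[3].strip())
    return rules

def audit_multicast_rules(rules):
    """Report what each rule with a multicast original destination rewrites."""
    findings = []
    for r in rules:
        orig, mapped = r.get("destination", ("", ""))
        try:
            if not ipaddress.ip_network(orig).subnet_of(MULTICAST):
                continue
        except (ValueError, TypeError):  # not a literal IPv4 address/prefix
            continue
        svc = r.get("service", ("", ""))
        findings.append({
            "id": r["id"],
            "group_translated": orig != mapped,
            "port_translated": svc[0] != svc[1],
            "matched_traffic": r.get("hits", 0) > 0,  # assumption: 0 = no flow matched yet
        })
    return findings

if __name__ == "__main__":
    print(audit_multicast_rules(parse_show_nat_detail(SAMPLE)))
```
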


urathod
Cisco Employee

Hello Roy,

Cisco Firepower Threat Defense (FTD) software, which runs on the Cisco Firepower 1140, does support multicast NAT. You can configure multicast destination port NAT and multicast destination group address NAT on the Firepower 1140 using the NAT policies.

The NAT configuration you provided in your question is correct for configuring multicast NAT on the Firepower 1140. The manual NAT policies you have set up should work as expected.

Please note that the Cisco Adaptive Security Appliance (ASA) software, which you mentioned is running on your Firepower 1140, may have limitations or differences in terms of multicast NAT support compared to Firepower Threat Defense (FTD) software. So, if you are specifically using ASA software and are facing a technical issue, it is recommended to contact Cisco support for the most accurate information on multicast NAT support in ASA software.

But generally speaking, multicast NAT is supported on the Firepower 1140 running FTD software.
