firepower device manager NAT rule

GordonKao6335
Level 1

I want to configure a static NAT rule so that the outside network (internet) can access the inside switch (intranet)

using the telnet protocol. Please see my setting below, but NAT didn't work; kindly advise the right setting.

inside switch IP : 192.168.101.211

firepower outside interface IP : 192.168.0.20 

allow telnet protocol

[attachment: FDM NAT rule.jpg]

4 Replies

Marvin Rhoads
Hall of Fame

Make the NAT type static and source address "Any".

Also add an associated ACL allowing the incoming traffic.

I'm hoping this is only for lab/learning purposes - otherwise don't use telnet, as it is insecure. Use ssh instead.

I have done as you told me, but still no luck. Please see my setting as attached.

All I want is for outside hosts to be able to make a telnet connection from outside to the inside switch using telnet port 23.

The NAT rule translates the Firepower outside interface IP 192.168.0.20 to the inside switch IP 192.168.101.211.

I chose "auto NAT", type: static.

firewall outside interface IP: 192.168.0.20

firewall inside interface IP: 192.168.101.254

switch VLAN IP: 192.168.101.211

The connection scenario is:

outside host 192.168.0.4 --> FPR2110 outside interface (192.168.0.20) --> FPR2110 inside interface (192.168.101.254) --> inside switch 192.168.101.211

While deploying the NAT rule via the Firepower 2110 Device Manager console, I got the following error message.

Please advise how to resolve the outside interface overlap issue. Thanks.


22 July, 2019 Deployment failed User(Admin) Trigger deployment

  • ERROR: Address 140.110.141.117 overlaps with outside interface address.
    ERROR: NAT Policy is not downloaded

    Config Error -- nat (inside,outside) static Switch_Public_IP service tcp 23 23


Make your NAT rule type manual NAT instead of AutoNAT. Make sure it is above the AutoNAT rules an ASA 5506 generally has for inside-outside.

Since you are using the outside interface address make the translated address "interface" instead of the IP address of the interface.

I just set it up using FDM on my lab ASA 5506 with FTD (using ssh instead of telnet as my test protocol).

Here is what the confirmed working config looks like in the GUI:

[screenshots: ACL Entry, NAT Rule, Object definition]
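To make the two pieces of advice in this thread concrete, here is an added Python model of the check and the forwarding behaviour (it is not Cisco code and not FDM's own validation logic). It uses the constructed addresses from the thread, assumes the outside interface is 192.168.0.20, rejects a static rule whose literal mapped address equals the outside interface address (the deployment error above), accepts the translated address "interface", and evaluates the access rule against the real (untranslated) switch address, as FTD does.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional, Tuple

# Constructed topology from the thread (FPR2110 with two interfaces).
INTERFACES = {"outside": "192.168.0.20", "inside": "192.168.101.254"}
SWITCH = "192.168.101.211"  # inside switch, the real address in the NAT rule


@dataclass(frozen=True)
class StaticNat:
    real_if: str
    mapped_if: str
    real_host: str   # address inbound packets are translated to
    mapped: str      # an IP literal, or the keyword "interface"
    port: int        # TCP service port, kept the same on both sides here


def validate(rule: StaticNat) -> Optional[str]:
    """Mimic the deployment check: a literal mapped address equal to the
    mapped-side interface address is rejected; the keyword "interface"
    (port forwarding on the interface address) is allowed."""
    if rule.mapped == "interface":
        return None
    if ip_address(rule.mapped) == ip_address(INTERFACES[rule.mapped_if]):
        return f"Address {rule.mapped} overlaps with {rule.mapped_if} interface address."
    return None


def translate_inbound(rule: StaticNat, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Untranslate an inbound packet's destination; None if the rule does not match."""
    mapped_ip = INTERFACES[rule.mapped_if] if rule.mapped == "interface" else rule.mapped
    if dst_ip == mapped_ip and dst_port == rule.port:
        return rule.real_host, rule.port
    return None


def acl_permits(acl, src_ip: str, real_dst: str, port: int) -> bool:
    """Access rules are matched on the real (post-untranslation) address."""
    return any(src in ("any", src_ip) and dst == real_dst and p == port
               for src, dst, p in acl)


# The rule that failed (mapped address typed as the interface IP) and the
# one suggested in the reply above (translated address "interface").
FAILING_RULE = StaticNat("inside", "outside", SWITCH, "192.168.0.20", 23)
WORKING_RULE = StaticNat("inside", "outside", SWITCH, "interface", 23)
OUTSIDE_IN_ACL = [("any", SWITCH, 23)]  # permit tcp any host <switch> eq 23

if __name__ == "__main__":
    print(validate(FAILING_RULE), validate(WORKING_RULE))
    real = translate_inbound(WORKING_RULE, "192.168.0.20", 23)
    print(real, acl_permits(OUTSIDE_IN_ACL, "192.168.0.4", real[0], real[1]))
```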
