Firepower NAT confusion

Hi All,

I'm currently writing a migration document to move from Sophos UTM to Firepower and I'm getting a little confused with Firepower NAT.

Let's say I want to configure what I used to call a "masquerading" rule (NAT overload or PAT).

I create a Dynamic Auto NAT rule and select the original source of the traffic to be translated; all good.

If I want to set the translated source to the outgoing physical interface, I set "Translated Source" to "Destination Interface IP".

If I want to hard-set a different single IP on the outside, I can configure a host object and select it there also... but:

What if I want to select a pool of addresses? It seems I can do that two ways?

In the "Translated Source" field below, I can set a range of addresses... isn't that essentially what happens on the next tab, PAT Pool?

Are they essentially the same thing (with a couple more options under PAT Pool)?

Thanks in advance guys and gals ;-)

12-06-2019 7-47-36 AM.jpg
VIP Engager

Re: Firepower NAT confusion

Firepower NAT and ASA NAT are the same. If you understand ASA NAT, you could easily do Firepower NAT too.

Here is a link that should help you achieve what you want:

https://community.cisco.com/t5/security-documents/asa-nat-8-3-nat-operation-and-configuration-format-cli/ta-p/3143050

Please do not forget to rate.

Re: Firepower NAT confusion

Thanks for the link Sheraz,

Unfortunately, it doesn't really help me or answer my questions, as I am not familiar with ASA or Firepower NAT. I have worked with PA, Fortigate and Sophos NAT but not Cisco; I'm a Cisco route/switch guy after a quick explanation if possible. I would have thought it was a fairly easy question for someone who is familiar with the Firepower GUI...

Thanks again
Hall of Fame Guru

Re: Firepower NAT confusion

The configuration in your original post's screenshot is not PAT. It will dynamically assign the source addresses 1:1 NAT entries as long as there are addresses available in the pool of translated addresses. As the FMC Configuration Guide notes, "Many-to-few or many-to-one NAT is not PAT."

Using the PAT Pool tab will allow you to configure dynamic PAT in a many-to-many scenario such as you describe. The PAT will use the IPs in the pool sequentially: when the available source ports are exhausted for one address, it will move on to the next available one, for all of the TCP connections or UDP flows through the firewall.

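To make the distinction in the answer above concrete, here is an added toy model that is not from this thread or from Cisco: a dynamic NAT pool hands each inside host one translated address 1:1 and fails flows from new hosts once the pool is empty, while a PAT pool translates per connection and walks the pool's addresses sequentially as each one's source ports are used up. The pool addresses, inside hosts and the tiny three-port range are constructed values, and the allocation order is a simplification rather than Firepower's actual algorithm.

```python
# Added toy model of the two behaviours described in the accepted answer.
# Addresses, hosts and the 3-port range are constructed; the allocation
# order is a simplification, not Firepower's real algorithm.
PORTS_PER_ADDR = 3  # tiny ephemeral range so exhaustion is visible
POOL = ["203.0.113.10", "203.0.113.11"]            # translated address pool
FLOWS = [("10.0.0.1", 443), ("10.0.0.2", 443),      # (inside host, dst port)
         ("10.0.0.3", 80), ("10.0.0.4", 53),
         ("10.0.0.1", 80), ("10.0.0.2", 22),
         ("10.0.0.3", 443), ("10.0.0.4", 443)]


def dynamic_nat(pool, flows):
    """Dynamic NAT with a pool under Translated Source: each inside host
    holds one pool address 1:1 (many-to-few, but not PAT). Once the pool is
    empty, flows from any *new* host get None (cannot be translated)."""
    mapping, free, result = {}, list(pool), []
    for host, dport in flows:
        if host not in mapping:
            if not free:
                result.append((host, dport, None))
                continue
            mapping[host] = free.pop(0)
        result.append((host, dport, mapping[host]))
    return result


def pat_pool(pool, flows):
    """Dynamic PAT pool: every connection gets (address, source port). Ports
    on one address are used up before moving to the next address in the pool."""
    idx, used, result = 0, 0, []
    for host, dport in flows:
        if used == PORTS_PER_ADDR:        # current address is exhausted
            idx, used = idx + 1, 0
        if idx == len(pool):              # whole pool exhausted
            result.append((host, dport, None))
            continue
        result.append((host, dport, (pool[idx], 1024 + used)))
        used += 1
    return result


def failed(result):
    """Count flows that could not be translated."""
    return sum(1 for _, _, xlate in result if xlate is None)


if __name__ == "__main__":
    for name, fn in (("dynamic NAT", dynamic_nat), ("PAT pool", pat_pool)):
        out = fn(POOL, FLOWS)
        print(f"{name}: {failed(out)} of {len(out)} flows failed")
```

With four inside hosts and two pool addresses, the dynamic NAT variant fails every flow from the third and fourth host, while the PAT pool only fails once all six (address, port) pairs are in use.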

Re: Firepower NAT confusion

Thanks so much Marvin, this answered my question perfectly!

Re: Firepower NAT confusion

Hi Marvin,

Just one last question, for this conversation anyway :-)

I now understand the 1:1 nature of the pool defined under "Translated Packet", but:

Is the below PAT?

NAT99.png

Hall of Fame Guru

Re: Firepower NAT confusion

Yes, I believe that one will be PAT. It's a bit confusing/misleading how they reflect it in the GUI.