Solved: Re: Firepower NAT confusion

Warren Sullivan - Corp · ‎06-11-2019

Hi All,

I'm currently writing a migration document to move from SOPHOS UTM to Firepower and i'm getting a little confused with Firepower NAT.

Lets say i want to configure what i used to call a "masquerading" rule (NAT Overload or PAT)

I create a Dynamic Auto NAT Rule, select the original source of the traffic to be translated, all good

If i want to set the translated source to the outgoing physical interface, i set "translated source" to "Destination Interface IP"

If i want to hardset a different single IP on the outside i can configure a host object and select it there also....but;

What if i want to select a pool of addresses? It seems i can do that two ways?

In the "Translated Source" field below, i can set a range of addresses....isn't that essentially what happens on the next Tab? PAT Pool?

Are they essentially the same thing? (with a couple more options under PAT Pool)

Thanks in advance guys and gals ;-)

Marvin Rhoads · ‎06-13-2019

The configuration in your original post's screenshot is not PAT. It will dynamically assign the source addresses 1-1 NAT entries as long as there are addresses available in the pool or translated addresses. As the FMC Configuration Guide notes, "Many-to-few or many-to-one NAT is not PAT."

Using the PAT Pool tab will allow you to configure dynamic PAT in a many-many scenario such as you describe. The PAT will use the IPs in the pool sequentially - when the available source ports are exhausted for one address it will move on to the next available one, for all of the tcp connections or udp flows through the firewall.

View solution in original post

Sheraz.Salim · ‎06-12-2019

Firepower NAT and ASA NAT is the same. if you understand the ASA NAT you could easily do Firepower NAT too.

here is the link would help you what you want to acheive.

https://community.cisco.com/t5/security-documents/asa-nat-8-3-nat-operation-and-configuration-format-cli/ta-p/3143050

please do not forget to rate.

Warren Sullivan - Corp · ‎06-12-2019

Thanks for the link Sheraz,

Unfortunately, it doesn't really help me or answer my questions, as i am not familiar with ASA or Firepower NAT, i have worked with PA, Fortigate and Sophos NAT but not Cisco, i'm a Cisco route/switch guy after a quick explanation if possible, i would have thought it was a fairly easy question for someone who is familiar with the Firepower GUI...

Thanks again

Marvin Rhoads · ‎06-13-2019

The configuration in your original post's screenshot is not PAT. It will dynamically assign the source addresses 1-1 NAT entries as long as there are addresses available in the pool or translated addresses. As the FMC Configuration Guide notes, "Many-to-few or many-to-one NAT is not PAT."

Using the PAT Pool tab will allow you to configure dynamic PAT in a many-many scenario such as you describe. The PAT will use the IPs in the pool sequentially - when the available source ports are exhausted for one address it will move on to the next available one, for all of the tcp connections or udp flows through the firewall.

Warren Sullivan - Corp · ‎06-13-2019

Thanks so much Marvin, this answered my question perfectly!

Warren Sullivan - Corp · ‎06-13-2019

Hi Marvin,

Just one last question, for this conversation anyway :-)

I now understand the 1:1 nature of the pool defined under "Translated Packet"but;

Is the below PAT?

Marvin Rhoads · ‎06-13-2019

Yes, I believe that one will be PAT. It's a bit confusing/misleading how they reflect it in the GUI.