Firepower NAT Question

SecurityJumbo
Level 1

Hello everyone,

I'm trying to understand how the Firepower and NAT are working together. I have Firepower configured with a static and a default route. It is working fine if I have the NAT policy configured, but when I remove the NAT rule the Firepower inside interface (inside network) cannot reach out to the internet (outside network) anymore.

I have Allow any any for both directions (inside to outside) and (outside to inside).

route OUTSIDE 0.0.0.0 0.0.0.0 192.168.1.1 1 
route INSIDE 192.168.10.0 255.255.255.0 2.2.2.1 1

FTD1# traceroute 192.168.1.1 source 192.168.1.248 (Firepower outside interface)

Type escape sequence to abort.
Tracing the route to 192.168.1.1

1 192.168.1.1 3 msec 1 msec 1 msec

traceroute 192.168.1.1 source 2.2.2.2 (Firepower inside interface)

Type escape sequence to abort.
Tracing the route to 192.168.1.1

1 * * **

Is NAT required?

I don't think NAT is required to pass the traffic through the firewall, but how do I fix/avoid needing NAT for that?

4 Replies

Marvin Rhoads
Hall of Fame

You cannot source traffic from the firewall inside interface to an outside address. Instead, use packet-tracer to simulate traffic from some other inside address to the outside destination.

Hello @Marvin Rhoads 

You are right about that. I tried to ping from an internal device and it failed. Anyway, I tried to issue the "packet tracer" command on the FTD using the same internal device IP "192.168.10.1" and the result is "Allow" as shown in the screenshot, but the ping from the same device failed (I tried different tests other than ping as well).


If I enable the NAT again, everything starts working fine. When the NAT is disabled, the FTD is not passing the traffic through.

I'm familiar with routing and Cisco firewalls, but this NAT situation confused me and I'm not sure what is going on.

Is there something I need to turn off to resolve that?

The need for NAT depends on whether the IPs on the outside interface are private, i.e. routable on the inside network, or whether they are internet / public IPs. If they are public IPs on the outside and private IPs on the inside then you need NAT.

--
Please remember to select a correct answer and rate helpful posts
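As an added illustration (not code from the thread or from Cisco), the Python model below walks both the forward path, which is all packet-tracer validates, and the return path through routing tables built from the addresses in the question. The upstream gateway's table, the 203.0.113.10 destination and the gateway_knows_inside option are constructed assumptions, since the thread does not show them.

```python
import ipaddress

# Constructed topology using the addresses from the thread. The upstream
# gateway's routing table is an assumption; the thread does not show it.
FTD_OUTSIDE_IP = "192.168.1.248"
ISP = "isp-uplink"


def net(s):
    return ipaddress.ip_network(s)


# FTD routing table: the two 'route' lines from the question plus the
# connected interface subnets.
FTD_ROUTES = [
    (net("0.0.0.0/0"), "192.168.1.1"),     # route OUTSIDE 0.0.0.0 0.0.0.0 192.168.1.1 1
    (net("192.168.10.0/24"), "2.2.2.1"),   # route INSIDE 192.168.10.0 255.255.255.0 2.2.2.1 1
    (net("192.168.1.0/24"), "connected"),
    (net("2.2.2.0/24"), "connected"),
]

# Upstream gateway 192.168.1.1 (assumed): its own LAN plus a default to the ISP.
GATEWAY_ROUTES = [
    (net("0.0.0.0/0"), ISP),
    (net("192.168.1.0/24"), "connected"),
]


def lookup(table, dst):
    """Longest-prefix match. Returns the next hop, or None if no route."""
    addr = ipaddress.ip_address(dst)
    matches = [(n, nh) for n, nh in table if addr in n]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def round_trip_ok(src, dst, nat_to_interface, gateway_knows_inside=False):
    """True if a packet from inside host src reaches dst AND the reply comes back.
    packet-tracer only validates the forward half (the first check below)."""
    if lookup(FTD_ROUTES, dst) is None:
        return False                                  # FTD has no route out
    gw_table = list(GATEWAY_ROUTES)
    if gateway_knows_inside:                          # upstream has a route back
        gw_table.append((net("192.168.10.0/24"), FTD_OUTSIDE_IP))
    # Source the outside world sees: the FTD's own interface when NATed
    reply_dst = FTD_OUTSIDE_IP if nat_to_interface else src
    back_hop = lookup(gw_table, reply_dst)
    if back_hop in (None, ISP):
        return False           # reply is sent towards the ISP and never returns
    # Reply reached the FTD outside interface; FTD (after un-NAT) routes to src
    return lookup(FTD_ROUTES, src) is not None


def summary(src="192.168.10.1", dst="203.0.113.10"):
    return {
        "nat": round_trip_ok(src, dst, True),
        "no_nat": round_trip_ok(src, dst, False),
        "no_nat_route_back": round_trip_ok(src, dst, False, gateway_knows_inside=True),
    }
```

The forward lookup succeeds in every case, which is why packet-tracer reports Allow; without NAT the reply only comes back when the upstream gateway can route the private inside subnet to the FTD.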

Hey @Marius Gunnerud 

I have a static route and a default route for the network on the FTD. Also, I have a default static route on the gateway device that is connected to the FTD firewall, as they have L3 connectivity.
