08-31-2023 02:50 PM
Hello everyone,
I'm trying to understand how the Firepower and NAT work together. I have Firepower configured with a static and a default route. It works fine when I have the NAT policy configured, but when I remove the NAT rule the Firepower inside interface (inside network) cannot reach out to the internet (outside network) anymore.
I have Allow any any for both directions (inside to outside) and (outside to inside).
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.1.1 1
route INSIDE 192.168.10.0 255.255.255.0 2.2.2.1 1
FTD1# traceroute 192.168.1.1 source 192.168.1.248 (Firepower outside interface)
Type escape sequence to abort.
Tracing the route to 192.168.1.1
1 192.168.1.1 3 msec 1 msec 1 msec
traceroute 192.168.1.1 source 2.2.2.2 (Firepower inside interface)
Type escape sequence to abort.
Tracing the route to 192.168.1.1
1 * * **
Is NAT required?
I don't think NAT is required to pass the traffic through the firewall, but how do I fix/avoid the need for NAT for that?
09-01-2023 02:05 AM
You cannot source traffic from the firewall inside interface to an outside address. Instead, use packet-tracer to simulate traffic from some other inside address to the outside destination.
09-02-2023 06:34 PM
Hello @Marvin Rhoads
You are right about that. I tried to ping from an internal device and it failed. Anyway, I tried to issue the "packet tracer" command on the FTD using the same internal device IP "192.168.10.1" and the result is "Allow" as shown in the screenshot, but the ping from the same device fails (I tried different tests other than ping as well).
If I enable NAT again, everything starts working fine. When NAT is disabled, the FTD does not pass the traffic through.
I'm familiar with routing and Cisco firewalls, but this NAT situation confused me and I'm not sure what is going on.
Is there something that needs to be turned off to resolve that?
09-01-2023 03:29 PM
The need for NAT depends on whether the IPs on the outside interface are private, i.e. routable on the inside network, or whether they are internet / public IPs. If they are public IPs on the outside and private IPs on the inside then you need NAT.
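The rule in the answer above, as an added example rather than anything from the thread or from Cisco: a longest-prefix lookup over the two routes posted in the question, followed by the "private source leaving OUTSIDE toward a public destination" check. The route table, the RFC 1918 test via `ipaddress`, and the sample addresses are my own assumptions.

```python
import ipaddress

# Route table copied from the question's FTD (constructed for this example):
# (interface, prefix, next hop)
ROUTES = [
    ("OUTSIDE", ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("192.168.1.1")),
    ("INSIDE", ipaddress.ip_network("192.168.10.0/24"), ipaddress.ip_address("2.2.2.1")),
]


def lookup(dst):
    """Longest-prefix match: return (interface, next_hop) for dst, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for iface, net, nh in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net, nh)
    return None if best is None else (best[0], best[2])


def nat_required(src, dst):
    """Apply the rule from the answer: an RFC 1918 source that egresses the OUTSIDE
    interface toward a public destination needs translation, because a public host
    has no route back to the private source. Returns (needed, reason)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    route = lookup(d)
    if route is None:
        return False, f"no route to {dst}"
    iface, nh = route
    if iface == "OUTSIDE" and s.is_private and d.is_global:
        return True, f"{src} is private, {dst} is public via {iface} ({nh}): translate"
    return False, f"{src} -> {dst} via {iface} ({nh}): no translation required by this rule"


if __name__ == "__main__":
    for flow in [("192.168.10.1", "8.8.8.8"), ("192.168.10.1", "192.168.1.1")]:
        print(flow, nat_required(*flow))
```

For the private-to-private case (inside host to 192.168.1.1) the function says no translation is required by this rule; whether that actually works depends on the upstream gateway having a return route for 192.168.10.0/24, which the check cannot see.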
09-02-2023 06:37 PM
Hey @Marius Gunnerud
I have a static route and a default route for the network on the FTD. Also, I have a default static route on the gateway device that is connected to the FTD firewall, as they have L3 connectivity.