08-08-2025 03:30 AM
Good day. Remote FTD has a public IP. FMC is in another office and has an internal IP. I am trying to make a NAT translation of TCP port 8305 on the FTD behind which FMC is located.
I created an auto NAT rule – static. InterfaceObjects: Source-any, Destination-outside. Translation: OriginalSource-local IP FMC, Port TCP 8305. Translated Packet: Destination Interface IP, Port 8305.
In ACL:
Source-Zone Inside, Network - public IP of remote FTD, port 8305.
Destination-Zone Outside, Network - local IP of FMC, port 8305.
I cannot connect the FTD with this configuration. Tell me where the error is.
08-08-2025 03:38 AM - edited 08-08-2025 05:14 AM
Check below.
MHM
08-08-2025 04:27 AM - edited 08-08-2025 04:40 AM
Change on the remote FTD? My script is not on the link. Or on the FTD which is under FMC?
08-08-2025 04:37 AM - edited 08-08-2025 05:14 AM
Check below.
08-08-2025 04:42 AM
08-08-2025 04:46 AM - edited 08-08-2025 05:23 AM
You want to config the FTD which FMC is behind? Not the remote FTD?
If it is the FTD which FMC is behind:
1- you need a prefilter config in the ACL to allow traffic between the remote FTD and FMC, bypassing Snort inspection
2- and you need to swap the zones; the traffic is initiated from outside
MHM
08-08-2025 04:43 AM
@Denis Negik the ACL you refer to is on the FTD in front of the FMC? The rule is for traffic from the remote FTD to the FMC which is on the inside of the FTD. In which case, surely the Source Zone should be OUTSIDE and destination should be INSIDE?
If you still have a problem, run system support firewall-engine-debug, apply a filter and generate traffic.
08-08-2025 05:21 AM
system support firewall-engine-debug
After specifying all the data, nothing shows. Or does it not work via SSH? Of course the problem remains.
08-08-2025 05:25 AM - edited 08-08-2025 05:32 AM
@Denis Negik are the zones correct though? Provide screenshot if you wish us to confirm.
You SSH to the FTD you've applied the firewall rule to (the FTD in front of the FMC), just filter on the source IP address and generate some traffic to generate some output.
08-08-2025 05:47 AM
08-08-2025 05:58 AM
FTD WAN remote IP? That again confuses me.
Let me make it simpler:
FTD1-ISP-FTD2-FMC
In FTD2
you need to config NAT using the FMC real IP and the FTD2 WAN IP.
Confirm you did that?
If yes, then from FMC access FTD2 and use capture to see if FTD1 sends traffic or not.
08-08-2025 06:17 AM
FTD WAN remote IP? - the public IP address of the FTD1 manager port, according to the scheme FTD1-ISP-FTD2-FMC
08-08-2025 06:23 AM - edited 08-08-2025 07:25 AM
But FMC is behind FTD2 and the NAT config is in FTD2; why do you use the FTD1 WAN IP in the NAT config in FTD2?
That is wrong.
- FTD1 must be configured with mgmt using the FTD2 WAN IP
- FTD2 must have an ACL allowing traffic between FTD1 and FMC
- FTD2 must have NAT between the FMC private IP and the FTD2 WAN public IP
MHM
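The three requirements listed above, shown as an added example of what the resulting FTD2 configuration and its verification look like from the FTD2 CLI; this is not configuration from the thread, and the addresses (203.0.113.2 for FTD1's manager port, 203.0.113.10 for FTD2's outside interface, 10.10.10.5 for FMC), the interface names inside/outside and the object name FMC_MGMT are assumptions.

```cisco
! Assumed addresses (constructed for this example):
!   FTD1 manager port (public)      : 203.0.113.2
!   FTD2 outside interface (public) : 203.0.113.10
!   FMC on FTD2's inside network    : 10.10.10.5
!
! 1) Auto NAT on FTD2, as the FMC-deployed rule appears in
!    'show running-config nat' on the FTD2 CLI (ASA-style syntax).
!    Original = FMC private IP on inside, translated = FTD2
!    outside interface IP, TCP 8305 in both directions.
object network FMC_MGMT
 host 10.10.10.5
 nat (inside,outside) static interface service tcp 8305 8305
!
! 2) Access control is deployed from FMC, not typed here.
!    Because the connection is initiated by FTD1 from the internet,
!    the rule is Source zone OUTSIDE -> Destination zone INSIDE,
!    source 203.0.113.2, destination 10.10.10.5 (the real IP, since
!    the ACL is evaluated against the untranslated address), TCP 8305.
!    A prefilter Fastpath rule for the same flow keeps the
!    sftunnel traffic out of Snort.
!
! 3) Verification from the FTD2 CLI. Simulate the inbound SYN from
!    FTD1 and check that the NAT and ACCESS-LIST phases report ALLOW:
packet-tracer input outside tcp 203.0.113.2 40000 203.0.113.10 8305
!
! Confirm the translation exists and watch its hit counts rise:
show nat detail
!
! Capture on the outside interface: if nothing matches, FTD1's
! registration traffic is not reaching FTD2 (check the manager
! config on FTD1 or the ISP path); if SYNs arrive but no SYN-ACK
! returns, the fault is in NAT or the ACL on FTD2.
capture CAP_8305 interface outside match tcp host 203.0.113.2 host 203.0.113.10 eq 8305
show capture CAP_8305
no capture CAP_8305
```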
08-08-2025 07:18 AM
I don't want to use the WAN port now. Is it a necessary condition? I assigned a public IP to the manager port.
08-08-2025 07:22 AM - edited 08-08-2025 07:23 AM
Remember this for NAT.
You want to use the FTD2 public IP, not the FTD2 WAN port?
If that is your question, yes, you can use the public IP of FTD2.
MHM