FMC Only 1 NAT rule working

s_SiD_s
Level 5

Good day!
FMC 7.6.5 (build 106)

NAT from the local net is working fine.
I need to NAT a server from another VLAN to a different public IP, not the FTDv OUTSIDE interface IP.

On the ASA5550 this works with:

nat (inside,outside) source dynamic NAT-SOURCE-SRV NAT-PUB-SRV

I have made the same on FMC:
> show running-config nat
nat (INSIDE,OUTSIDE) source dynamic NAT-SOURCE-SRV NAT_PUBLIC_SRV

I see xlates to the other public IP, and I also see connections.
But no internet on the PC... ERR_CONNECTION_TIMED_OUT
No ping outside...

Looks like I forgot something... somewhere...

Screenshot_1.png


12 Replies

s_SiD_s
Level 5

On the FTDv CLI we see that the NAT is going to .60.40, which is the goal. The IP address 60.126 is the IP of the FTDv OUTSIDE interface.

But no internet.

packet-tracer shows everything "green and passed".

Screenshot_2.png

@s_SiD_s I assume 10.201.213.249 is NAT-SOURCE-SRV? Is 60.40 in the same network as the outside IP address of the FTD, so that the upstream router has a route back via the FTD?

Can you run packet-tracer from the CLI and provide the full output (mask your public IP addresses)?

s_SiD_s
Level 5

I see now...

ARP on the border main GW shows:

60.40 0026.0b31.64df (the MAC is the OUTSIDE interface of the ASA5550)
and 60.51 (the IP address of the ASA5550 OUTSIDE interface) also shows 0026.0b31.64df in ARP.
Is that why NAT to 60.40 doesn't work on the FTDv?
I have tried another IP which is free, 60.125, but got the same result.

@s_SiD_s Is proxy arp disabled on that nat rule?

Run "show nat detail" and provide the output.

> show nat detail
Manual NAT Policies Implicit (Section 0)
1 (nlp_int_tap) to (INSIDE) source static nlp_server__snmp_32_10.201.213.11_intf3 interface  destination static 0_10.201.213.11_2 0_10.201.213.11_2 service udp snmp snmp 
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 169.254.1.2/32, Translated: 10.201.98.101/29
    Destination - Origin: 10.201.213.11/32, Translated: 10.201.213.11/32
    Service - Protocol: udp Real: snmp Mapped: snmp 
2 (nlp_int_tap) to (OUTSIDE) source static nlp_server__ssh_10.129.0.0_intf2 interface  destination static 0_10.129.0.0_3 0_10.129.0.0_3 service tcp ssh ssh 
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 169.254.1.2/32, Translated: xx.xx.60.126/25
    Destination - Origin: 10.129.0.0/16, Translated: 10.129.0.0/16
    Service - Protocol: tcp Real: ssh Mapped: ssh 
3 (nlp_int_tap) to (INSIDE) source static nlp_server__ssh_10.129.0.0_intf3 interface  destination static 0_10.129.0.0_5 0_10.129.0.0_5 service tcp ssh ssh 
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 169.254.1.2/32, Translated: 10.201.98.101/29
    Destination - Origin: 10.129.0.0/16, Translated: 10.129.0.0/16
    Service - Protocol: tcp Real: ssh Mapped: ssh 
4 (nlp_int_tap) to (INSIDE) source static nlp_server__ssh_10.201.64.0_intf3 interface  destination static 0_10.201.64.0_4 0_10.201.64.0_4 service tcp ssh ssh 
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 169.254.1.2/32, Translated: 10.201.98.101/29
    Destination - Origin: 10.201.64.0/24, Translated: 10.201.64.0/24
    Service - Protocol: tcp Real: ssh Mapped: ssh 
5 (nlp_int_tap) to (OUTSIDE) source dynamic nlp_client_0_10.129.0.0_6proto22_intf2 interface  destination static nlp_client_0_ipv4_2 nlp_client_0_ipv4_2 service nlp_client_0_6svc22_1 nlp_client_0_6svc22_1
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 169.254.1.2/32, Translated: xx.xx.60.126/25
    Destination - Origin: 10.129.0.0/16, Translated: 10.129.0.0/16
    Service - Origin: tcp destination eq ssh , Translated: tcp destination eq ssh 
6 (nlp_int_tap) to (INSIDE) source dynamic nlp_client_0_10.129.0.0_6proto22_intf3 interface  destination static nlp_client_0_ipv4_6 nlp_client_0_ipv4_6 service nlp_client_0_6svc22_5 nlp_client_0_6svc22_5
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 169.254.1.2/32, Translated: 10.201.98.101/29
    Destination - Origin: 10.129.0.0/16, Translated: 10.129.0.0/16
    Service - Origin: tcp destination eq ssh , Translated: tcp destination eq ssh 
7 (nlp_int_tap) to (INSIDE) source dynamic nlp_client_0_10.201.64.0_6proto22_intf3 interface  destination static nlp_client_0_ipv4_4 nlp_client_0_ipv4_4 service nlp_client_0_6svc22_3 nlp_client_0_6svc22_3
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 169.254.1.2/32, Translated: 10.201.98.101/29
    Destination - Origin: 10.201.64.0/24, Translated: 10.201.64.0/24
    Service - Origin: tcp destination eq ssh , Translated: tcp destination eq ssh 

Manual NAT Policies (Section 1)
1 (INSIDE) to (OUTSIDE) source dynamic VLAN_213 NAT_125  dns
    translate_hits = 371, untranslate_hits = 0
    Source - Origin: 10.201.213.0/24, Translated: xx.xx.60.125/32

Auto NAT Policies (Section 2)
1 (INSIDE) to (OUTSIDE) source dynamic SPB_BELL_NETWORK interface 
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.206.64.0/24, Translated: xx.xx.60.126/25
2 (INSIDE) to (OUTSIDE) source dynamic NAT_BELL_NETWORK interface 
    translate_hits = 90770, untranslate_hits = 10777
    Source - Origin: 10.201.0.0/16, Translated: xx.xx.60.126/25

Proxy ARP is grayed out on that NAT rule

Screenshot_4.png Screenshot_5.png

s_SiD_s
Level 5

Packet capture:
no reply...

> capture CAPI trace interface INSIDE match ip host 10.201.213.249 host 77.88.8.8
> capture CAPO interface OUTSIDE match ip any host 77.88.8.8
>
> show capture CAPI
   1: 12:08:46.342755       10.201.213.249 > 77.88.8.8 icmp: echo request 
   2: 12:08:51.339582       10.201.213.249 > 77.88.8.8 icmp: echo request 
   3: 12:08:56.343106       10.201.213.249 > 77.88.8.8 icmp: echo request 
   4: 12:09:01.340726       10.201.213.249 > 77.88.8.8 icmp: echo request 
   5: 12:09:06.341031       10.201.213.249 > 77.88.8.8 icmp: echo request 
   6: 12:09:11.345593       10.201.213.249 > 77.88.8.8 icmp: echo request 
> 
> show capture CAPO
   1: 12:08:56.343457       xx.xx.60.125 > 77.88.8.8 icmp: echo request 
   2: 12:09:01.341062       xx.xx.60.125 > 77.88.8.8 icmp: echo request 
   3: 12:09:06.341397       xx.xx.60.125 > 77.88.8.8 icmp: echo request 
   4: 12:09:11.346005       xx.xx.60.125 > 77.88.8.8 icmp: echo request 
   5: 12:09:16.352246       xx.xx.60.125 > 77.88.8.8 icmp: echo request 
   6: 12:09:21.355480       xx.xx.60.125 > 77.88.8.8 icmp: echo request 
> no capture /all
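The two captures above are the decisive evidence in this thread: the inside capture shows the real host sending, the outside capture shows the same packets leaving translated to the mapped public address, and nothing ever comes back. The following checker classifies that pattern from `show capture` text. It is an added example, not code from the thread or from Cisco; the capture lines are constructed from the ones posted above with the masked public address replaced by 203.0.113.125 (documentation range), and the "healthy" pair of captures used for comparison is invented.

```python
"""Classify a NAT problem from two FTD `show capture` outputs (inside and
outside): does the real source get translated, does traffic leave, and does
anything come back?  Added example, not code from the thread or from Cisco.
Capture text is constructed from the thread with the masked public address
replaced by 203.0.113.125; the healthy counter-example is invented."""
import re
from collections import namedtuple

Packet = namedtuple("Packet", "src dst info")

# Matches ASA/FTD `show capture` lines such as
#   1: 12:08:46.342755       10.201.213.249 > 77.88.8.8 icmp: echo request
#   3: 12:08:46.400000       10.201.213.249.51000 > 77.88.8.8.443: S ...   (TCP form)
LINE_RE = re.compile(r"^\s*\d+:\s+\S+\s+(\S+) > (\S+?):?\s+(.*)$")

# Constructed from the thread: requests go out, nothing returns.
CAPI = """\
   1: 12:08:46.342755       10.201.213.249 > 77.88.8.8 icmp: echo request
   2: 12:08:51.339582       10.201.213.249 > 77.88.8.8 icmp: echo request
"""
CAPO = """\
   1: 12:08:56.343457       203.0.113.125 > 77.88.8.8 icmp: echo request
   2: 12:09:01.341062       203.0.113.125 > 77.88.8.8 icmp: echo request
"""
# Constructed healthy pair: reply seen outside and untranslated back inside.
CAPI_OK = """\
   1: 12:10:00.000000       10.201.213.249 > 77.88.8.8 icmp: echo request
   2: 12:10:00.020000       77.88.8.8 > 10.201.213.249 icmp: echo reply
"""
CAPO_OK = """\
   1: 12:10:00.000100       203.0.113.125 > 77.88.8.8 icmp: echo request
   2: 12:10:00.019900       77.88.8.8 > 203.0.113.125 icmp: echo reply
"""


def parse_capture(text):
    """Parse `show capture NAME` output into Packet tuples; other lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkts.append(Packet(m.group(1), m.group(2), m.group(3).strip()))
    return pkts


def host(addr):
    """Strip a trailing TCP/UDP port from 'a.b.c.d.port' (ICMP lines carry none)."""
    parts = addr.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else addr


def diagnose(capi_text, capo_text, real_ip, mapped_ip):
    """Return a short class and explanation for the real_ip -> mapped_ip translation."""
    inside = parse_capture(capi_text)
    outside = parse_capture(capo_text)
    if not any(host(p.src) == real_ip for p in inside):
        return "not-ingressing: no packets from the real host on the inside capture"
    if any(host(p.src) == real_ip for p in outside):
        return "not-translated: the real address leaks out untranslated"
    out_fwd = [p for p in outside if host(p.src) == mapped_ip]
    out_rev = [p for p in outside if host(p.dst) == mapped_ip]
    in_rev = [p for p in inside if host(p.dst) == real_ip]
    if not out_fwd:
        return "not-egressing: translated packets never leave the outside interface"
    if not out_rev:
        # The thread's case: the FTD does its part, but the upstream gateway
        # never delivers return traffic to the mapped address (ARP or route).
        return ("no-return-path: %d request(s) left as %s and no reply came back; "
                "check upstream ARP/route for the mapped address" % (len(out_fwd), mapped_ip))
    if not in_rev:
        return "reply-dropped-inbound: replies reach outside but are not untranslated/allowed"
    return "ok"


if __name__ == "__main__":
    print(diagnose(CAPI, CAPO, "10.201.213.249", "203.0.113.125"))
    print(diagnose(CAPI_OK, CAPO_OK, "10.201.213.249", "203.0.113.125"))
```

Paste the real `show capture CAPI` and `show capture CAPO` text in place of the constructed strings; a `no-return-path` verdict with packet-tracer reporting "allowed" is exactly the signature of an upstream ARP or routing problem rather than a policy drop on the FTD.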

Marvin Rhoads
Hall of Fame

Is your outside network a /24? Just asking to confirm that the various addresses you have tested are indeed in the same subnet.

The public network is a /25.

I think proxy ARP does not work at all on FMC/FTDv.
I have added a static route on the border GW: xx.xx.60.125 255.255.255.255 xx.xx.60.126

pointing .125 behind the OUTSIDE interface of the FTDv.

Now NAT with .125 is working as per the config.
It is odd...

Screenshot_6.png

Check your running config for potentially hidden sysopt proxyarp commands:

show running-config all | include sysopt

Accepted Solution

There was:
sysopt noproxyarp OUTSIDE
sysopt noproxyarp INSIDE
sysopt noproxyarp management

So I made a FlexConfig to disable it.
Then I removed the route and NAT started to work.
Someone switched off the same setting on the ASA5550, that's why the same config works on the ASA.

And it is strange that the settings in NAT do not work until proxy ARP is globally disabled.
Screenshot_7.png
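The whole diagnosis in this thread comes down to three facts that can be checked mechanically: whether a mapped address is on-link with the OUTSIDE subnet (from `show nat detail`), whether the upstream gateway already binds that address to some other MAC (the ASA5550 case from the ARP table posted earlier), and whether `sysopt noproxyarp` is set on the egress interface (the hidden line found with `show running-config all | include sysopt`). The script below does that for every mapped address egressing OUTSIDE. It is an added example, not code from the thread or from Cisco. The NAT, sysopt and ARP samples are constructed from the thread: the masked public /25 is replaced by the documentation range 203.0.113.0/25, the MAC of the FTDv OUTSIDE interface and the hit counters of the NAT_PUBLIC_SRV rule are invented, and the FlexConfig line it suggests (`no sysopt noproxyarp OUTSIDE`) is the standard ASA negation syntax, assumed here rather than taken from the poster's FlexConfig, which the thread does not show.

```python
"""Check whether the mapped (translated) addresses of FTD NAT rules are
reachable from the upstream gateway, reproducing the diagnosis in this thread.

Added example, not code from the thread or from Cisco. The `show nat detail`,
`show running-config all | include sysopt` and upstream ARP samples are
constructed from the thread, with the masked public /25 replaced by the
documentation range 203.0.113.0/25 and MAC addresses that are assumptions."""
import ipaddress
import re

# Constructed sample: relevant lines of `show nat detail` (sections 1 and 2).
SHOW_NAT_DETAIL = """\
Manual NAT Policies (Section 1)
1 (INSIDE) to (OUTSIDE) source dynamic VLAN_213 NAT_125  dns
    translate_hits = 371, untranslate_hits = 0
    Source - Origin: 10.201.213.0/24, Translated: 203.0.113.125/32
2 (INSIDE) to (OUTSIDE) source dynamic NAT-SOURCE-SRV NAT_PUBLIC_SRV
    translate_hits = 12, untranslate_hits = 0
    Source - Origin: 10.201.213.249/32, Translated: 203.0.113.40/32

Auto NAT Policies (Section 2)
1 (INSIDE) to (OUTSIDE) source dynamic NAT_BELL_NETWORK interface
    translate_hits = 90770, untranslate_hits = 10777
    Source - Origin: 10.201.0.0/16, Translated: 203.0.113.126/25
"""

# Constructed sample: `show running-config all | include sysopt`.
SYSOPT = """\
sysopt noproxyarp OUTSIDE
sysopt noproxyarp INSIDE
sysopt noproxyarp management
"""

# Constructed sample: ARP table of the upstream border gateway (IP -> MAC).
UPSTREAM_ARP = {
    "203.0.113.40": "0026.0b31.64df",   # still answered by the old ASA5550
    "203.0.113.51": "0026.0b31.64df",   # ASA5550 OUTSIDE address
    "203.0.113.126": "0050.56aa.0001",  # FTDv OUTSIDE (assumed MAC)
}
FTD_OUTSIDE_NAME = "OUTSIDE"
FTD_OUTSIDE_MAC = "0050.56aa.0001"                    # assumed
FTD_OUTSIDE = ipaddress.ip_interface("203.0.113.126/25")

RULE_RE = re.compile(r"^\d+ \((\S+)\) to \((\S+)\) ")
XLATE_RE = re.compile(r"Source - Origin: (\S+), Translated: (\S+)")


def parse_noproxyarp(text):
    """Interfaces on which `sysopt noproxyarp` is set (proxy ARP disabled)."""
    return set(re.findall(r"^sysopt noproxyarp (\S+)", text, re.M))


def parse_nat_rules(text):
    """(ingress, egress, mapped) per NAT policy.  `mapped` keeps the mask the
    FTD prints, so interface PAT (/25 here) and /32 hosts both parse."""
    rules, current = [], None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            continue
        x = XLATE_RE.search(line)
        if x and current:
            rules.append((*current, ipaddress.ip_interface(x.group(2))))
    return rules


def diagnose(rules, noproxyarp, outside_name, outside_if, outside_mac, upstream_arp):
    """Map each mapped address egressing via the outside interface to a verdict."""
    verdicts = {}
    for _ingress, egress, mapped in rules:
        if egress != outside_name:
            continue
        ip = mapped.ip
        if ip == outside_if.ip:
            verdicts[str(ip)] = "ok: interface PAT, the FTD itself owns this address"
        elif ip not in outside_if.network:
            verdicts[str(ip)] = (f"needs-route: not in {outside_if.network}; "
                                 f"upstream must route it to {outside_if.ip}")
        elif upstream_arp.get(str(ip), outside_mac) != outside_mac:
            verdicts[str(ip)] = (f"conflict: upstream ARP binds it to "
                                 f"{upstream_arp[str(ip)]}, not the FTD")
        elif outside_name in noproxyarp:
            # The gateway ARPs for an on-link address; with proxy ARP disabled
            # nobody answers, so return traffic never reaches the FTD.
            verdicts[str(ip)] = (f"broken: on-link but proxy ARP is disabled on "
                                 f"{outside_name}; FlexConfig 'no sysopt noproxyarp "
                                 f"{outside_name}' (assumed syntax) or an upstream "
                                 f"/32 route via {outside_if.ip}")
        else:
            verdicts[str(ip)] = "ok: FTD proxy-ARPs for this mapped address"
    return verdicts


def run():
    return diagnose(parse_nat_rules(SHOW_NAT_DETAIL), parse_noproxyarp(SYSOPT),
                    FTD_OUTSIDE_NAME, FTD_OUTSIDE, FTD_OUTSIDE_MAC, UPSTREAM_ARP)


if __name__ == "__main__":
    for ip, verdict in run().items():
        print(f"{ip:15} {verdict}")
```

On the constructed input this reports .126 as fine (interface PAT), .40 as a conflict because the border gateway still resolves it to the ASA5550's MAC, and .125 as broken only because of `sysopt noproxyarp OUTSIDE`, which is the order in which the thread actually found the problems. Either remediation the script names restores the return path: re-enabling proxy ARP lets the FTD answer the gateway's ARP request for the mapped address, while the /32 static route the poster tried first makes the gateway send to the FTD's own interface address instead of ARPing for .125.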

s_SiD_s
Level 5

Yep :)
After that I see a lot of attempts to probe high TCP ports on IP .60.125 :)
How to stop this nightmare?

Screenshot_1.png
