Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
493
Views
0
Helpful
1
Replies

FTD ARP From NATed IP

Zac576
Level 1
Level 1

‎11-01-2022 09:34 AM - edited ‎11-01-2022 09:50 AM

Hi all:

I am having an issue with a 1:1 NAT on an FTD.  I have two FTDs (both managed by an FMC), and they both have 1:1 NATs.  The NATs are working on one FTD, but not on the other.  They have different flavors of internet, and the problem is related to the connection.

Referring to the FTD with NATs that are not working, there are several static IPs on that internet service.  I verified with the ISP that they are configured on the circuit, and one of the other IPs was on the FTD's WAN interface before I changed it to what the IP is now.  The IPs are in the same subnet.  I talked to the ISP about this fiber connection, and was told that the session for each static IP isn't static, it's dynamically built.  What triggers the building of the session is when the gateway (the ISP) receives an ARP from the static IP.  That sets off a series of events that builds the session for that particular static IP.

The IP on the FTDs WAN interface is working because the FTDs ARP for the gateway's MAC would have had its interface IP.  I see in a packet capture that it's sending out packets which are sourced from the second static IP, but there's no return traffic.  No session was built for the second static IP because the FTD won't send an ARP containing the second static IP.  That makes sense to me because the FTD already knows the MAC of the gateway.  It doesn't see a reason to ARP for it again.

I realize that this is likely not possible, but I'll ask anyway.  Is it possible to have the FTD periodically send an ARP with an IP other than the interface IP?  I see no way to do this in the FMC.  I consoled in to the FTD and saw that 'arping' is in Expert mode, but I can't source ARPs from the WAN interface.  It's not listed in an 'ip addr'.  I assume that's because the FTD part of the box has control of that.  Is there another way to address this problem?

0 Helpful
1 Reply 1

Aref Alsouqi
VIP
VIP

‎11-01-2022 09:50 AM

I can't see why you would need to do that. As per your FTD config, when the traffic is sent out with the secondary (NAT) IP the ISP router should know that it needs to throw that traffic back out of the interface connected to the FTD WAN interface, and then the FTD will use its proxy ARP to take ownership of delivering the traffic back to the internal host. If the ISP router and the FTD WAN connection is using a different subnet than the one that is being used for NAT'ing then the ISP router should have a static route back to the FTD WAN interface for any traffic destined to the NAT'ed IP addresses.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card