There's a good chance I'm doing this wrong, but when I try to forward more than one port on my FTD box, it gives me the following error:
Here's the current rule in CLI:
nat (LAN-Side,ISP-Side) static interface service tcp ssh ssh
Any idea why it won't let me add another PAT entry?
I attempted that by using the manual NAT entry, but continued having the same issue. See the error below after adding the object group.
You can do it with two rules. They should be Manual NAT ("NAT Rules Before") and not Auto NAT. The source port should be "any" since a client will use a random ephemeral port.
Also remember to allow the traffic with an ACL. You can use the group for that to keep it simple.
Here's the running-config, the first two lines reflect your NAT use case:
> show running-config nat nat (Outside-Home,Inside-Lab) source static any any destination static Outside_interfrace Jump_server service SVC_158913793770 SVC_158913793770 nat (Outside-Home,Inside-Lab) source static any any destination static Outside_interfrace Jump_server service SVC_158913793771 SVC_158913793771 nat (Inside-Lab,Outside-Home) source static Lab_net Lab_net destination static VPN_Pool VPN_Pool description NAT Exemption nat (Inside-Lab,Outside-Home) source static Lab_net Lab_net destination static FTDv-2_DMZ FTDv-2_DMZ no-proxy-arp nat (Outside-Home,Inside-Lab) source static Condo_net Condo_net destination static Lab_net Lab_net ! object network Lab_net nat (Inside-Lab,Outside-Home) dynamic interface >
