03-08-2019 05:17 PM
There's a good chance I'm doing this wrong, but when I try to forward more than one port on my FTD box, it gives me the following error:
Here's the current rule in CLI:
nat (LAN-Side,ISP-Side) static interface service tcp ssh ssh
Any idea why it won't let me add another PAT entry?
03-08-2019 07:01 PM
Make the services (ports) you want to allow part of a service group (via Object Management) and then use that group in the (single) NAT rule.
03-09-2019 08:44 AM
I attempted that by using the manual NAT entry, but continued having the same issue. See the error below after adding the object group.
03-11-2019 07:45 AM
You can do it with two rules. They should be Manual NAT ("NAT Rules Before") and not Auto NAT. The source port should be "any" since a client will use a random ephemeral port.
Also remember to allow the traffic with an ACL. You can use the group for that to keep it simple.
Here's the running-config, the first two lines reflect your NAT use case:
> show running-config nat
nat (Outside-Home,Inside-Lab) source static any any destination static Outside_interfrace Jump_server service SVC_158913793770 SVC_158913793770
nat (Outside-Home,Inside-Lab) source static any any destination static Outside_interfrace Jump_server service SVC_158913793771 SVC_158913793771
nat (Inside-Lab,Outside-Home) source static Lab_net Lab_net destination static VPN_Pool VPN_Pool description NAT Exemption
nat (Inside-Lab,Outside-Home) source static Lab_net Lab_net destination static FTDv-2_DMZ FTDv-2_DMZ no-proxy-arp
nat (Outside-Home,Inside-Lab) source static Condo_net Condo_net destination static Lab_net Lab_net
!
object network Lab_net
 nat (Inside-Lab,Outside-Home) dynamic interface
>
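Once port forwards are split across several Manual NAT rules like the two above, it is easy to lose track of what the outside interface actually exposes. The script below is an added example, not code from the thread: it parses `show running-config nat` text (both Manual NAT lines and object/Auto NAT lines such as the questioner's `static interface service tcp ssh ssh`), skips identity/exemption and dynamic rules, and returns an inventory of inbound static translations with a flag for rules whose source is `any`, the ones that need the ACL mentioned above. The sample config is constructed from the thread's lines; the object name `Jump_host_hypothetical` is an assumption, since the original post did not show which object its Auto NAT rule belonged to.

```python
import re

# Constructed sample: the thread's running-config NAT lines, one per line, plus the
# questioner's Auto NAT rule placed under a hypothetical object name (assumption).
SAMPLE_CONFIG = """\
nat (Outside-Home,Inside-Lab) source static any any destination static Outside_interfrace Jump_server service SVC_158913793770 SVC_158913793770
nat (Outside-Home,Inside-Lab) source static any any destination static Outside_interfrace Jump_server service SVC_158913793771 SVC_158913793771
nat (Inside-Lab,Outside-Home) source static Lab_net Lab_net destination static VPN_Pool VPN_Pool description NAT Exemption
nat (Inside-Lab,Outside-Home) source static Lab_net Lab_net destination static FTDv-2_DMZ FTDv-2_DMZ no-proxy-arp
nat (Outside-Home,Inside-Lab) source static Condo_net Condo_net destination static Lab_net Lab_net
object network Lab_net
 nat (Inside-Lab,Outside-Home) dynamic interface
object network Jump_host_hypothetical
 nat (LAN-Side,ISP-Side) static interface service tcp ssh ssh
"""

# Manual NAT: nat (real_if,mapped_if) source static real mapped [destination static mapped real] [service real mapped]
MANUAL = re.compile(
    r"^nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\) source static (?P<s_real>\S+) (?P<s_map>\S+)"
    r"(?: destination static (?P<d_map>\S+) (?P<d_real>\S+))?(?: service (?P<svc_real>\S+) (?P<svc_map>\S+))?")
# Object (Auto) NAT, indented under "object network NAME"
OBJECT = re.compile(
    r"^ nat \((?P<real_if>[^,]+),(?P<map_if>[^)]+)\) (?P<kind>static|dynamic) (?P<mapped>\S+)"
    r"(?: service (?P<proto>\S+) (?P<real_port>\S+) (?P<map_port>\S+))?")

def inbound_exposures(config):
    """Return static translations that expose an inside host on a mapped interface.
    Identity (NAT exemption) rules and dynamic object NAT are skipped."""
    found, current_obj = [], None
    for line in config.splitlines():
        if line.startswith("object network "):
            current_obj = line.split()[-1]          # real host for following object NAT lines
            continue
        m = MANUAL.match(line)
        if m and m["d_map"] and m["d_map"] != m["d_real"]:   # destination really rewritten
            found.append({"type": "manual", "from_if": m["src_if"], "mapped": m["d_map"],
                          "real": m["d_real"], "service": m["svc_map"] or "all",
                          "source_any": m["s_real"] == "any"})
            continue
        m = OBJECT.match(line)
        if m and m["kind"] == "static":                      # object NAT never limits the source
            port = f'{m["proto"]}/{m["map_port"]}' if m["proto"] else "all"
            found.append({"type": "object", "from_if": m["map_if"], "mapped": m["mapped"],
                          "real": current_obj, "service": port, "source_any": True})
    return found

if __name__ == "__main__":
    for entry in inbound_exposures(SAMPLE_CONFIG):
        print(entry)
```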
03-14-2019 07:26 AM
Thanks for your help, Marvin! I will give this a shot and let you know if it works.