436 Views | 1 Helpful | 3 Replies

Help with a NAT issue

WillDudeGuy (Level 1)

Hello Community,

I need your collective brains with a situation I'm trying to solve.

I currently have a couple of hundred endpoints that I can remotely manage; these endpoints traverse a Firepower to reach the management system I manage them with. Recently we went through a transition where the management network IP range was changed; to ensure the endpoints could still connect, we configured a NAT on the Firepower to change the endpoints' peer address to the new management IP network address. This was successful, but now that I can remotely manage them again I want to change the peer address to the new IP of the system. I tested doing this on a test device and ran into the issue of an asymmetric NAT. Initially I thought that was OK: I would simply remove the NAT once I made the config change. The problem with this is that I can't remove the NAT until all devices receive the new config, and they won't do that until they come online. This will obviously put me in a situation where endpoints that receive their new configs will fail to connect until the NAT is removed, which is not an option.

So can anyone think of a way I can have a bidirectional NAT employed that will only NAT return traffic if it was NATted on the way in?

Or any other way I can achieve this?

Accepted Solution

WillDudeGuy (Level 1)

For anyone who comes across this query and is struggling with something similar, I worked out a way to do it. Simply have another NAT (transition NAT) that will match on the NEW IP and also the ephemeral range of source ports, do PAT to change these ports to a range of your choice, and place this rule above the current NAT. Then amend the existing NAT to match on the ephemeral range as well but don't translate it. This will mean that return traffic will match the new rule first only if the ports match something outside the ephemeral range and be forwarded; otherwise it will fall through to the old rule and then be forwarded. Once traffic is no longer hitting the old NAT rule you can remove both NATs.

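A model of the accepted answer's rule ordering, added here as an example and not code from the thread or from Cisco: a toy first-match NAT table is run over one connection to the old peer and one to the new peer, before and after the transition rule is inserted. The management IPs, the endpoint address, the ephemeral range and the chosen PAT range are constructed assumptions, and the model ignores Firepower's connection table, checking only which rule a packet would match in each direction.

```python
# Added example (not Firepower/ASA code): toy first-match NAT table that
# models the rule ordering from the accepted answer. All values are assumed.
from dataclasses import dataclass, replace

OLD_MGMT, NEW_MGMT = "10.0.0.10", "10.1.0.10"    # assumed old / new management IPs
EPHEMERAL = range(32768, 61000)                    # assumed endpoint source-port range
PAT_RANGE = range(1024, 1024 + len(EPHEMERAL))     # chosen range fully outside EPHEMERAL

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

# A rule is (forward_fn, reverse_fn); each returns a translated packet or None (fall through).
def transition_nat():
    def fwd(p):  # endpoint -> NEW: shift the source port into PAT_RANGE
        if p.dst == NEW_MGMT and p.sport in EPHEMERAL:
            return replace(p, sport=PAT_RANGE.start + (p.sport - EPHEMERAL.start))
    def rev(p):  # NEW -> endpoint: only replies aimed at a PAT_RANGE port
        if p.src == NEW_MGMT and p.dport in PAT_RANGE:
            return replace(p, dport=EPHEMERAL.start + (p.dport - PAT_RANGE.start))
    return fwd, rev

def legacy_nat(port_aware):
    def fwd(p):  # endpoint -> OLD is rewritten to NEW
        if p.dst == OLD_MGMT and (not port_aware or p.sport in EPHEMERAL):
            return replace(p, dst=NEW_MGMT)
    def rev(p):  # NEW -> endpoint is rewritten back to OLD
        if p.src == NEW_MGMT and (not port_aware or p.dport in EPHEMERAL):
            return replace(p, src=OLD_MGMT)
    return fwd, rev

def apply(rules, pkt, direction):
    for rule in rules:
        out = rule[direction](pkt)
        if out is not None:
            return out
    return pkt  # no rule matched: forwarded untranslated

def reply_source(rules, peer, sport=40000):
    """(source IP, dest port) the endpoint sees on the reply; symmetric iff == (peer, sport)."""
    out = apply(rules, Pkt("192.168.5.20", sport, peer, 443), 0)   # constructed endpoint
    server_reply = Pkt(out.dst, out.dport, out.src, out.sport)
    back = apply(rules, server_reply, 1)
    return back.src, back.dport

BEFORE = [legacy_nat(port_aware=False)]                  # original single NAT: asymmetric for NEW
AFTER = [transition_nat(), legacy_nat(port_aware=True)]  # accepted answer's ordering
```

With BEFORE, an endpoint already pointed at NEW sees its replies come back from OLD; with AFTER, both peer settings get symmetric replies, so the old rule can stay until the last endpoint has migrated.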

3 Replies

You changed the IP of the endpoints; did you also change the IP of the management system? I think the management system uses TFTP to push the config into the endpoints.

If yes, then configure no NAT for any traffic initiated from the endpoints to the old management system and TFTP server.

MHM

Thanks for your response, but please take another look at my original message; the only IP that changed was that of the management system.
