
How would FTD decide which interface to use to perform NAT?

SIMMN (Spotlight)

I have configured a Security Zone or Interface Group that contains multiple interfaces (each has its own unique IP/subnet). When I use either the Security Zone or Interface Group as the destination interface object in a NAT rule, how would I know which interface within the Security Zone or Interface Group would be used by FTD to perform NAT?

Is it going to be randomly selected, OR round robin, OR lowest port#/IP/MAC first, OR some other mechanism?

The FTD in question is running v7.2.7.

2 Accepted Solutions

Royalty (Spotlight)

Hi @SIMMN,

It creates multiple internal rules within the LINA engine for NAT configuration referencing a Security Zone / Interface Group with multiple interfaces, one for each interface. I'm not sure on your topology or desired outcome but it could be worth considering the option to leave out the Destination Interface object and use 'any' which will let the routing table decide, as opposed to explicitly setting the destination interface.

It was discussed in this reddit thread previously, however, it is not a bug.

https://www.reddit.com/r/Cisco/comments/qpnpo3/fmcftd_destination_nat_with_security_zones/

Please see the following excerpts from the FTD Configuration Guides. Doesn't matter which version, it's been like this for some time and still is even in the latest releases.

  • If more than one interface in an interface object exists on a given device, identical rules are created for each interface. This can become an issue for static NAT rules that include destination translation. Because NAT rules are applied based on first hit rule, only the rule created for the first interface configured for the object matches traffic. When configuring static NAT with destination translation, use interface objects that include at most one interface per device assigned to the NAT policy to ensure you are getting the desired results.

  • When sending packets, the device uses the destination interface if you specify one, or a routing table lookup if you do not, to determine the egress interface. For identity NAT, you have the option to use a route lookup even if you specify a destination interface.

 

Hope that helps somewhat

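The expansion and first-hit behaviour quoted above, as an added illustration that is not part of the original post and is not Cisco code or output: a small model of how FMC turns one NAT rule with a multi-interface destination object into one LINA rule per interface pair, and what the LINA engine then does with those rules. The interface names (outside, dmz1, dmz2), the addresses and the route table are all constructed for the example, and only the inbound (untranslate) direction of manual NAT is modelled.

```python
"""
Added illustration (not Cisco code or output): how FMC expands a NAT rule whose
destination interface object holds several interfaces into one LINA rule per
interface pair, and why first-hit evaluation then selects the first listed
interface only.  Interface names, addresses and the route table are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "0.0.0.0/0"

# Constructed routing table: the real server 10.2.2.10 lives behind dmz2.
ROUTES = {"10.1.1.0/24": "dmz1", "10.2.2.0/24": "dmz2"}


def _in(addr: str, net: str) -> bool:
    return ip_address(addr) in ip_network(net, strict=False)


def _name(net: str) -> str:
    # Real 'show run nat' output shows object names; 'any' is the only special case here.
    return "any" if net == ANY else net


def route_lookup(dst: str) -> Optional[str]:
    """Egress interface the routing table would pick for dst."""
    for net, ifc in ROUTES.items():
        if _in(dst, net):
            return ifc
    return None


@dataclass(frozen=True)
class LinaNatRule:
    """One manual (twice) NAT line, fields in 'show run nat' order."""
    real_ifc: str
    mapped_ifc: str
    real_src: str
    mapped_src: str
    mapped_dst: Optional[str] = None   # destination static <mapped> <real>
    real_dst: Optional[str] = None

    def cli(self) -> str:
        s = (f"nat ({self.real_ifc},{self.mapped_ifc}) source static "
             f"{_name(self.real_src)} {_name(self.mapped_src)}")
        if self.mapped_dst:
            s += f" destination static {self.mapped_dst} {self.real_dst}"
        return s


def expand(src_obj, dst_obj, real_src=ANY, mapped_src=ANY,
           mapped_dst=None, real_dst=None):
    """Mimic FMC: one identical rule per (source, destination) interface pair,
    emitted in the order the interfaces appear in the objects."""
    return [LinaNatRule(s, d, real_src, mapped_src, mapped_dst, real_dst)
            for s in src_obj for d in dst_obj]


def first_hit(rules, ingress, src, dst):
    """Manual NAT is evaluated top-down and the first matching rule wins.
    Returns (rule, egress interface, translated destination) or None."""
    for r in rules:
        if r.real_ifc != ingress or not _in(src, r.real_src):
            continue
        if r.mapped_dst and not _in(dst, r.mapped_dst):
            continue
        xlated = r.real_dst if r.mapped_dst else dst
        # Destination interface 'any' defers to the routing table.
        egress = route_lookup(xlated) if r.mapped_ifc == "any" else r.mapped_ifc
        return r, egress, xlated
    return None


PKT = ("outside", "198.51.100.7", "203.0.113.10")   # constructed inbound flow


def demo_multi_interface_object():
    """Destination object lists dmz1 before dmz2: both rules are deployed,
    but the dmz1 copy matches first and the packet egresses the wrong side."""
    rules = expand(["outside"], ["dmz1", "dmz2"],
                   mapped_dst="203.0.113.10", real_dst="10.2.2.10")
    _, egress, xlated = first_hit(rules, *PKT)
    return [r.cli() for r in rules], egress, route_lookup(xlated)


def demo_single_interface_object():
    """Config-guide advice: at most one interface per object for static
    destination NAT, so the only copy is the right one."""
    rules = expand(["outside"], ["dmz2"],
                   mapped_dst="203.0.113.10", real_dst="10.2.2.10")
    _, egress, xlated = first_hit(rules, *PKT)
    return egress, route_lookup(xlated)


def demo_any_destination():
    """Leaving the destination interface as 'any' lets the route lookup decide."""
    rules = expand(["outside"], ["any"],
                   mapped_dst="203.0.113.10", real_dst="10.2.2.10")
    _, egress, _ = first_hit(rules, *PKT)
    return egress


if __name__ == "__main__":
    lines, egress, routed = demo_multi_interface_object()
    print("\n".join(lines))
    print(f"first hit egress={egress}, route says {routed}")
    print("single-interface object:", demo_single_interface_object())
    print("destination 'any':", demo_any_destination())
```

Running the script shows the two deployed copies of the rule and that the inbound flow to 203.0.113.10 is pinned to dmz1 by the first copy even though the translated host is reachable via dmz2; narrowing the object to one interface, or using 'any' as the destination interface, both yield dmz2. On a real FTD the corresponding check is the translate_hits/untranslate_hits counters in show nat and a packet-tracer run for the flow.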

balaji.bandi (Hall of Fame)

It's all based on Cisco Firepower Threat Defense (FTD): the device decides which interface to use for NAT based on the specific NAT rule parameters and the device's routing table.

 

BB

=====Preenayamo Vasudevam=====


3 Replies


nspasov (Cisco Employee)

To add to the already excellent inputs: you can always check the behavior / config after deployment by using CLI commands such as:

  • show run nat
  • packet-tracer
  • show xlate
