11-23-2023 12:01 AM
My WAN IP address is 72.X.X.X, and the public IP addresses provided by the ISP are in the 200.X.X.X subnet.
My secondary ISP WAN IP is 33.X.X.X, and the public IP addresses are in the same subnet.
There is a web server in the DMZ which does not work when I set the IP from the 200.X.X.X range, but works fine if I set the IP from the 33.X.X.X range.
NAT for both ISPs exists.
How do I ensure that the website will load if I switch the IP to 200.X.X.X?
Solved! Go to Solution.
11-23-2023 02:01 AM - edited 11-23-2023 08:39 AM
If 200.x.x.x is routed via the primary ISP, then
in NAT, don't check "NAT route lookup".
The egress interface is determined by NAT, and we don't want that.
Also, when you access the server, how is the return traffic routed? I think you have asymmetric traffic; FTD drops asymmetric traffic.
Can you confirm which ISP the default route goes via, primary or backup?
11-23-2023 12:26 AM - edited 11-23-2023 12:26 AM
There are two ways to solve this:
1) Let your ISP route the 200 subnet to your firewall's IP. This is the better solution, but it only works when no other device on this subnet uses IPs from this pool.
2) Push "arp permit-nonconnected" to the firewall with FlexConfig.
11-23-2023 04:45 AM
Hello @Karsten Iwen
The ISP is routing the 200 subnet to the firewall. It was working on the ASA but not on the FTD.
I added "arp permit-nonconnected", but that didn't help.
11-23-2023 05:07 AM
In this case the "arp ..." is not needed, and it should work out of the box. I assume you somehow messed up your NAT and/or your access control. What does packet-tracer tell you about the desired traffic?
11-23-2023 06:24 AM
What does the web server NAT rule look like? Do you have proxy ARP enabled?
11-23-2023 08:35 AM
Hello @Aref Alsouqi
"Do not proxy ARP on Destination Interface" is not checked.
11-23-2023 08:59 AM
If it's not checked, it means proxy ARP is enabled. Please share the NAT rule you created for review.
11-23-2023 11:31 AM
Auto NAT rule
Type: Static
Source Interface Objects: DMZ
Destination Interface Objects: ISP
Original source: private IP address
Translated source: ISP-provided address in the 200.X.X.X range
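As an added illustration (not part of the thread), here is what the Auto NAT rule posted above looks like once FMC deploys it to the FTD CLI, followed by the packet-tracer checks Karsten asked for earlier in the thread. The checks cover both directions because MHM's asymmetric-routing concern is about the return path, not the inbound path. Everything below assumes: 10.1.1.10 as the server's private address, 198.51.100.7 as an Internet client, and the interface names DMZ and ISP exactly as in the posted rule; 200.X.X.X is kept masked as in the thread and must be replaced with the real address.

```text
! Added example, not from the original post. Assumed values: 10.1.1.10 (DMZ
! server), 198.51.100.7 (Internet client), 200.X.X.X (masked public address).
! This is the CLI form of the posted Auto NAT rule, as shown by
! "show running-config nat" on the FTD.
object network WEB-SRV
 host 10.1.1.10
 nat (DMZ,ISP) static 200.X.X.X
!
! 1) Inbound check: a client on the Internet reaching the public address via
!    the primary ISP interface. Expect an UN-NAT phase translating
!    200.X.X.X -> 10.1.1.10, egress interface DMZ, and "Action: allow".
packet-tracer input ISP tcp 198.51.100.7 40000 200.X.X.X 80 detailed
!
! 2) Return-path check: the server's reply. The NAT phase should select ISP
!    as the egress interface (the rule's destination interface). If the
!    trace shows the secondary ISP interface instead, the flow is asymmetric
!    and the FTD will drop it.
packet-tracer input DMZ tcp 10.1.1.10 80 198.51.100.7 40000 detailed
!
! 3) Supporting checks
show nat detail                  ! translate_hits / untranslate_hits per rule
show route | include 0.0.0.0     ! which ISP currently holds the default route
show arp | include 200.          ! ARP state for the public range
show asp drop                    ! drop counters (e.g. no-route) climbing during tests
```

If check 1 passes but check 2 picks the wrong interface, the usual cause is the rule's route-lookup option or a default route via the secondary ISP; if check 1 already fails in the access-control or NAT phase, the problem is in the rule or policy rather than in routing.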