NAT, PAT one or other, or both?

AStaUK
Level 1

I'm starting to set up some new servers in a Data Center using a Firepower 1140 (FTD) configured via Cloud FMC.

The servers are connected to some L3 switches which in turn connect to the Firepower via Port Channels. I have 3 port channels configured, an inside, secondary interface (GW on 1140. multiple hosts) and a tertiary interface (GW on 1140, single host). Inside can ping the internet and other connected devices on the same network, but a server I have connected to the secondary interface is unable to ping either the internet or the inside network, despite getting a DHCP address from a DHCP server connected to the inside interface so clearly something is able to communicate.

On the 1140 I have for the secondary interface configured an access policy which allows outbound traffic from the secondary interface/network to any network using http/https/icmp. I've also configured an access policy to allow any traffic from secondary interface/network to inside interface/network.

With this setup I can ping the GW address configured for the secondary interface on the 1140 but nothing on the internet or inside network.

While I do have a network engineer or Cisco Support I can turn to for answers I'd like to see if I can get this working for myself as a learning experience.

So I believe the reason I can't ping the internet is because I'm simply missing the NAT rule for the secondary interface, but I'm at a loss as to why I can't ping any device on the inside network, does the access policy need to be configured two way, secondary/inside <> inside/secondary and is it okay as they're internal networks to configure them using the same rule as one.

In addition to the above I'm not sure if I need to configure a dynamic PAT rule for the secondary interface, there is one for inside>outside but should I also have one for the secondary and tertiary interfaces?

Thanks in advance.

3 Replies

cybergeezer
Cisco Employee
FTDs are stateful - so only one direction for the ACL is needed for normal production traffic - as for your test, since the server is initiating the traffic you might have to allow the icmp traffic, but I think it may be something else - I'm not being condescending, but have you checked the config of the server? Can you ping its GW? Is the GW configured correctly? I've had simple issues like this cause me a lot of frustration.

This issue may already be fixed. But I thought I would give my two cents.

Whelp - I reread your initial query and now see you did pingify the gatewidget thingy - my bad.

I'll be in the corner with my crayons and coloring books.

Hopefully everyone is watching sportsball on the TV, since it's that time of year when everyone is crazy about the orange sportsball thing that happens with the brackets and such, and will not notice my gaffe.
I eagerly await the solution to this technundrum.

AStaUK
Level 1

So my first problem with not being able to ping the internet was indeed that I was missing a PAT rule, not NAT. I initially thought I needed a NAT but once I applied the config I was still unable to ping the internet, so I reconfigured it as a dynamic PAT rule and I can now ping the internet.

My issue with the internal network must have been, as @cybergeezer alluded to, something wrong with my firewall configuration. After a night's sleep I removed it and redid the config and was able to get to the inside hosts without issue.

So my understanding here is that if I needed a single device to connect to the internet I'd use static NAT, but if I have multiple devices that I need to connect to the internet I should use a dynamic PAT rule which uses dynamic port translation for each device?

What I don't understand is that on my much older ASA there was no dynamic PAT. Is this a new concept used on more modern firewalls?
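As an added example (not from this thread, and not Cisco's own documentation), this is what the arrangement discussed above looks like in the ASA/FTD Lina NAT syntax that an FMC NAT policy is compiled into (visible with `show nat` on the FTD CLI): dynamic PAT per source interface for the many-host networks, static NAT for the single host, and no translation between internal interfaces. Interface names and all addresses are assumed values.

```text
! Constructed example in ASA/FTD (Lina) NAT syntax; addresses are made up:
! 10.10.0.0/24 inside, 10.20.0.0/24 secondary, 10.30.0.0/24 tertiary,
! 203.0.113.0/24 outside. "inside/secondary/tertiary/outside" are assumed nameifs.

! --- Dynamic PAT: many hosts share the outside interface address ---
! Object NAT is scoped to an interface pair, so the existing inside>outside
! rule does not cover the secondary network; each source network needs its own.
! "dynamic interface" is PAT on the egress interface (the pre-8.3 ASA wrote
! the same thing as "global (outside) 1 interface" + "nat (inside) 1 0 0").
object network INSIDE-NET
 subnet 10.10.0.0 255.255.255.0
 nat (inside,outside) dynamic interface

object network SECONDARY-NET
 subnet 10.20.0.0 255.255.255.0
 nat (secondary,outside) dynamic interface

! --- Static NAT: one host, one dedicated public address, both directions ---
! Only needed when the host must be reachable from outside on a fixed address;
! for outbound-only access the tertiary network could use dynamic PAT too.
object network TERTIARY-HOST
 host 10.30.0.10
 nat (tertiary,outside) static 203.0.113.10

! --- Traffic between internal interfaces: no translation ---
! The rules above name "outside" as egress, so secondary>inside traffic is not
! translated by them. An explicit identity (NAT exemption) rule is needed only
! if a broader rule such as "(secondary,any) dynamic interface" exists:
nat (secondary,inside) source static SECONDARY-NET SECONDARY-NET destination static INSIDE-NET INSIDE-NET no-proxy-arp route-lookup

! Access control: FTD is stateful, so one rule permitting secondary>inside
! also admits the return traffic of those connections. A second rule in the
! inside>secondary direction is only for connections that inside hosts open.

! Verification from the FTD CLI (the last command traces a ping from a
! secondary host to an assumed internet address through ACL and NAT):
!   show nat
!   show xlate
!   packet-tracer input secondary icmp 10.20.0.10 8 0 198.51.100.1
```

If `packet-tracer` shows the NAT phase selecting the intended rule but the ACL phase dropping the packet, the problem is in the access control policy rather than the translation, which matches how the thread's inside-network issue was resolved.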
