NAT Question

keithcclark71
Level 3

Hey guys, I am replacing firewall ASA NAT with Firepower-based FTD. Can someone explain:

1) In the Auto NAT rule below I cannot create a duplicate rule to allow destination interface Backup. Firepower complains that a duplicate source cannot be used. How would I configure this same rule in Firepower so that it can also fail over to the Backup interface? Can someone maybe post screenshot examples of how I would create matching NAT in Firepower based on the screenshots below?

[Screenshot: ASANATA.jpg]

2) In the NAT rule below, why is it necessary to set Disable Proxy lookup and Lookup route to egress interface?

[Screenshot: ASANATB.jpg]

3) This one is disabled intentionally but was enabled before. Why would it be created differently than the one above, with the options greyed out?

[Screenshot: ASANATC.jpg]

See below for the Auto NAT rule that I cannot duplicate for the backup interface. How could I create the rule below so that it also uses the backup interface in the event of failover?

[Screenshot: FTDAutoNatAddInterface.jpg]

[Screenshot: FTDAutoNatAddInterfaceSetting.jpg]

2 Replies

Divya Jain
Cisco Employee

Hello,

1. For NAT, make use of a Manual NAT rule. This gives you more options on translation. You can also use a PAT pool for the same. Using a Manual Static rule you can have the same source address but a different destination address; it will not give you a duplicate error. In the screenshot you can see a simple example of the same.

2. Proxy ARP is a technique by which a proxy server on a given network answers Address Resolution Protocol queries for an IP address that is not on that network. The proxy is aware of the location of the traffic's destination and offers its own MAC address as the destination. Because it is NAT, you ideally disable proxy ARP to avoid this behaviour.

3. Certain options are greyed out depending on the type of rule you are creating. Manual and Auto NAT rules have some different options.

----------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-----------------------------------------

 

 

Regards

Divya Jain

1). Auto NAT is also known as Object NAT. So what you are doing when creating an Auto NAT rule is associating a NAT statement with a given network object. So to create a duplicate rule you would need to create a duplicate network object and use that instead of the existing object.

2). Route-lookup is used when you want to use the routing table, instead of what is defined in the NAT statement, to identify which interface should be the egress interface.

As for proxy ARP, this should be used when an IP address that is not configured on the egress interface will be used for translation. So let's say your firewall has an outside interface IP of 193.193.193.254/29 but you want to NAT an internal server to 193.193.193.253 instead. For the firewall to reply to requests sent to the .253 IP you would need to have proxy ARP enabled. If you do not, the firewall will not reply to ARP requests for this IP and the connection will not work.

3). Refer to my first explanation in question #2. Here you are specifying the destination interface and therefore there is no need to look into the routing table, as the firewall already knows where to send the packet. If I remember correctly, the ASA and FMC implement this in slightly different ways: to use route-lookup in the FMC you must be using identity NAT for this option to be available.

In your final picture you are receiving the error because you are using Auto NAT. Again, refer to my reply to question #1.

--
Please remember to select a correct answer and rate helpful posts
Review Cisco Networking for a $25 gift card
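An added configuration example, not from the original thread and not Cisco's own documentation, showing in ASA CLI form the two points the replies make: an Auto (object) NAT statement belongs to a single network object, while Manual NAT rules can reuse the same real source object with a different egress interface, and proxy ARP / route-lookup only matter in specific cases. Object names, interface names (inside, primary, backup) and addresses (RFC 5737 documentation ranges) are assumptions; lines starting with "!" are annotations, not configuration. On FTD the same rules are built in the FMC NAT policy, but the deployed result is visible in this form in show nat / show running-config nat on the device.

```text
! --- Objects (hypothetical names, RFC 5737 documentation addresses) ---
object network WEB-SRV
 host 10.1.1.10
object network WEB-SRV-PRIMARY-PUB
 host 203.0.113.10
object network WEB-SRV-BACKUP-PUB
 host 198.51.100.10

! --- Auto (object) NAT: exactly one nat statement per object ---
! This is the kind of rule the question shows. An object cannot carry a
! second nat statement for (inside,backup); entering one replaces this one.
! That single-statement-per-object rule is why FMC reports a duplicate
! source when the same object is used again in a new Auto NAT rule.
object network WEB-SRV
 nat (inside,primary) static WEB-SRV-PRIMARY-PUB

! --- Manual (twice) NAT: the same real source object in two rules ---
! One rule per egress interface, each with its own mapped address, so the
! backup interface can be used when the primary path is down.
nat (inside,primary) source static WEB-SRV WEB-SRV-PRIMARY-PUB
nat (inside,backup)  source static WEB-SRV WEB-SRV-BACKUP-PUB

! Proxy ARP: 203.0.113.10 is not the primary interface's own address, so the
! firewall must answer ARP for it. Proxy ARP is on by default for mapped
! addresses; adding no-proxy-arp to the rules above would break inbound
! reachability of the mapped address, which is the failure the second reply
! describes.

! --- Identity NAT (VPN exemption) with route-lookup ---
! Real and mapped objects are the same, so the firewall must NOT claim the
! remote subnet via ARP (no-proxy-arp), and route-lookup lets the routing
! table choose the egress interface instead of the (inside,primary) pair.
object network LAN
 subnet 10.1.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.2.2.0 255.255.255.0
nat (inside,primary) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
```

The identity NAT rule is the case the second reply refers to when it says route-lookup is only offered for identity NAT in FMC: the translation does not change the address, so the only decision left is which interface the packet leaves through, and the routing table is the authoritative source for that.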