cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2693
Views
0
Helpful
3
Replies

Static NAT for FTD?

andrew.er.brown
Level 1
Level 1

Hey everyone,

I have been attempting to find documentation that shows how to create a static 1:1 NAT statement in FTD for a server that needs to be accessible on the Internet.

The only documentation I can find talks about how NAT works in FTD but does not give a step by step procedure of how to do so in the FMC.

For example, in my lab, I have a web server that needs to be accessible on port 80.

Private IP address: 192.168.254.3

Public IP address: 10.13.1.3

Port opening: TCP/80

Does anyone have a cut and dry method for doing this?

3 Replies 3

Pranay, thanks for your response, however this is the part of the document that creates confusion;

Configure the basic rule options:

• Source Interface, Destination Interface—(Required for bridge group member interfaces.) The interfaces where this NAT rule applies. Source is the real interface, the one through which the traffic enters the device. Destination is the mapped interface, the one through which traffic exits the device. By default, the rule applies to all interfaces (Any) except for bridge group member interface.

Here inlines the problem. In an ASA, the "real interface" would typically be the "inside interface" where the actual host with the private IP address resides. However, it describes the "real interface" as "one through which the traffic enters the device."

For a publicly accessible server I would expect my unsolicited traffic would be entering from the "outside" or "mapped interface"

thoughts?

Hi Andrew,

In my opinion both you and the document is correct. NAT is always configured from the perspective of where the host resides. See in below example

                             (Inside)

            Server A  ----------  FTD

(192.168.75.14)                  |  (DMZ)

                                            |

                                      Host B (192.168.76.14)

Host B wants to access the server on IP 192.168.76.100

The rule that I will create is on firepower is

firepower# show run nat

nat (inside,dmz) source static Host-A Host-B

Where the object is

firepower# show run object

object network Host-A

host 192.168.75.14

object network Host-B

host 192.168.76.100

So on firepower while creating the rule,the source interface is "inside" and destination interface is "dmz". However this is because if we assume that traffic is bidirectional then traffic going from inside to DMZ is source NAT and in this case source interface is inside and destination is DMZ. If we reverse the traffic then it is destination NAT (destination address is translating) which we need in case of servers. But the rule that we created is from inside perspective.

Thanks

Pranay

Review Cisco Networking for a $25 gift card