11-01-2017 08:58 AM
Hey everyone,
I have been attempting to find documentation that shows how to create a static 1:1 NAT statement in FTD for a server that needs to be accessible on the Internet.
The only documentation I can find talks about how NAT works in FTD but does not give a step by step procedure of how to do so in the FMC.
For example, in my lab, I have a web server that needs to be accessible on port 80.
Private IP address: 192.168.254.3
Public IP address: 10.13.1.3
Port opening: TCP/80
Does anyone have a cut and dry method for doing this?
11-01-2017 09:31 AM
The link below has the full procedure for creating NAT.
11-05-2017 12:26 PM
Pranay, thanks for your response; however, this is the part of the document that creates confusion:
Configure the basic rule options:
• Source Interface, Destination Interface—(Required for bridge group member interfaces.) The interfaces where this NAT rule applies. Source is the real interface, the one through which the traffic enters the device. Destination is the mapped interface, the one through which traffic exits the device. By default, the rule applies to all interfaces (Any) except for bridge group member interface.
Herein lies the problem. In an ASA, the "real interface" would typically be the "inside interface" where the actual host with the private IP address resides. However, it describes the "real interface" as the "one through which the traffic enters the device."
For a publicly accessible server, I would expect my unsolicited traffic to be entering from the "outside" or "mapped interface".
Thoughts?
11-05-2017 11:42 PM
Hi Andrew,
In my opinion, both you and the document are correct. NAT is always configured from the perspective of where the host resides. See the example below:
                    (Inside)
Server A ---------- FTD
(192.168.75.14)      | (DMZ)
                     |
                  Host B (192.168.76.14)
Host B wants to access the server on IP 192.168.76.100
The rule that I will create on firepower is:
firepower# show run nat
nat (inside,dmz) source static Host-A Host-B
Where the object is
firepower# show run object
object network Host-A
host 192.168.75.14
object network Host-B
host 192.168.76.100
So on firepower, while creating the rule, the source interface is "inside" and the destination interface is "dmz". This is because, if we assume that traffic is bidirectional, then traffic going from inside to DMZ is source NAT, and in this case the source interface is inside and the destination is DMZ. If we reverse the traffic, then it is destination NAT (the destination address is translated), which is what we need in the case of servers. But the rule that we created is from the inside perspective.
Thanks
Pranay
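Mapping the original question's web server onto the rule form Pranay shows, as an added example that is not from either post: this is what a Manual NAT rule created in FMC (Source Interface inside, Destination Interface outside, Original Source = the real host, Translated Source = the public address) renders as in `show running-config nat` on the FTD. The interface names inside/outside and the object names are assumptions; the addresses are the ones given in the question.

```cisco
! Added example, not from the thread: the OP's server expressed in the same
! form as Pranay's rule. Interface names (inside/outside) and object names
! are assumed; addresses are those stated in the question.

! Network objects: the real (private) address and the mapped (public) address
object network WEB-SERVER-REAL
 host 192.168.254.3
object network WEB-SERVER-MAPPED
 host 10.13.1.3

! Manual (twice) NAT rule, written from the server's own interface:
!   Source Interface      = inside   (where 192.168.254.3 lives: the "real" side)
!   Destination Interface = outside  (where 10.13.1.3 is presented: the "mapped" side)
!   Original Source       = WEB-SERVER-REAL
!   Translated Source     = WEB-SERVER-MAPPED
! Static NAT is bidirectional: an inbound connection from the Internet to
! 10.13.1.3 is untranslated to 192.168.254.3 even though the rule itself is
! written in the inside->outside direction, which is the point Pranay makes.
nat (inside,outside) source static WEB-SERVER-REAL WEB-SERVER-MAPPED
```

Two practical notes on this form. First, the NAT rule by itself does not "open" TCP/80: the Access Control Policy still has to permit the traffic, and because FTD (like ASA 8.3 and later) evaluates access rules against the real, untranslated address, that rule's destination is WEB-SERVER-REAL (192.168.254.3) on TCP/80 only, not the public 10.13.1.3 and not "any" service. Second, `show nat` on the FTD shows translate_hits and untranslate_hits per rule; a static rule for an Internet-facing server should accumulate untranslate_hits as inbound connections arrive, and a `packet-tracer input outside tcp <constructed Internet source> 12345 10.13.1.3 80` run from the diagnostic CLI walks the inbound flow through both the NAT and the access-control phases so the two can be checked together.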