03-18-2025 02:36 PM
Trying to get a config operational to support Avaya Remote Worker in our Azure tenant, behind an FTDv.
The existing configuration has (2) interfaces, call then OUTSIDE and INSIDE.
This existing config necessitates activating and configuring an additional interface, dedicated to this Avaya setup, call it TCOUTSIDE.
The FTDv in Azure, not having any L2, doesn't really let NATs work normally - Azure is assigning RFC1918 IPs to the interfaces via DHCP, and Azure is handling the translation of public IP to the interface of the FTDv.
As such, our NAT looks like:
nat (TCOUTSIDE,INSIDE) source static any-IP interface destination static interface AvayaRemoteWorker
Now, this functions most of the way. Traffic hits the TCOUTSIDE interface, and is NAT'd through to the AvayaRemoteWorker (SYN).
It responds (SYN-ACK), and it gets back to the FTDv, which then drops it due to no adjacency/no route to host.
This seems to be because the default route points to the OUTSIDE interface.
A static route, configured for testing, to the public IP of the originating Internet host, gets the SYN-ACK to it's destination, and everything works.
Unfortunately, because we're going to have hundreds, if not thousands of dynamic clients hitting this, we can't create static routes, and even if we could, this would break items hosted via the OUTSIDE interface, which we can't do.
Shouldn't the firewall be able to send this traffic back to the TCOUTSIDE interface, due to it being stateful, and the fact that the NAT has the source interface configured?
TAC has not been of any assistance with this, and is at the stage of giving up without any satisfactory resolution.
Surely we can't be the only entity who's wanted to do something like this?
03-18-2025 04:09 PM
Yeah the firewall shouldn't rely on the routing table in that case and it should determine the egress interface based on the NAT rule you created. If you try to flip the NAT rule to something like the below does it make any difference?
nat (INSIDE,TCOUTSIDE) source static interface AvayaRemoteWorker destination static any-IP interface
03-19-2025 09:14 AM
Thank you for the response!
So, flipping the NAT looks like:
nat (INSIDE, TCOUTSIDE) source static AvayaRemoteWorker interface destination static interface any-IP
The GUI won't let me NATin the order if interface/AvayaRemoteWorker and any-IP/interface
The NAT looks to work as the original, so better than the TAC recommendations - it makes it from the outside, to the endpint, and back to the firewall, but the asp-drop capture isn't showing a drop reason:
2394: 16:12:16.072368 2.2.2.2.5061 > 1.1.1.1.54776: S 1933187308:1933187308(0) ack 1896426580 win 29200 <mss 1380,nop,nop,sackOK,nop,wscale 9>
03-19-2025 09:16 AM
Update, found a drop reason, same as before
Drop-reason: (no-adjacency) No valid adjacency, Drop-location: frame 0x00005650e3750c1e flow (NA)/NA
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide