Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1198
Views
0
Helpful
3
Replies

VPN and NAT

Go to solution
gcook0001
Level 1
Level 1

‎04-20-2021 06:55 AM

I am fairly new with the Firepower firewalls.  I was wondering if this is possible.

 

I want one profile to use split tunneling.  So I have nat(inside,outside) after-auto source static inside inside destination inside inside

I want one profile to send all traffic over the VPN.   So from what I understand I need to add the following nat(outside, outside) after-auto source static outside outside destination outside outside

I don't have a way to test this except on production so I am hoping for some feedback.

Is the second nat correct

Can I have both nats or will they interfere with each other.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP
In response to gcook0001

‎04-21-2021 08:58 AM

I am just wondering if the two NATs would conflict with each other.

Well, no they would not conflict with each other, as long as you are defining the subnets correctly for the inside,outside NAT statement and not using "any" as the inside subnet

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Marius Gunnerud
VIP
VIP

‎04-20-2021 07:20 AM

Just out of curiosity, is there any reason why you are placing these NAT statements in the after-auto section?  It is more common to see these type of NAT statements in manual NAT section.

If the Firepower device is the only gateway to the internet then yes, you would need to add a NAT statement that references the ingress and egress interfaces as outside outside.

Here is a guide for your reference: https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215875-configure-anyconnect-vpn-client-on-ftd.pdf

 

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
gcook0001
Level 1
Level 1
In response to Marius Gunnerud

‎04-21-2021 08:04 AM

I actually didn't create the NAT.  TAC did.  

I am just wondering if the two NATs would conflict with each other.

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to gcook0001

‎04-21-2021 08:58 AM

I am just wondering if the two NATs would conflict with each other.

Well, no they would not conflict with each other, as long as you are defining the subnets correctly for the inside,outside NAT statement and not using "any" as the inside subnet

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card