2489 Views | 13 Helpful | 18 Replies

What would be the translated sources in NAT rule on Cisco FMC for FTD?

CiscoBrownBelt (Level 6)

Just want to be sure. So if establishing a connection from the internet to a private internal server, the translated source would be the private IP I want to NAT the public IP to? The translated destination would be the IP of the internal server?

[attached image: CiscoPurpleBelt_0-1721069283015.png]

4 Accepted Solutions

How you set up NAT is really up to you, with regard to where you specify the source and destination.  Some prefer to have the internet / external network as the source (I suppose for visualization purposes) and others like the source to be the internal network (this is my preference). You can also limit the NAT rule to a specific port and if you are using the FTD Outside / external interface for this connection then you will need to do that or you will possibly break other connections.

Just keep in mind that static manual NAT rules are bi-directional by default, which is why source and destination are interchangeable and will work if set up correctly.

You will also need access rules on the Outside / external interface on the FTD allowing access from the remote public IP to the internal private IP of the server.

[attached image: Screenshot 2024-07-17 at 11.15.56.png]

--
Please remember to select a correct answer and rate helpful posts


You are saying just enter NAT in same fashion but enter the external host as the destination? <<- in my previous comment I never mentioned that we need to NAT the destination.
I think I know what you are confused about.
Static NAT for a server from private to public IP can be configured in two ways:
1- IN OUT <<- interface
the source is the private IP of the server and it is NATed to the public IP
2- OUT IN <<- interface
the destination is the public IP of the server and it is NATed to the private IP

There is no difference since, as I mentioned before, it is bidirectional NAT.

If you have more questions please ask.
Thanks

MHM


Yes, all listed below is correct:

NAT = static
Source Int Obj = Outside
Destination Int Obj = Inside
Original Source = my public host IP that wants access to internal server
Original Destination = Public IP/GW for internal server
Original Services = say https
Translated Sources = my public host IP that wants access to internal server
Translated Destination = actual real private IP of internal server need access for

Apply it and don't forget to add an ACL to allow traffic.

Good luck, friend

MHM

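As an added illustration (not code from this thread and not FTD/FMC code), the Python model below shows why the OUT -> IN field list confirmed above and the IN -> OUT form described in MHM's "two ways" reply rewrite addresses identically: a static rule is applied forwards for packets entering its source interface and in reverse, with source and destination swapped, for packets entering its destination interface. The interface names, the addresses (RFC 5737 documentation ranges) and the port numbers are all constructed for the example.

```python
"""Model of a bidirectional static (manual) NAT rule as entered in FMC.

Added illustration for this thread, not FTD/FMC code. All addresses are
constructed placeholders from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass
from typing import Optional

CLIENT = "203.0.113.10"   # the one external host allowed in (constructed)
PUBLIC = "198.51.100.5"   # mapped / public IP of the server (constructed)
PRIVATE = "10.10.10.5"    # real private IP of the server (constructed)


@dataclass(frozen=True)
class Packet:
    iface: str   # ingress interface for input, egress interface for output
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class StaticNat:
    """One manual static NAT rule; None in any field means 'any' / unchanged."""
    src_int: str
    dst_int: str
    orig_src: Optional[str] = None
    orig_dst: Optional[str] = None
    trans_src: Optional[str] = None
    trans_dst: Optional[str] = None
    orig_src_port: Optional[int] = None
    orig_dst_port: Optional[int] = None   # ports are matched, never rewritten

    @staticmethod
    def _ok(want, have):
        return want is None or want == have

    def translate(self, pkt):
        """Return the rewritten packet, or None if the rule does not apply.

        Forward (ingress == src_int): original -> translated.
        Reverse (ingress == dst_int): translated -> original, with source and
        destination swapped. The reverse path is what makes a static rule
        bidirectional, so one rule serves inbound packets and the replies.
        """
        t_src = self.trans_src or self.orig_src   # empty translated field = unchanged
        t_dst = self.trans_dst or self.orig_dst
        if pkt.iface == self.src_int:
            if not (self._ok(self.orig_src, pkt.src) and self._ok(self.orig_dst, pkt.dst)
                    and self._ok(self.orig_src_port, pkt.sport)
                    and self._ok(self.orig_dst_port, pkt.dport)):
                return None
            return Packet(self.dst_int, t_src or pkt.src, t_dst or pkt.dst,
                          pkt.sport, pkt.dport)
        if pkt.iface == self.dst_int:
            if not (self._ok(t_dst, pkt.src) and self._ok(t_src, pkt.dst)
                    and self._ok(self.orig_dst_port, pkt.sport)
                    and self._ok(self.orig_src_port, pkt.dport)):
                return None
            return Packet(self.src_int, self.orig_dst or pkt.src, self.orig_src or pkt.dst,
                          pkt.sport, pkt.dport)
        return None


# Form 1 (OUT -> IN), the field list confirmed in the thread: destination NAT.
RULE_OUT_IN = StaticNat("Outside", "Inside", orig_src=CLIENT, orig_dst=PUBLIC,
                        trans_src=CLIENT, trans_dst=PRIVATE, orig_dst_port=443)
# Form 2 (IN -> OUT): source NAT of the server, limited to the same client and port.
RULE_IN_OUT = StaticNat("Inside", "Outside", orig_src=PRIVATE, orig_dst=CLIENT,
                        trans_src=PUBLIC, trans_dst=CLIENT, orig_src_port=443)

INBOUND = Packet("Outside", CLIENT, PUBLIC, 51515, 443)            # client opens HTTPS
REPLY = Packet("Inside", PRIVATE, CLIENT, 443, 51515)              # server answers
OTHER_HOST = Packet("Outside", "192.0.2.99", PUBLIC, 40000, 443)   # a second external host
OTHER_PORT = Packet("Outside", CLIENT, PUBLIC, 40001, 80)          # allowed host, wrong port


def compare_forms():
    """Translate each sample packet with both rule forms; return {name: (form1, form2)}."""
    samples = {"inbound": INBOUND, "reply": REPLY,
               "other_host": OTHER_HOST, "other_port": OTHER_PORT}
    return {name: (RULE_OUT_IN.translate(p), RULE_IN_OUT.translate(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (a, b) in compare_forms().items():
        print(f"{name:11s} OUT->IN: {a}\n{'':11s} IN->OUT: {b}")
```

Both forms map the client's packet to the server's private IP on the inside and the server's reply back to the mapped public IP on the outside, while a different external host or a different port matches neither form and is left alone (the access rules on the outside interface are still needed, as the thread says). The model evaluates a single rule in isolation and says nothing about how FTD orders this rule against the existing subnet-wide rule.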

Yes, it shows that.
Can I see the last NAT you used?
Thanks

MHM


18 Replies

OUT (internet) - FTD - IN

The static NAT is bidirectional.
You can use:

Source Interface = IN
Destination Interface = OUT
Original Source = private IP
Original Source Port = port X
Original Destination = ANY
Translated Source = interface
Translated Source Port = port X
Translated Destination = Any

This is how the NAT needs to be configured.

MHM

Not sure if I am tracking. So the translated source would be the private IP I want to use for the external public IP/device trying to access the internal server? The translated destination would be the actual private IP of the internal server?

The traffic initiates from the OUT (internet) client to the server.

The source is the client public IP.

The destination will be the public IP (mapped IP of server).

Since the NAT is configured IN to OUT,

the destination public IP (server mapped IP) is NATed to the private IP (real server IP).

The source client public IP is not NATed since we use any to any.

MHM

So per my screenshot, the Translated Sources is the internal private IP I want to NAT the public/Out host IP to? And the translated destination is the actual internal IP of the server?

So NAT = static
Source Int Obj = Outside
Destination Int Obj = Inside
Original Source = my public host IP that wants access to internal server
Original Destination = Public IP/GW for internal server
Original Services = say https
Translated Sources = my public host IP that wants access to internal server
Translated Destination = actual real private IP of internal server need access for

This is for connection from an external outside host to internal server that has private IP. Are you referencing from internal server to external host connection?

This NAT, since it is static, is bidirectional.

It NATs

from server to client

and from client to server.

MHM

I only want the server reachable from one external host out in internet. Internal private IP subnet server is on already has internet access (so from internal to external of course). You are saying just enter NAT in same fashion but enter the external host as the destination?


Right thanks and yes aware about rules. So for internal server host, there is already a NAT rule for the entire subnet it is on to reach internet. If entering the statement as In to Out instead, basically the FTD would know to NAT the public host when it tries to connect based on this and the specified port? Placement of this rule does not matter if there is already a NAT statement for In to Out for the entire internal subnet correct?

Also, if you leave Original Source Port/Services blank, then that would be ANY? Original Destination Port and Translated Destination Port would be the port you want to use for the connection, let's say I just want to allow an https connection? Basically, how do I enter it?

[attached image: CiscoPurpleBelt_0-1721222909089.png]

I entered it in that fashion; show xlate shows the internal IP NATed to the public IP, but the public host has the following in show xlate. Shouldn't the Inside IP (changed IP text for privacy purposes) be the internal host?

TCP PAT from Outside:1.1.1.1 443 to Inside:1.1.1.1 443
flags srT idle 1:08:50 timeout 0:00:00

In the xlate the Inside IP should be the private IP of the server, and the Outside IP should be the NAT / PAT public IP.

--
Please remember to select a correct answer and rate helpful posts
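The expectation stated in the reply above (Inside side = the server's real private IP, Outside side = the mapped public IP) can be turned into a quick check over a pasted `show xlate` dump. The following is an added example, not Cisco tooling or code from the thread: it parses entry lines in the spacing the thread pasted them (and the `ip/port` form), flags an Inside address that is not RFC 1918, an Outside address that is, and an entry whose two sides carry the same address. The first sample line is the sanitized entry quoted in the thread; the second healthy line and its addresses are constructed.

```python
"""Sanity check for 'show xlate' entries against the expected NAT layout.

Added example for this thread, not Cisco tooling. The first sample line is the
sanitized entry quoted in the thread; the second is a constructed healthy one.
"""
import ipaddress
import re

# RFC 1918 ranges are checked explicitly: ipaddress.is_private also treats the
# documentation ranges (198.51.100.0/24 etc.) as private, which is not what
# "private IP of the server" means in this thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Accepts 'iface:ip/port', 'iface:ip port' (as pasted in the thread) or no port.
XLATE_RE = re.compile(
    r"^(?:(?P<proto>TCP|UDP|ICMP)\s+)?(?P<kind>NAT|PAT)\s+from\s+"
    r"(?P<from_if>[\w-]+):(?P<from_ip>[\d.]+)(?:[/ ](?P<from_port>\d+))?\s+to\s+"
    r"(?P<to_if>[\w-]+):(?P<to_ip>[\d.]+)(?:[/ ](?P<to_port>\d+))?"
)

SAMPLE_XLATE = """\
TCP PAT from Outside:1.1.1.1 443 to Inside:1.1.1.1 443
flags srT idle 1:08:50 timeout 0:00:00
TCP PAT from Inside:10.10.10.5/443 to Outside:198.51.100.5/443
flags sr idle 0:00:10 timeout 0:00:00
"""


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def parse_xlate(line):
    """Return the entry's fields as a dict, or None for flag/idle lines."""
    m = XLATE_RE.match(line.strip())
    return m.groupdict() if m else None


def check_entry(entry):
    """List what looks wrong with one entry; an empty list means it matches expectations."""
    findings = []
    for side in ("from", "to"):
        iface = entry[f"{side}_if"]
        ip = ipaddress.ip_address(entry[f"{side}_ip"])
        if "inside" in iface.lower() and not is_rfc1918(ip):
            findings.append(f"{iface} address {ip} is not RFC 1918; expected the server's real private IP")
        if "outside" in iface.lower() and is_rfc1918(ip):
            findings.append(f"{iface} address {ip} is RFC 1918; expected the mapped public IP")
    if entry["from_ip"] == entry["to_ip"]:
        findings.append("same address on both sides, so this entry translates nothing")
    return findings


def audit_xlate(text):
    """Parse every entry line of a 'show xlate' dump and return [(line, findings)]."""
    results = []
    for line in text.splitlines():
        entry = parse_xlate(line)
        if entry:
            results.append((line.strip(), check_entry(entry)))
    return results


if __name__ == "__main__":
    for line, findings in audit_xlate(SAMPLE_XLATE):
        print(line)
        for f in findings or ["ok"]:
            print("   -", f)
```

Run against the thread's entry, the check reports both that the Inside address is not private and that the two sides are identical, which is the symptom that prompted the question; the constructed healthy entry produces no findings. The interface match is a case-insensitive substring test, so rename it if the FTD interfaces are not called Inside and Outside.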
