Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
680
Views
0
Helpful
4
Replies

PBR & NAT

dcanady55
Level 1
Level 1

‎10-19-2023 06:00 AM

Hello,

FTD 7.3

 

If there's a better way to do the following, please let me know.

Current setup. I have a static route on our FTD that sends traffic A to a gateway off our DMZ interface. The traffic hits this third-party gateway, and then they NAT this before sending it out.

A third party asked if we could take on the NAT, but the IP after translation is something we use for traffic B. I've got two different types of traffic going to the same IP address now but using different ports. I need traffic A to go out of the DMZ interface and traffic B to go out of another interface, M-DMZ.

I created a PBR to accomplish the FTD, sending the traffic out its perspective interfaces based on an ACL matching the destination and port. A traffic to DMZ and B traffic to M-DMZ When tested, the B traffic worked fine, but the A traffic comes into the FTD using a destination of 1234, and I need to NAT this to 5678.

My question is: does NAT happen first before PBR, or should it go PBR, NAT, then ACL? During my test, my NAT counters never increased on my rule, so I'm thinking NAT might take place first, which would then make my PBR invalid as I setup my PBR with the original Destination IP vs. the new IP after NAT.

Thanks

Labels:
0 Helpful
4 Replies 4

MHM Cisco World
VIP
VIP

‎10-19-2023 06:30 AM

PBR before NATing' NAT command have two interface pbr specify outbound interface then NAT have inbound and outbound interface it can NATing traffic.

0 Helpful

MHM Cisco World
VIP
VIP
In response to MHM Cisco World

‎10-19-2023 08:08 AM

Can I see FDM/FMC NAT you use 

0 Helpful

dcanady55
Level 1
Level 1
In response to MHM Cisco World

‎10-23-2023 12:19 PM

I did some further testing over the weekend with no luck and found a trouble shooting FTD routing guide which I didn't come across before and that document has the following order of operations. If NAT comes first then my NAT and PBR config is incorrect and will reverse my config in tonight's test and let you know how it goes. 

The table summarizes how the FTD forwards packets in the data plane based on the interface mode. The forwarding mechanisms are listed in order of preference:

dcanady55_0-1698088591068.jpeg

 

 

0 Helpful

MHM Cisco World
VIP
VIP
In response to dcanady55

‎12-02-2023 05:53 PM

Are this issue solved?

MHM

0 Helpful
Customers Also Viewed These Support Documents