11-15-2022 12:22 PM
I'm looking at replacing an older ASA firewall with a new Firepower unit, probably a 1010 or 1120, running FTD. I've currently got a VPN setup to a supplier which requires me to NAT traffic from my internal IP addresses to an IP block they assigned before it goes through the tunnel to them. That's fairly easy to set up on the ASA.
Is it possible to do the same in FTD software and, if so, what version does it require, how can it be done, and can it be done using only FDM and not FMC?
Solved! Go to Solution.
11-15-2022 12:29 PM
@Jeff Berntsen sure that's a standard NAT configuration, both FDM and FMC support it.
Create network objects to represent your local network, VPN NAT pool and remote networks.
Create a Manual NAT.
Original SRC (local network object)
Translated SRC (VPN NAT pool object)
Original DST (remote network object)
Translated DST (remote network object)
SRC interface (inside interface name)
DST interface (outside interface name)
11-15-2022 12:29 PM
@Jeff Berntsen sure that's a standard NAT configuration, both FDM and FMC support it.
Create network objects to represent your local network, VPN NAT pool and remote networks.
Create a Manual NAT.
Original SRC (local network object)
Translated SRC (VPN NAT pool object)
Original DST (remote network object)
Translated DST (remote network object)
SRC interface (inside interface name)
DST interface (outside interface name)
02-14-2024 12:25 PM
Hi Rob,
In the encryption domain i guess original local network (not VPN nat pool) and remote networks need to be defines, because that is trigger for establishing and sending traffic through tunnel. After that desicion NAT process happend right?
Best regards,
02-14-2024 12:38 PM
Hi @qsscisco you use the post NAT ip address in the crypt ACL that defines the interesting traffic.
02-14-2024 01:14 PM
Hi Rob,
Thnks for the answer. If i understand good, local sub exmpl 10.10.10.0/24, remote sub 20.20.20.0/24. Remote client request that traffic comes from 30.30.30.0/24. On the local side, we put in encryption domain for local side 30.30.30.0/24, for remote 20.20.20.0/24. Also we create NAT rule inside-outside, original source 10.10.10.0, original destination 20.20.20.0 and than translated source 30.30.30.0 , translated destination 20.20.20.0?
If this is ok, i am just wonder what will trigger SA in phase 2 to bring up,because as per my understanding FTD will route traffic first, goes through crypto map trying to find match from 10.10.10.0 going to 20.20.20.0 because NAT is not happend yet.. maybe i am wrong and hope to see your advice.
Best regards,
02-14-2024 01:25 PM
@qsscisco the traffic is natted before encryption.
02-14-2024 01:34 PM
Hi @Rob Ingram
Thank you, than all make sense. I have one question, i think it belongs to this community case. What if for example remote location need to access our app in our subnet, but problem is because remote location already use that same subnet in their site for other purpose (not access our resources from that subnet).
Can we choose for example x.x.x.x subnet and tell remote location that is our subnet. And they will use that subnet/ip to access our resoursces. When traffic on our side goes out from s2s vpn, we create nat rule and say all request to x.x.x.x ip(which doesnt exist anywhere) NAT to our original IP. Or if there is other better way i would like to hear your advice.
Best regards,
02-15-2024 08:54 AM
Hi @Rob Ingram
So the order of processing on FTD,in this case per my understanding:
Routing-Route traffic to the remote network
NAT (nat original source network to the requested subnet)
ACP (allow from requested/nated subnet to remote network)
Encryption/VPN (ACL accept nated subnet to remote network to trigger encryption)
Please correct me if i'am wrong
Best regards,
02-15-2024 09:03 AM
@qsscisco no that is not correct.
If you have a particular issue you wish to troubleshoot please create a new thread.
11-15-2022 12:36 PM
So, pretty much the same way it's done on the ASA. I've got plenty of ASA experience but almost no FTD experience and was hoping it would be that simple. Thanks!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide