Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1921
Views
5
Helpful
9
Replies

Possible to NAT traffic within a VPN tunnel on FTD?

Go to solution
Jeff Berntsen
Level 1
Level 1

‎11-15-2022 12:22 PM

I'm looking at replacing an older ASA firewall with a new Firepower unit, probably a 1010 or 1120, running FTD.  I've currently got a VPN setup to a supplier which requires me to NAT traffic from my internal IP addresses to an IP block they assigned before it goes through the tunnel to them.  That's fairly easy to set up on the ASA.

Is it possible to do the same in FTD software and, if so, what version does it require, how can it be done, and can it be done using only FDM and not FMC? 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎11-15-2022 12:29 PM

@Jeff Berntsen sure that's a standard NAT configuration, both FDM and FMC support it.

Create network objects to represent your local network, VPN NAT pool and remote networks.

Create a Manual NAT.

Original SRC (local network object)
Translated SRC (VPN NAT pool object)
Original DST (remote network object)
Translated DST (remote network object)

SRC interface (inside interface name)
DST interface (outside interface name)

View solution in original post

9 Replies 9

Go to solution
Rob Ingram
VIP
VIP

‎11-15-2022 12:29 PM

@Jeff Berntsen sure that's a standard NAT configuration, both FDM and FMC support it.

Create network objects to represent your local network, VPN NAT pool and remote networks.

Create a Manual NAT.

Original SRC (local network object)
Translated SRC (VPN NAT pool object)
Original DST (remote network object)
Translated DST (remote network object)

SRC interface (inside interface name)
DST interface (outside interface name)

Go to solution
qsscisco
Level 1
Level 1
In response to Rob Ingram

‎02-14-2024 12:25 PM

Hi Rob,

In the encryption domain i guess original local network (not VPN nat pool) and remote networks need to be defines, because that is trigger for establishing and sending traffic through tunnel. After that desicion NAT process happend right?

Best regards,

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to qsscisco

‎02-14-2024 12:38 PM

Hi @qsscisco you use the post NAT ip address in the crypt ACL that defines the interesting traffic.

0 Helpful

Go to solution
qsscisco
Level 1
Level 1
In response to Rob Ingram

‎02-14-2024 01:14 PM

Hi Rob,

Thnks for the answer. If i understand good, local sub exmpl 10.10.10.0/24, remote sub 20.20.20.0/24. Remote client request that traffic comes from 30.30.30.0/24. On the local side, we put in encryption domain for local side 30.30.30.0/24, for remote 20.20.20.0/24. Also we create NAT rule inside-outside, original source 10.10.10.0, original destination 20.20.20.0 and than translated source 30.30.30.0 , translated destination 20.20.20.0? 

If this is ok, i am just wonder what will trigger SA in phase 2 to bring up,because as per my understanding FTD will route traffic first, goes through crypto map trying to find match from 10.10.10.0 going to 20.20.20.0 because NAT is not happend yet.. maybe i am wrong and hope to see your advice.

Best regards,

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to qsscisco

‎02-14-2024 01:25 PM

@qsscisco the traffic is natted before encryption.

0 Helpful

Go to solution
qsscisco
Level 1
Level 1
In response to Rob Ingram

‎02-14-2024 01:34 PM

Hi @Rob Ingram 

Thank you, than all make sense. I have one question, i think it belongs to this community case. What if for example remote location need to access our app in our subnet, but problem is because remote location already use that same subnet in their site for other purpose (not access our resources from that subnet).

Can we choose for example x.x.x.x subnet and tell remote location that is our subnet. And they will use that subnet/ip to access our resoursces. When traffic on our side goes out from s2s vpn, we create nat rule and say all request to x.x.x.x ip(which doesnt exist anywhere) NAT to our original IP. Or if there is other better way i would like to hear your advice.

Best regards,

0 Helpful

Go to solution
qsscisco
Level 1
Level 1
In response to Rob Ingram

‎02-15-2024 08:54 AM

Hi @Rob Ingram 

So the order of processing on FTD,in this case per my understanding:

Routing-Route traffic to the remote network

NAT (nat original source network to the requested subnet)

ACP (allow from requested/nated subnet to remote network)

Encryption/VPN (ACL accept nated subnet to remote network to trigger encryption)

Please correct me if i'am wrong

Best regards,

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to qsscisco

‎02-15-2024 09:03 AM

@qsscisco no that is not correct.

RobIngram_0-1708016550379.jpeg

If you have a particular issue you wish to troubleshoot please create a new thread.

0 Helpful

Go to solution
Jeff Berntsen
Level 1
Level 1

‎11-15-2022 12:36 PM

So, pretty much the same way it's done on the ASA.  I've got plenty of ASA experience but almost no FTD experience and was hoping it would be that simple.  Thanks!

 

0 Helpful
Customers Also Viewed These Support Documents