SEC0242 - FTD 6.1 Network Address Translation (NAT) (Part 1)
Category: Security
The video runs through various NAT scenarios on Cisco FTD 6.1. We will go over the structure of the NAT policy and cover the majority of common NAT use cases, including static NAT, dynamic NAT, PAT, and Identity NAT, using both Twice NAT and Object NAT. We will also configure NAT64 to allow internet access for the IPv6 environment we configured in the previous video.
Part 1 of this video covers NAT policy and static NAT.
Topic:
- Null Route
- Interface Group
- NAT Policy
- Static NAT
  - Host-to-Host
  - Subnet-to-Subnet
  - Static PAT
- Dynamic NAT
- Dynamic PAT
- PAT Pool
- Destination NAT
- Identity NAT
- NAT64
7 comments
NAT in FTD version 6.6.5
NAT intro in this video is interesting. We work with FTD 1010s and we don't use NAT configuration, only the access control policy and we require static NAT. Is NAT really not required in 6.6.+? Things are working well without NAT so I'm not sure what's going on here.
NAT in FTD version 6.6.5
By default there is no NAT. Unless you have a match-all rule at the bottom of the NAT table, traffic that does not match one of the NAT rules will not be NATed. This is always the behavior on FTD.
NAT in FMC version 7.1.0
Hi there,
I saw your SEC0242 videos, so far I learned a few interesting things. I'm implementing port forwarding on FMC but I have been unable to do it.
I have a "ISP Modem", then a "Cisco Router 4431", then a "Cisco Firewall 1120", then the servers, from Modem I did port forwarding to Router, then from Router did port forwarding to Firewall, which is working, but when I try to do port forwarding from Firewall to server 192.168.150.46 the issue appears.
These are my interfaces: https://imgur.com/a/07xV54B
This is my NAT Policy: https://imgur.com/a/anz8aQv
And this is my Access Control Policy: https://imgur.com/a/pX6cvQA
Any ideas why this is happening? Thank you a lot for all your time!
NAT in FMC version 7.1.0
Assuming the ISP modem is a true modem and not a router, the public IP would be on the router and this is where you should perform port forwarding from public IP to the true server private IP. The FW at this point should only route with no NAT. Try to avoid multiple port-forwarding if you can.
Thanks!
It works, thank you so much.
very helpful
Just got a Firepower1140 coming from ASA, this video was extremely helpful, thank you!
very helpful
Thank you Derrick for your feedback.