Customizing NAT Rules for Multiple Devices

Because the NAT policy is shared, you can assign a given policy to more than one device. However, you can configure at most one auto NAT rule for a given object. Thus, if you want to configure different translations for an object based on the specific device doing the translation, you need to carefully configure the interface objects (security zones or interface groups) and define network object overrides for the translated address.

The interface objects determine on which devices a rule gets configured. The network object overrides determine what IP addresses are used by a given device for that object.

Consider the following scenario:

  • FTD-A and FTD-B have inside networks 192.168.1.0/24 attached to the interface named “inside.”

  • On FTD-A, you want to translate all 192.168.1.0/24 addresses to a NAT pool in the 10.100.10.10 - 10.100.10.200 range when going to the “outside” interface.

  • On FTD-B, you want to translate all 192.168.1.0/24 addresses to a NAT pool in the 10.200.10.10 - 10.200.10.200 range when going to the “outside” interface.

To accomplish the above, you would do the following. Although this example rule is for dynamic auto NAT, you can generalize the technique for any type of NAT rule.

Procedure
Step 1

Create the security zones for the inside and outside interfaces.

  1. Choose Objects > Object Management.

  2. Select Interface Objects from the table of contents and click Add > Security Zone. (You can use interface groups instead of zones.)

  3. Configure the inside zone properties.

    • Name—Enter a name, for example, inside-zone.

    • Type—Select Routed for routed-mode devices, Switched for transparent mode.

    • Selected Interfaces—Add the FTD-A/inside and FTD-B/inside interfaces to the selected list.

  4. Click Save.

  5. Click Add > Security Zone and define the outside zone properties.

    • Name—Enter a name, for example, outside-zone.

    • Interface Type—Select Routed for routed-mode devices, Switched for transparent mode.

    • Selected Interfaces—Add the FTD-A/outside and FTD-B/outside interfaces to the selected list.

  6. Click Save.

Step 2

Create the network object for the original inside network on the Object Management page.

  1. Select Network from the table of contents and click Add Network > Add Object.

  2. Configure the inside network properties.

    • Name—Enter a name, for example, inside-network.

    • Network—Enter the network address, for example, 192.168.1.0/24.

  3. Click Save.

Step 3

Create the network object for the translated NAT pool and define overrides.

  1. Click Add Network > Add Object.

  2. Configure the NAT pool properties for FTD-A.

    • Name—Enter a name, for example, NAT-pool.

    • Network—Enter the range of addresses to include in the pool for FTD-A, for example, 10.100.10.10-10.100.10.200.

  3. Select Allow Overrides.

  4. Click the Overrides heading to open the list of object overrides.

  5. Click Add to open the Add Object Override dialog box.

  6. Select FTD-B and Add it to the Selected Devices list.

  7. Click Override and change Network to 10.200.10.10-10.200.10.200.

  8. Click Add to add the override to the device.

    Because an override is defined for FTD-B, whenever the system configures this object on FTD-B it uses the override value instead of the value defined in the original object.

  9. Click Save.

Step 4

Configure the NAT rule.

  1. Select Devices > NAT and create or edit the threat defense NAT policy.

  2. Click Add Rule.

  3. Configure the following properties:

    • NAT Rule = Auto NAT Rule.

    • Type = Dynamic.

  4. On Interface Objects, configure the following:

    • Source Interface Objects = inside-zone.

    • Destination Interface Objects = outside-zone.

    Note

    The interface objects control on which devices the rule is configured. Because in this example the zones contain interfaces for FTD-A and FTD-B only, the rule is deployed to those two devices only, even if the NAT policy is assigned to additional devices.

  5. On Translation, configure the following:

    • Original Source = inside-network object.

    • Translated Source > Address = NAT-pool object.

  6. Click Save.

    You now have a single rule that will be interpreted differently for FTD-A and FTD-B, providing unique translations for the inside networks protected by each firewall.
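As an added illustration (example code, not part of the Cisco documentation or the FMC software), the following Python models how the single shared rule resolves per device: zone membership decides which devices receive the rule, and the object override decides which NAT pool each device uses. It assumes, as a simplification, that a device receives the rule only when the policy is assigned to it and it owns an interface in both the source and destination zone; the extra device FTD-C and the pool-overlap check are constructed additions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class NetworkObject:
    name: str
    value: str                                     # CIDR or "a.b.c.d-e.f.g.h" range
    allow_overrides: bool = False
    overrides: dict = field(default_factory=dict)  # device name -> override value

    def value_for(self, device):
        """Value the system uses when it configures this object on `device`."""
        if device in self.overrides:
            if not self.allow_overrides:
                raise ValueError(f"{self.name}: override for {device} but Allow Overrides is off")
            return self.overrides[device]
        return self.value

def zone_devices(selected_interfaces):  # "device/interface" entries -> device names
    return {m.split("/", 1)[0] for m in selected_interfaces}

def first_last(text):
    """Lowest and highest address of a CIDR network or a dashed address range."""
    if "-" in text:
        return tuple(ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
    net = ipaddress.ip_network(text, strict=False)
    return net[0], net[-1]

def resolve_auto_nat(original, translated, src_zone, dst_zone, policy_devices):
    """Per-device view of one shared dynamic auto NAT rule: {device: (original, pool)}.
    Assumption (simplified): a device gets the rule only when the policy is assigned
    to it and it owns an interface in both the source and destination zone."""
    targets = zone_devices(src_zone) & zone_devices(dst_zone) & set(policy_devices)
    effective = {}
    for dev in sorted(targets):
        orig, pool = original.value_for(dev), translated.value_for(dev)
        (o_lo, o_hi), (p_lo, p_hi) = first_last(orig), first_last(pool)
        if p_lo <= o_hi and o_lo <= p_hi:  # a pool overlapping the original network is a misconfiguration
            raise ValueError(f"{dev}: NAT pool {pool} overlaps original network {orig}")
        effective[dev] = (orig, pool)
    return effective

# Constructed objects mirroring the scenario; FTD-C has the policy but is in neither zone.
INSIDE_ZONE = {"FTD-A/inside", "FTD-B/inside"}
OUTSIDE_ZONE = {"FTD-A/outside", "FTD-B/outside"}
INSIDE_NETWORK = NetworkObject("inside-network", "192.168.1.0/24")
NAT_POOL = NetworkObject("NAT-pool", "10.100.10.10-10.100.10.200", allow_overrides=True,
                         overrides={"FTD-B": "10.200.10.10-10.200.10.200"})
EFFECTIVE = resolve_auto_nat(INSIDE_NETWORK, NAT_POOL, INSIDE_ZONE, OUTSIDE_ZONE,
                             ["FTD-A", "FTD-B", "FTD-C"])
```

Running it yields one entry per device that actually receives the rule, with FTD-B showing the overridden pool and FTD-C absent.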