User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 23 Configuring Network Address Translation
Understanding Network Address Translation
All NAT rules on the device—static NAT, dynamic PAT, and dynamic NAT—are presented in a single
table, and essentially the same dialog box is used to configure all of them. NAT rules are interface
independent (that is, interfaces are optional) and therefore no longer depend on interface security
levels. A global address space spanning all interfaces is available and is specified using the keyword
“any.” All Interface fields default to any, so unless you specify an interface, a rule applies to all
interfaces.
Network Object NAT
You also can define NAT properties on Host, Address Range, and Network objects, so that the
corresponding NAT rules are applied automatically to the designated security device. Using these objects
means you need to enter the necessary IP addresses, services, ports, and optional interfaces only once.
These automatically generated, object-based rules are referred to as “Network Object NAT” rules. Note
that these rules cannot be created or deleted from the rules table; you must edit the appropriate objects
in the Policy Object Manager. You can, however, edit these rules from the rules table after they have been
defined for the network object. For more information, see Add or Edit Network/Host Dialog Box: NAT
Tab, page 23-41.
Note Network Object NAT rules are not displayed in the Translation Rules table in Policy View because these
rules are device-specific.
The NAT Table
As mentioned, all NAT rules on a device are presented in a single table, which is divided into three
sections: a manual-rules section, the Network Object NAT rules section, and a second manual-rules section.
You can add, edit, and order rules in both manual sections; Network Object NAT rules are added and
ordered automatically and, as mentioned, are edited through the related objects.
The NAT rules in the table are applied on a top-down, first-match basis: a packet is translated
only when it matches a NAT rule, and as soon as a match is made, regardless of the rule's location or
section, NAT rule processing stops.
Use this table to organize and manage the manual rules: you can insert rules in any order, and
you can re-order them. The two manual sections let you place manual rules both before and after the
automatic object rules. Because matching is top-down, a broad manual rule in the first section takes
precedence over every Network Object NAT rule below it; reserve the first section for narrow exceptions,
and check that a newly inserted rule does not shadow an object rule you expect to match.
Network Object NAT rules are automatically ordered so that static rules appear before dynamic rules.
Within each of these two groups, rules are further ordered as follows:
Fewest number of IP addresses – Rules for objects with one IP address are listed before those for
objects with two addresses, which are listed before those with three addresses, and so on.
IP address numbers – For objects with the same number of IP addresses, the rules are arranged so
that the IP addresses themselves are in numerical order, from lower to higher. For example,
10.1.1.1 rules are listed before 11.1.1.1 rules.
Object names – If the IP addresses are the same, the rules are ordered alphabetically by object name.
Remember that translation is based on the first matching rule.
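The following model of the NAT table is an added example and is not Security Manager or ASA code. It implements the three-section table, the automatic ordering of Network Object NAT rules described above (static before dynamic, then fewest addresses, then lowest address, then object name), and the top-down first-match lookup. The object names, addresses, and the `mgmt-exempt` and `catch-all-pat` manual rules are constructed sample data; the mapped-address strings are labels only and are not applied.

```python
"""Model of the Security Manager NAT rules table: two manual sections around an
auto-ordered Network Object NAT section, searched top-down on a first-match basis.
Illustrative model only; it is not Security Manager or ASA code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class NatRule:
    name: str                               # object name, or a label for a manual rule
    kind: str                               # "static" or "dynamic" source translation
    original: List[ipaddress.IPv4Network]   # original (real) addresses the rule matches
    translated: str                         # mapped address or pool, kept as a label here

    def matches(self, addr: ipaddress.IPv4Address) -> bool:
        return any(addr in net for net in self.original)

    def address_count(self) -> int:
        return sum(net.num_addresses for net in self.original)

    def lowest_address(self) -> ipaddress.IPv4Address:
        return min(net.network_address for net in self.original)


def host(name, kind, ip, mapped) -> NatRule:
    return NatRule(name, kind, [ipaddress.ip_network(f"{ip}/32")], mapped)


def address_range(name, kind, first, last, mapped) -> NatRule:
    # An Address Range object need not align to a prefix, so split it into networks.
    nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return NatRule(name, kind, nets, mapped)


def network(name, kind, cidr, mapped) -> NatRule:
    return NatRule(name, kind, [ipaddress.ip_network(cidr)], mapped)


def object_nat_sort_key(rule: NatRule):
    """Automatic ordering of Network Object NAT rules as the guide describes:
    static before dynamic, then fewest addresses, then lowest address, then name."""
    return (0 if rule.kind == "static" else 1,
            rule.address_count(),
            int(rule.lowest_address()),
            rule.name)


@dataclass
class NatTable:
    manual_before: List[NatRule]   # first manual section, ordered by the user
    object_rules: List[NatRule]    # Network Object NAT rules, ordered automatically
    manual_after: List[NatRule]    # second manual section, ordered by the user

    def ordered_rules(self) -> List[NatRule]:
        return (self.manual_before
                + sorted(self.object_rules, key=object_nat_sort_key)
                + self.manual_after)

    def lookup(self, src: str) -> Optional[NatRule]:
        """Top-down, first-match: the first rule whose original address set
        contains src wins, regardless of which section it sits in."""
        addr = ipaddress.ip_address(src)
        for rule in self.ordered_rules():
            if rule.matches(addr):
                return rule
        return None   # no NAT rule matched; the packet is not translated


def build_sample_table() -> NatTable:
    # Constructed sample objects; names and addresses are illustrative only.
    objects = [
        network("inside-net", "dynamic", "10.1.1.0/24", "outside-if"),
        host("web-srv", "static", "10.1.1.1", "203.0.113.10"),
        host("db-srv", "static", "11.1.1.1", "203.0.113.11"),
        address_range("dmz-range", "static", "10.1.1.10", "10.1.1.20", "203.0.113.32/27"),
        host("alpha-srv", "static", "10.1.1.1", "203.0.113.12"),
    ]
    return NatTable(
        # Manual rule placed BEFORE the object rules: it shadows inside-net for .128-.255
        manual_before=[network("mgmt-exempt", "static", "10.1.1.128/25", "10.1.1.128/25")],
        object_rules=objects,
        # Manual rule placed AFTER the object rules: reached only when nothing above matches
        manual_after=[network("catch-all-pat", "dynamic", "0.0.0.0/0", "outside-if")],
    )


def object_rule_order(table: NatTable) -> List[str]:
    """Names of the Network Object NAT rules in their automatic order."""
    return [r.name for r in sorted(table.object_rules, key=object_nat_sort_key)]


if __name__ == "__main__":
    t = build_sample_table()
    print("object NAT order:", object_rule_order(t))
    for ip in ("10.1.1.15", "10.1.1.1", "10.1.1.200", "10.1.1.50", "192.0.2.9"):
        r = t.lookup(ip)
        print(ip, "->", r.name if r else "no match")
```

Two points the model makes visible: `alpha-srv` and `web-srv` cover the same address, so only `alpha-srv` (first alphabetically) is ever matched, and the `mgmt-exempt` rule in the first manual section wins for 10.1.1.200 even though the `inside-net` object rule also covers it. Review the ordered table the same way before relying on a rule.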
Destination Translation
With manual static rules, you can configure destination address translation in addition to source
address translation. Source and destination translation are defined at the same time, in the same dialog
box. Again, while source translation can be static or dynamic, destination translation is always static,
and it is available only with manual rules.