Cisco Systems CL-28826-01 Security Camera User Manual


23-12
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 23 Configuring Network Address Translation
NAT Policies on Cisco IOS Routers
Table 23-3 NAT Dynamic Rule Dialog Box (Continued)

Element: Translated Address

Description: Use the options in this section of the dialog box to specify the method and address(es) used for dynamic translation:

Use Interface IP – Select this option to specify that the globally registered IP address assigned to a particular interface be used as the translated address; port addressing ensures each translation is unique. (The Enable Port Translation (Overload) option is checked automatically when you select Use Interface IP.)

Enter or select the name of the desired Interface. This is typically the interface from which translated packets leave the router, meaning the interface or interface role must represent an outside interface on the router (see NAT Page: Interface Specification, page 23-6).

Address Pool – Select this option to base address translation on the addresses you specify in the Network Ranges pool.

Enter one or more address ranges, including the prefix, using the format min1-max1/prefix (in CIDR notation), where “prefix” represents a valid netmask. For example, 172.16.0.0-172.31.0.223/12.

You can add as many address ranges to the address pool as required, but all ranges must share the same prefix. Separate multiple entries with commas.

Element: Settings

Description: This section contains two options:

Enable Port Translation (Overload) – When selected, the router uses port addressing (PAT) if the supply of global addresses in the address pool is depleted; when deselected, PAT is not used.

Note: When you select Use Interface IP in the Translated Address section, this box is checked automatically; it cannot be changed.

Do Not Translate VPN Traffic (Site-to-Site VPN only) – Deselect this option to allow address translation on traffic intended for a site-to-site VPN.

When selected, address translation is not performed on VPN traffic. When deselected, the router performs address translation on VPN traffic in cases of overlapping addresses between the NAT ACL and the crypto ACL.

Note: We strongly recommend that you not deselect this option, or any traffic defined in both the NAT ACL and the crypto ACL will be sent unencrypted. When you perform NAT into IPsec, we also recommend that you leave this option selected; it does not interfere with the translation of addresses arriving from overlapping networks.

This setting applies only in situations where the NAT ACL overlaps the crypto ACL used by the site-to-site VPN. Because the interface performs NAT first, any traffic arriving from an address within this overlap would get translated, causing the traffic to be sent unencrypted. Leaving this box checked prevents that from happening.

Note: This option does not apply to remote access VPNs.
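
An offline check for the NAT ACL / crypto ACL overlap described under Do Not Translate VPN Traffic, added here as an example and not taken from the Cisco guide or from Security Manager. It assumes each ACL has been reduced to permit entries written as "source-CIDR destination-CIDR" (with "any" for 0.0.0.0/0); the function names and the sample entries are constructed for illustration, and deny entries are not modelled.

```python
import ipaddress
from itertools import product

# Constructed sample data (assumed simplified format, not IOS ACL syntax).
NAT_ACL = ["10.1.0.0/16 any"]
CRYPTO_ACL = ["10.1.20.0/24 192.168.50.0/24",
              "10.2.0.0/24 192.168.50.0/24"]

def parse_entry(entry):
    """Turn 'src dst' into a pair of IPv4Network objects."""
    def net(token):
        return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token)
    src, dst = entry.split()
    return net(src), net(dst)

def intersect(a, b):
    """Two CIDR blocks are nested or disjoint, so any overlap is the smaller block."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None

def overlapping_flows(nat_acl, crypto_acl):
    """Return (nat_entry, crypto_entry, src, dst) for flows matched by both ACLs."""
    findings = []
    for nat_entry, crypto_entry in product(nat_acl, crypto_acl):
        (n_src, n_dst), (c_src, c_dst) = parse_entry(nat_entry), parse_entry(crypto_entry)
        src, dst = intersect(n_src, c_src), intersect(n_dst, c_dst)
        if src is not None and dst is not None:
            findings.append((nat_entry, crypto_entry, str(src), str(dst)))
    return findings

def audit(nat_acl, crypto_acl, do_not_translate_vpn):
    """Overlaps always get reported; they are at risk only when the option is deselected."""
    overlaps = overlapping_flows(nat_acl, crypto_acl)
    at_risk = [] if do_not_translate_vpn else overlaps
    return overlaps, at_risk

if __name__ == "__main__":
    overlaps, at_risk = audit(NAT_ACL, CRYPTO_ACL, do_not_translate_vpn=False)
    for nat_entry, crypto_entry, src, dst in at_risk:
        print(f"{src} -> {dst} matches NAT '{nat_entry}' and crypto "
              f"'{crypto_entry}': translated first, would leave unencrypted")
```

Run against the ACLs of a rule before changing the option: a non-empty overlap list identifies the flows that depend on Do Not Translate VPN Traffic staying selected.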