23-16
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 23 Configuring Network Address Translation
NAT Policies on Security Devices
• (Policy view) Select NAT (PIX/ASA/FWSM) > Translation Options from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click Translation Options to create a new policy.
Related Topics
• NAT Policies on Security Devices, page 23-15
Field Reference

Table 23-5 Translation Options Page

Element: Enable traffic through the firewall without address translation
Description: When selected, lets traffic pass through the security appliance without address translation. If this option is not selected, any traffic that does not match a translation rule will be dropped.
Note: This option is available only on PIX 7.x, FWSM 3.x, and ASA devices.
Element: Enable xlate bypass
Description: When selected, establishment of NAT sessions for untranslated traffic is disabled (this feature is called “xlate bypass”).
Note: This option is available only on FWSM 3.2 and higher.

By default, the FWSM creates NAT sessions for all connections even if NAT is not used. For example, a session is created for each untranslated connection even if NAT control is not enabled, if NAT exemption or identity NAT is used, or if you use same-security interfaces and do not configure NAT. Because there is a maximum number of NAT sessions (266,144 concurrent), these kinds of NAT sessions might cause you to run into the limit. To avoid reaching the limit, enable xlate bypass.

If you disable NAT control and have untranslated traffic or use NAT exemption, or if you enable NAT control and use NAT exemption, then with xlate bypass the FWSM does not create a session for those types of untranslated traffic. However, NAT sessions are still created in the following instances:
• You configure identity NAT (with or without NAT control). Identity NAT is considered to be a translation.
• You use same-security interfaces with NAT control. Traffic between same-security interfaces creates NAT sessions even when you do not configure NAT for the traffic. To avoid NAT sessions in this case, disable NAT control, or use NAT exemption together with xlate bypass.
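The following FWSM 3.2 configuration fragment is an added example, not text from this user guide and not configuration generated by Security Manager. It shows the two NAT-control and xlate-bypass behaviours described above as they appear at the device CLI, with a NAT exemption rule so that the exempted traffic consumes no translation slots. The interface name, the 10.1.1.0/24 network and the access-list name NO_NAT are constructed for the example; the commands Security Manager actually emits for these check boxes should be confirmed in its deployment preview before relying on this mapping.

```cisco
! Added example (not from the user guide): FWSM 3.2 or later.
! Interface "inside", network 10.1.1.0/24 and ACL name NO_NAT are constructed.
!
! "Enable traffic through the firewall without address translation":
! turn NAT control off so traffic matching no translation rule is forwarded
! rather than dropped.
no nat-control
!
! NAT exemption for a network that must cross the firewall unchanged.
! Note: a plain "nat (inside) 0 10.1.1.0 255.255.255.0" (identity NAT, no
! access-list) counts as a translation and would still create NAT sessions.
access-list NO_NAT extended permit ip 10.1.1.0 255.255.255.0 any
nat (inside) 0 access-list NO_NAT
!
! "Enable xlate bypass": stop building NAT sessions for the untranslated and
! exempted traffic above. Without this line every such connection still
! consumes one of the 266,144 concurrent xlate entries.
xlate-bypass
!
! Verification from the CLI after deployment:
! show running-config | include nat-control|xlate-bypass
! show xlate count
```

Check `show xlate count` before and after enabling xlate bypass on a busy FWSM; if the count keeps climbing toward the limit, look for identity NAT statements or same-security traffic under NAT control, which the guide lists as the cases where sessions are still created.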
Element: Do not translate VPN traffic
Description: When selected, VPN traffic passes through the security appliance without address translation.

Element: Clear translates for existing connections
Description: When selected, the translation slots assigned to dynamic translations and any associated connections are cleared following each session.

Each session connecting through the security appliance and undergoing some form of NAT or PAT is assigned a translation slot known as an “xlate.” These translation slots can persist after the session is complete, which can lead to a depletion of translation slots, unexpected traffic behavior, or both.