23-25
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 23 Configuring Network Address Translation
NAT Policies on Security Devices
Static Rules Tab
Use the Static Rules tab of the Translation Rules page to view and configure static translation rules for
a security appliance or shared policy. Rules are evaluated sequentially in the order listed. The row
number indicates the rule’s position in the ordering of the list. You can use the Up Row and Down Row
buttons to change the position of the selected rule.
With static translation, internal IP addresses are permanently mapped to a global IP address. These rules
map a host address on a lower security-level interface to a global address on a higher security-level
interface. For example, a static rule would be used for mapping the local address of a web server on a
perimeter network to a global address that hosts on the outside interface would use to access the web
server.
Caution: The order of Static NAT rules on a security device is important, and Security Manager preserves this
ordering during deployment. However, security appliances do not support in-line editing of Static NAT
rules. This means that if you move, edit, or insert a rule anywhere above the end of the list, Security
Manager will remove from the device all Static NAT rules that follow the new or modified rule, and then
re-send the updated list from that point. Depending on the length of the list, this can require substantial
overhead, and may result in traffic interruption. Whenever possible, add any new Static NAT rules to the
end of the list.
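The redeploy behavior described in the Caution above, modeled as an added example (this is not Security Manager code): it compares the deployed and desired rule order and reports which rules would be removed and re-sent. The function names and the sample `static` lines are constructed for this illustration, and treating the first differing position as the re-send point is an assumption of the model.

```python
# Added illustration, not Security Manager code.
# Model (assumption): rules cannot be edited in place, so every rule from the
# first position where the deployed and desired lists differ is removed from
# the device and the desired list is re-sent from that position.

def plan_static_nat_deploy(deployed, desired):
    """Return (removals, additions) for an ordered Static NAT rule list."""
    keep = 0  # length of the unchanged leading part of the list
    for old, new in zip(deployed, desired):
        if old != new:
            break
        keep += 1
    return deployed[keep:], desired[keep:]


def churn(deployed, desired):
    """Number of rule removals plus rule additions for one deployment."""
    removals, additions = plan_static_nat_deploy(deployed, desired)
    return len(removals) + len(additions)


# Constructed sample rules in pre-8.3 `static` command form (documentation
# address ranges only).
DEPLOYED = [
    "static (dmz,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255",
    "static (dmz,outside) 192.0.2.11 10.1.1.11 netmask 255.255.255.255",
    "static (dmz,outside) 192.0.2.12 10.1.1.12 netmask 255.255.255.255",
    "static (dmz,outside) 192.0.2.13 10.1.1.13 netmask 255.255.255.255",
]
NEW_RULE = "static (dmz,outside) 192.0.2.20 10.1.1.20 netmask 255.255.255.255"

APPENDED = DEPLOYED + [NEW_RULE]                    # new rule at the end
INSERTED = DEPLOYED[:1] + [NEW_RULE] + DEPLOYED[1:]  # new rule in row 2

if __name__ == "__main__":
    for label, desired in (("append", APPENDED), ("insert", INSERTED)):
        removals, additions = plan_static_nat_deploy(DEPLOYED, desired)
        print(f"{label}: remove {len(removals)}, send {len(additions)}")
        for rule in removals:
            print("  remove:", rule)
```

Running it against an exported rule list before a change shows how many existing translations would be withdrawn and re-sent, which is the window in which traffic interruption can occur.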
The Add/Edit Static Rule dialog box is used to add and edit these rules. Refer to Add/Edit Static Rule
Dialog Box, page 23-26 for descriptions of the fields displayed in the table on this page.
The “Nailed” Column in the Static Rules Table
In addition to the columns representing parameters specified in the Add/Edit Static Rule Dialog Box,
page 23-26, the Static Rules table displays a column labeled “Nailed.” This value is a product of device
discovery; it cannot be changed in Security Manager.
The entry in the “Nailed” column indicates whether TCP state tracking and sequence checking are
skipped for the connection: true or false.
Navigation Path
You can access the Static Rules tab from the Translation Rules page. See Translation Rules: PIX, FWSM,
and pre-8.3 ASA, page 23-18 for more information.
Note: By default, only standard Static Rules elements are displayed in this table. Additional columns for
elements defined in the Advanced NAT Options dialog box can be displayed by right-clicking any
column heading. (All columns are displayed by default on the General Tab, page 23-30.)
Related Topics
• Configuring NAT on PIX, FWSM, and pre-8.3 ASA Devices, page 23-17
Table 23-10 Add/Edit Policy Dynamic Rules Dialog Box (Continued)
Element | Description
Description | Enter a description of the rule.
Advanced button | Click to open the Advanced NAT Options Dialog Box, page 23-28, to configure advanced settings for this rule.