Filter
Top Products
23-29
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 23 Configuring Network Address Translation
NAT Policies on Security Devices
Field Reference
Table 23-12 Advanced NAT Options Dialog Box
Element Description
Translate the DNS replies
that match the translation
rule
If checked, the security appliance rewrites DNS replies so an outside
client can resolve the name of an inside host using an inside DNS
server, and vice versa. For instance, if your NAT rule includes the real
address of a host with an entry in a DNS server, and the DNS server is
on a different interface from a client, then the client and the DNS server
need different addresses for the host: one needs the mapped address and
one needs the real address. This option rewrites the address in the DNS
reply to the client.
As an example, assume an inside web server, www.example.com, has
the IP address 192.168.1.1, which is translated to 10.1.1.1 on the
outside interface of the appliance. An outside client sends a DNS
request to an inside DNS server, which will resolve www.example.com
to 192.168.1.1. When the reply comes to the security appliance with
DNS Rewrite enabled, the security appliance will translate the IP
address in the payload to 10.1.1.1, so that the outside client will get the
correct IP address.
Note that the mapped host needs to be on the same interface as either
the client or the DNS server. Typically, hosts that need to allow access
from other interfaces use a static translation, so this option is more
likely to be used with a static rule.
Max TCP Connections per
Rule
Enter the maximum number of TCP connections allowed; valid values
are 0 through 65,535. If this value is set to zero, the number of
connections is unlimited.
Max UDP Connections per
Rule
Enter the maximum number of UDP connections allowed; valid values
are 0 through 65,535. If this value is set to zero, the number of
connections is unlimited.
Max Embryonic Connections Enter the number of embryonic connections allowed to form before the
security appliance begins to deny these connections. An embryonic
connection is a connection request that has not finished the necessary
handshake between source and destination. Set this limit to prevent
attack by a flood of embryonic connections. Valid values are 0 through
65,535. If this value is set to zero, the number of connections is
unlimited.
Any positive value enables the TCP Intercept feature. TCP Intercept
protects inside systems from a DoS attack perpetrated by flooding an
interface with TCP SYN packets. When the embryonic limit has been
surpassed, the TCP Intercept feature intercepts TCP SYN packets from
clients to servers on a higher security level. SYN cookies are used
during the validation process and help to minimize the amount of valid
traffic being dropped. Thus, connection attempts from unreachable
hosts will never reach the server.