Support User Manuals

Cisco Systems CL-28826-01 Security Camera User Manual

Open as PDF

of 2616

23-30

User Guide for Cisco Security Manager 4.4

OL-28826-01

Chapter 23 Configuring Network Address Translation

NAT Policies on Security Devices

General Tab

Use the General tab of the Translation Rules page to view a summary of all translation rules defined for

the current device or shared policy. The translation rules are listed in the order that they will be evaluated

on the device.

Note The General tab is only visible for PIX, ASA and FWSM devices in router mode, and FWSM 3.2 devices

in transparent mode. Other devices in transparent mode support only static translation rules and do not

need to display summary information.

Navigation Path

You can access the General tab from the Translation Rules page. See Translation Rules: PIX, FWSM,

and pre-8.3 ASA, page 23-18 for more information.

Related Topics

• Configuring NAT on PIX, FWSM, and pre-8.3 ASA Devices, page 23-17

• Translation Exemptions (NAT 0 ACL), page 23-19

• Dynamic Rules Tab, page 23-21

• Policy Dynamic Rules Tab, page 23-23

• Static Rules Tab, page 23-25

Timeout For PIX 6.x devices, enter a timeout value for this translation rule, in

the format hh:mm:ss. This value overrides the default translation

timeout specified in Platform > Security > Timeouts, unless this value

is 00:00:00, in which case translations matching this rule use the

default translation timeout (specified in Platform > Security >

Timeouts).

Randomize Sequence

Number

If checked, the security appliance randomizes the sequence numbers of

TCP packets. Each TCP connection has two Initial Sequence Numbers

(ISNs): one generated by the client and one generated by the server. The

security appliance randomizes the ISN of the TCP SYN in both the

inbound and outbound directions. Randomizing the ISN of the

protected host prevents an attacker from predicting the next ISN for a

new connection and potentially hijacking the new session.

Disable this feature only if:

• Another in-line security appliance is also randomizing initial

sequence numbers and data is being scrambled.

• You are using eBGP multi-hop through the security appliance, and

the eBGP peers are using MD5. Randomization breaks the MD5

checksum.

• You are using a WAAS device which requires that the security

appliance not randomize the sequence numbers of connections.

Disabling this option opens a security hole in the security appliance.

Table 23-12 Advanced NAT Options Dialog Box (Continued)

Element Description

previous next