23-33
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 23 Configuring Network Address Translation
NAT Policies on Security Devices
Two types of NAT rules are displayed in this table: “manual” rules added by you and any other users,
and “automatic” rules generated and applied by Security Manager when an object with NAT properties
is assigned to the device. These are referred to as “NAT rules” and “Network Object NAT rules,”
respectively.
Some Features of the Translation Rules Table
This Translation Rules table is a standard Security Manager rules table, as described in Using Rules
Tables, page 12-7. For example, you can move, show and hide columns; you can re-order the manual
rules; and you can right-click certain table cells to edit that parameter. In addition, the following features
are specific to this Translation Rules table:
• All rules are assigned to one of three pre-defined sections in the table:
  - NAT Rules Before – These are rules you or another user have “manually” defined on the device.
    You can specify that a rule be added to this section by clicking the section heading before adding
    the rule, although if you do not specify a section, the new rule will be added to this section by
    default.
  - Network Object NAT Rules – These are rules generated and ordered automatically by Security
    Manager when network objects that include NAT properties are assigned to the device. See Add
    or Edit Network/Host Dialog Box: NAT Tab, page 23-41 for information about assigning NAT
    properties to objects. See the section “The NAT Table” in About “Simplified” NAT on ASA 8.3+
    Devices, page 23-3 for information about how these rules are ordered.
    Note: This section is not displayed in the Translation Rules table in Policy View because these
    rules are device-specific.
  - NAT Rules After – These also are rules you or another user have manually defined on the
    device. You can specify that a rule is added to this section by clicking the section heading before
    adding the rule.
• The NAT rules listed in this table are processed on a first-match basis; therefore, order is important.
  Providing a manual section both before and after the automatic rules lets you ensure all your rules
  are in the appropriate order, since you can re-order rules only within their section. The rules in each
  section take precedence over the rules in the section below it. For example, the rules in the top,
  “Before” section take precedence over the rules in the Network Object NAT section, and so on.
• The type of each rule—Static, Dynamic PAT, or Dynamic NAT and PAT—is indicated visually in
  the table by presenting (S), (DP), or (DNP) in blue following the Source parameter in the
  “Translated” column.
• A Bi-directional rule is a static rule that actually consists of two paired rules, one each for outgoing
  and incoming translation of the specified source and destination values. Each Bi-directional rule
  entry in the rules table is presented as two lines.
  For example, if Bi-directional is chosen when you create a static rule with Host1 in the Source field
  and Host2 in the Translated field, two lines are added to the rules table: one with Host1 being
  translated to Host2, and one with Host2 being translated to Host1.
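The three-section ordering, first-match processing, and the two-line expansion of a Bi-directional static rule described above can be modelled in a few lines. The following Python model is an added illustration and is not code from the Security Manager guide or from Cisco; the rule names and addresses in SAMPLE_RULES are constructed sample values, and the lookup matches on the real source address only (it ignores destination, service and interface, which real rules also evaluate).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Sections in the order the Translation Rules table evaluates them.
SECTION_ORDER = {"before": 0, "object": 1, "after": 2}

# Tag shown in blue after the Source value in the "Translated" column.
KIND_TAG = {"S": "(S)", "DP": "(DP)", "DNP": "(DNP)"}


@dataclass(frozen=True)
class NatRule:
    name: str
    section: str       # "before", "object" or "after"
    kind: str          # "S" static, "DP" dynamic PAT, "DNP" dynamic NAT and PAT
    source: str        # real address, host or CIDR (constructed sample values)
    translated: str    # mapped address
    bidirectional: bool = False  # only meaningful for static rules


def expand(rules: List[NatRule]) -> List[NatRule]:
    """Turn each Bi-directional static rule into the two table lines the
    guide describes: Host1 -> Host2 and Host2 -> Host1, in the same section."""
    lines = []
    for rule in rules:
        if rule.section not in SECTION_ORDER or rule.kind not in KIND_TAG:
            raise ValueError(f"invalid rule {rule.name}")
        lines.append(rule)
        if rule.bidirectional and rule.kind == "S":
            lines.append(NatRule(
                name=f"{rule.name} (reverse)", section=rule.section, kind="S",
                source=rule.translated, translated=rule.source))
    return lines


def ordered_table(rules: List[NatRule]) -> List[NatRule]:
    """Order rules by section. sorted() is stable, so rules keep the relative
    order they were given within their own section (re-ordering is only
    meaningful inside a section, never across sections)."""
    return sorted(expand(rules), key=lambda r: SECTION_ORDER[r.section])


def render_row(rule: NatRule) -> str:
    """One table row: section, Source -> Translated, plus the (S)/(DP)/(DNP) tag."""
    return (f"{rule.section:>6}  {rule.source} -> {rule.translated} "
            f"{KIND_TAG[rule.kind]}  [{rule.name}]")


def first_match(rules: List[NatRule], real_source: str) -> Optional[NatRule]:
    """First-match lookup: the first row whose Source covers the address wins,
    even if a row further down the table is more specific."""
    addr = ip_address(real_source)
    for rule in ordered_table(rules):
        if addr in ip_network(rule.source, strict=False):
            return rule
    return None


# Constructed sample policy; deliberately listed out of section order to show
# that the section, not the input order, decides precedence.
SAMPLE_RULES = [
    NatRule("after-rfc1918-pat", "after", "DP", "10.0.0.0/8", "203.0.113.2"),
    NatRule("obj-host1", "object", "S", "10.1.1.10", "203.0.113.10"),
    NatRule("obj-inside-net", "object", "DP", "10.1.1.0/24", "203.0.113.1"),
    NatRule("before-host1-partner", "before", "S", "10.1.1.10", "198.51.100.10",
            bidirectional=True),
]


if __name__ == "__main__":
    for row in ordered_table(SAMPLE_RULES):
        print(render_row(row))
    for src in ("10.1.1.10", "10.1.1.50", "10.2.2.2", "198.51.100.10", "192.0.2.1"):
        hit = first_match(SAMPLE_RULES, src)
        print(src, "->", hit.translated if hit else "no NAT rule")
```

Running the script prints the five-line table (the Bi-directional "before" rule contributes two lines) and then shows that 10.1.1.10 is translated by the "Before" rule rather than by the Network Object NAT rule for the same host, that 10.1.1.50 falls through to the object PAT rule, and that 10.2.2.2 is caught only by the "After" rule. On the ASA 8.3+ CLI, the "Before" and "After" sections correspond to manual (twice) NAT statements placed ahead of object NAT and to those configured with the `after-auto` keyword, respectively, while the Network Object NAT section holds the `nat` statements inside `object network` definitions.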
Related Topics
NAT Policies on Security Devices, page 23-15
About “Simplified” NAT on ASA 8.3+ Devices, page 23-3
Standard rules table topics:
Using Rules Tables, page 12-7