Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 23 Configuring Network Address Translation
NAT Policies on Security Devices
Translate DNS replies that match this rule
When checked, addresses embedded in DNS replies that match this rule
are rewritten.
For DNS replies traversing from a mapped interface to a real interface,
the Address (or “A”) record is rewritten from the mapped value to the
real value. Conversely, for DNS replies traversing from a real interface
to a mapped interface, the A record is rewritten from the real value to
the mapped value. Note that DNS inspection must be enabled to support
this functionality.
Fallthrough to Interface PAT (Destination Interface)
When checked, dynamic PAT back-up is enabled. When the pool of
dynamic NAT addresses is depleted, port address translation is
performed, using the address pool specified in the Use Address field.
This option is available only when Dynamic NAT and PAT is the chosen
Type on devices operating in routed mode.
IPv6
When selected, the IPv6 address of the interface is used.
Net to net mapping of IPv4 to IPv6
When checked, translates the first IPv4 address to the first IPv6
address, the second to the second, and so on. Without this option, the
IPv4-embedded method is used, where the 32 bits of the IPv4 address are
embedded after the IPv6 prefix. For a one-to-one translation, you must
select this option.
Do not proxy ARP on Destination Interface
Check this box to disable proxy ARP on the specified Destination
Interface. This option is available only when Static is the chosen rule
Type.
Note: This option is available on ASA 8.4.2+ devices, only when
Bidirectional is the chosen Direction.
By default, all NAT rules include proxy ARP on the egress interface. A
NAT Exempt rule is used to bypass NAT for both ingress and egress
traffic, relying on route look-up to locate the egress interface. Thus,
Proxy ARP should be disabled for NAT Exempt rules. (The NAT
Exempt rules always take priority and appear above all other NAT rules
in the Translation Rules table.)
Note: You also can disable Proxy ARP on individual interfaces, as
described in Configuring No Proxy ARP, page 54-1.
Perform route lookup for Destination Interface
If this option is selected, the egress interface is determined using route
look-up instead of using the specified Destination Interface. Be sure
this box is checked for a NAT Exempt rule. This option is supported
only for Static Identity NAT.
Note: This option is available on ASA 8.4.2+ devices, only when
Bidirectional is the chosen Direction. The option is not
available on devices operating in transparent mode.
Table 23-14 Add and Edit NAT Rule Dialog Boxes (Continued)
Element Description
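
The two IPv4-to-IPv6 methods described under "Net to net mapping of IPv4 to IPv6", worked through in Python so the translated addresses can be predicted when reviewing rules or logs. This is an added example, not taken from the Cisco guide and not device code; the networks are constructed documentation ranges, and zero-filling the bits that follow the embedded IPv4 address is an assumption.

```python
import ipaddress


def net_to_net(v4_addr, v4_net, v6_net):
    """Net-to-net: the Nth address of the IPv4 network maps to the Nth
    address of the IPv6 network (one-to-one)."""
    v4_net = ipaddress.IPv4Network(v4_net)
    v6_net = ipaddress.IPv6Network(v6_net)
    addr = ipaddress.IPv4Address(v4_addr)
    if addr not in v4_net:
        raise ValueError(f"{addr} is not in {v4_net}")
    offset = int(addr) - int(v4_net.network_address)
    if offset >= v6_net.num_addresses:
        raise ValueError(f"{v6_net} has no address at offset {offset}")
    return v6_net.network_address + offset


def ipv4_embedded(v4_addr, v6_net):
    """IPv4-embedded: the 32 bits of the IPv4 address are placed directly
    after the IPv6 prefix. Any remaining low bits are left as zero
    (assumption made for this example)."""
    v6_net = ipaddress.IPv6Network(v6_net)
    if v6_net.prefixlen > 96:
        raise ValueError("prefix must leave at least 32 bits for the IPv4 address")
    shift = 128 - v6_net.prefixlen - 32
    v4_bits = int(ipaddress.IPv4Address(v4_addr))
    return ipaddress.IPv6Address(int(v6_net.network_address) | (v4_bits << shift))


def compare(hosts, v4_net, v6_net):
    """Return (host, net-to-net result, embedded result) for each host."""
    return [(h, str(net_to_net(h, v4_net, v6_net)), str(ipv4_embedded(h, v6_net)))
            for h in hosts]


if __name__ == "__main__":
    # Constructed sample values (RFC 1918 and RFC 3849 documentation ranges).
    rows = compare(["192.168.1.0", "192.168.1.1", "192.168.1.5"],
                   "192.168.1.0/24", "2001:db8::/96")
    for host, n2n, emb in rows:
        print(f"{host:<13} net-to-net={n2n:<14} embedded={emb}")
```
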