23-40
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 23 Configuring Network Address Translation
NAT Policies on Security Devices
PAT Pools and Round Robin Allocation
Adaptive Security Appliances, version 8.4.2 and later, include two features that let you alter how port
address translation (PAT) occurs: you can explicitly define a pool of IP addresses specifically for PAT,
and you can select a “round robin” algorithm for port allocation during PAT.
These features simplify configuration of large numbers of PAT addresses, and help prevent a large
number of connections from a single PAT address, which can appear to be part of a DoS attack.
Explicit PAT Pool Definition
Prior to version 8.4.2, when you defined a Dynamic NAT and PAT rule, you provided a “pool” of IP
addresses (in the Translated Source field of the Add/Edit NAT Rule dialog boxes) to be used for
translation. This pool could consist of individual IP addresses, ranges of addresses, Networks/Hosts
objects, or Network/Host group objects, and combinations thereof.
Ranges and objects with more than one IP address were considered to be in the “NAT Pool,” while
individual IP addresses and group objects consisting of one or more individual addresses were
considered to be part of the “PAT Pool.”
Address translation on the device would work its way through the NAT Pool until all available addresses
were exhausted. Port address translation would then begin using the PAT Pool—assigning ports on the
first IP address in the PAT Pool until all ports (approximately 64,000) were assigned, then assigning ports
on the next address in the pool, and so on. When all ports were fully subscribed on all IP addresses in the
PAT Pool, no further translation could occur.
On version 8.4.2 and later ASA devices, you can explicitly define a separate PAT Pool for a Dynamic
NAT and PAT rule. If you do so, the first collection of addresses (defined in the Translated Source field)
is considered the NAT Pool, while the PAT Pool addresses are specified in the PAT Pool Address
Translation field.
Note: If you do not explicitly specify a PAT Pool, address translation takes place as described for
pre-8.4.2 devices.
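The allocation order described above (NAT Pool first, then the PAT Pool one address at a time) is easy to lose track of, so here is a small model of it. This is an added example, not Cisco Security Manager or ASA code; the addresses, inside hosts and the tiny per-address port budget are constructed, and the behaviour of the "round robin" option (rotating to the next PAT address for each new connection rather than filling one address first) is an assumption made to contrast the two modes the text mentions.

```python
# Added example (not Cisco Security Manager or ASA code): a small model of the
# Dynamic NAT and PAT allocation order described in the text. Addresses,
# hosts and the small port budget in the usage section are constructed.
from collections import Counter
from itertools import cycle


class DynamicNatPat:
    """Model of a Dynamic NAT and PAT rule with a NAT Pool and a PAT Pool.

    NAT Pool addresses are handed out one per inside host until exhausted;
    after that, each new connection is port-translated on a PAT Pool address.
    """

    def __init__(self, nat_pool, pat_pool, ports_per_address=64000,
                 round_robin=False):
        self.nat_pool = list(nat_pool)              # one-to-one addresses
        self.pat_pool = list(pat_pool)              # addresses used for PAT
        self.ports_per_address = ports_per_address  # text: ~64,000 per address
        self.round_robin = round_robin
        self.nat_map = {}                           # inside host -> NAT address
        self.ports_used = Counter()                 # PAT address -> ports consumed
        self._rotation = cycle(self.pat_pool)       # used only for round robin

    def _has_room(self, addr):
        return self.ports_used[addr] < self.ports_per_address

    def _next_pat_address(self):
        """Pick the PAT address for a new connection, or None if all are full."""
        if not self.pat_pool:
            return None
        if self.round_robin:
            # Assumption: 'round robin' moves to the next address for each new
            # connection instead of filling one address before moving on.
            for _ in range(len(self.pat_pool)):
                addr = next(self._rotation)
                if self._has_room(addr):
                    return addr
            return None
        # Default behaviour from the text: exhaust the first address' ports,
        # then move to the next address in the pool.
        return next((a for a in self.pat_pool if self._has_room(a)), None)

    def translate(self, host):
        """Translate one new connection from `host`.

        Returns ("nat", addr) for a one-to-one mapping, ("pat", addr, port)
        for a port translation, or None when both pools are fully subscribed.
        Port numbers are 1-based counters purely for illustration.
        """
        if host in self.nat_map:
            return ("nat", self.nat_map[host])
        if len(self.nat_map) < len(self.nat_pool):
            addr = self.nat_pool[len(self.nat_map)]
            self.nat_map[host] = addr
            return ("nat", addr)
        addr = self._next_pat_address()
        if addr is None:
            return None
        self.ports_used[addr] += 1
        return ("pat", addr, self.ports_used[addr])


def pat_load(rule, hosts):
    """Send one new connection per host through `rule`.

    Returns (PAT connections per address, number of untranslatable connections).
    """
    failed = 0
    for h in hosts:
        if rule.translate(h) is None:
            failed += 1
    return dict(rule.ports_used), failed


if __name__ == "__main__":
    # Constructed sample: two NAT addresses, two PAT addresses, 4 ports each.
    nat = ["203.0.113.1", "203.0.113.2"]
    pat = ["203.0.113.10", "203.0.113.11"]
    hosts = [f"10.0.0.{i}" for i in range(1, 8)]   # 7 inside hosts
    for rr in (False, True):
        load, failed = pat_load(DynamicNatPat(nat, pat, 4, round_robin=rr), hosts)
        print("round robin" if rr else "sequential", load, "failed:", failed)
```

With the sample above, the first two hosts consume the NAT Pool and the remaining five connections fall back to PAT. In the default mode the first PAT address absorbs four of them and the second only one, which is the concentration of connections on a single address that the text says can look like a DoS; with the round robin option the same five connections are spread 3/2 across the two addresses. Raising the host count past the combined port budget shows the "no further translation" case as untranslated connections.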
Table 23-14 Add and Edit NAT Rule Dialog Boxes (Continued)

Element         Description
Unidirectional  This feature lets you configure a static NAT rule in a single direction
                only, or dual rules, one each for both directions (forward and reverse).
                When selected, a single static NAT is created, as specified by the other
                options in this dialog box. Dynamic rules are unidirectional by default.
                If deselected, two linked static NAT rules are created, encompassing
                both directions of the translation, as specified by the other options in
                this dialog box. Note that each bidirectional rule entry in the rules
                table consists of two lines.
Description     (Optional) Provide a description of the rule.
Category        (Optional) Choose a category to assign to the rule. Categories can help
                you organize and identify rules and objects; see Using Category
                Objects, page 6-12 for more information.
                Note: This option is not available when Dynamic NAT and PAT is the
                chosen rule Type.