Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 23 Configuring Network Address Translation
NAT Policies on Security Devices
Table 23-15 Network/Host Dialog Box NAT Tab (Continued)

Element: Description

Service Translation

Use the options in this section of the Advanced panel to configure static port address translation. (Available for Static rules only.)

Note: Service Translation and the "Translate DNS replies that match this rule" option cannot be used together.

  Protocol: Whether a TCP or UDP port.
  Original Port: The port on which the traffic enters the device.
  Translated Port: The port number that is to replace the original port number.

Options

  Translate DNS replies that match this rule:
    When checked, addresses embedded in DNS replies that match this rule are rewritten.
    For DNS replies traversing from a mapped interface to a real interface, the Address (or “A”) record is rewritten from the mapped value to the real value. Conversely, for DNS replies traversing from a real interface to a mapped interface, the A record is rewritten from the real value to the mapped value. Note that DNS inspection must be enabled to support this functionality.
    Note: This option and Service Translation cannot be used together.

  Fallthrough to Interface PAT (Destination Interface):
    When checked, dynamic PAT back-up is enabled. When the pool of dynamic NAT addresses is depleted, port address translation is performed, using the address pool specified in the Use Address field.
    This option is available only when Dynamic NAT and PAT is the chosen Type on devices operating in routed mode.

  IPv6: When selected, the IPv6 address of the interface is used.

  Net to net mapping of IPv4 to IPv6:
    When checked, translates the first IPv4 address to the first IPv6 address, the second to the second, and so on. Without this option, the IPv4-embedded method is used, in which the 32 bits of the IPv4 address are embedded after the IPv6 prefix. For a one-to-one translation, you must select this option.

  Do not proxy ARP on Destination Interface:
    Check this box to disable proxy ARP on the specified Destination Interface. This option is available only when Static is the chosen rule Type.
    By default, all NAT rules include proxy ARP on the egress interface. A NAT Exempt rule is used to bypass NAT for both ingress and egress traffic, relying on route look-up to locate the egress interface. Thus, Proxy ARP should be disabled for NAT Exempt rules. (The NAT Exempt rules always take priority and appear above all other NAT rules in the Translation Rules table.)
    Note: You can also disable Proxy ARP on individual interfaces, as described in Configuring No Proxy ARP, page 54-1.
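
The following Python sketch is an added example, not part of the Cisco guide or product code. It computes the IPv6 address a host receives under the "Net to net mapping of IPv4 to IPv6" option versus the default IPv4-embedded method, so that access rules and log filters can be checked against the address that will actually appear. The function names, the documentation-range sample networks, the choice to count the "first" address from the network address, and the zero fill after the embedded IPv4 bits are assumptions.

```python
import ipaddress


def net_to_net(real_addr, real_net, mapped_net):
    """Net-to-net: the Nth IPv4 address maps to the Nth IPv6 address.

    Assumption: "first address" means the network address (offset 0).
    """
    real_net = ipaddress.IPv4Network(real_net)
    mapped_net = ipaddress.IPv6Network(mapped_net)
    addr = ipaddress.IPv4Address(real_addr)
    if addr not in real_net:
        raise ValueError(f"{addr} is not in {real_net}")
    offset = int(addr) - int(real_net.network_address)
    if offset >= mapped_net.num_addresses:
        raise ValueError("mapped network is too small for this offset")
    return mapped_net.network_address + offset


def ipv4_embedded(real_addr, mapped_net):
    """IPv4-embedded: the 32 IPv4 bits are placed right after the IPv6 prefix.

    Assumption: any bits left after the embedded address stay zero.
    """
    mapped_net = ipaddress.IPv6Network(mapped_net)
    if mapped_net.prefixlen > 96:
        raise ValueError("prefix leaves fewer than 32 bits for the IPv4 address")
    shift = 128 - mapped_net.prefixlen - 32
    v4_bits = int(ipaddress.IPv4Address(real_addr))
    return ipaddress.IPv6Address(int(mapped_net.network_address) | (v4_bits << shift))


if __name__ == "__main__":
    # Constructed sample values from the documentation address ranges.
    real_net, host = "192.0.2.0/24", "192.0.2.4"
    for prefix in ("2001:db8::/96", "2001:db8::/64"):
        print(prefix)
        print("  net-to-net    :", net_to_net(host, real_net, prefix))
        print("  IPv4-embedded :", ipv4_embedded(host, prefix))
```

The two methods yield different mapped addresses for the same host, so a rule written for one form will not match traffic translated with the other.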