Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 12 Using NAT Policies
Planning and Implementing a NAT Policy
License: Any
You can configure NAT policies in different ways to manage specific network needs. This section
provides information for some of the ways you can deploy NAT policies.
Caution
In clustered configurations, only select an individual peer interface for a static NAT rule on a clustered
device if all networks affected by the NAT translations are private. Do not use this configuration for
static NAT rules affecting traffic between public and private networks.
You can configure NAT to expose an internal server to an external network. In this configuration, you
define a static translation from an external IP address to an internal IP address so the system can access
an internal server from outside the network. Traffic sent to the server targets the external IP address or
IP address and port, and is translated into the internal IP address or IP address and port. Return traffic
from the server is translated back to the external address.
You can configure NAT to allow an internal host or server to connect to an external application. In this
configuration, you define a static translation from an internal address to an external address. This
definition allows the internal host or server to initiate a connection to an external application that is
expecting the internal host or server to have a specific IP address and port. Therefore, the system cannot
dynamically allocate the address of the internal host or server.
You can configure NAT to hide private network addresses from an external network by using a block of
IP addresses. This becomes useful if you want to obscure your internal network addresses and have
sufficient external IP addresses to satisfy your internal network needs. In this configuration, you create
a dynamic translation that automatically converts the source IP address of any outgoing traffic to an
unused IP address from your externally facing IP addresses.
You can configure NAT to hide private network addresses from an external network using a limited block
of IP addresses and port translation. This becomes useful if you want to obscure your internal network
addresses, but have an insufficient number of external IP addresses to satisfy your internal network
needs. In this configuration, you create a dynamic translation that automatically converts the source IP
address and port of outgoing traffic to an unused IP address and port from your externally facing IP
addresses.
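As an added example (not from the Cisco guide and not FMC code), a small Python model of the four deployments above: a static translation that works in both directions, dynamic NAT that hands out one pool address per internal host, and dynamic PAT that shares one external address across ports when the pool is too small. The NatTable class and all addresses are constructed for illustration.

```python
import ipaddress
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, TCP/UDP port)

class NatTable:
    """Toy model of the four NAT deployments above (constructed, not FMC code)."""

    def __init__(self, static: Dict[str, str], pool: str, pat: bool):
        self.static = static                      # internal IP -> external IP, both directions
        self.free = [str(h) for h in ipaddress.ip_network(pool).hosts()]
        self.pat = pat                            # True: dynamic PAT, False: dynamic NAT
        self.hosts: Dict[str, str] = {}           # dynamic NAT: internal IP -> external IP
        self.next_port = 1024                     # dynamic PAT: next unused external port
        self.fwd: Dict[Endpoint, Endpoint] = {}   # internal endpoint -> external endpoint
        self.rev: Dict[Endpoint, Endpoint] = {}   # external endpoint -> internal endpoint

    def outbound(self, src: Endpoint) -> Optional[Endpoint]:
        """Translate the source of an outgoing packet; None if no address is available."""
        if src in self.fwd:
            return self.fwd[src]
        ip, port = src
        if ip in self.static:                     # static rule: fixed address, port unchanged
            ext = (self.static[ip], port)
        elif self.pat:                            # PAT: one external IP shared via ports
            if not self.free:
                return None
            ext = (self.free[0], self.next_port)
            self.next_port += 1
        else:                                     # dynamic NAT: one external IP per internal host
            if ip not in self.hosts:
                if not self.free:
                    return None                   # pool exhausted: translation fails
                self.hosts[ip] = self.free.pop(0)
            ext = (self.hosts[ip], port)
        self.fwd[src], self.rev[ext] = ext, src
        return ext

    def inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Translate the destination of a packet arriving from the external network."""
        if dst in self.rev:                       # return traffic for an existing translation
            return self.rev[dst]
        for internal, external in self.static.items():
            if dst[0] == external:                # static rule exposes the internal server
                return (internal, dst[1])
        return None                               # dynamic translations are not reachable unsolicited
```

The dynamic NAT table returns None once the pool is empty, which is the case the guide resolves by switching to port translation.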
Configuring NAT Policies
License: Control
Supported Devices: Series 3
To configure a NAT policy, you must give the policy a unique name and identify the devices, or targets,
where you want to apply the policy. You can also add, edit, delete, enable, and disable NAT rules. After
you create or modify a NAT policy, you can apply the policy to all or some targeted devices.
You can apply NAT policies to a device cluster, including clustered stacks, as you would a standalone
device. However, you can define static NAT rules for interfaces on individual clustered devices or the
entire cluster and use the interfaces in source zones. For dynamic rules, you can use only the interfaces
on the entire cluster in source or destination zones.