Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 12: Using NAT Policies
Working with Different Types of Conditions in NAT Rules

Note: In a static NAT rule, you can add only source zones. In a dynamic NAT rule, you can add both source and destination zones.

The following procedure explains how to add source and destination zone conditions while adding or editing a NAT rule. See  for more detailed information.

To add zone conditions to a NAT rule:
Access: Admin/Network Admin

Step 1
Select the Zones tab on the rule Edit page.
The Zones page appears.

Step 2
Optionally, click the Search by name prompt above the Available Zones list, then type a name or value.
The list updates as you type to display matching conditions. See  for more information.

Step 3
Click a zone or interface in the Available Zones list. Use the Shift and Ctrl keys to select multiple conditions, or right-click and then click Select All.
Conditions you select are highlighted.

Step 4
You have the following choices:
  • To match traffic by source zone, click Add to Source.
  • To match traffic by destination zone, click Add to Destination.
Optionally, you can drag and drop selected conditions into the Source Zones or Destination Zones lists.
Selected conditions are added. Note that while you can add disabled interfaces to a NAT rule, the rule does not provide any translation.
Note: You can add only source zones to static NAT rules.

Step 5
Save or continue editing the rule.
You must apply the NAT policy for your changes to take effect; see .

Adding Source Network Conditions to Dynamic NAT Rules
License: Any

You configure the matching values and translation values of the source IP address for packets. If the 
original source network is not configured, then any source IP address matches the dynamic NAT rule. 
Note that you cannot configure source networks for static NAT rules. If a packet matches the NAT rule, 
the system uses the values in the translated source network to assign the new value for the source IP 
address. For dynamic rules, you must configure a translated source network with at least one value.