Cisco Firepower Management Center 4000
12-25
FireSIGHT System User Guide
Chapter 12 Using NAT Policies
Working with Different Types of Conditions in NAT Rules
Note
In a static NAT rule, you can add only source zones. In a dynamic NAT rule, you can add both source and destination zones.
The following procedure explains how to add source and destination zone conditions while adding or editing a NAT rule. See for more detailed information.
To add zone conditions to a NAT rule:
Access: Admin/Network Admin
Step 1 Select the Zones tab on the rule Edit page.
The Zones page appears.
Step 2 Optionally, click the Search by name prompt above the Available Zones list, then type a name or value.
The list updates as you type to display matching conditions. See for more information.
Step 3 Click a zone or interface in the Available Zones list. Use the Shift and Ctrl keys to select multiple conditions, or right-click and then click Select All.
Conditions you select are highlighted.
Step 4 You have the following choices:
• To match traffic by source zone, click Add to Source.
• To match traffic by destination zone, click Add to Destination.
Optionally, you can drag and drop selected conditions into the Source Zones or Destination Zones lists.
Selected conditions are added. Note that while you can add disabled interfaces to a NAT rule, the rule does not provide any translation.
Note
You can add only source zones to static NAT rules.
Step 5 Save or continue editing the rule.
You must apply the NAT policy for your changes to take effect; see .
Adding Source Network Conditions to Dynamic NAT Rules
License: Any
You configure the matching values and translation values of the source IP address for packets. If the
original source network is not configured, then any source IP address matches the dynamic NAT rule.
Note that you cannot configure source networks for static NAT rules. If a packet matches the NAT rule,
the system uses the values in the translated source network to assign the new value for the source IP
address. For dynamic rules, you must configure a translated source network with at least one value.
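The zone and source-network constraints described above can be checked before a policy is applied. The following is an added illustration, not Cisco code: the NatRule class, validate() and matches_source() are constructed here to encode the rules this section states (static rules take source zones only and no source networks; dynamic rules need at least one translated source network value; an empty original source network matches any source IP; a disabled interface on a rule yields no translation).

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class NatRule:
    """Constructed model of the NAT rule fields this section discusses."""
    name: str
    rule_type: str                                         # "static" or "dynamic"
    source_zones: list = field(default_factory=list)
    destination_zones: list = field(default_factory=list)
    original_source: list = field(default_factory=list)    # CIDR strings
    translated_source: list = field(default_factory=list)  # CIDR strings


def validate(rule):
    """Return the policy violations for a rule; an empty list means it is well-formed."""
    errors = []
    if rule.rule_type == "static":
        # Static rules take source zones only and carry no source network conditions.
        if rule.destination_zones:
            errors.append("static rules accept only source zones")
        if rule.original_source or rule.translated_source:
            errors.append("static rules cannot carry source network conditions")
    elif rule.rule_type == "dynamic":
        # Dynamic rules need a translated source network with at least one value.
        if not rule.translated_source:
            errors.append("dynamic rules need a translated source network value")
    else:
        errors.append("unknown rule type: %s" % rule.rule_type)
    return errors


def matches_source(rule, src_ip, ingress_zone, disabled_interfaces=()):
    """Decide whether a packet's source matches a dynamic rule's source conditions.

    An empty original source network matches any source IP. A disabled interface
    can be attached to a rule, but traffic through it receives no translation.
    """
    if ingress_zone in disabled_interfaces:
        return False
    if rule.source_zones and ingress_zone not in rule.source_zones:
        return False
    if not rule.original_source:
        return True
    addr = ip_address(src_ip)
    return any(addr in ip_network(net) for net in rule.original_source)
```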