Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 12      Using NAT Policies 
  Working with Different Types of Conditions in NAT Rules
The list updates as you type to display matching conditions. See  for more information.
Step 3
Click a condition in the Available Networks list. Use the Shift and Ctrl keys to select multiple conditions, or right-click and then click Select All.
Conditions you select are highlighted.
Step 4
You have the following choices:
  • To match traffic by original destination network, click Add to Original.
  • To specify the translation value for traffic that matches the original destination network, click Add to Translated.
Alternatively, you can drag and drop selected conditions into the Original Destination Network or Translated Destination Network lists.
Conditions you selected are added.
Step 5
Optionally, click the add icon above the Available Networks list to add an individual network object.
For dynamic rules, you can add multiple IP addresses, CIDR blocks, and prefix lengths to each network object. For static rules, you can add only a single IP address. Optionally, you can then select the object you added. See  and  for more information.
Step 6
Optionally, click the Enter an IP address prompt below the Original Destination Network or Translated Destination Network list, then type an IP address or address block and click Add.
The list updates to display your entry. See  for more information.
Step 7
Save or continue editing the rule.
You must apply the NAT policy for your changes to take effect; see 
Adding Port Conditions to NAT Rules
License: Any
You can add a port condition to a rule to match network traffic by original destination port and transport protocol, and to specify the translated destination port. If the original port is not configured, any destination port matches the rule. If a packet matches the NAT rule and a translated destination port is configured, the system translates the port into that value. Note that for dynamic rules, you can specify only the original destination port. For static rules, you can define a translated destination port, but only with an object that uses the same protocol as the original destination port object or literal value.
The system matches the destination port against the value of the port object or literal port in the original 
destination port list for static rules, or multiple values for dynamic rules.
Because static NAT rules are one-to-one translations, the Available Ports list contains only port objects and groups that contain a single port. For static translations, you can add only a single object or literal value to each of the Original Port and Translated Port lists.
For dynamic rules, you can add a range of ports. For example, when specifying the original destination port, you can add 1000-1100 as a literal value.
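The static/dynamic constraints stated in Step 5 for network objects and in this section for port conditions are easy to get wrong when a rule is built by hand, so here is an added example that encodes them as a checker and a small matcher. It is written for this page and is not Cisco code, not the Firepower Management Center API, and not the system's actual NAT engine: NetworkObject, PortObject, NatRule, validate(), matches() and translate_static() are hypothetical helpers, and the one assumption beyond the text is that an empty Original Destination Network list matches any address.

```python
"""Model of the NAT rule condition constraints described in this chapter.
Constructed for this page, not Cisco code or the FMC API: every class and
function here is a hypothetical helper encoding the static/dynamic rules in the text."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class NetworkObject:
    entries: list  # IP addresses ("10.0.0.5") or CIDR blocks ("10.0.0.0/24")

@dataclass
class PortObject:
    protocol: str  # "tcp" or "udp"
    ports: list    # literals such as "80" or ranges such as "1000-1100"

@dataclass
class NatRule:
    kind: str                                            # "static" or "dynamic"
    original_dst: list = field(default_factory=list)     # Original Destination Network
    translated_dst: list = field(default_factory=list)   # Translated Destination Network
    original_port: list = field(default_factory=list)    # Original Port
    translated_port: list = field(default_factory=list)  # Translated Port

def parse_port(literal):
    """'80' -> (80, 80); '1000-1100' -> (1000, 1100); ValueError on anything else."""
    lo, _, hi = literal.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad port literal {literal!r}")
    return lo, hi

def _is_single_port(obj):
    # Static rules accept only port objects that hold exactly one port.
    try:
        lo, hi = parse_port(obj.ports[0])
    except (IndexError, ValueError):
        return False
    return len(obj.ports) == 1 and lo == hi

def validate(rule):
    """Return the list of constraint violations; an empty list means the rule is acceptable."""
    assert rule.kind in ("static", "dynamic"), rule.kind
    errors = []
    # Network objects: dynamic may hold several addresses and blocks, static exactly one address.
    for label, objs in (("original", rule.original_dst), ("translated", rule.translated_dst)):
        for obj in objs:
            nets = []
            for entry in obj.entries:
                try:
                    nets.append(ipaddress.ip_network(entry, strict=False))
                except ValueError:
                    errors.append(f"{label} network: {entry!r} is not an address or block")
            if rule.kind == "static" and (len(obj.entries) != 1 or len(nets) != 1
                                          or nets[0].num_addresses != 1):
                errors.append(f"{label} network: static rule needs a single IP, got {obj.entries}")
    if rule.kind == "dynamic":
        if rule.translated_port:
            errors.append("dynamic rule may specify only the original destination port")
        for obj in rule.original_port:  # ranges are allowed, but every literal must parse
            for literal in obj.ports:
                try:
                    parse_port(literal)
                except ValueError as exc:
                    errors.append(f"original port: {exc}")
    else:
        for label, objs in (("original", rule.original_port), ("translated", rule.translated_port)):
            if len(objs) > 1:
                errors.append(f"{label} port: static rule allows a single object or literal")
            for obj in objs:
                if not _is_single_port(obj):
                    errors.append(f"{label} port: static rule needs a single port, got {obj.ports}")
        if (rule.original_port and rule.translated_port
                and rule.original_port[0].protocol != rule.translated_port[0].protocol):
            errors.append("translated port must use the same protocol as the original port")
    return errors

def matches(rule, dst_ip, dst_port, protocol):
    """True if a packet's destination matches the rule's original conditions."""
    ip = ipaddress.ip_address(dst_ip)
    # Assumption: an empty Original Destination Network list matches any address.
    net_ok = not rule.original_dst or any(
        ip in ipaddress.ip_network(e, strict=False) for o in rule.original_dst for e in o.entries)
    # As the guide states, an unconfigured original port matches any destination port.
    port_ok = not rule.original_port or any(
        o.protocol == protocol and any(lo <= dst_port <= hi for lo, hi in map(parse_port, o.ports))
        for o in rule.original_port)
    return net_ok and port_ok

def translate_static(rule, dst_ip, dst_port, protocol):
    """Apply a static (one-to-one) rule; returns the new (ip, port), or None when it does not match."""
    errors = validate(rule) if rule.kind == "static" else ["translate_static handles static rules only"]
    if errors:
        raise ValueError("; ".join(errors))
    if not matches(rule, dst_ip, dst_port, protocol):
        return None
    new_ip = rule.translated_dst[0].entries[0] if rule.translated_dst else dst_ip
    new_port = parse_port(rule.translated_port[0].ports[0])[0] if rule.translated_port else dst_port
    return new_ip, new_port
```

With constructed inputs, a dynamic rule whose original port is the literal 1000-1100 validates cleanly and matches TCP port 1050 but neither UDP nor port 1101; a static rule that maps 192.0.2.10:80/tcp to 10.0.0.10:8080 translates only that exact destination; and a static rule built with a /24 original network, a port range, and a UDP translated port against a TCP original port fails validation on all three counts, which is the set of mistakes the text above warns about.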