Cisco FirePOWER Appliance 7020
FireSIGHT System User Guide
Chapter 12 Using NAT Policies
Working with Different Types of Conditions in NAT Rules
• explains how to match traffic by specified transport protocol ports.
Adding Zone Conditions to NAT Rules
License: Any
The security zones on your system are comprised of interfaces on your managed devices. Zones that you add to a NAT rule target the rule to devices on your network that have routed or hybrid interfaces in those zones. You can only add security zones with routed or hybrid interfaces as conditions for NAT rules. See for information on creating security zones using the object manager.
You can add either zones or standalone interfaces that are currently assigned to a virtual router to NAT rules. If there are devices with unapplied device configurations, the Zones page displays a warning icon at the top of the available zones list, indicating that only applied zones and interfaces are displayed. You can click the arrow icon next to a zone to collapse or expand the zone to hide or view its interfaces.
If an interface is on a clustered device, the available zones list displays an additional branch from that interface, with the other interfaces in the cluster as children of the primary interface on the active device in the cluster. You can also click the arrow icon to collapse or expand the clustered device interfaces to hide or view its interfaces.
Note
You can save and apply policies with disabled interfaces, but the rules cannot provide any translation until the interfaces are enabled.
The two lists on the right are the source and destination zones used for matching purposes by the NAT rules. If the rule already has values configured, these lists display the existing values when you edit the rule. If the source zones list is empty, the rule matches traffic from any zone or interface. If the destination zones list is empty, the rule matches traffic to any zone or interface.
The system displays warnings for rules with zone combinations that never trigger on a targeted device.
Note
You can save and apply policies with these zone combinations, but the rules will not provide any translation.
You can add individual interfaces by selecting an item in a zone or by selecting a standalone interface. You can only add interfaces in a zone if the zone it is assigned to has not already been added to a source zones or destination zones list. These individually selected interfaces are not affected by changes to zones, even if you remove them and add them to a different zone. If an interface is the primary member of a cluster and you are configuring a dynamic rule, you can add only the primary interface to the source zones or destination zones list. For static rules, you can add individual cluster member interfaces to the source zones list. You can only add a primary cluster interface to a list if none of its children have been added, and you can only add individual cluster interfaces if the primary has not been added.
If you add a zone, the rule uses all interfaces associated with the zone. If you add or remove an interface from the zone, the rule will not use the updated version of the zone until the device configuration has been reapplied to the devices where the interfaces reside.
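The selection constraints and matching semantics described in this section can be checked before a policy is applied. The following Python model is an added illustration, not Cisco code: the topology (ZONES, CLUSTER), the rule representation, and the reading that an interface is blocked once its zone appears in either list are assumptions made for the example.

```python
# Illustrative model of the zone-condition rules above (added example, not Cisco code).
ZONES = {"inside": {"eth0", "eth1"}, "dmz": {"eth2"}}        # constructed zone -> interfaces
CLUSTER = {"eth2": {"eth2-peer"}}                            # constructed primary -> member interfaces
MEMBER_OF = {m: p for p, ms in CLUSTER.items() for m in ms}  # member interface -> its primary

def zone_of(iface):
    return next((z for z, ifs in ZONES.items() if iface in ifs), None)

def check_rule(kind, src, dst):
    """Return constraint violations for a rule's zone/interface selections.
    src/dst hold ("zone", name) or ("iface", name); kind is "static" or "dynamic"."""
    errors = []
    chosen_zones = {n for t, n in src + dst if t == "zone"}
    for side, sel in (("source", src), ("destination", dst)):
        ifaces = {n for t, n in sel if t == "iface"}
        for name in ifaces:
            # an interface cannot be added once its zone is already in a list
            if zone_of(name) in chosen_zones:
                errors.append(f"{side}: {name} is in zone {zone_of(name)}, which is already added")
            if name in MEMBER_OF:  # a cluster member (child of the primary interface)
                if kind == "dynamic":
                    errors.append(f"{side}: dynamic rule may only use primary {MEMBER_OF[name]}")
                elif side != "source":
                    errors.append(f"{side}: static rule allows cluster members only in source list")
                if MEMBER_OF[name] in ifaces:  # primary and child are mutually exclusive
                    errors.append(f"{side}: {name} and its primary {MEMBER_OF[name]} both added")
    return errors

def matches(rule_src, rule_dst, ingress, egress, applied_zones):
    """An empty list matches any interface. A zone expands to the interface set that was
    current when the device configuration was last applied (applied_zones), so an
    interface added to the zone later is not matched until the config is reapplied."""
    def expand(sel):
        out = set()
        for t, n in sel:
            out |= applied_zones.get(n, set()) if t == "zone" else {n}
        return out
    s, d = expand(rule_src), expand(rule_dst)
    return (not rule_src or ingress in s) and (not rule_dst or egress in d)
```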