Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 12 Using NAT Policies
Tip
You can use the right-click context menu to perform many rule creation and management actions; see . You can also drag and drop rules to change their order.
Step 4
Configure the rule components, as described earlier in this section. You can configure the following, or accept the defaults:
• You must provide a unique rule Name.
• Specify whether the rule is Enabled.
• Select a rule Type.
• Specify the rule position (dynamic rules only).
• Configure the rule's conditions. Static rules must include an original destination network. Dynamic rules must include a translated source network.
Step 5
Click Add or Save.
Your changes are saved. You must apply the NAT policy for your changes to take effect; see .
Understanding NAT Rule Types
License: Any
Every NAT rule has an associated type that:
• qualifies network traffic
• specifies how the traffic that matches those qualifications is translated
The following list summarizes the NAT rule types.
Static
Static rules provide one-to-one translations on destination networks and optionally port and protocol.
When configuring static translations, you can configure source zones, destination networks, and destination ports. You cannot configure destination zones or source networks.
You must specify an original destination network. For destination networks, you can only select network objects and groups containing a single IP address or enter literal IP addresses that represent a single IP address. You can only specify a single original destination network and a single translated destination network.
Optionally, you can specify a single original destination port and a single translated destination port. You must specify an original destination network before you can specify an original destination port. In addition, you cannot specify a translated destination port unless you also specify an original destination port, and the translated value must match the protocol of the original value.
Caution
For static NAT rules on a clustered device, only select an individual peer interface if all networks affected by the NAT translations are private. Do not use this configuration for static NAT rules affecting traffic between public and private networks.
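The constraints the guide places on static rules (single-host destination networks, no destination zones or source networks, the ordering between original and translated destination ports, and the protocol match) together with the Step 4 requirement that dynamic rules carry a translated source network can be checked before a rule is submitted. The following Python validator is an added example and is not part of the FireSIGHT product or of this guide; the NatRule and Port classes, their field names and the error strings are assumptions chosen for illustration, and the sample rules at the bottom are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Iterable

# Hypothetical data model (not the FireSIGHT API): a NAT rule with the
# components named in the guide.
@dataclass
class Port:
    protocol: str          # "tcp" or "udp"
    number: int

@dataclass
class NatRule:
    name: str
    rule_type: str         # "static" or "dynamic"
    enabled: bool = True
    source_zones: List[str] = field(default_factory=list)
    destination_zones: List[str] = field(default_factory=list)
    original_source_networks: List[str] = field(default_factory=list)
    translated_source_networks: List[str] = field(default_factory=list)
    original_destination_networks: List[str] = field(default_factory=list)
    translated_destination_networks: List[str] = field(default_factory=list)
    original_destination_port: Optional[Port] = None
    translated_destination_port: Optional[Port] = None

def is_single_host(network: str) -> bool:
    """True when the literal denotes exactly one IP address (10.0.0.5 or 10.0.0.5/32)."""
    try:
        return ipaddress.ip_network(network, strict=False).num_addresses == 1
    except ValueError:
        return False

def validate_nat_rule(rule: NatRule, existing_names: Iterable[str] = ()) -> List[str]:
    """Return a list of constraint violations; an empty list means the rule is acceptable."""
    errors: List[str] = []
    if not rule.name or rule.name in set(existing_names):
        errors.append("rule name must be present and unique")
    if rule.rule_type not in ("static", "dynamic"):
        errors.append(f"unknown rule type {rule.rule_type!r}")
        return errors
    if rule.rule_type == "dynamic":
        # Step 4: dynamic rules must include a translated source network.
        if not rule.translated_source_networks:
            errors.append("dynamic rules must include a translated source network")
        return errors
    # Static rules: destination zones and source networks are not configurable.
    if rule.destination_zones:
        errors.append("static rules cannot configure destination zones")
    if rule.original_source_networks or rule.translated_source_networks:
        errors.append("static rules cannot configure source networks")
    # Exactly one original destination network is required; at most one translated.
    if len(rule.original_destination_networks) != 1:
        errors.append("static rules require exactly one original destination network")
    if len(rule.translated_destination_networks) > 1:
        errors.append("static rules allow at most one translated destination network")
    # Destination networks must each represent a single IP address.
    for net in rule.original_destination_networks + rule.translated_destination_networks:
        if not is_single_host(net):
            errors.append(f"destination network {net!r} must be a single IP address")
    # Port ordering: original destination network before original destination port,
    # original destination port before translated destination port, protocols must match.
    if rule.original_destination_port and not rule.original_destination_networks:
        errors.append("original destination port requires an original destination network")
    if rule.translated_destination_port:
        if not rule.original_destination_port:
            errors.append("translated destination port requires an original destination port")
        elif rule.translated_destination_port.protocol != rule.original_destination_port.protocol:
            errors.append("translated destination port protocol must match the original")
    return errors

if __name__ == "__main__":
    # Constructed sample rules: one valid static rule and one with a protocol mismatch.
    good = NatRule(name="web-in", rule_type="static", source_zones=["outside"],
                   original_destination_networks=["203.0.113.10"],
                   translated_destination_networks=["10.0.0.10"],
                   original_destination_port=Port("tcp", 80),
                   translated_destination_port=Port("tcp", 8080))
    bad = NatRule(name="web-in", rule_type="static",
                  original_destination_networks=["203.0.113.0/24"],
                  original_destination_port=Port("tcp", 80),
                  translated_destination_port=Port("udp", 8080))
    for r in (good, bad):
        print(r.name, validate_nat_rule(r) or "ok")
```

Running the validator on a rule before it is pushed to the policy surfaces the same conditions the guide lists, which is useful when rules are generated from an inventory rather than typed into the web interface.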