Cisco Firepower Management Center 4000
12-18
FireSIGHT System User Guide
Chapter 12 Using NAT Policies
Understanding NAT Rule Types
Dynamic IP Only
Dynamic IP Only rules translate many-to-many source networks, but maintain port and protocol. When
configuring dynamic IP only translations, you can configure zones, source networks, original destination
networks, and original destination ports. You cannot configure translated destination networks or
translated destination ports.
You must specify at least one translated source network. If the number of translated source network
values is less than the number of original source networks, the system displays a warning on the rule that
it is possible to run out of translated addresses before all original addresses are matched.
If there are multiple rules with conditions that match the same packet, the low priority rules become
dead, meaning they can never be triggered. The system also displays warnings for dead rules. You can
view tooltips to determine which rule supersedes the dead rule.
Note
You can save and apply policies with dead rules, but the rules cannot provide any translation.
In some instances, you may want to create rules with limited scope preceding rules with a broader scope.
For example:
Rule 1: Match on address A and port A/Translate to address B
Rule 2: Match on address A/Translate to address C
In this example, rule 1 matches some packets that also match rule 2. Therefore, rule 2 is not completely
dead.
Optionally, you can specify only original destination ports. You cannot specify translated destination
ports.
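The dead-rule and pool-size warnings described above can be reproduced offline with a small rule linter; this is an added example, not Cisco's code. It assumes a rule is modelled only by its original source networks, translated source networks and original destination ports, and flags a rule as dead only when a single higher-priority rule subsumes it (the constructed sample follows the Rule 1 / Rule 2 case above).

```python
import ipaddress
from dataclasses import dataclass
@dataclass
class NatRule:
    name: str
    original_source: list                      # CIDR strings the rule matches on
    translated_source: list                    # CIDR strings sources are translated to
    original_dest_ports: "set | None" = None   # None means "any port"
def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]
def subsumes(earlier, later):
    """True if every packet matching `later` also matches `earlier`, i.e. `later` is dead."""
    if not all(any(a.version == b.version and b.subnet_of(a)
                   for a in _nets(earlier.original_source))
               for b in _nets(later.original_source)):
        return False
    if earlier.original_dest_ports is None:    # earlier matches any destination port
        return True
    return (later.original_dest_ports is not None
            and later.original_dest_ports <= earlier.original_dest_ports)
def overlaps(a, b):
    """True if at least one packet matches both rules (partial overlap, b stays live)."""
    if not any(x.version == y.version and x.overlaps(y)
               for x in _nets(a.original_source) for y in _nets(b.original_source)):
        return False
    if a.original_dest_ports is None or b.original_dest_ports is None:
        return True
    return bool(a.original_dest_ports & b.original_dest_ports)
def lint(rules):
    """Return {rule name: [warnings]} for rules ordered highest priority first."""
    report = {}
    for i, rule in enumerate(rules):
        warnings = []
        orig = sum(n.num_addresses for n in _nets(rule.original_source))
        trans = sum(n.num_addresses for n in _nets(rule.translated_source))
        if trans < orig:                       # pool can run out before all originals map
            warnings.append(f"translated pool ({trans}) smaller than original ({orig})")
        for earlier in rules[:i]:              # only higher-priority rules can shadow
            if subsumes(earlier, rule):
                warnings.append(f"dead: superseded by {earlier.name}")
            elif overlaps(earlier, rule):
                warnings.append(f"partial overlap with {earlier.name}")
        report[rule.name] = warnings
    return report

# Constructed sample: Rule 1 (address A and port), Rule 2 (address A), then a rule Rule 2 shadows.
RULE1 = NatRule("rule1", ["10.1.1.0/24"], ["192.0.2.0/24"], {80})
RULE2 = NatRule("rule2", ["10.1.1.0/24"], ["198.51.100.0/24"])
RULE3 = NatRule("rule3", ["10.1.1.0/25"], ["203.0.113.0/28"])
```

Running `lint([RULE1, RULE2, RULE3])` reports rule2 as only partially overlapped by rule1 (still live), while rule3 is dead behind rule2 and also has a translated pool smaller than its original network.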
Dynamic IP + Port
Dynamic IP and port rules translate many-to-one or many-to-many source networks and port and
protocol. When configuring dynamic IP and port translations, you can configure zones, source networks,
original destination networks, and original destination ports. You cannot configure translated destination
networks or translated destination ports.
You must specify at least one translated source network. If there are multiple rules with conditions that
match the same packet, the low priority rules become dead, meaning they can never be triggered. The
system also displays warnings for dead rules. You can view tooltips to determine which rule supersedes
the dead rule.
Note
You can save and apply policies with dead rules, but the rules cannot provide any translation.
Optionally, you can specify only original destination ports. You cannot specify translated destination
ports.
Note
If you create a dynamic IP and port rule, and the system passes traffic that does not use a port, no
translation occurs for the traffic. For example, a ping (ICMP) from an IP address that matches the source
network does not map, because ICMP does not use a port.
The following table summarizes the NAT rule condition types that can be configured based on the
specified NAT rule type: