Cisco Firepower Management Center 2000
FireSIGHT System User Guide
Chapter 12
Using NAT Policies
A network address translation (NAT) policy determines how the system achieves routing with network 
address translation. You can configure one or more NAT policies, which you can then apply to one or 
more managed devices. Each device can have one currently applied policy.
You add NAT rules to a policy to control how the system handles network address translations. Each rule 
contains a set of conditions that identify the specific traffic you want to translate. You can create the 
following types of rules:
  • static, which provide one-to-one translations on destination networks and optionally port and protocol
  • dynamic IP, which translate many-to-many source networks, but maintain port and protocol
  • dynamic IP and port, which translate many-to-one or many-to-many source networks and port and protocol
The system matches traffic to static translations before dynamic translations are inspected. The system then matches traffic to dynamic NAT rules in order; the first rule that matches handles the traffic. See  for more information.
If you have access control policies in your deployment, the system does not translate traffic until it has 
passed through access control.
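The matching order described above, as an added example that is not code from the guide or from the FireSIGHT product: a small Python model of rule selection in which traffic that has not passed access control is never translated, static rules are checked before any dynamic rule, and dynamic rules are checked in policy order with the first match winning. Rule names, networks and the `NatRule` field layout are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class NatRule:
    name: str
    kind: str                  # "static", "dynamic_ip" or "dynamic_ip_port"
    match_net: str             # static: destination network; dynamic: source network
    translate_to: str          # translated address/network (informational here)
    port: Optional[int] = None     # optional port condition (static rules)
    proto: Optional[str] = None    # optional protocol condition (static rules)

def rule_matches(rule: NatRule, src: str, dst: str, dport: int, proto: str) -> bool:
    """Static rules are conditions on the destination (plus optional port/protocol);
    dynamic rules are conditions on the source network only."""
    if rule.kind == "static":
        if rule.port is not None and rule.port != dport:
            return False
        if rule.proto is not None and rule.proto != proto:
            return False
        return ipaddress.ip_address(dst) in ipaddress.ip_network(rule.match_net)
    return ipaddress.ip_address(src) in ipaddress.ip_network(rule.match_net)

def select_nat_rule(rules: List[NatRule], src: str, dst: str, dport: int,
                    proto: str = "tcp", passed_access_control: bool = True) -> Optional[str]:
    """Return the name of the rule that would translate this flow, or None."""
    if not passed_access_control:
        return None                      # access control runs before NAT
    static = [r for r in rules if r.kind == "static"]
    dynamic = [r for r in rules if r.kind != "static"]   # keeps policy order
    for rule in static + dynamic:        # static first, then dynamic in order
        if rule_matches(rule, src, dst, dport, proto):
            return rule.name
    return None

# Constructed sample policy; addresses are documentation ranges, not from the guide.
POLICY = [
    NatRule("dyn-lan-pat", "dynamic_ip_port", "10.0.0.0/8", "203.0.113.10"),
    NatRule("dyn-dmz", "dynamic_ip", "10.20.0.0/16", "198.51.100.0/24"),
    NatRule("static-web", "static", "203.0.113.80/32", "10.20.0.80", port=443, proto="tcp"),
]

if __name__ == "__main__":
    # The static rule wins even though it is listed last and both dynamic rules match the source.
    print(select_nat_rule(POLICY, "10.20.5.5", "203.0.113.80", 443))   # static-web
    # With the port condition unmet, the first dynamic rule in order wins, not the more specific one.
    print(select_nat_rule(POLICY, "10.20.5.5", "203.0.113.80", 80))    # dyn-lan-pat
```

The second case shows why dynamic rule order matters: a broad rule placed earlier shadows a more specific one placed later.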
To configure and apply NAT policies on your appliances, you must have a Control license enabled on 
each of your target managed devices. Additionally, you can only apply NAT policies to Series 3 devices 
with configured virtual routers or hybrid interfaces.
After you have configured and deployed NAT policies, you can use the command line interface (CLI) for managed device targets to troubleshoot the deployment. The CLI displays three types of NAT information: configuration, rule definitions, and active translations. See  for more information.
See the following sections for more information on creating and managing NAT policies: