FireSIGHT System User Guide
CHAPTER 12
Using NAT Policies
A network address translation (NAT) policy determines how the system routes traffic using network address translation. You can configure one or more NAT policies, which you can then apply to one or more managed devices. Each device can have only one NAT policy applied at a time.
You add NAT rules to a policy to control how the system handles network address translations. Each rule contains a set of conditions that identify the specific traffic you want to translate. You can create the following types of rules:
• static, which provide one-to-one translations of destination networks and, optionally, port and protocol
• dynamic IP, which translate many-to-many source networks but preserve the original port and protocol
• dynamic IP and port, which translate many-to-one or many-to-many source networks and also translate port and protocol
The system matches traffic against static translations before it inspects any dynamic translations. It then matches traffic against the dynamic NAT rules in order; the first rule that matches handles the traffic, and later rules are not evaluated for that traffic. See for more information.
If you have access control policies in your deployment, the system does not translate traffic until it has passed through access control; traffic that access control blocks is therefore never translated.
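The rule-evaluation order described above (access control first, then static rules, then dynamic rules in order with first match winning) and the difference between the three rule types can be seen in a small model. This is an added example written for this page, not Cisco code and not how the managed device implements NAT internally; the class and field names, the pool-selection scheme, and the sample addresses (RFC 5737 documentation ranges) are this example's own assumptions.

```python
"""Model of the NAT rule-matching order this chapter describes.

Added example, not Cisco code: static rules are consulted before any
dynamic rule, dynamic rules are tried in configured order, and nothing
is translated until the flow has passed access control.  All names
(Flow, Rule, NatEngine, rule kinds) are assumptions made for this model.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import count
from typing import Callable, Optional


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"


@dataclass
class Rule:
    kind: str               # "static", "dynamic_ip" or "dynamic_ip_port" (assumed labels)
    match_net: str          # static: destination network; dynamic: source network
    translated: list        # static: one equal-sized network; dynamic: address pool
    proto: Optional[str] = None       # static only: optional protocol condition
    port: Optional[int] = None        # static only: optional destination-port condition
    xlate_port: Optional[int] = None  # static only: translated destination port


class NatEngine:
    def __init__(self, rules, access_control: Callable[[Flow], bool] = lambda f: True):
        # Static rules are matched before any dynamic rule is inspected.
        self.static = [r for r in rules if r.kind == "static"]
        # Dynamic rules keep their configured order; the first match handles the flow.
        self.dynamic = [r for r in rules if r.kind != "static"]
        self.access_control = access_control
        self._pat_ports = count(1024)  # next free translated source port (PAT)
        self._pat_table = {}           # (src_ip, src_port, proto) -> translated port

    def translate(self, flow):
        # Traffic is translated only after it has passed access control.
        if not self.access_control(flow):
            return None, "blocked"
        for r in self.static:
            if self._static_matches(r, flow):
                return self._apply_static(r, flow), r
        for r in self.dynamic:
            if ip_address(flow.src_ip) in ip_network(r.match_net):
                return self._apply_dynamic(r, flow), r
        return flow, None  # no rule matched: the flow passes untranslated

    @staticmethod
    def _static_matches(r, flow):
        if ip_address(flow.dst_ip) not in ip_network(r.match_net):
            return False
        if r.proto is not None and r.proto != flow.proto:
            return False
        if r.port is not None and r.port != flow.dst_port:
            return False
        return True

    @staticmethod
    def _apply_static(r, flow):
        # One-to-one: keep the host offset inside the network, swap the prefix.
        orig_net, new_net = ip_network(r.match_net), ip_network(r.translated[0])
        offset = int(ip_address(flow.dst_ip)) - int(orig_net.network_address)
        new_dst = str(ip_address(int(new_net.network_address) + offset))
        new_port = r.xlate_port if r.xlate_port is not None else flow.dst_port
        return Flow(flow.src_ip, flow.src_port, new_dst, new_port, flow.proto)

    def _apply_dynamic(self, r, flow):
        # Pool member chosen per source host (assumed scheme; real devices differ).
        new_src = r.translated[int(ip_address(flow.src_ip)) % len(r.translated)]
        if r.kind == "dynamic_ip":
            # Many-to-many on the address only: port and protocol are preserved.
            return Flow(new_src, flow.src_port, flow.dst_ip, flow.dst_port, flow.proto)
        # dynamic_ip_port: address and port are both rewritten; the same original
        # source tuple keeps the same translated port for the life of the table.
        key = (flow.src_ip, flow.src_port, flow.proto)
        if key not in self._pat_table:
            self._pat_table[key] = next(self._pat_ports)
        return Flow(new_src, self._pat_table[key], flow.dst_ip, flow.dst_port, flow.proto)


def run_demo():
    """Run constructed sample flows through a constructed three-rule policy."""
    rules = [
        Rule("static", "203.0.113.0/24", ["10.10.0.0/24"], proto="tcp", port=443, xlate_port=8443),
        Rule("dynamic_ip", "192.168.1.0/24", ["198.51.100.10", "198.51.100.11"]),
        Rule("dynamic_ip_port", "192.168.0.0/16", ["198.51.100.1"]),
    ]
    # Constructed stand-in for access control: deny anything sourced from 10.0.0.0/8.
    allow = lambda f: ip_address(f.src_ip) not in ip_network("10.0.0.0/8")
    engine = NatEngine(rules, allow)
    flows = [
        Flow("192.168.1.5", 40000, "203.0.113.25", 443, "tcp"),  # static wins over dynamic
        Flow("192.168.1.5", 40001, "203.0.113.25", 80, "tcp"),   # dynamic IP, port kept
        Flow("192.168.2.7", 40002, "203.0.113.25", 80, "tcp"),   # dynamic IP and port
        Flow("192.168.2.7", 40002, "203.0.113.25", 80, "tcp"),   # same tuple, same port
        Flow("192.168.2.7", 40003, "203.0.113.25", 80, "tcp"),   # next translated port
        Flow("10.0.0.1", 40004, "203.0.113.25", 443, "tcp"),     # dropped before NAT
    ]
    results = []
    for f in flows:
        xlated, rule = engine.translate(f)
        label = rule if isinstance(rule, str) else (rule.kind if rule else "none")
        results.append((xlated, label))
    return results


if __name__ == "__main__":
    for xlated, label in run_demo():
        print(f"{label:16} {xlated}")
```

The first sample flow is the point of the model: its source address matches both dynamic rules, yet only the static rule is applied because static translations are matched first and the first match ends evaluation. The last flow shows that a flow access control blocks never reaches the NAT rules at all.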
To configure and apply NAT policies on your appliances, you must have a Control license enabled on each of your target managed devices. Additionally, you can only apply NAT policies to Series 3 devices with configured virtual routers or hybrid interfaces.
After you have configured and deployed NAT policies, you can use the command line interface (CLI) on the target managed devices to troubleshoot the deployment. The CLI displays three types of NAT information: configuration, rule definitions, and active translations. See for more information.
See the following sections for more information on creating and managing NAT policies: