23-6
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 23 Configuring Network Address Translation
NAT Policies on Cisco IOS Routers
NAT Page: Interface Specification
Before creating NAT rules, you must define the “direction” of the traffic to be translated by specifying
the Inside and Outside interfaces. Inside interfaces typically connect to a LAN that the router serves.
Outside interfaces typically connect to your organization’s WAN or to the Internet. You must designate
at least one Inside interface and one Outside interface to enable the router to perform network address
translation.
The Inside and Outside designations are used when interpreting translation rules: traffic from addresses
reached through an Inside interface is translated as it leaves through an Outside interface, and the
reverse translation is applied to return traffic. After these interfaces are defined, they are used in all
static and dynamic NAT translation rules.
Use the Interface Specification tab of the NAT policy page to specify the Inside and Outside interfaces.
Navigation Path
(Device view) Select NAT from the Policy selector, then click the Interface Specification tab.
(Policy view) Select NAT (Router) > Translation Rules from the Policy Type selector. Select an
existing policy or create a new one, and then click the Interface Specification tab.
Defining the Inside and Outside Interfaces
In the NAT Inside Interfaces and NAT Outside Interfaces fields, enter or Select the names of the
interfaces or interface roles for the Inside and Outside interfaces, respectively. Separate multiple names
or roles with commas (for example, Ethernet1/1, Ethernet1/2). Note that you cannot enter the same name
in both fields.
Related Topics
NAT Policies on Cisco IOS Routers, page 23-5
NAT Page: Static Rules, page 23-6
NAT Page: Dynamic Rules, page 23-10
NAT Page: Timeouts, page 23-13
NAT Page: Static Rules
You define a static NAT rule by specifying a local address that must be translated, as well as the global
address to which it is translated. This is a static or fixed mapping—the local address is always translated
to the same global address.
You can define static NAT rules that translate the addresses of single hosts, as well as static rules that
translate multiple addresses in a subnet. When multiple local addresses must use the same global
address, you must define the necessary port redirection information, which defines a different port for
each local address using the global address.
Note We strongly recommend that you do not perform NAT on traffic that will be transmitted over a VPN.
On the inside-to-outside path the router translates addresses before it evaluates the crypto access list,
so translated packets no longer match the VPN's interesting-traffic definition and are forwarded in the
clear instead of being encrypted over the VPN.
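The following IOS configuration is an added example, not text from this guide, and shows what the Interface Specification tab and the three kinds of static rule described above deploy to a router. Interface names, descriptions and all addresses (RFC 5737 documentation ranges for the global side, 10.0.0.0/8 for the local side) are assumed for illustration.

```cisco
! --- Interface Specification: at least one Inside and one Outside interface ---
interface Ethernet1/1
 description LAN (NAT Inside)
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Ethernet1/2
 description WAN (NAT Outside)
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
! --- Static rule, single host ---
! 10.1.1.5 is always presented to the Outside as 203.0.113.5 (fixed mapping)
ip nat inside source static 10.1.1.5 203.0.113.5
!
! --- Static rules with port redirection ---
! Two local hosts share the single global address 203.0.113.6; the global
! port decides which local host receives the connection. "extendable" is
! required when one global address appears in more than one static entry.
ip nat inside source static tcp 10.1.1.10 80 203.0.113.6 8080 extendable
ip nat inside source static tcp 10.1.1.11 22 203.0.113.6 2222 extendable
!
! --- Static rule for an entire subnet ---
! Every host in 10.1.2.0/24 maps one-to-one onto the same host number in
! 192.0.2.0/24 (both networks must use the same prefix length)
ip nat inside source static network 10.1.2.0 192.0.2.0 /24
!
! --- Verification ---
! show ip nat translations      (static entries appear immediately, without traffic)
! show ip nat statistics        (confirms which interfaces are Inside/Outside)
```

The host and port entries use global addresses on the Outside interface's own subnet, so the router answers ARP for them itself; the subnet mapping uses a separate block (192.0.2.0/24 here), which the upstream router must route to this device. After deploying, check `show ip nat translations` to confirm that traffic destined for a VPN peer is not among the translated flows, which is the condition the Note above warns about.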
The procedure for creating a static rule depends on whether the address being translated represents a
port, a single host, or an entire subnet: