23-10
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 23 Configuring Network Address Translation
NAT Policies on Cisco IOS Routers
the IP address for the inside device is one of the addresses from that second address pool, and it uses this
address when it communicates with the inside device. The router running NAT takes care of the
translations at this point.
To disable the translation of the address inside the payload, check the No Payload option when you
create a static NAT rule based on a global IP translation.
NAT Page: Dynamic Rules
Use the NAT Dynamic Rules tab of the router’s NAT page to manage dynamic address translation rules.
A dynamic address translation rule dynamically maps hosts to addresses, using either the IP address of
a specific interface (with dynamic port translation), or the addresses included in an address pool that are
globally unique in the destination network.
Defining Dynamic NAT Rules
You define a dynamic NAT rule by first selecting an access control list (ACL) whose rules specify the
traffic requiring translation.
Then, you must either select an interface with an IP address to which the addresses should be translated,
or define a pool of addresses to be used. You define the pool by specifying a range of addresses and
giving the range a unique name; you can specify multiple ranges. The router uses the available addresses
in the pool (those not used for static translations, or for its own WAN IP address) for connections to the
Internet or another outside network. When an address is no longer in use, it is returned to the address
pool to be dynamically assigned later to another device.
If the addressing requirements of your network exceed the available addresses in your dynamic NAT
pool, you can use the Port Address Translation (PAT) feature (also called Overloading) to associate many
private addresses with one or a small group of public IP addresses, using port addressing to make each
translation unique. With PAT enabled, the router chooses a unique port number for the IP address of each
outbound translation slot. This feature is useful if you cannot allocate enough unique IP addresses for
your outbound connections. Note that Port Address Translation does not occur until the address pool is
depleted.
Note By default, Security Manager does not perform NAT on traffic that is meant to be transmitted over a
VPN. Otherwise, any traffic appearing in both the NAT ACL and the crypto ACL defined on an interface
would be sent out unencrypted because NAT is always performed before encryption. However, you can
change this default setting.
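The following Cisco IOS configuration is added here as an illustration of the dynamic NAT rule described above; it is not output generated by Security Manager, and the interface names, ACL numbers, pool name and address ranges are constructed for the example. It shows the parts the page describes: an ACL that selects the traffic to translate, a named address pool with a range, the overload keyword that enables PAT once the pool is exhausted, and a deny entry placed ahead of the permit so that traffic matching the crypto ACL is excluded from translation and therefore still enters the VPN encrypted.

```cisco
! Constructed example: inside network 10.1.0.0/16, remote VPN site 10.2.0.0/16,
! public pool 203.0.113.10-203.0.113.20 (documentation range, not a real allocation).

! Crypto ACL: site-to-site traffic that must be encrypted.
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

! NAT ACL: deny the VPN traffic first so it is never translated
! (NAT runs before encryption; translated VPN traffic would no longer
! match the crypto ACL and would leave the interface in the clear).
access-list 101 deny   ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 101 permit ip 10.1.0.0 0.0.255.255 any

! Address pool: the range of globally unique addresses with a unique name.
ip nat pool OUTSIDE-POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0

! Dynamic rule: translate ACL 101 traffic using the pool; "overload"
! enables PAT on the pool addresses when no free pool address remains.
ip nat inside source list 101 pool OUTSIDE-POOL overload

! Alternative form of the rule: translate to the outside interface's own
! address with port translation instead of using a pool.
! ip nat inside source list 101 interface GigabitEthernet0/1 overload

! Inside/outside interface designation (the "Before You Begin" step).
interface GigabitEthernet0/0
 description Inside LAN
 ip address 10.1.1.1 255.255.0.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Outside / Internet
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
```

After applying a configuration of this shape, `show ip nat translations` lists the active pool and PAT entries, and the absence of 10.2.0.0/16 destinations in that table confirms the deny entry is keeping VPN-bound traffic untranslated.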
Tip You can perform PAT on split-tunneled traffic on the spokes of your VPN topology directly from the
Global VPN Settings page. There is no need to create a dynamic NAT rule for each spoke. Any NAT
rules that you define on an individual device override the VPN setting. For more information, see
Configuring VPN Global NAT Settings, page 25-38.
The Add Dynamic NAT Rule and Edit Static NAT Rule dialog boxes are used to add and edit these rules.
Refer to NAT Dynamic Rule Dialog Box, page 23-11 for descriptions of the fields displayed in the table
on this page.
Before You Begin
• Define the inside and outside interfaces used for NAT. See NAT Page: Interface Specification,
page 23-6.