23-15
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 23 Configuring Network Address Translation
NAT Policies on Security Devices
The following topics describe configuring network address translation (NAT) options on managed
security appliances: PIX firewalls, Firewall Service Modules (FWSMs) on Catalyst switches,
pre-version-8.3 Adaptive Security Appliances (ASAs), and ASA 8.3+ devices. The topics are arranged
as follows:
NAT in Transparent Mode, page 23-15
Translation Options Page, page 23-15
PIX, FWSM, and pre-8.3 ASA
    Configuring NAT on PIX, FWSM, and pre-8.3 ASA Devices, page 23-17
    Address Pools, page 23-17
    Translation Rules: PIX, FWSM, and pre-8.3 ASA, page 23-18
ASA 8.3+
    Configuring NAT on ASA 8.3+ Devices, page 23-32
    Translation Rules: ASA 8.3+, page 23-32

NAT in Transparent Mode

Using NAT on a security appliance operating in transparent mode eliminates the need for upstream or
downstream routers to perform NAT for their networks. NAT in transparent mode has the following
requirements and limitations:
When the mapped addresses are not on the same network as the transparent firewall, you need to add
a static route for the mapped addresses on the upstream router that points to the downstream router
(through the security appliance).
If the real destination address is not directly connected to the security appliance, you also need to
add a static route on the security appliance for the real destination address that points to the
downstream router. Without NAT, traffic from the upstream router to the downstream router does not
need any routes on the security appliance because it uses the MAC address table. Using NAT,
however, causes the security appliance to use a route look-up instead of a MAC address look-up, so
it needs a static route to the downstream router.
Because the transparent firewall does not have any interface IP addresses, you cannot use interface
PAT.
ARP inspection is not supported. Moreover, if for some reason a host on one side of the security
appliance sends an ARP request to a host on the other side of the security appliance, and the
initiating host's real address is mapped to a different address on the same subnet, then the real address
remains visible in the ARP request.
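The two static routes described above, shown as an added configuration example that is not part of this guide. The topology and all addresses are constructed: the upstream router (192.168.1.1) and the downstream router (192.168.1.2) share one subnet bridged by the transparent appliance, the real network 10.1.1.0/24 sits behind the downstream router, and it is translated to the mapped range 203.0.113.0/24, which is not on the bridged subnet. The syntax is standard IOS and pre-8.3 ASA CLI; Security Manager generates equivalent commands from the NAT and static-route policies.

```cisco
! Constructed example; addresses and interface names are placeholders.
! Upstream router 192.168.1.1 -- [transparent ASA] -- downstream router 192.168.1.2
! Real network behind the downstream router: 10.1.1.0/24
! Mapped range (not on the bridged subnet):  203.0.113.0/24

! --- Upstream router (IOS) ---
! The mapped addresses are off-subnet, so the upstream router needs a static
! route for them that points at the downstream router. The transparent
! firewall is in that path but is not a routed hop.
ip route 203.0.113.0 255.255.255.0 192.168.1.2

! --- Transparent security appliance (ASA, pre-8.3 NAT syntax) ---
! The real destination 10.1.1.0/24 is not directly connected, and NAT makes
! the appliance do a route lookup instead of a MAC-table lookup, so it needs
! its own static route toward the downstream router.
route inside 10.1.1.0 255.255.255.0 192.168.1.2

! Translate the real network to the mapped range for traffic crossing from
! inside to outside (static: mapped address first, real address second).
static (inside,outside) 203.0.113.0 10.1.1.0 netmask 255.255.255.0
```

On an ASA 8.3+ device the translation itself would instead be expressed as object NAT (an `object network` holding `subnet 10.1.1.0 255.255.255.0` with `nat (inside,outside) static 203.0.113.0`), but the two static routes are required in the same way; omitting the route on the appliance is the usual cause of translated traffic silently failing in transparent mode, because nothing in the MAC address table tells the appliance where the real network lives.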

Translation Options Page

Use the Translation Options page to set options that affect network address translation for the selected
security appliance. These settings apply to all interfaces on the device.
Navigation Path
(Device view) Select NAT > Translation Options from the Device Policy selector.