23-30
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 23 Configuring Network Address Translation
NAT Policies on Security Devices
General Tab
Use the General tab of the Translation Rules page to view a summary of all translation rules defined for
the current device or shared policy. The translation rules are listed in the order that they will be evaluated
on the device.
Note The General tab is only visible for PIX, ASA and FWSM devices in router mode, and FWSM 3.2 devices
in transparent mode. Other devices in transparent mode support only static translation rules and do not
need to display summary information.
Navigation Path
You can access the General tab from the Translation Rules page. See Translation Rules: PIX, FWSM,
and pre-8.3 ASA, page 23-18 for more information.
Related Topics
Configuring NAT on PIX, FWSM, and pre-8.3 ASA Devices, page 23-17
Translation Exemptions (NAT 0 ACL), page 23-19
Dynamic Rules Tab, page 23-21
Policy Dynamic Rules Tab, page23-23
Static Rules Tab, page23-25
Timeout For PIX 6.x devices, enter a timeout value for this translation rule, in
the format hh:mm:ss. This value overrides the default translation
timeout specified in Platform > Security > Timeouts, unless this value
is 00:00:00, in which case translations matching this rule use the
default translation timeout (specified in Platform > Security >
Timeouts).
Randomize Sequence
Number
If checked, the security appliance randomizes the sequence numbers of
TCP packets. Each TCP connection has two Initial Sequence Numbers
(ISNs): one generated by the client and one generated by the server. The
security appliance randomizes the ISN of the TCP SYN in both the
inbound and outbound directions. Randomizing the ISN of the
protected host prevents an attacker from predicting the next ISN for a
new connection and potentially hijacking the new session.
Disable this feature only if:
Another in-line security appliance is also randomizing initial
sequence numbers and data is being scrambled.
You are using eBGP multi-hop through the security appliance, and
the eBGP peers are using MD5. Randomization breaks the MD5
checksum.
You are using a WAAS device which requires that the security
appliance not randomize the sequence numbers of connections.
Disabling this option opens a security hole in the security appliance.
Table23-12 Advanced NAT Options Dialog Box (Continued)
Element Description