23-41
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 23 Configuring Network Address Translation
NAT Policies on Security Devices
Refer to Add and Edit NAT Rule Dialog Boxes, page 23-35 for more information about defining
translation rules.
Round Robin Port Assignment
On version 8.4.2 and later ASA devices, you also can specify an alternate method of port assignment
during PAT processing. As mentioned earlier, PAT port numbers are assigned to a single IP address in
succession until the final port number is assigned, and then the process begins again with the next
available IP address in the pool.
However, a new parameter on 8.4.2 and later devices—Use Round Robin Allocation for PAT Pool—lets
you specify “round robin” cycling through available IP addresses and port numbers. This method assigns
an address/port combination using each successive address in the pool; it then uses the first address again
with a different port, proceeds to the second address again, and so on.
Further, the round-robin algorithm incorporates two additional principles it will attempt to adhere to
when assigning address/port combinations during PAT processing:
If a specific source-to-destination mapping already exists, the algorithm attempts to use the existing
translation for the new connection. If this is not possible (for example, when all ports for that IP
address have been exhausted), the algorithm proceeds with standard round-robin cycling.
If possible, the original source port number is used as the mapped port number. That is, if the port
number of the address/port combination to be translated is 4904, for example, and 4904 is available
with the next IP address in the PAT Pool, the translated address will be PAT_address/4904. Note that if
this is not possible (that port is not available with the next PAT address), the algorithm proceeds with
standard round-robin cycling.
Note: If you do not explicitly specify Round Robin Allocation, port-allocation cycling occurs as described for
pre-8.4.2 devices.
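As an added illustration of the allocation order described above (this is a model written for this guide, not Cisco's code or the ASA's actual implementation), the following Python class applies the two principles and then falls back to standard round-robin cycling. The pool addresses, the tiny per-address port range and the sample connections are constructed, and treating the "existing source-to-destination mapping" as a sticky mapped address per source/destination pair is an assumption.

```python
class RoundRobinPat:
    def __init__(self, pool, ports):
        self.pool = list(pool)    # PAT pool addresses, in configured order
        self.ports = list(ports)  # mapped ports available per address (constructed, tiny range)
        self.used = set()         # (mapped_addr, mapped_port) pairs already assigned
        self.sticky = {}          # (src_ip, dst_ip) -> mapped_addr of an existing translation
        self.cursor = 0           # index of the next pool address in the cycle

    def _free(self, addr, port):
        return port in self.ports and (addr, port) not in self.used
    def _grant(self, src_ip, dst_ip, addr, port):
        self.used.add((addr, port))
        self.sticky[(src_ip, dst_ip)] = addr
        return addr, port
    def _next_addr(self):
        addr = self.pool[self.cursor]
        self.cursor = (self.cursor + 1) % len(self.pool)
        return addr

    def allocate(self, src_ip, src_port, dst_ip):
        """Return (mapped_addr, mapped_port) for a new connection, or None if exhausted."""
        # Principle 1: reuse an existing source-to-destination mapping, original port first.
        addr = self.sticky.get((src_ip, dst_ip))
        if addr is not None:
            for port in [src_port] + self.ports:
                if self._free(addr, port):
                    return self._grant(src_ip, dst_ip, addr, port)
        # Principle 2: try the original source port on the next address in the pool.
        addr = self._next_addr()
        if self._free(addr, src_port):
            return self._grant(src_ip, dst_ip, addr, src_port)
        # Standard round-robin: first free port on this address, then on each successive one.
        for _ in range(len(self.pool)):
            for port in self.ports:
                if self._free(addr, port):
                    return self._grant(src_ip, dst_ip, addr, port)
            addr = self._next_addr()
        return None

def demo():
    """Constructed walkthrough: two pool addresses with two ports each (four translations)."""
    pat = RoundRobinPat(pool=["203.0.113.10", "203.0.113.11"], ports=[4904, 4905])
    return [
        pat.allocate("10.1.1.5", 4904, "198.51.100.1"),  # ('203.0.113.10', 4904): source port kept
        pat.allocate("10.1.1.6", 4904, "198.51.100.1"),  # ('203.0.113.11', 4904): next address, same port
        pat.allocate("10.1.1.5", 4905, "198.51.100.1"),  # ('203.0.113.10', 4905): existing mapping reused
        pat.allocate("10.1.1.5", 4904, "198.51.100.2"),  # ('203.0.113.11', 4905): 4904 taken, round-robin
        pat.allocate("10.1.1.5", 4906, "198.51.100.1"),  # None: sticky address and pool both exhausted
    ]
```

The final None shows the exhaustion case the text mentions: once every address/port combination in the pool is assigned, a new connection gets no translation, so pool sizing and connection-rate monitoring matter when Round Robin Allocation is enabled.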
Add or Edit Network/Host Dialog Box: NAT Tab
Use the NAT tab in any of the dialog boxes used to add or edit host, network, or address range objects
to create or update object NAT rules. This NAT configuration is used only for ASA 8.3+ devices; if you
use the object on any other type of device, the NAT configuration is ignored.
The NAT configuration is created as a device override and is not kept in the global object. Therefore,
you must select the Allow Value Override per Device option if you configure these NAT options. (This
option is selected automatically when you close the dialog box.)
This topic describes the fields on the NAT tab. For information about the fields on the General tab, see
Add or Edit Network/Host Dialog Box, page 6-77.
Navigation Path
Select the NAT tab on the Add or Edit Network/Host Dialog Box when creating or editing a host,
network, or address range object.
Related Topics
Chapter 23, “Configuring Network Address Translation”
Creating Networks/Hosts Objects, page 6-76
Understanding Networks/Hosts Objects, page 6-74
Specifying IP Addresses During Policy Definition, page 6-81
Policy Object Manager, page 6-4