23-46
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 23 Configuring Network Address Translation
NAT Policies on Security Devices
(Policy view) Select NAT (PIX/ASA/FWSM) > Per-Session NAT Rules from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click Translation Rules to create a new policy.
The Per-Session NAT Rules page is displayed.
Adding, Editing and Deleting Rules
To add a per-session NAT rule:
1. Select the rule under which the new rule is to be added. If you do not select a rule, the new rule is added to the end of the table by default.
2. Open the Add Per-Session NAT Rule dialog box: either click the Add Row button at the bottom of the table, or right-click anywhere in the table and choose Add Row from the pop-up menu.
3. Define the rule and then click OK to close the dialog box, adding the rule to the table.
See Add and Edit Per Session NAT Rule Dialog Boxes, page 23-46 for a complete description of the Add Per-Session NAT Rule dialog box.
To edit a per-session NAT rule:
1. Open the Edit Per-Session NAT Rule dialog box for the desired rule: either select the rule in the Per-Session NAT rules table and then click the Edit Row button at the bottom of the table, or simply right-click the desired rule entry and choose Edit Row from the pop-up menu.
2. Edit the rule and then click OK to close the dialog box.
See Add and Edit Per Session NAT Rule Dialog Boxes, page 23-46 for a complete description of the Edit Per-Session NAT Rule dialog box.
To delete a per-session NAT rule, select the rule in the table and click the Delete Row button at the bottom of the table, or simply right-click the desired rule entry and choose Delete Row from the pop-up menu.
Enabling and Disabling Rules
You can disable one or more consecutive rules without removing them from the table, as follows:
1. Select the rule(s) to be disabled. If selecting a contiguous block of rules, click the first and then Shift-click the last rule of the block.
2. Right-click a selected rule, and choose Disable from the pop-up menu.
Disabled rules are grayed-out in the table.
To re-enable one or more consecutive disabled rules, repeat this process, choosing Enable from the pop-up menu.
Add and Edit Per Session NAT Rule Dialog Boxes
By default, all TCP PAT traffic and all UDP DNS traffic uses per-session PAT. To use multi-session PAT for traffic, you can configure per-session PAT rules: a permit rule uses per-session PAT, and a deny rule uses multi-session PAT.
For more information about per-session vs. multi-session PAT, see Per-Session NAT Rules: ASA 9.0(1)+.
Defaults
By default, the following rules are installed:
Permit TCP from any (IPv4 and IPv6) to any (IPv4 and IPv6)