Using Management Center for Firewalls 1.2
Configuring Translation Rules

Table of Contents

Configuring Translation Rules
What's New
General Notes About Translation Rules
Important Notes About NAT Translation Rules
Important Notes About PAT Translation Rules
Important Notes About NAT 0 ACL Rules
Translating DNS Queries
Address Translation Types
Understanding NAT
Understanding PAT
Configuring Static Translation Rules
Configuring Dynamic Translation Rules
Configuring NAT 0 ACL Rules

Configuring Translation Rules


Address translation means that when a host starts an outbound connection, the IP addresses in the internal network are translated into global addresses. Address translation protects these addresses from visibility on the external network. Different types of address translation are used for this purpose.

  • Network Address Translation (NAT)—Provides a globally unique address for each outbound host session. The global addresses used for NAT come from a pool of addresses used specifically for address translation. NAT is used by a device (firewall, router, or computer) that sits between an internal network and the rest of the world. NAT has many forms and can work in several ways. NAT allows your network to have any IP addressing scheme, and the firewall devices protect these addresses from visibility on the external network. For more information, see:
  • Port Address Translation (PAT)—Uses a port in addition to an IP address, which provides a single, unique global address for up to 65,535 simultaneous outbound host sessions. The global address used for PAT can be one global address or the IP address of a given interface. Because PAT automatically assigns multiple sessions to the same registered IP address, fewer registered IP addresses are needed. For more information, see:
  • Translation Exception Rules (NAT 0 ACL)—Provides the capability to generate translation rules that abort all other address translation logic.

Another concept that relates to address translation is referred to as Bi-Directional NAT. Normal address translation allows an address at an interface with a higher security level to be translated to an address at an interface with a lower security level. With Bi-Directional NAT, you can now translate an address at an interface with a lower security level to an address at an interface with a higher security level.


Note   Bi-Directional NAT requires PIX OS version 6.2 or later.

Translation rules can be applied to the Global group, its subgroups, or individual devices. To access this feature, select Configuration > Translation Rules.

Firewall MC supports a feature that can create translation rules automatically as needed. This feature is called Identity Address Translation, which is also referred to as auto-NAT. Auto-NAT is exclusive to Firewall MC. Rules automatically created using this feature are not shown in Firewall MC translation rule tables. No corresponding command is supported in PIX OS versions to create auto-NAT translation rules. Auto-NAT is enabled by default. To disable this feature, select Configuration > MC Settings > Management.

Based on existing configuration information, Firewall MC defines the static rules or uses the No NAT option. No NAT lets a firewall device suspend the requirement that a traffic flow is allowed only if a corresponding translation entry exists in the configuration.

In other words, Firewall MC automatically creates translation rules for you if no NAT 0 ACL rule is defined. If a NAT 0 ACL is defined, Firewall MC disables any automatically created static identity NAT or rules using No NAT.

To help you understand more about address translation, additional topics are discussed:

What's New

  • Previous versions of Firewall MC supported dynamic NAT that translated addresses on an interface with a higher security level to addresses on an interface with a lower security level. Dynamic translation "hides" addresses on a network.

Dynamic NAT entries can now hide networks behind an interface with a lower security level from an interface with a higher security level by means of a pool on the interface with a higher security level. For example, a DMZ network can now be hidden from the inside interface by means of a pool on "inside."

  • Previous versions of Firewall MC supported static NAT and PAT that allowed network address translations for traffic flowing from an interface with a higher security level to an interface with a lower security level. Static translation "exposes" addresses on a network.

Static NAT and PAT can now expose networks behind an interface with a lower security level to a translated address on an interface with a higher security level. For example, an outside network can be translated into another network for the DMZ.

  • Previous versions of Firewall MC allowed traffic between the interface on which a rule is applied and an interface with a lower security level to be exempted from address translation. This is referred to as NAT 0 ACL.

A NAT 0 ACL can now exempt from address translation traffic between the interface on which it is applied and an interface with a higher security level.

General Notes About Translation Rules

  • Before you can designate translation rules for your network, you must define each host or server for which a rule applies.
  • Hosts cannot contact hosts on other interfaces unless static or dynamic NAT rules have been created.
  • We recommend that you define building blocks before you define translation rules, for example, network groups, services groups, and AAA server groups.
  • Before you can create dynamic rules, you must create an address translation pool. To do this, select Configuration > Building Blocks > Address Translation Pools.
  • Static address translation should not overlap with a global IP address pool on the same external interface. It causes the overlapping address to become unavailable for dynamic address translation.
  • A packet whose source is on the more secure (inside) interface destined for an intermediate interface (DMZ) must have a different translated address when it is outbound on a less secure (outside) interface. However, if one dynamic rule is deleted on either outbound interface, all outbound dynamic rules for translations originating on that interface are deleted.
  • Dynamic and static rules are defined at the group level and are intermingled on a best-match basis, but they can be edited only at the level at which they are defined.
  • Additional translation rules are created automatically as necessary when the Identity Address Translation Rules feature is enabled. These automatically created rules are not shown in the Translation Rules table. To enable the Identity Address Translation Rules feature, select Configuration > MC Settings > Management.

If you decide to use the Identity Address Translation Rules feature, you do not need to define NAT 0 ACL rules.

If you decide to define NAT 0 ACL rules and you previously enabled the Identity Address Translation Rules feature, the latter becomes disabled.

Important Notes About NAT Translation Rules

  • You must run NAT even if you have routable IP addresses on your secure networks (a unique feature of firewall devices). You can run NAT by translating the IP address to itself on the outside interface. You can also opt to use No NAT.
  • Hosts cannot contact hosts on other interfaces unless static or dynamic NAT rules have been created. You can achieve this by using Address Identity Translation, which is enabled by default.

Important Notes About PAT Translation Rules

  • Do not use with H.323 applications and caching nameservers.
  • Do not use when multimedia applications must be run through a firewall device. Multimedia applications can conflict with port associations provided by PAT.
  • Do not use with a DNS server on a higher-level security interface that requires updates from a root nameserver on an outside interface.
  • To use PAT with passive FTP, enable the strict FTP fixup and add an access-list command statement to permit outbound FTP traffic. See Configuring Basic Fixups.

Important Notes About NAT 0 ACL Rules

  • On import, if a service other than IP is specified in the ACE of a NAT 0 ACL, a warning results. The service is automatically changed to IP. No user intervention is required.
  • A PIX Firewall always interprets the service of NAT 0 ACL as IP. As a result, you are not prompted for a service when you are configuring a NAT 0 ACL.
  • Additional translation rules are created automatically as necessary when the Identity Address Translation Rules feature is enabled. These automatically created rules are not shown in the Translation Rules table. To enable the Identity Address Translation Rules feature, select Configuration > MC Settings > Management.
  • If you decide to use the Identity Address Translation Rules feature, you do not need to define NAT 0 ACL rules.
  • If you decide to define NAT 0 ACL rules and you previously enabled the Identity Address Translation Rules feature, the latter becomes disabled.
  • NAT 0 ACL rules are listed sequentially and are applied in the order in which they appear in the NAT 0 ACL Rule table.

Translating DNS Queries

Perhaps your network uses a DNS server to provide an address for a requested hostname. If NAT translations are used between where the server is located and where you are, the address that the server provides will not be the correct one. The PIX Firewall can process the DNS reply packets and correct the DNS reply packet data, as well as perform regular packet address translation. To enable this feature, click the Translate DNS Replies check box when you are configuring a dynamic translation rule. For more information, see Adding or Editing a Dynamic Translation Rule.


Caution   If you expose your internal DNS servers using a static NAT rule, you do not benefit from the address-hiding feature provided by translation rules. External users can simply request information about your trusted networks from the DNS servers that you expose.
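As an added example (not Firewall MC or PIX code), the following Python shows what the Translate DNS Replies option does to a reply in flight: an A record carrying an address on one side of a static rule is rewritten to the address the querying side must use, and nothing else in the packet changes. The rule uses the page's own example pair (192.168.32.10 exposed as 213.18.123.110); the sample reply is constructed here without name compression.

```python
import struct

# Static one-to-one rule from the page's example: inside 192.168.32.10 is
# exposed as 213.18.123.110 on the outside interface.
STATIC_RULES = {"192.168.32.10": "213.18.123.110"}


def encode_name(name):
    """Encode a dotted hostname as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def pack_ipv4(addr):
    return bytes(int(octet) for octet in addr.split("."))


def unpack_ipv4(raw):
    return ".".join(str(b) for b in raw)


def build_a_reply(qname, addr, txid=0x1234, ttl=300):
    """Constructed sample: a DNS reply with one question and one IN A answer."""
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, NOERROR
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answer = encode_name(qname) + struct.pack("!HHIH", 1, 1, ttl, 4) + pack_ipv4(addr)
    return header + question + answer


def skip_name(buf, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def iter_a_records(buf):
    """Yield (rdata_offset, address) for every IN A record in the reply."""
    _txid, _flags, qdcount, ancount, nscount, arcount = struct.unpack_from("!6H", buf, 0)
    off = 12
    for _ in range(qdcount):
        off = skip_name(buf, off) + 4  # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off, unpack_ipv4(buf[off:off + 4])
        off += rdlen


def translate_dns_reply(reply, mapping):
    """Rewrite A-record data per mapping; return (new_reply, records_rewritten).

    Only RDATA changes, so names, TTLs and counts stay byte-identical and the
    packet length is unchanged, as with the firewall's in-place fixup.
    """
    buf = bytearray(reply)
    rewritten = 0
    for off, addr in iter_a_records(buf):
        if addr in mapping:
            buf[off:off + 4] = pack_ipv4(mapping[addr])
            rewritten += 1
    return bytes(buf), rewritten


def a_record_addresses(reply):
    return [addr for _off, addr in iter_a_records(reply)]


if __name__ == "__main__":
    # Outbound: an inside DNS server answers an outside client through the rule.
    reply = build_a_reply("www.example.com", "192.168.32.10")
    fixed, count = translate_dns_reply(reply, STATIC_RULES)
    print(count, a_record_addresses(fixed))
    # Inbound: an outside server's answer is mapped back for an inside client.
    inbound = {glob: local for local, glob in STATIC_RULES.items()}
    print(a_record_addresses(translate_dns_reply(fixed, inbound)[0]))
```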

Address Translation Types

Table 12-1 shows the different address translation types.

Table 12-1   Address Translation Types

Address Translation Type  Description 

Inside dynamic NAT

Translates between host addresses on more secure interfaces and a range or pool of IP addresses on a less secure interface. This provides a one-to-one mapping between internal and external addresses that allows internal users to share registered IP addresses and hides internal addresses from view on the public Internet.

Inside dynamic PAT

Translates between host addresses on more secure interfaces and a single address on a less secure interface. This provides a many-to-one mapping between internal and external addresses. This allows internal users to share a single registered IP address and hides internal addresses from view on the public Internet. PAT is supported for fewer applications than is NAT.

Inside static NAT

Provides a permanent, one-to-one mapping between an IP address on a more secure interface and an IP address on a less secure interface. This allows hosts to access the inside host from the public Internet without exposing the actual IP address.

Outside dynamic NAT

Translates between a host address on a less secure interface and a range or pool of IP addresses on a more secure interface. This provides a one-to-one mapping between an external and an internal address. This is most useful for controlling the addresses that appear on inside interfaces of the PIX Firewall and for connecting private networks with overlapping addresses.

Outside dynamic PAT

Translates between host addresses on less secure interfaces and a single address on a more secure interface. This provides a many-to-one mapping between external addresses and an internal address.

Outside static NAT

Provides a permanent, one-to-one mapping between an IP address on a less secure interface and an IP address on a more secure interface.

Understanding NAT

Topics for discussion include:

Understanding Static NAT

Static NAT refers to one-to-one address translation between a set of addresses on an interface with a higher security level and a set of addresses on an interface with a lower security level. The inside interface is the highest security interface, and the outside interface is the lowest security interface. The purpose of static NAT is to enable a host on an interface with a lower security level to have an address to which to send packets directed for a host attached to an interface with a higher security level. The address at the interface with a higher security level is hidden from the interface with a lower security level, as shown in Figure 12-1.


Figure 12-1   Static NAT


Static address translation does not vary over time. In static NAT, the computer with the IP address 192.168.32.10 will always translate to 213.18.123.110.

For inbound access to internal local hosts, you should use static NAT rules. A static NAT rule assigns an external IP address to the internal IP address of a specific internal host. An internal IP address can be assigned to different external addresses on different interfaces.

For example, when the firewall device receives a session request in which the source address matches the IP address of the internal fileserver, it changes the source address to the external IP address. It then places the packet onto the network of which the external address is a member.

Alternatively, when the firewall device receives a network packet destined for a translated address, it changes the destination address to the address of the internal fileserver. It then places the new packet onto the network to which the internal fileserver belongs. Thus, the internal fileserver processes the packet as though it were originally destined for the fileserver.

In both cases, all packets that are part of a valid session are remapped according to the translation rule (assuming that the active security policy permits the communication). If the active security policy does not permit a specific communication, the session request is rejected and the translation never occurs.


Caution   If you expose your internal DNS servers using a static NAT rule, you do not benefit from the address-hiding feature provided by translation rules. External users can simply request information about your trusted networks from the DNS servers that you expose.

Understanding Dynamic NAT

Every computer connected to your network must have a globally unique transport address that can be identified by both the routers in your ISP network, and those routers comprising the Internet backbone. If the IP addresses are not unique, these routers cannot route network packets. Users who have duplicate IP addresses cannot be reached and cannot establish application sessions.

Dynamic NAT translates between the IP addresses used in an intranet or other private network (called a subdomain) and unique Internet IP addresses (or external IP addresses on a firewall device). Thus, you can use a large number of addresses within the subdomain without depleting the limited number of available Internet IP addresses.

Dynamic NAT temporarily reassigns a registered IP address to an internal computer that requests services through the Internet (or another external network). The address-hiding translator acts as a buffer between the global Internet and the local IP networks called subnets. The internal subnets require IP addresses that are unique to that subnet level. When a computer on a subnet sends traffic through the Internet (thus traveling through the firewall device), the translator strips the internal IP address from the network packets and replaces the address with a unique external address that is registered and assigned to that subnet or site.

Dynamic NAT is useful for establishing outbound network connections from an interface with a higher security level to an interface with a lower security level.

Dynamic NAT has a many-to-one relationship, in that addresses are mapped to other addresses using a pool. The address at the interface with a higher security level is hidden from the interface with a lower security level.

In dynamic NAT, the computer with the IP address of 192.168.32.10 will translate to the first available address in the range from 213.18.123.100 to 213.18.123.150, as shown in Figure 12-2.


Figure 12-2   Dynamic NAT IP Address Conversion


The address-hiding translator often contains a pool of external IP addresses, which enables more than one internal computer to connect to the Internet at the same time. The pool contains those IP addresses that are registered with the American Registry for Internet Numbers (ARIN). When you allocate IP addresses for your subnets, you must verify that those addresses do not conflict with the external IP addresses. Doing so ensures that the external IP addresses remain unique, enabling the address-hiding translator to distinguish among computers.

When a network packet is routed across the firewall device, the address-hiding translator replaces the internal corporate address with a temporary external address. After a session ends (or the timeout value is exceeded), the external address is returned to the pool and reassigned during a new session request.

Dynamic NAT provides the following benefits:

  • Enhances network security by hiding your network's internal structure from external users and enables you to logically group your users according to security domains.
  • Permits an almost unlimited number of users for one Class C network address because valid external addresses are required only when a user is connected to the Internet.
  • Permits you to retain the IP address of each computer on your internal subnets without replacing each with a registered IP address from the Internet Network Information Center, also known as ARIN.

Understanding Bi-Directional NAT

Bi-Directional NAT refers to the ability to perform network address translations for traffic flowing from an interface with a higher security level to an interface with a lower security level and from an interface with a lower security level to an interface with a higher security level. To configure Bi-Directional NAT, you define a translation rule and identify the outside interface as the original interface.

Bi-Directional NAT defined as a static translation has a one-to-one relationship, in that an address is mapped to another address, but the address at the interface with a lower security level is hidden from the interface with a higher security level.

Bi-Directional NAT defined as a dynamic translation has a many-to-one relationship, in that an address is mapped to another address based on which address in the pool is available, but the address at the interface with a lower security level is hidden from the interface with a higher security level.

With the introduction of PIX OS version 6.3, the alias command has been deprecated. The alias command was used to translate one address into another to prevent conflicts when you had IP addresses on a network that were the same as those on the Internet or another intranet. The command was also used to do address translation on a destination address.

As a workaround, you can convert existing alias commands to static Bi-Directional NAT or PAT commands.

For more information, see the procedure for Adding or Editing a Static Translation Rule.

Understanding PAT

Topics for discussion include:

Understanding Static PAT

Static PAT refers to one or more one-to-one address translations between a set of sockets on an interface with a higher security level and a set of sockets on an interface with a lower security level. A socket is a protocol and port pair. (For example, the socket for SMTP mail is TCP port 25.) The purpose of static PAT is to enable a host on an interface with a lower security level to have a socket to which to send packets directed for a host attached to an interface with a higher security level.

Static PAT is an "exposed service." An exposed service is a rule that gives external users access to one of your internal network servers. This rule maps an external IP address that is assigned to an interface in a firewall device to an IP address that is assigned to the internal network server. You can define an exposed service rule on a per-IP address and per-network service basis. In this case, the network service only specifies its transport layer protocol (TCP or UDP) and the port on which it listens.

Understanding Dynamic PAT

Dynamic PAT refers to a many-to-one address translation, whereby many addresses are hidden behind one address that specifies a port.

PAT uses unique source port numbers on the inside global IP address to distinguish between translations. Because the port number is encoded in 16 bits, the total number of translations could theoretically be as high as 65,535 per IP address. PAT tries to preserve the original source port. If the source port is already allocated, PAT tries to find the first available port number, starting from the beginning of the appropriate port group 0-511, 512-1023, or 1024-65535. If there is still no port available from the appropriate group and more than one IP address is configured, PAT moves to the next IP address and tries to allocate the original source port again. The process continues until available ports and IP addresses run out.

Dynamic PAT is similar to dynamic NAT except that only a single address is used on the lower security interface. Every outbound connection from a host on a higher security interface to a host on a lower security interface is handled by mapping the source socket (protocol and port pair) of the host that establishes the session to the next available socket, in ascending port order, on the single address of the lower security interface.

Dynamic PAT is useful for establishing outbound network connections from an interface with a higher security level to an interface with a lower security level only. The address at the interface with a higher security level is hidden from the interface with a lower security level.
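As an added example (not Firewall MC or PIX code), the following Python simulates the port-allocation order described above: keep the original source port if it is free, otherwise take the first free port counting up from the start of the same group (0-511, 512-1023, 1024-65535), and only when that group is exhausted move to the next configured global address. The port groups are the page's; the class, method names and sample addresses are assumptions made for the example.

```python
PORT_GROUPS = ((0, 511), (512, 1023), (1024, 65535))


def port_group(port):
    """Return the (low, high) bounds of the group a source port belongs to."""
    for low, high in PORT_GROUPS:
        if low <= port <= high:
            return low, high
    raise ValueError(f"port out of range: {port}")


class PatAllocator:
    """Allocates (global address, global port) sockets for outbound sessions."""

    def __init__(self, global_addrs):
        self.global_addrs = list(global_addrs)  # tried in configured order
        self.in_use = {}   # (proto, global_addr) -> set of allocated ports
        self.xlate = {}    # (proto, local_addr, local_port) -> (global_addr, global_port)

    def _taken(self, proto, gaddr):
        return self.in_use.setdefault((proto, gaddr), set())

    def allocate(self, proto, local_addr, local_port):
        """Return the global socket for a session, or None when everything is used."""
        key = (proto, local_addr, local_port)
        if key in self.xlate:
            return self.xlate[key]             # an existing translation is reused
        low, high = port_group(local_port)
        for gaddr in self.global_addrs:
            taken = self._taken(proto, gaddr)
            if local_port not in taken:
                chosen = local_port            # step 1: preserve the original port
            else:
                # step 2: first free port, counting up from the start of the group
                chosen = next((p for p in range(low, high + 1) if p not in taken), None)
            if chosen is not None:
                taken.add(chosen)
                self.xlate[key] = (gaddr, chosen)
                return self.xlate[key]
            # step 3: this address has no port left in the group; try the next one
        return None                            # ports and addresses exhausted

    def release(self, proto, local_addr, local_port):
        """Return the global socket to the free pool when the session ends."""
        gaddr, gport = self.xlate.pop((proto, local_addr, local_port))
        self._taken(proto, gaddr).discard(gport)
        return gaddr, gport


if __name__ == "__main__":
    # Two inside hosts (constructed) using the same source port behind one
    # global address: the second one cannot keep port 40000 and gets 1024.
    pat = PatAllocator(["213.18.123.100", "213.18.123.101"])
    print(pat.allocate("tcp", "192.168.32.10", 40000))
    print(pat.allocate("tcp", "192.168.32.11", 40000))
```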


Note   An IP address that you specify for a port address cannot be used in another global address pool.

Each computer on the private network is translated to the same IP address (213.18.123.100) but with a different port number assignment, as shown in Figure 12-3.


Figure 12-3   PAT IP Address Conversion



Note   Because PAT requires port information, only TCP, UDP, and ICMP echo/echo-reply operate with PAT.

Understanding Dual PAT

Regular dynamic PAT translates between host addresses on interfaces with a higher security level and a single address on an interface with a lower security level. This provides a many-to-one mapping between internal and external addresses. This allows internal users to share a single registered IP address and hides internal addresses from view on the public Internet. PAT is supported for fewer applications than is NAT.

Dual dynamic PAT translates between host addresses on interfaces with a lower security level and a single address on an interface with a higher security level. This provides a many-to-one mapping between external addresses and an internal address.

Regular static PAT translates between a host address on an interface with a higher security level and a single address on a lower security level that specifies an address and port. This provides a one-to-one mapping between an internal and external address and hides the internal address from view on the more secure interface.

Dual static PAT translates between a host address on an interface with a lower security level and a single address on an interface with a higher security level. This provides a one-to-one mapping between an internal and external address and hides the internal address from view on the less secure interface.

Configuring Static Translation Rules

A static translation is a bi-directional one-to-one address mapping rule that gives external users access to one of your internal network hosts. Static translation rules apply to all forms of IP traffic, which means they do not limit access to the host based on a specific network service. A static rule maps an external IP address that is assigned to a network interface in the firewall device to an IP address that is assigned to the internal network host.

The internal IP addresses are assigned permanently to a global IP address. These rules assign a host address on an interface with a lower security level to a global address on an interface with a higher security level. The actual address of the server is hidden from users on the less secure interface, making casual access by unauthorized users less likely. As an example, you can use a static rule to assign the local address of a web server (on a perimeter network) to a global address (on the outside interface) that hosts use to access the web server.

Unlike NAT or PAT, static address translation requires a dedicated address on the outside network for each host, so it does not save registered IP addresses.

Topics for discussion include:

Adding or Editing a Static Translation Rule

Before You Begin

Recommended but not required: Define a network object identifying each host or server for which a rule applies. See Defining Network Objects.


Step 1   Select Configuration > Translation Rules > Static Translation Rules.

The Static Translation Rules page appears.

Step 2   Using the object selector, select the scope to identify the device or device groups to which the rules will apply.


Note    The Object bar displays the last scope that was selected under the Configuration tab.

Step 3   Do one of the following:

  • To add a row in the table, click Add.

The Enter Static Translation Rule page appears.

  • To edit a row, select the check box for the row, then click Edit.

The Enter Static Translation Rule page appears.

Step 4   Select the original interface from the list. The list contains all interfaces defined at the current scope.

Step 5   Enter the original address or click Select, which opens a window to display a list of defined objects.

a. Select the available object(s), then click Select =>.

The objects are moved to the Selected Objects column.

b. Click OK.

You are returned to the Enter Static Translation Rule page.

Step 6   To select the protocol, click the respective radio button.

Step 7   Enter the original port.


Note    If you selected IP as your protocol, leave the original port blank.

Step 8   Select the translated interface from the list. The list contains all interfaces defined at the current scope.

Step 9   Enter the translated address or click Select, which opens a window to display a list of defined objects.

a. Select the available object, then click Select =>.


Note    One translated address only is allowed.

The object is moved to the Selected Objects column.

b. Click OK.

You are returned to the Enter Static Translation Rule page.

Step 10   Enter the translated port.

Step 11   Select the Translate DNS Replies check box to include a translated DNS address in the reply packet.

Step 12   Verify that you want the Randomize Sequence Numbers check box selected.

Step 13   Enter the number of embryonic connections (connections that have been started but not established, for example, a three-way handshake in progress). This number is the number of connection attempts allowed before a firewall device denies connections (0 = unlimited connections).


Note    We recommend setting the value to a lower number.

Step 14   Enter the maximum number of connections that are allowed to connect to statically translated IP addresses. Values are 0-65,535 (0 = unlimited connections).

Step 15   Click Next.

The static translation rules summary page appears.

Step 16   Verify the information is correct, then click Finish.

Changes are applied to the assigned firewall device configuration files when they are generated. The configuration files are then downloaded to the firewall devices at deployment.


Note    Settings enabled during the configuration process are displayed as true in the wizard summary page.

Static Translation Rules Field-Level Elements and Descriptions

Element  Description 

Original interface

Interface from which outside traffic is received. Highest-level security traffic.

Original address

Source network object (see note 1) name or IP address of host. One element only is permitted.

Note If you are using a wizard, you can click Select to open a popup window from which to make your selection.

Original port

Original port used.

Note No port is used for IP.

Translated interface

Interface used for outgoing traffic.

Translated address

Translated network object (see note 1) name or IP address of host. One element only is permitted.

Note If you are using a wizard, you can click Select to open a popup window from which to make your selection.

Translated port

Translated port used.

Scope

Level at which translation rule is defined, for example, Global.

Protocol

Options are:

  • TCP
  • UDP
  • IP

Note If you select IP as your protocol, the Port column is blank when you view the Static Translation Rules table.

Translate DNS Replies check box

Enables translation of DNS reply packets. See Translating DNS Queries.

Randomize sequence numbers check box

Randomizes the initial sequence numbers of TCP connections to protect inside hosts from attacks that predict sequence numbers. When enabled, the setting is displayed as true on the summary page.

Note Disable this feature only if another inline firewall is also randomizing sequence numbers and the result is scrambling the data.

Embryonic connections

Number of embryonic connections (see note 2) allowed before firewall device denies connections. Protects inside systems from a denial-of-service attack caused by flooding an interface with TCP SYN packets.

Values are 0-65,535 (0 = unlimited connections).

Note We recommend setting the value to a lower number.

Max connections

Maximum number of connections that are allowed to connect to statically translated IP addresses. Values are 0-65,535. Default is 0 (0 = unlimited connections).

1. Network objects are defined in Building Blocks. Select Configuration > Building Blocks > Network Objects. See the "Defining Network Objects" section.

2. An embryonic connection is a connection that has been started but not established, for example, a three-way TCP handshake in progress.

Deleting a Static Translation Rule


Step 1   Select Configuration > Translation Rules > Static Translation Rule.

The Static Translation Rules page appears.

Step 2   Select the check box for the row in the table, then click Delete.

You are prompted to confirm the delete request.

Step 3   Click OK.

The selected rule is removed from the table, and the information is removed from the assigned firewall device configuration files when they are deployed.


Configuring Dynamic Translation Rules

Dynamic translation rules translate internal IP addresses dynamically using IP addresses from a pool of global addresses or, in the case of PAT, a single address. These rules translate host addresses on a higher security-level interface to addresses selected from a pool of addresses for traffic sent to a lower security-level interface. Dynamic translations are often used to map local RFC 1918 IP addresses to addresses that can be routed through the Internet.

Topics for discussion include:

Adding or Editing a Dynamic Translation Rule

Before You Begin

Define a network object identifying each host or server for which the rule applies.


Step 1   Select Configuration > Translation Rules > Dynamic Translation Rules.

The Dynamic Translation Rules page appears.

Step 2   Using the object selector, select the scope (if not already selected) to identify the device or device groups to which the rules will apply.


Note    The Object bar displays the last scope that was selected under the Configuration tab.

Step 3   Do one of the following:

  • To add a row in the table, click Add.

The Enter Dynamic Translation Rule page appears.

  • To edit a row in the table, select the check box for the row, then click Edit.

The Enter Dynamic Translation Rule page appears.

Step 4   From the Enter Dynamic Translation Rule page, select the original interface from the list.

Step 5   Enter the original address or click Select, which opens a window to display a list of defined objects.

a. Select the available object, then click Select =>.

The object is moved to the Selected Objects column.

b. Click OK.

You are returned to the Enter Dynamic Translation Rule page.

Step 6   Select the address pool that defines the available addresses to use for translation from the list. You can select No NAT to define an identity translation rule.


Note    Address pools are user-defined. If you have not already done so, you can define an address pool by selecting Configuration > Building Blocks > Address Translation Pool.

Step 7   Select the Translate DNS Replies check box to include a translated DNS address in the reply packet.

Step 8   Verify that the Randomize Sequence Numbers check box is selected, unless you specifically need it disabled.

Step 9   Enter the embryonic connection limit: the number of half-open connections (for example, TCP connections whose three-way handshake has not completed) allowed before the firewall device denies further connection attempts (0 = unlimited connections).


Note    We recommend setting the value to a lower number.

Step 10   Enter the maximum number of connections that are allowed to connect to dynamically translated IP addresses. Values are 0-65,535 (0 = unlimited connections).

Step 11   Select the traffic direction.

Step 12   Click Next.

The dynamic translation rules summary page appears.

Step 13   Verify the information is correct, then click Finish.

Changes are applied to the assigned firewall device configuration files when they are generated. The configuration files are then downloaded to the firewall devices at deployment.


Note    Settings enabled during the configuration process are displayed as true in the wizard summary page.





Dynamic Translation Rules Field-Level Elements and Descriptions

Element  Description 

Original interface

Interface on which the traffic to be translated is received; this is the higher security-level side of the translation. Options are:

  • Inside—Connects to your internal network.
  • Outside—Connects to an external network or public Internet.

Original address

Address, or network object, identifying the hosts whose addresses are translated by NAT.

If you are using a wizard, you can click Select to open a popup window from which to make your selection.

Translated pool

Pool of addresses into which the original address is translated.

Scope

Scope (level) at which rule is defined, for example, Global.

Address pool

Displays list of address pools from which you make your selection. The address pool defines the addresses to use for translating the original address.

Note You can select No NAT to define an identity translation rule.

Translate DNS Replies check box

Enables translation of DNS reply packets. See Translating DNS Queries.

Randomize sequence numbers check box

When selected, the firewall device randomizes the sequence numbers of TCP packets; the setting is shown as true when you view the summary page.

When deselected, the sequence numbers of TCP packets remain unchanged; the setting is shown as false when you view the summary page.

Note Disable this feature only if another inline firewall is also randomizing sequence numbers and the result is scrambling the data.

Embryonic connections

Number of embryonic connections1 allowed before the firewall device denies connections. Protects inside systems from a denial of service attack perpetrated by flooding an interface with TCP SYN packets.

Values are 0-65,535 (0 = unlimited connections).

Note We recommend setting the value to a lower number.

Max connections

Maximum number of connections that are allowed to connect to dynamically translated IP addresses. Values are 0-65,535. Default is 0 (0 = unlimited).

A connection that has been started but not yet established, for example, a TCP connection whose three-way handshake has not completed.

Deleting a Dynamic Translation Rule


Step 1   Select Configuration > Translation Rules > Dynamic Translation Rules.

The Dynamic Translation Rules page appears.

Step 2   Select the check box for the row in the table, then click Delete.

You are prompted to confirm the delete request.

Step 3   Click OK.

The selected rule is removed from the table, and the information is removed from the assigned firewall device configuration files when they are deployed.





Configuring NAT 0 ACL Rules

Firewall MC can generate translation rules that bypass all other address translation logic. This feature is referred to as Translation Exception Rules, also known as NAT 0 ACL. To access this feature, select Configuration > Translation Rules > Translation Exception Rules (NAT 0 ACL).

No translation table entries are created in the session table of the PIX Firewall if the packet matches the NAT 0 ACL defined in Firewall MC for the incoming or outgoing interfaces.

The relative evaluation order of the address translation rules depends on the direction of the traffic (from an interface with a higher security level to an interface with a lower security level or from an interface with a lower security level to an interface with a higher security level) and whether the NAT 0 ACL is applied for the outbound or inbound traffic. In general, NAT 0 ACL is evaluated before static entries and NAT entries; static address translations are evaluated before NAT entries.

Firewall MC generates only ACLs that limit traffic flowing in through an interface, so it only needs to concern itself with translating the destination addresses when going between Firewall MC rules and PIX Firewall ACEs. For destination addresses, the NAT 0 ACL always takes precedence over static entries.

With Bi-Directional NAT support, the NAT 0 ACL command is also available with the outside keyword. In this variation, the NAT 0 ACL applied to a particular interface waives address translation for any traffic originating from higher security interfaces.

Although NAT 0 ACL is grouped as a translation rule in the Firewall MC GUI, it does not translate. NAT 0 ACL uses ACLs to identify what traffic should be exempt from any other translation rules.
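The evaluation order described above, modelled as an added Python example (this is not Firewall MC or PIX Firewall code): the NAT 0 ACL is checked first, with a "permit" entry meaning Do not translate and a "deny" entry meaning Translate, then static translations, then the dynamic pool. All addresses and rules are constructed sample values, and the handling of an exhausted pool is an assumption about what a translation failure looks like.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass
class Nat0Ace:
    """One NAT 0 ACL entry: "permit" = Do not translate, "deny" = Translate."""
    action: str
    src: IPv4Network
    dst: IPv4Network


@dataclass
class Translator:
    nat0: list                 # NAT 0 ACL entries, first match wins
    statics: dict              # local IPv4Address -> global IPv4Address
    pool_net: IPv4Network      # local addresses covered by the dynamic rule
    pool: list                 # unused global addresses in the translation pool
    xlates: dict = field(default_factory=dict)  # live dynamic translations

    def translate_source(self, src, dst):
        """Return (translated source, rule kind) for one outbound packet."""
        src, dst = ip_address(src), ip_address(dst)
        # 1. NAT 0 ACL is evaluated before static and NAT entries.
        for ace in self.nat0:
            if src in ace.src and dst in ace.dst:
                if ace.action == "permit":
                    return str(src), "nat0"  # exempt: no xlate entry is created
                break                        # "deny": fall through to other rules
        # 2. Static translations are evaluated before dynamic NAT entries.
        if src in self.statics:
            return str(self.statics[src]), "static"
        # 3. Dynamic NAT: reuse the existing xlate or take the next pool address.
        if src in self.pool_net:
            if src not in self.xlates:
                if not self.pool:
                    return None, "pool-exhausted"  # assumed: no address left, drop
                self.xlates[src] = self.pool.pop(0)
            return str(self.xlates[src]), "dynamic"
        return None, "no-rule"


def build_example():
    """Constructed sample rule set (RFC 1918 and RFC 5737 addresses, not real)."""
    return Translator(
        nat0=[Nat0Ace("deny", ip_network("10.1.1.30/32"), ip_network("10.2.2.0/24")),
              Nat0Ace("permit", ip_network("10.1.1.0/24"), ip_network("10.2.2.0/24"))],
        statics={ip_address("10.1.1.10"): ip_address("192.0.2.10")},
        pool_net=ip_network("10.1.1.0/24"),
        pool=[ip_address("192.0.2.100"), ip_address("192.0.2.101")],
    )
```

Because the "permit" entry is checked first, a host that also has a static translation keeps its real address towards 10.2.2.0/24 but is statically translated everywhere else, which is the precedence the text describes.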

Figure 12-4 through Figure 12-7 show the relative evaluation order applied to NAT 0 with ACLs.

  • Figure 12-4—Flow diagram of the source address translation for NAT 0 ACL. NAT 0 ACL applied on the source interface exempts the source address of an incoming packet from being translated.
  • Figure 12-5—Flow diagram of the destination address translation for NAT 0 ACL. NAT 0 ACL exposes a hidden host.
  • Figure 12-6—Flow diagram of the source address translation for NAT 0 ACL outside. NAT 0 ACL applied on the source interface exempts the source address of an incoming packet from being translated.
  • Figure 12-7—Flow diagram of the destination address translation for NAT 0 ACL outside. NAT 0 ACL exposes a hidden host.

Figure 12-4   NAT 0 ACL Packet Processing Order on Source Address Translation



Figure 12-5   NAT 0 ACL Packet Processing Order on Destination Address Translation



Figure 12-6   NAT 0 ACL Outside Packet Process Order on Source Address Translation



Figure 12-7   NAT 0 ACL Outside Packet Process Order on Destination Address Translation


Inserting or Editing a NAT 0 ACL Rule


Note   If you previously enabled the Identity Address Translation Rules feature, also called auto-identity NAT, and you are now using NAT 0 ACL rules, the auto-identity NAT feature is automatically disabled.


Step 1   Select Configuration > Translation Rules > Translation Exception Rules (NAT 0 ACL) > [Mandatory or Default] (for example, Configuration > Translation Rules > Translation Exception Rules (NAT 0 ACL) > Mandatory).

The respective Translation Exception Rules (NAT 0 ACL) page appears.

Step 2   Using the object selector, select the scope (if not already selected) to identify the device or device groups to which the rules apply.


Note    The Object bar displays the last scope that was selected under the Configuration tab.

Step 3   Do one of the following:

  • To add a row in the table, click Add.

The NAT 0 ACL popup window opens.

  • To paste a row that has been cut or copied to the clipboard, select the row after which the new row should be added, then click Paste.
  • To edit a row, select the check box for the row, then click Edit.

The NAT 0 ACL popup window opens.

  • To view all NAT 0 rule tables (mandatory and default) from Global down to the current scope, click View All.

A page appears from which you can print the tables.

Step 4   Verify the Enable rule check box is selected.

Step 5   Select the action.

  • Do not translate—Traffic is exempt from all other translation rules. Equates to "permit."
  • Translate—Traffic is not exempt from the other translation rules. Equates to "deny."

Step 6   Enter the source address(es) or click Select to open a window that displays a list of defined objects.

  • Select the available object(s), then click Select =>.

The objects are moved to the Selected Objects column.

  • Click OK.

You are returned to the NAT 0 ACL popup window.

Step 7   Enter the destination address(es) or click Select to open a window that displays a list of defined objects.

  • Select the available object(s), then click Select =>.

The objects are moved to the Selected Objects column.

  • Click OK.

You are returned to the NAT 0 ACL popup window.

Step 8   Select the source interface from the list. The list displays all interfaces defined at the current scope.

Step 9   Select the traffic direction.

  • Outbound—Packets entering on an interface with a higher security level and leaving on an interface with a lower security level.
  • Inbound—Packets entering on an interface with a lower security level and leaving on an interface with a higher security level.

Step 10   Enter an optional description.

Step 11   Click OK.

Changes are applied to the assigned firewall device configuration files when they are generated. The configuration files are then downloaded to the firewall devices at deployment.





NAT 0 ACL Field-Level Elements and Descriptions

Element  Description 

Enable rule check box

Enables No NAT rules.

When the Enable rule check box is selected during the rule configuration, the rule is shown as true in the rule table under the Enabled column.

Action

Options are:

  • Do not translate—Traffic is exempt from all other translation rules. Equates to "permit."
  • Translate—Traffic is not exempt from the other translation rules. Equates to "deny."

Source Address(es)

Source network object1 name(s) or address(es) of hosts that are subject to filtering. Multiple entries are separated by commas.

Note If you are configuring a rule, you can click Select to open a popup window from which to make your selection.

Destination Address(es)

Destination network object1 names or addresses of hosts that are subject to filtering. Multiple entries are separated by commas.

Note If you are configuring a rule, you can click Select to open a popup window from which to make your selection.

Source Interface

Interface from which traffic originates.

Note If you are configuring a rule, the list shows all interfaces defined at the current scope.

Traffic Direction

Options are:

  • Outbound—Packets entering on an interface with a higher security level and leaving on an interface with a lower security level.
  • Inbound—Packets entering on an interface with a lower security level and leaving on an interface with a higher security level.

Description

Optional user-defined description that identifies the NAT 0 ACL rule.

Network objects are defined in Building Blocks. Select Configuration > Building Blocks > Network Objects. See the "Defining Network Objects" section.

Deleting a NAT 0 ACL Rule


Step 1   Select Configuration > Translation Rules > Translation Exception Rules (NAT 0 ACL) > [Mandatory or Default] (for example, Configuration > Translation Rules > Translation Exception Rules (NAT 0 ACL) > Mandatory).

The respective Translation Exception Rules (NAT 0 ACL) page appears.

Step 2   Select the check box for the row in the table, then click Delete.

You are prompted to confirm the delete request.

Step 3   Click OK.

The selected rule is removed from the table, and the information is removed from the assigned firewall device configuration files when they are deployed.