To configure a NAT policy, you must give the policy a unique name and
identify the devices, or targets, where you want to deploy the policy. You
can also add, edit, delete, enable, and disable NAT rules. After you create
or modify a NAT policy, you can deploy the policy to all or some targeted
devices.

You can deploy NAT policies to a 7000 or 8000 Series device
high-availability pair, including paired stacks, as you would a standalone
device. However, you can define static NAT rules for interfaces on
individual paired devices or the entire high-availability pair and use the
interfaces in source zones. For dynamic rules, you can use only the
interfaces on the whole high-availability pair in source or destination
zones.

In 7000 or 8000 Series device high-availability pairs, only select an
individual peer interface for a static NAT rule on a paired device if all
networks affected by the NAT translations are private. Do not use this
configuration for static NAT rules affecting traffic between public and
private networks.
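
The interface constraints above can be checked before deployment. The following is an added example, not Cisco code or a Firepower export format: the NatRule schema, its field values, and the reading of "private" as RFC 1918 or fc00::/7 are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumption: "private" means RFC 1918 (IPv4) or unique-local fc00::/7 (IPv6).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

@dataclass
class NatRule:              # hypothetical schema, not a Firepower format
    name: str
    kind: str               # "static" or "dynamic"
    interface_scope: str    # "ha_pair" or "peer" (individual paired device)
    zone_role: str          # "source" or "destination"
    networks: list = field(default_factory=list)  # CIDRs affected by translation

def is_private(cidr):
    """True only if the whole network sits inside one private range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_NETS)

def lint_ha_nat_rule(rule):
    """Return findings for one rule targeted at a 7000/8000 Series HA pair."""
    findings = []
    if rule.interface_scope != "peer":
        return findings     # whole-pair interfaces are allowed for both rule kinds
    if rule.kind == "dynamic":
        findings.append("dynamic rule must use interfaces on the whole HA pair")
        return findings
    if rule.zone_role != "source":
        findings.append("peer interface of a static rule belongs in a source zone")
    public = [n for n in rule.networks if not is_private(n)]
    if public:
        findings.append("static peer-interface rule touches non-private networks: "
                        + ", ".join(public))
    return findings

def lint_policy(rules):
    """Map rule name to findings, omitting rules that pass."""
    return {r.name: f for r in rules if (f := lint_ha_nat_rule(r))}

# Constructed sample rules (203.0.113.0/24 is a documentation range used as "public").
SAMPLE_RULES = [
    NatRule("lab-static", "static", "peer", "source", ["10.1.0.0/24", "192.168.5.0/24"]),
    NatRule("dmz-static", "static", "peer", "source", ["10.1.0.0/24", "203.0.113.0/24"]),
    NatRule("out-dynamic", "dynamic", "peer", "source", ["10.2.0.0/16"]),
    NatRule("pair-dynamic", "dynamic", "ha_pair", "destination", ["203.0.113.0/24"]),
]

if __name__ == "__main__":
    for name, findings in lint_policy(SAMPLE_RULES).items():
        print(name, "->", "; ".join(findings))
```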

If you configure dynamic NAT on a device high-availability pair without HA
link interfaces established, both paired devices independently allocate
dynamic NAT entries, and the system cannot synchronize the entries

You can deploy NAT policies to a device stack as you would a standalone
device. If you establish a device stack from devices that were included in
a NAT policy and had rules associated with interfaces from the secondary
device that was a member of the stack, the interfaces from the secondary
device remain in the NAT policy. You can save and deploy policies with the
interfaces, but the rules do not provide any translation.

In a multidomain deployment, the system displays policies created in the
current domain, which you can edit. It also displays policies created in
ancestor domains, which you cannot edit. To view and edit policies created
in a lower domain, switch to that domain.
Administrators in ancestor domains can target NAT policies to devices in
descendant domains, which descendant domains can use or replace with customized