NAT Rule Types – Cisco Network Address Translation (NAT)

NAT Rule Types

A threat defense offers two types of NAT rule for configuring a translation:

  • Auto NAT: An Auto NAT rule can translate one address—either a source or destination address—in a single rule. This means that to translate both source and destination addresses, two separate Auto NAT rules are necessary.
  • Manual NAT: A Manual NAT rule allows the translation of both source and destination addresses within the same rule. A Manual NAT rule may be necessary when you want to make an exception for translation.

Figure 17-3 compares the available translation options in the NAT rule editor. An Auto NAT Rule supports the translation of one address per rule, while a Manual NAT Rule allows you to translate both source and destination addresses in a single rule.

Figure 17-3 Auto NAT Versus Manual NAT—Comparison of Rule Editor Windows

A NAT policy editor categorizes NAT rules into three groups: NAT Rules Before, Auto NAT Rules, and NAT Rules After. In the CLI, you can view the rules under Section 1, Section 2, and Section 3, respectively. During evaluation, the threat defense begins with the rules under Section 1 and, if no rule matches, continues with the rules in the next sections until it finds a match.

Any rules under the NAT Rules Before and NAT Rules After sections are manual NAT rules. Their names and priorities are relative to the Auto NAT Rules section, whose rules translate one type of address at a time. To translate destination addresses as well, a separate Auto NAT rule is necessary.

Figure 17-4 describes the priority of each section in a NAT policy. In this chapter, you learn how to configure Auto NAT rules with both static and dynamic types.

Figure 17-4 Priorities of Rules in a NAT Policy
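To make the section priority concrete, the following added example (not Cisco's code and not part of the original chapter) models the lookup a threat defense performs: Section 1 is checked first, then Section 2, then Section 3, and the first matching rule wins. The rule names, addresses, and the simplification that rules inside a section are tried in list order are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed model of how a threat defense walks a NAT policy:
# Section 1 (NAT Rules Before) -> Section 2 (Auto NAT) -> Section 3 (NAT Rules After).
# The first matching rule is applied. Ordering inside a section is simplified
# to list order, which is an assumption of this model, not device behaviour.

@dataclass
class NatRule:
    name: str
    section: int                      # 1, 2 or 3, as shown in the CLI
    kind: str                         # "auto" or "manual"
    match_src: Optional[str] = None   # real source network the rule applies to
    match_dst: Optional[str] = None   # real destination network the rule applies to
    xlate_src: Optional[str] = None   # translated source address, if any
    xlate_dst: Optional[str] = None   # translated destination address, if any

    def __post_init__(self) -> None:
        # Auto NAT translates one address per rule and lives only in Section 2.
        if self.kind == "auto" and (self.section != 2 or (self.xlate_src and self.xlate_dst)):
            raise ValueError(f"{self.name}: Auto NAT translates one address, in Section 2 only")
        if self.kind == "manual" and self.section == 2:
            raise ValueError(f"{self.name}: Manual NAT rules belong in Section 1 or 3")

def _in(addr: str, net: Optional[str]) -> bool:
    return net is None or ip_address(addr) in ip_network(net)

def translate(rules, src: str, dst: str) -> Tuple[str, str, Optional[str]]:
    """Return (translated_src, translated_dst, name of the matching rule or None)."""
    for section in (1, 2, 3):
        for rule in rules:
            if rule.section == section and _in(src, rule.match_src) and _in(dst, rule.match_dst):
                return (rule.xlate_src or src, rule.xlate_dst or dst, rule.name)
    return (src, dst, None)   # no rule matched: the packet leaves untranslated

# Constructed sample policy using RFC 5737 documentation addresses.
POLICY = [
    # Section 1 exception: translate both addresses for traffic to a partner subnet.
    NatRule("partner-exception", 1, "manual", "10.1.1.0/24", "192.0.2.0/24",
            "203.0.113.5", "198.51.100.7"),
    # Section 2: everyday Auto NAT rule, source address only.
    NatRule("inside-pat", 2, "auto", match_src="10.1.1.0/24", xlate_src="203.0.113.9"),
    # Section 3: catch-all for the rest of 10/8, evaluated last even though it overlaps.
    NatRule("catch-all", 3, "manual", match_src="10.0.0.0/8", xlate_src="203.0.113.200"),
]

if __name__ == "__main__":
    for src, dst in [("10.1.1.10", "192.0.2.1"), ("10.1.1.10", "198.51.100.50"),
                     ("10.2.2.2", "198.51.100.50"), ("172.16.0.1", "198.51.100.50")]:
        print(src, "->", dst, "becomes", translate(POLICY, src, dst))
```

Note that 10.1.1.10 is covered by both the Section 2 rule and the Section 3 catch-all, but the Section 2 rule is applied because the lookup stops at the first match.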

Best Practices for NAT Deployment

Consider the following best practices when you plan to enable NAT on a threat defense:

  • Configuring an Auto NAT rule is simpler than configuring a Manual NAT rule. Cisco recommends that you choose an Auto NAT rule because you can easily implement most of the common NAT scenarios with it. A Manual NAT rule may be necessary when you want to make an exception for translation.
  • If you modify an existing NAT rule or redeploy a new NAT policy, you may find that the new policy is not in action until the timer for any existing connections expires. To have a threat defense act on the latest NAT policy immediately, you can clear the current translations by running the clear xlate command on the threat defense.
  • The larger the translation table, the higher the processing overhead. If the number of translated connections grows excessively, it can affect the CPU and memory utilization of a threat defense.
  • To improve performance, prefer static NAT to dynamic NAT or PAT.
  • Review the addresses on dynamic and static NAT rules carefully before you apply them. Avoid creating rules with overlapping IP addresses.
  • Ensure that any applications running on a network terminate connections gracefully to prevent a threat defense from handling stale connections.
  • Make sure the global idle timeout durations for Translation Slot (xlate), Connection (Conn), and Xlate-PAT are set for optimal performance. You can adjust the timeout values for your threat defense by navigating to Devices > Platform Settings in your management center. The Platform Settings page allows you to manage a wide range of administrative settings to harden your threat defense. The settings are device specific, but they can be shared among multiple threat defense devices through a platform settings policy.

Figure 17-5 shows the global idle timeouts. If you are unsure about a timeout duration, keep the default setting. Do not change these values arbitrarily, because doing so can introduce unplanned connectivity issues.

Figure 17-5 Platform Settings Page Showing Global Timeouts