NAT Tab

The NAT tab, shown in Figure 15-12, lets you view all the address translation rules or NAT
exemption rules applied to your network.
Figure 15-12 NAT Tab on ASDM
The Cisco Security Appliance supports both NAT, which provides a globally unique address
for each outbound host session, and PAT, which provides a single, unique global address for
more than 64,000 simultaneous outbound or inbound host sessions. The global addresses
used for NAT come from a pool of addresses to be used specifically for address translation.
The unique global address that is used for PAT can be either one global address or the IP
address of a given interface.
From the NAT tab, you also can create a translation exemption rule, which lets you specify
traffic that is exempt from being translated. The exemption rules are grouped by interface in
the table, and then by direction. If you have a group of IP addresses that will be translated,
you can exempt certain addresses from being translated by using the exemption rules. If you
have a previously configured access list, you can use that to define your exemption rule.
ASDM writes the exemption to the Security Appliance using a nat 0 command through the
CLI. You can re-sort your exemption’s view by clicking the column heading.
It is important to note that the order in which you apply translation rules can affect how the
rules operate. ASDM lists the static translations first and then the dynamic translations. Each
rule type will be examined in order, with the Security Appliance handling the packet based
on the first rule the packet qualifies for in each set. The Security Appliance looks first at
NAT 0, then the static translations, then NAT, and lastly PAT rules. If a packet arrives at the
Security Appliance and is destined for a web server using PAT, the packet must first be checked
against all of the previous rules defined in NAT 0, static, and NAT before PAT translation happens. When
processing NAT, the Cisco Security Appliance first translates the static translations in the
order they are configured. The packet will be handled based on the first match in the
translation rule set. You can use the Insert Before or Insert After commands to determine the
order in which static translations are processed. Because dynamically translated rules are
processed on a best-match basis, the option to insert a rule before or after a dynamic
translation is disabled.
Use the Manage Pools button to create global address pools to be used
by NAT. You can view or delete existing global pools through the global address pools
window.
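The evaluation order described above can be modelled offline to audit a rule set before it is applied. The following is an added example, not code from the book or from Cisco: it assumes rules match on source address only, treats "best match" as longest prefix, and uses constructed rule names and documentation-style addresses.

```python
import ipaddress

ORDER = ("nat0", "static", "nat", "pat")   # set order stated in the text
FIRST_MATCH = ("nat0", "static")           # dynamic sets use best match

# Constructed rule set (hypothetical names), listed in configured order.
RULES = [
    ("exempt-vpn",  "nat0",   "10.1.1.128/25"),
    ("static-net",  "static", "10.1.1.0/28"),
    ("static-host", "static", "10.1.1.10/32"),
    ("dyn-pool",    "nat",    "10.1.1.0/24"),
    ("pat-outside", "pat",    "10.1.0.0/16"),
]

def _net(rule):
    return ipaddress.ip_network(rule[2])

def resolve(rules, src_ip):
    """Return the name of the rule that handles src_ip, or None."""
    host = ipaddress.ip_address(src_ip)
    for kind in ORDER:
        hits = [r for r in rules if r[1] == kind and host in _net(r)]
        if not hits:
            continue
        if kind in FIRST_MATCH:
            return hits[0][0]              # first configured match wins
        # Assumption: best match means the most specific (longest) prefix.
        return max(hits, key=lambda r: _net(r).prefixlen)[0]
    return None

def shadowed(rules):
    """List (rule, shadowing_rule) pairs where rule can never be reached."""
    out = []
    for i, r in enumerate(rules):
        for j, e in enumerate(rules):
            earlier_set = ORDER.index(e[1]) < ORDER.index(r[1])
            earlier_in_set = e[1] == r[1] and r[1] in FIRST_MATCH and j < i
            if (earlier_set or earlier_in_set) and _net(r).subnet_of(_net(e)):
                out.append((r[0], e[0]))
                break
    return out

if __name__ == "__main__":
    for ip in ("10.1.1.200", "10.1.1.10", "10.1.1.50", "10.1.2.5"):
        print(ip, "->", resolve(RULES, ip))
    print("unreachable:", shadowed(RULES))
```

In this constructed set the host static is never reached because the broader static above it matches first, which is the situation Insert Before and Insert After exist to correct.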