Cisco PIX 520 - PIX Firewall 520 Online Help Manual page 168

User guide
However, the PIX Firewall does allow the hosts on high security interfaces to initiate connections
using their actual, untranslated addresses. This type of rule is different from a static rule because the
address is not exposed to the lower security interface. This type of rule also differs from the No NAT
type because No NAT prevents the affected hosts from initiating connections, and they have no
visible address on the lower security interface.
No NAT. The hosts on the high security interfaces cannot initiate connections to hosts on low
security interfaces because the PIX Firewall does not perform an address mapping.
In other words, the PIX Firewall dynamically maps a valid IP address from the selected type to the lower
security interface for connections traversing the firewall between the selected host/network and another
node. For example, your internal network hosts can conduct outbound connections using a dynamic rule.
For each internal host that requests an outbound connection, the PIX Firewall unit dynamically maps the
request to the IP address . For more information on dynamic NAT rules and their uses, refer to
Dynamic NAT.
The following sections are included in this Help topic:
Field Descriptions
Edit Dynamic NAT rules
Edit Static NAT rules
Field Descriptions
The Edit host/network>NAT dialog box displays a set of rows, one for each higher security interface, containing
the following fields:
Static—Selecting this option defines a permanent map between the internal IP address and a valid IP
address on the lower security interface. This rule allows hosts from the lower security interface to gain
access to the selected host or network, and vice versa. When this option is selected, the Static box and the
Advanced button appear.

<address_value>—Identifies the IP address (translated address) that is exposed to the interface from
which the network or host's address is hidden. The PIX Firewall uses this address to replace the
network or host's address for any network packets that traverse from the interface on which the
network or host exists to the interfaces listed in the rule. This value is the specific translated IP address
to which you want to map the original addresses of the translated object. You can define exactly one
address.

Advanced—Clicking this button opens the Static NAT Options dialog box, from which you can
configure the maximum connections permitted through this static address, the maximum number of
embryonic connections allowed, and whether the PIX Firewall unit generates random sequence
numbers for TCP packets belonging to a translated session.

Dynamic—Selecting this option defines a dynamic NAT rule. The rule dictates which address pool is used
to translate addresses for the host or network being added when the host initiates a connection passing
through the interface. When this option is selected, the Address Pool ID list and the Manage Global
Address Pools button appear.

Address Pool ID—Identifies the type of dynamic NAT rule to define for the selected host or
network. You can select one of the following values in this list:

No NAT—Specifies that no dynamic NAT rule be used for the selected host or network. If an
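The following is an added teaching model of the three rule types described in this topic; it is not PIX Firewall or PDM code. It simulates how each rule type answers two questions a firewall administrator cares about: can the inside host initiate a connection, and is its address reachable from the lower security interface? The static rule is a permanent two-way map whose Advanced settings (maximum connections, maximum embryonic connections) are enforced on inbound connection attempts; the dynamic rule hands out a pool address only when the inside host initiates and never exposes a pool address to new inbound connections; No NAT neither maps nor allows initiation. Class names, the convention that a limit of 0 means unlimited, and the sample addresses (10.x inside, 192.0.2.x outside) are all constructed for this example; return traffic of established connections is not modeled.

```python
"""Constructed model of PIX host/network NAT rule types (not PIX or PDM code)."""
import ipaddress
from dataclasses import dataclass, field

DROP = None  # returned when the firewall has no usable mapping for a packet


@dataclass
class StaticRule:
    local_ip: str          # untranslated address on the high security interface
    global_ip: str         # translated address exposed on the lower security interface
    max_conns: int = 0     # Static NAT Options: maximum connections (0 = unlimited)
    em_limit: int = 0      # Static NAT Options: maximum embryonic connections (0 = unlimited)
    conns: int = 0         # connections currently counted against max_conns
    embryonic: int = 0     # half-open connections counted against em_limit


@dataclass
class DynamicRule:
    local_net: str         # inside network the rule applies to, e.g. "10.1.2.0/24"
    pool: list             # global address pool the firewall may allocate from
    xlate: dict = field(default_factory=dict)  # local_ip -> allocated pool address


@dataclass
class NoNatRule:
    local_net: str         # inside network that gets no mapping at all


class PixNatTable:
    def __init__(self, rules):
        self.rules = rules

    def _rule_for_local(self, local_ip):
        addr = ipaddress.ip_address(local_ip)
        for r in self.rules:
            if isinstance(r, StaticRule) and ipaddress.ip_address(r.local_ip) == addr:
                return r
            if isinstance(r, (DynamicRule, NoNatRule)) and addr in ipaddress.ip_network(r.local_net):
                return r
        return None

    def outbound(self, local_ip):
        """Inside host initiates a connection; return the source address seen outside."""
        rule = self._rule_for_local(local_ip)
        if rule is None or isinstance(rule, NoNatRule):
            return DROP  # No NAT (or no rule): the host cannot initiate through the firewall
        if isinstance(rule, StaticRule):
            return rule.global_ip  # permanent map, always the same translated address
        # Dynamic: reuse the host's existing translation or allocate a free pool address
        if local_ip in rule.xlate:
            return rule.xlate[local_ip]
        free = [g for g in rule.pool if g not in rule.xlate.values()]
        if not free:
            return DROP  # pool exhausted
        rule.xlate[local_ip] = free[0]
        return free[0]

    def inbound(self, global_ip, embryonic=False):
        """Outside host opens a new connection to a translated address; return the inside host."""
        for r in self.rules:
            if isinstance(r, StaticRule) and r.global_ip == global_ip:
                if r.max_conns and r.conns >= r.max_conns:
                    return DROP  # maximum connections reached
                if embryonic and r.em_limit and r.embryonic >= r.em_limit:
                    return DROP  # embryonic limit reached (SYN-flood protection)
                r.conns += 1
                if embryonic:
                    r.embryonic += 1
                return r.local_ip
        # Dynamic pool addresses and No NAT hosts are not exposed for inbound initiation
        return DROP


def build_example_table():
    """Constructed sample rule set: one of each rule type."""
    return PixNatTable([
        StaticRule("10.1.1.10", "192.0.2.10", max_conns=2, em_limit=1),
        DynamicRule("10.1.2.0/24", ["192.0.2.100", "192.0.2.101"]),
        NoNatRule("10.1.3.0/24"),
    ])


if __name__ == "__main__":
    t = build_example_table()
    print("static outbound :", t.outbound("10.1.1.10"))
    print("static inbound  :", t.inbound("192.0.2.10", embryonic=True))
    print("dynamic outbound:", t.outbound("10.1.2.5"))
    print("dynamic inbound :", t.inbound("192.0.2.100"))
    print("no-NAT outbound :", t.outbound("10.1.3.1"))
```

Running the block shows the static host reachable from both sides, the dynamic host reachable only after it initiates (and its pool address still refused for new inbound connections), and the No NAT host unable to initiate at all; exhausting the pool or the Advanced limits yields a drop rather than a translation.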
Understanding