Configure NAT for Threat Defense

Network address translation can be very complex. We recommend that you keep your rules as simple as possible to avoid translation problems and difficult troubleshooting situations. Careful planning before you implement NAT is critical. The following procedure provides the basic approach.

The NAT policy is a shared policy. You assign the policy to devices that should have similar NAT rules.

Whether a given rule in the policy applies to an assigned device is determined by the interface objects (security zones or interface groups) used in the rule. If the interface objects include one or more interface for the device, the rule is deployed to the device. Thus, you can configure rules that apply to subsets of devices within a single shared policy by carefully designing your interface objects. Rules that apply to “any” interface object are deployed to all devices.

If you change the type of an interface to a type that is not valid for use with a NAT policy that targets a device with that interface, the policy labels the interface as deleted. Click Save in the NAT policy to automatically remove the interface from the policy.

You can configure multiple NAT policies if groups of your devices require significantly different rules.

Procedure

Step 1	Navigate from CDO to Cloud-delivered Firewall Management Center
Step 2	Select Devices > NAT. Click New Policy > Threat Defense NAT to create a new policy. Give the policy a name, optionally assign devices to it, and click Save. You can change device assignments later by editing the policy and clicking Policy Assignments. Click Edit () to edit an existing threat defense NAT policy. Note that the page also shows Firepower NAT policies, which are not used by threat defense devices. If View () appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.
Step 3	Decide what kinds of rules you need. You can create dynamic NAT, dynamic PAT, static NAT, and identity NAT rules. For an overview, see NAT Types.
Step 4	Decide which rules should be implemented as manual or auto NAT. For a comparison of these two implementation options, see Auto NAT and Manual NAT.
Step 5	Decide which rules should be custom per device. Because you can assign a NAT policy to multiple devices, you can configure a single rule on many devices. However, you might have rules that should be interpreted differently by each device, or some rules that should apply to a subset of devices only. Use interface objects to control on which devices a rule is configured. Then, use object overrides on network objects to customize the addresses used per device. For detailed information, see Customizing NAT Rules for Multiple Devices.
Step 6	Create the rules as explained in the following sections. Dynamic NAT Dynamic PAT Static NAT Identity NAT
Step 7	Manage the NAT policy and rules. You can do the following to manage the policy and its rules. To edit the policy name or description, click in those fields, type in your changes, and click outside the fields. To view only those rules that apply to a specific device, click Filter by Device and select the desired device. A rule applies to a device if it uses an interface object that includes an interface on the device. To view any warnings or errors in the policy, click Show Warnings, then choose a Device. Warnings and errors mark configurations that could adversely affect traffic flow or prevent the policy from deploying. To change the devices to which the policy is assigned, click the Policy Assignments link and modify the selected devices list as desired. To change whether a rule is enabled or disabled, right click the rule and select the desired option from the State command. You can temporarily disable a rule without deleting it using these controls. To add a rule, click the Add Rule button. To edit a rule, click Edit () for the rule. To delete a rule, click Delete () for the rule. To change the number of rules displayed on the page, use the Rows Per Page drop-down list. To select more than one rule to enable, disable, or delete, click the checkbox for the rules, or the checkbox in the header, then perform the action.
Step 8	Click Save. You can now go to Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them.