Login

Managing FDM Devices with Security Cloud Control

Introduction
- About Cisco Security Cloud Control
- Products Managed by Cisco Security Cloud Control
- About Firewall in Security Cloud Control
- Managing FDM-Managed Devices with Firewall in Security Cloud Control
- The Firewall Dashboard
Get Started
- Networking Requirements
  - Managing an FDM-Managed Device from the Inside Interface
    - Manage an FDM-Managed Device from the Inside Interface
  - Managing an FDM-Managed Device from the Outside Interface
    - Manage the FDM-Managed Device's Outside Interface
- Create a Security Cloud Control Tenant
- Browsers Supported in Security Cloud Control
- Login Requirements for Security Cloud Control
  - Initial Login to Your New Security Cloud Control Tenant
  - Signing in to Security Cloud Control in Different Regions
  - Troubleshooting Login Failures
- Migrate to Cisco Security Cloud Sign On Identity Provider
  - Troubleshooting Login Failures after Migration
- Launch a Security Cloud Control Tenant
- Security Cloud Control Services Page
- About Security Cloud Control Licenses
  - Cloud-Delivered Firewall Management Center and Threat Defense Licenses
- Security Cloud Control Platform Maintenance Schedule
- Cloud-delivered Firewall Management Center Maintenance Schedule
- Manage Objects
  - Object Types
  - Shared Objects
  - Object Overrides
  - Unassociated Objects
  - Compare Objects
  - Filters
    - Object Filters
      - Configure Object Filters
      - When to Exclude a Device from Filter Criteria
  - Unignore Objects
  - Deleting Objects
    - Delete a Single Object
    - Delete a Group of Unused Objects
  - Network Objects
    - Create or Edit a Firepower Network Object or Network Groups
      - Create a Firepower Network Object
      - Create a Firepower Network Group
      - Edit a Firepower Network Object
      - Edit a Firepower Network Group
      - Add an Object Override
      - Edit Object Overrides
      - Add Additional Values to a Shared Network Group
      - Edit Additional Values in a Shared Network Group
      - Deleting Network Objects and Groups in Security Cloud Control
  - URL Objects
    - Create or Edit an FDM-Managed URL Object
    - Create a Firepower URL Group
      - Edit a Firepower URL Object or URL Group
  - Application Filter Objects
    - Create and Edit a Firepower Application Filter Object
      - Create a Firepower Application Filter Object
      - Edit a Firepower Application Filter Object
  - Geolocation Objects
    - Create and Edit a Firepower Geolocation Filter Object
      - Edit a Geolocation Object
  - DNS Group Objects
    - Create a DNS Group Object
    - Edit a DNS Group Object
    - Delete a DNS Group Object
    - Add a DNS Group Object as an FDM-Managed DNS Server
  - Certificate Objects
    - About Certificates
    - Certificate Types Used by Feature
    - Configuring Certificates
    - Uploading Internal and Internal CA Certificates
      - Procedure
    - Uploading Trusted CA Certificates
      - Procedure
    - Generating Self-Signed Internal and Internal CA Certificates
      - Procedure
  - About IPsec Proposals
    - Managing an IKEv1 IPsec Proposal Object
      - Create or Edit an IKEv1 IPsec Proposal Object
    - Managing an IKEv2 IPsec Proposal Object
      - Create or Edit an IKEv2 IPsec Proposal Object
  - About Global IKE Policies
    - Managing IKEv1 Policies
      - Create or Edit an IKEv1 Policy
    - Managing IKEv2 Policies
      - Create or Edit an IKEv2 Policy
  - RA VPN Objects
  - Security Zone Object
    - Create or Edit a Firepower Security Zone Object
      - Create a Security Zone Object
      - Edit a Security Zone Object
  - Service Objects
    - Create and Edit Firepower Service Objects
      - Create a Firepower Service Group
      - Edit a Firepower Service Object or Service Group
  - Security Group Tag Group
    - Security Group Tags
    - Create an SGT Group
    - Edit an SGT Group
    - Add an SGT Group to an Access Control Rule
  - Syslog Server Objects
    - Create and Edit Syslog Server Objects
      - Edit Syslog Server Objects
    - Create a Syslog Server Object for Secure Logging Analytics (SaaS)
      - Procedure
- Network Address Translation
- Order of Processing NAT Rules
- Network Address Translation Wizard
  - Create a NAT Rule by using the NAT Wizard
- Common Use Cases for NAT
  - Enable a Server on the Inside Network to Reach the Internet Using a Public IP address
  - Enable Users on the Inside Network to Access the Internet Using the Outside Interface's Public IP Address
  - Make a Server on the Inside Network Available on a Specific Port of a Public IP Address
    - NAT Incoming FTP Traffic to an FTP Server
    - NAT Incoming HTTP Traffic to an HTTP Server
    - NAT Incoming SMTP Traffic to an SMTP Server
  - Translate a Range of Private IP Addresses to a Range of Public IP Addresses
    - Translate a Pool of Inside Addresses to a Pool of Outside Addresses
  - Prevent a Range of IP Addresses from Being Translated When Traversing the Outside Interface
    - Create a Twice NAT Rule
Manage Tenants and Users
- Manage a Security Cloud Control Tenant
  - Configure User Preferences
    - General Preferences
      - Change the Security Cloud Control Web Interface Appearance
    - User Notification Preferences
    - View Security Cloud Control Notifications
  - Tenant Settings
    - Enable Change Request Tracking
    - Prevent Cisco Support from Viewing your Tenant
    - Enable the Option to Auto-accept Device Changes
    - Default Conflict Detection Interval
    - Enable the Option to Schedule Automatic Deployments
    - Web Analytics
    - Share Event Data with Cisco Talos
    - Configure a Default Recurring Backup Schedule
    - Tenant ID
    - Tenant Name
    - Security Cloud Control Platform Navigator
  - Organization Notification Settings
    - Enable Email Subscribers
      - Add an Email Subscription
      - Edit Email Subscriptions
      - Delete an Email Subscription
    - Enable Service Integrations for Security Cloud Control Notifications
      - Incoming Webhooks for Webex Teams
      - Incoming Webhooks for Slack
      - Incoming Webhooks for a Custom Integration
  - Logging Settings
  - Integrate Your SAML Single Sign-On with Security Cloud Control
  - Renew SSO Certificate
  - My Tokens
  - API Tokens
    - API Token Format and Claims
    - Manage API-only Users for Firewall in Security Cloud Control
    - Token Management
      - Generate an API Token
      - Renew an API Token
      - Revoke an API Token
  - Relationship Between the Identity Provider Accounts and Security Cloud Control User Records
    - Login Workflow
    - Implications of this Architecture
      - Customers Who Use Cisco Security Cloud Sign On
      - Customers Who Have Their Own Identity Provider
      - Cisco Managed Service Providers
      - Related Topics
  - Manage Multi-Tenant Portal
    - Add a Tenant to a Multi-Tenant Portal
    - Delete a Tenant from a Multi-Tenant Portal
    - Manage-Tenant Portal Settings
      - Settings
      - Switch Tenant
  - The Cisco Success Network
- Manage Users in Security Cloud Control
  - Manage Super Admins on Your Tenant
  - View the User Records Associated with your Tenant
- Active Directory Groups in User Management
  - Prerequisites for Adding an Active Directory Group to Security Cloud Control
  - Add an Active Directory Group for User Management
  - Edit an Active Directory Group for User Management
  - Delete an Active Directory Group for User Management
- Create a New Security Cloud Control User
  - Create a Cisco Security Cloud Sign On Account for the New User
    - About Logging in to Security Cloud Control
    - Before You Log In
    - Create a New Cisco Security Cloud Sign On Account and Configure Duo Multi-factor Authentication
  - Create a User Record with Your Security Cloud Control Username
  - The New User Opens Security Cloud Control from the Cisco Secure Sign-On Dashboard
- User Roles in Security Cloud Control
  - Read-only Role
  - Edit-Only Role
  - Deploy-Only Role
  - VPN Sessions Manager Role
  - Admin Role
  - Super Admin Role
  - Change The Record of the User Role
- Add a User Account to Security Cloud Control
  - Create a User Record
  - Create API Only Users
- Edit a User Record for a User Role
  - Edit a User Role
- Delete a User Record for a User Role
  - Delete a User Record
Onboard Devices and Services
- Secure Device Connector
  - Connect Security Cloud Control to your Managed Devices
  - Deploy a VM for Running the Secure Device Connector and Secure Event Connector
  - Deploy a Secure Device Connector On Your VM
  - Bootstrap a Secure Device Connector on the Deployed Host
  - Deploy a Secure Device Connector to vSphere Using Terraform
  - Deploy a Secure Device Connector on an AWS VPC Using a Terraform Module
  - Migrate an On-Premises Secure Device Connector and Secure Event Connector from a CentOS 7 Virtual Machine to an Ubuntu Virtual Machine
  - Change the IP Address of a Secure Device Connector
  - Remove a Secure Device Connector
  - Move an ASA from one SDC to Another
  - Rename a Secure Device Connector
  - Update your Secure Device Connector
  - Using Multiple SDCs on a Single Security Cloud Control Tenant
  - Security Cloud Control Devices that Use the Same SDC
  - Open Source and Third-Party License in SDC
- Supported Devices, Software, and Hardware
  - Secure Firewall Threat Defense Device Support Specifics
- Onboard FDM-Managed Device
  - Managing an FDM-Managed Device from the Inside Interface
    - Manage an FDM-Managed Device from the Inside Interface
  - Managing an FDM-Managed Device from the Outside Interface
    - Manage the FDM-Managed Device's Outside Interface
  - Onboard an FDM-Managed Device to Security Cloud Control
    - Onboard an FDM-Managed Device Using Username, Password, and IP Address
    - Onboard an FDM-Managed Device Running Software Version 6.4 or 6.5 Using a Registration Key
      - Unregister a Smart-licensed FDM-Managed Device
      - Procedure to Onboard an FDM-Managed Device Running Software Version 6.4 or 6.5 Using a Registration Key
    - Onboard an FDM-Managed Device Running Software Version 6.6+ Using a Registration Key
      - Unregistering an FDM-Managed Device from Cisco Cloud Services
      - Procedure to Onboad an FDM-Managed Device Running Software Version 6.6+ Using a Registration Key
    - Onboard an FDM-Managed Device using the Device's Serial Number
      - Workflow and Prerequisites to Onboard the FDM-Managed Device Using Zero-Touch Provisioning
        
        Onboard a Secure Firewall Threat Defense Device With Zero-Touch Provisioning
      - Onboard a Configured FDM-Managed Device using the Device's Serial Number
    - Onboard an FDM-Managed High Availability Pair
      - Onboard an FDM-Managed High Availablity Pair with a Registration Key
        
        Onboard an FDM-Managed HA Pair Running Version 6.4 or Version 6.5
        
        Onboard an FDM-Managed HA Pair Running Threat Defense Version 6.6 or Version 6.7 and later
      - Onboard an FDM-Managed High Availability Pair
    - Onboard an FTD Cluster
      - Onboard a Clustered Secure Firewall Threat Defense Device
  - Applying or Updating a Smart License
    - Smart-License an FDM-Managed Device When Onboarding Using a Registration Key
    - Smart-License an FDM-Managed Device After Onboarding the Device Using a Registration Key or its Credentials
    - Updating an Existing Smart License of an FDM-Managed Device
    - Change the Smart License Applied to an FDM-Managed Device Onboarded Using a Registration Key
    - Change the Smart License Applied to an FDM-Managed Device Onboarded Using its Credentials
  - Security Cloud Control Support for DHCP Addressing of FDM-Managed Devices
  - FDM-Managed Device Licensing Types
    - Virtual FDM-Managed Device Tiered Licenses
    - Viewing Smart-Licenses for a Device
    - Enabling or Disabling Optional Licenses
    - Impact of Expired or Disabled Optional Licenses
  - Create and Import an Firewall Device Manager Model
    - Export FDM-Managed Device Configuration
    - Import FDM-Managed Device Configuration
  - Backing Up FDM-Managed Devices
    - Back up an FDM-Managed Device On-Demand
      - Procedure
    - Configure a Recurring Backup Schedule for a Single FDM-Managed Device
      - Procedure
    - Download the Device Backup
    - Edit a Backup
    - Delete a Backup
    - Managing Device Backup
    - Restore a Backup to an FDM-Managed Device
  - FDM Software Upgrade Paths
    - Other Upgrade Limitations
    - 4100 and 9300 Series Devices
  - FDM-Managed Device Upgrade Prerequisites
  - Upgrade a Single FDM-Managed Device
    - Upgrade A Single FDM-Managed Device with Images from Security Cloud Control 's Repository
    - Upgrade a Single FDM-Managed Device with Images from your own Repository
    - Monitor the Upgrade Process
  - Bulk FDM-Managed Devices Upgrade
    - Upgrade Bulk FDM-Managed Devices with Images from Security Cloud Control 's Repository
    - Upgrade Bulk FDM-Managed Devices with Images from your own Repository
    - Monitor the Bulk Upgrade Process
  - Upgrade an FDM-Managed High Availability Pair
    - Upgrade an FDM-Managed HA Pair with Images from Security Cloud Control's Repository
    - Upgrade an FDM-Managed HA Pair with Images from your own Repository
    - Monitor the Upgrade Process
  - Upgrade to Snort 3.0
    - Upgrade the Device and the Intrusion Prevention Engine Simultaneously
    - Upgrade the Intrusion Prevention Engine
    - Monitor the Upgrade Process
  - Revert From Snort 3.0 for FDM-Managed Device
    - Revert From Snort 3.0
  - Schedule a Security Database Update
    - Edit a Scheduled Security Database Update
  - Update FDM-Managed Device Security Databases
Manage Onboarded Device Settings
- Changing a Device's IP Address in Security Cloud Control
- Changing a Device's Name in Security Cloud Control
- Export a List of Devices and Services
- Export Device Configuration
- External Links for Devices
  - Create an External Link from your Device
  - Create an External Link to FDM
  - Create an External Link for Multiple Devices
  - Edit or Delete External Links
  - Edit or Delete External Links for Multiple Devices
- Bulk Reconnect Devices to Security Cloud Control
- Moving Devices Between Tenants
- Device Certificate Expiry Detection
- Write a Device Note
- Delete a Device from Security Cloud Control
- Manage Security Devices
- About Security Devices Page
- Security Cloud Control Labels and Filtering
  - Applying Labels to Devices and Objects
  - Filters
- Use Security Cloud Control Search Functionality
  - Page Level Search
  - Global Search
    - Initiate Full Indexing
    - Perform a Global Search
Configuring FDM-Managed Devices
- Interfaces
  - Guidelines and Limitations for Firepower Interface Configuration
    - Maximum Number of VLAN Members by Device Model
  - Firepower Data Interfaces
  - Management/Diagnostic Interface
  - Interface Settings
    - Use of Security Zones in Firepower Interface Settings
    - Assign an FDM-Managed Device Interface to a Security Zone
      - Assign a Firepower Interface to a Security Zone
    - Use of Auto-MDI/MDX in Firepower Interface Settings
    - Use of MAC Addresses in Firepower Interface Settings
    - Use of MTU Settings in Firepower Interface Settings
  - IPv6 Addressing for Firepower Interfaces
  - Configuring Firepower Interfaces
    - Configure a Physical Firepower Interface
      - Procedure
      - Configure IPv4 Addressing for the Physical Interface
      - Configure IPv6 Addressing for the Physical Interface
      - Enable the Physical Interface
    - Configure Firepower VLAN Subinterfaces and 802.1Q Trunking
      - Procedure
      - Configure IPv4 Addressing for the Subinterface
      - Configure IPv6 Addressing for the Subinterface
      - Enable the Physical Interface
    - Configure Advanced Firepower Interface Options
    - Configure a Bridge Group
      - Configure the Name of the Bridge Group Interface and Select the Bridge Group Members
      - Configure the IPv4 Address for the BVI
      - Configure the IPv6 Address for the BVI
      - Configure Advanced Interface Options
      - Bridge Group Compatibility in FDM-Managed Configurations
      - Delete a Bridge Group
    - Add an EtherChannel Interface for an FDM-Managed Device
      - Add an EtherChannel Interface
    - Edit Or Remove an EtherChannel Interface for FDM-Managed Device
      - Edit an EtherChannel
      - Remove an EtherChannel Interface
    - Add a Subinterface to an EtherChannel Interface
      - Add a Subinterface to an EtherChannel Interface
    - Edit or Remove a Subinterface from an EtherChannel
      - Edit a Subinterface
      - Remove a Subinterface from an EtherChannel
    - Add Interfaces to a Virtual FDM-Managed Device
    - Switch Port Mode Interfaces for an FDM-Managed Device
    - Configure an FDM-Managed Device VLAN
    - Configure an FDM-Managed Device VLAN for Switch Port Mode
      - Create a VLAN Interface for Switch Port Mode
      - Configure an Existing Physical Interface for Switch Port Mode
  - Viewing and Monitoring Firepower Interfaces
    - Monitoring Interfaces in the CLI
- Synchronizing Interfaces Added to a Firepower Device using FXOS
- Routing
  - About Static Routing and Default Routes
    - Default Route
    - Static Routes
  - The Routing Table and Route Selection
    - How the Routing Table is Populated
    - How Forwarding Decisions are Made
  - Configure Static and Default Routes for FDM-Managed Devices
    - Procedure
    - Static Route Example
  - Monitoring Routing
  - Static Route Network Diagram
  - About Virtual Routing and Forwarding
- Manage Objects
  - Manage Objects
    - Object Types
    - Shared Objects
    - Object Overrides
    - Unassociated Objects
    - Compare Objects
    - Filters
      - Object Filters
        
        Configure Object Filters
        
        When to Exclude a Device from Filter Criteria
    - Unignore Objects
    - Deleting Objects
      - Delete a Single Object
      - Delete a Group of Unused Objects
    - Network Objects
      - Create or Edit a Firepower Network Object or Network Groups
        
        Create a Firepower Network Object
        
        Create a Firepower Network Group
        
        Edit a Firepower Network Object
        
        Edit a Firepower Network Group
        
        Add an Object Override
        
        Edit Object Overrides
        
        Add Additional Values to a Shared Network Group
        
        Edit Additional Values in a Shared Network Group
        
        Deleting Network Objects and Groups in Security Cloud Control
    - URL Objects
      - Create or Edit an FDM-Managed URL Object
      - Create a Firepower URL Group
        
        Edit a Firepower URL Object or URL Group
    - Application Filter Objects
      - Create and Edit a Firepower Application Filter Object
        
        Create a Firepower Application Filter Object
        
        Edit a Firepower Application Filter Object
    - Geolocation Objects
      - Create and Edit a Firepower Geolocation Filter Object
        
        Edit a Geolocation Object
    - DNS Group Objects
      - Create a DNS Group Object
      - Edit a DNS Group Object
      - Delete a DNS Group Object
      - Add a DNS Group Object as an FDM-Managed DNS Server
    - Certificate Objects
      - About Certificates
      - Certificate Types Used by Feature
      - Configuring Certificates
      - Uploading Internal and Internal CA Certificates
        
        Procedure
      - Uploading Trusted CA Certificates
        
        Procedure
      - Generating Self-Signed Internal and Internal CA Certificates
        
        Procedure
    - About IPsec Proposals
      - Managing an IKEv1 IPsec Proposal Object
        
        Create or Edit an IKEv1 IPsec Proposal Object
      - Managing an IKEv2 IPsec Proposal Object
        
        Create or Edit an IKEv2 IPsec Proposal Object
    - About Global IKE Policies
      - Managing IKEv1 Policies
        
        Create or Edit an IKEv1 Policy
      - Managing IKEv2 Policies
        
        Create or Edit an IKEv2 Policy
    - RA VPN Objects
    - Security Zone Object
      - Create or Edit a Firepower Security Zone Object
        
        Create a Security Zone Object
        
        Edit a Security Zone Object
    - Service Objects
      - Create and Edit Firepower Service Objects
        
        Create a Firepower Service Group
        
        Edit a Firepower Service Object or Service Group
    - Security Group Tag Group
      - Security Group Tags
      - Create an SGT Group
      - Edit an SGT Group
      - Add an SGT Group to an Access Control Rule
    - Syslog Server Objects
      - Create and Edit Syslog Server Objects
        
        Edit Syslog Server Objects
      - Create a Syslog Server Object for Secure Logging Analytics (SaaS)
        
        Procedure
- Manage Security Policies in Security Cloud Control
- FDM Policy Configuration
  - FDM-Managed Access Control Policy
    - Read an FDM-Managed Access Control Policy
    - Configure the FDM Access Control Policy
      - Create or Edit an FDM-Managed Access Control Policy
      - Configuring Access Policy Settings
        
        Procedure
      - About TLS Server Identity Discovery
    - Copy FDM-Managed Access Control Rules
      - Copy Rules within the Device
      - Copy Rules from One FDM-Managed Device Policy to Another FDM-Managed Device Policy
    - Move FDM-Managed Access Control Rules
      - Move Rules within the Device
      - Move a Rule from One FDM-Managed Device Policy to Another FDM-Managed Device Policy
    - Behavior of Objects when Pasting Rules to Another Device
    - Source and Destination Criteria in an FDM-Managed Access Control Rule
    - URL Conditions in an FDM-Managed Access Control Rule
      - Specifying a Reputation for a URL Category Used in a Rule
    - Intrusion Policy Settings in an FDM-Managed Access Control Rule
    - File Policy Settings in an FDM-Managed Access Control Rule
    - Logging Settings in an FDM-Managed Access Control Rule
      - Procedure
    - Security Group Tags
      - Create an SGT Group
      - Edit an SGT Group
      - Add an SGT Group to an Access Control Rule
    - Application Criteria in an FDM-Managed Access Control Rule
    - Intrusion, File, and Malware Inspection in FDM-Managed Access Control Policies
    - Custom IPS Policy in an FDM-Managed Access Control Rule
    - TLS Server Identity Discovery in Firepower Threat Defense
      - Enable the TLS Server Identity Discovery
  - Intrusion Prevention System
    - Threat Events
    - Custom Firepower Intrusion Prevention System Policy
      - Configure Firepower Custom IPS Policies
        
        Create a Custom IPS Policy
        
        Edit a Custom IPS Policy
        
        Edit Rule Groups in a Custom IPS Policy
        
        Delete a Custom IPS policy
  - Security Intelligence Policy
    - Configure the Firepower Security Intelligence Policy
      - Configure Firepower Security Intelligence Policy
    - Making Exceptions to the Firepower Security Intelligence Policy Blocked Lists
    - Security Intelligence Feeds for Firepower Security Intelligence Policies
  - FDM-Managed Device Identity Policy
    - How to Implement an Identity Policy
      - Procedure
    - Configure Identity Policies
      - Procedure
    - Configure Identity Policy Settings
      - Procedure
    - Configure the Identity Policy Default Action
      - Procedure
    - Configure Identity Rules
      - Procedure
  - SSL Decryption Policy
    - How to Implement and Maintain the SSL Decryption Policy
      - Procedure
    - About SSL Decryption
      - Why Implement SSL Decryption?
      - Actions You Can Apply to Encrypted Traffic
      - Automatically Generated SSL Decryption Rules
      - Handling Undecryptable Traffic
      - License Requirements for SSL Decryption Policies
      - Guidelines for SSL Decryption
    - Configure SSL Decryption Policies
      - Procedure
      - Enable the SSL Decryption Policy
        
        Procedure
      - Configure the Default SSL Decryption Action
        
        Procedure
      - Configure SSL Decryption Rules
        
        Procedure
      - Source/Destination Criteria for SSL Decryption Rules
      - URL Criteria for SSL Decryption Rules
      - User Criteria for SSL Decryption Rules
    - Configure Certificates for Known Key and Re-Sign Decryption
    - Downloading the CA Certificate for Decrypt Re-Sign Rules
      - Procedure
      - Warning
  - Rulesets
    - Configure Rulesets for a Device
      - Create or Edit a Ruleset
      - Deploy a Ruleset to Multiple FDM-Managed Devices or Templates
      - Add Devices to a Ruleset from the Ruleset page
      - Add Rulesets to a Device from the Device Policy page
    - Rulesets with FDM-Managed Templates
    - Create Rulesets from Existing Device Rules
    - Impact of Out-of-Band Changes on Rulesets
    - Impact of Discarding Staged Ruleset Changes
    - View Rules and Rulesets
      - View Rules from Device Policy Page
      - View Rulesets
      - Search Rulesets
      - View Jobs Associated with Rulesets
    - Change Log Entries after Creating Rulesets
    - Detach FDM-Managed Devices from a Selected Ruleset
    - Delete Rules and Rulesets
      - Delete Rules from a Ruleset
      - Delete a Ruleset
    - Remove a Ruleset From a Selected FDM-Managed Device
      - Delete a Ruleset From a Selected FDM-Managed Device
      - Disassociate a Ruleset From a Selected FDM-Managed Device
  - Adding Comments to Rules in Policies and Rulesets
    - Adding a Comment to a Rule
    - Editing Comments about Rules in Policies and Rulesets
      - Editing a comment on a rule in a policy
      - Editing a comment on a rule in a ruleset
  - Network Address Translation
  - Order of Processing NAT Rules
  - Network Address Translation Wizard
    - Create a NAT Rule by using the NAT Wizard
  - Common Use Cases for NAT
    - Enable a Server on the Inside Network to Reach the Internet Using a Public IP address
    - Enable Users on the Inside Network to Access the Internet Using the Outside Interface's Public IP Address
    - Make a Server on the Inside Network Available on a Specific Port of a Public IP Address
      - NAT Incoming FTP Traffic to an FTP Server
      - NAT Incoming HTTP Traffic to an HTTP Server
      - NAT Incoming SMTP Traffic to an SMTP Server
    - Translate a Range of Private IP Addresses to a Range of Public IP Addresses
      - Translate a Pool of Inside Addresses to a Pool of Outside Addresses
    - Prevent a Range of IP Addresses from Being Translated When Traversing the Outside Interface
      - Create a Twice NAT Rule
- Templates
  - FDM-Managed Device Templates
  - Configure an FDM Template
    - Create an FDM Template
    - Edit an FDM-Managed Device Template
    - Delete an FDM Template
  - Apply an FDM Template
    - Apply Template to an FDM-Managed Device
    - Review Device and Networking Settings
    - Deploy Changes to the Device
- FDM-Managed High Availability
  - FDM-Managed High Availability Pair Requirements
  - Create an FDM-Managed High Availability Pair
    - Procedure
  - FDM-Managed Devices in High Availability Page
    - High Availability Management Page
    - Edit High Availability Failover Criteria
    - Break an FDM-Managed High Availability Pairing
      - Break High Availability
      - Break Out-of-Band High Availability
    - Force a Failover on an FDM-Managed High Availability Pair
    - FDM-Managed High Availability Failover History
    - Refresh the FDM-Managed High Availability Status
    - Failover and Stateful Link for FDM-Managed High Availability
- FDM-Managed Device Settings
  - Configure an FDM-Managed Device's System Settings
  - Configure Management Access
    - Create Rules for Management Interfaces
    - Create Rules for Data Interfaces
  - Configure Logging Settings
    - Message Severity Levels
  - Configure DHCP Servers
  - Configure DNS Server
  - Management Interface
  - Hostname
  - Configure NTP Server
  - Configure URL Filtering
  - Cloud Services
    - Connecting to the Cisco Success Network
    - Sending Events to the Cisco Cloud
  - Enabling or Disabling Web Analytics
- Security Cloud Control Command Line Interface
  - Using the Command Line Interface
  - Entering Commands in the Command Line Interface
  - Work with Command History
- Bulk Command Line Interface
  - Bulk CLI Interface
  - Send Commands in Bulk
  - Work with Bulk Command History
  - Work with Bulk Command Filters
    - By Response Filter
    - By Device Filter
- Command Line Interface Macros
  - Create a CLI Macro from a New Command
  - Create a CLI Macro from CLI History or from an Existing CLI Macro
  - Run a CLI Macro
  - Edit a CLI Macro
  - Delete a CLI Macro
- Command Line Interface Documentation
- Export Security Cloud Control CLI Command Results
  - Export CLI Command Results
  - Export the Results of CLI Macros
  - Export the CLI Command History
  - Export the CLI Macro List
- Security Cloud Control Public API
- Create a REST API Macro
  - Using the API Tool
  - How to Enter a Secure Firewall Threat Defense REST API Request
  - About FTD REST API Macros
    - Create a REST API Macro
      - Create a REST API Macro from a New Command
      - Create a REST API Macro from History or from an Existing REST API Macro
    - Run a REST API Macro
    - Edit a REST API Macro
    - Delete a REST API Macro
- Reading, Discarding, and Deploying Configuration Changes
  - Read All Device Configurations
  - Read Configuration Changes from FDM-Managed Device to Security Cloud Control
    - Discard Changes Procedure
    - If Reverting Pending Changes Fails
    - Review Conflict Procedure
    - Accept Without Review Procedure
  - Preview and Deploy Configuration Changes for All Devices
  - Deploy Configuration Changes from Security Cloud Control to FDM-Managed Device
  - Deploy Changes to a Device
    - Cancelling Changes
    - Discarding Changes
  - Bulk Deploy Device Configurations
  - About Scheduled Automatic Deployments
    - Schedule an Automatic Deployment
    - Edit a Scheduled Deployment
    - Delete a Scheduled Deployment
  - Check for Configuration Changes
  - Discard Configuration Changes
  - Out-of-Band Changes on Devices
- Synchronizing Configurations Between Security Cloud Control and Device
  - Conflict Detection
    - Enable Conflict Detection
  - Automatically Accept Out-of-Band Changes from your Device
    - Configure Auto-Accept Changes
    - Disabling Auto-Accept Changes for All Devices on the Tenant
  - Resolve Configuration Conflicts
    - Resolve the Not Synced Status
    - Resolve the Conflict Detected Status
  - Schedule Polling for Device Changes
  - Schedule a Security Database Update
    - Create a Scheduled Security Database Update
    - Edit a Scheduled Security Database Update
  - Update FDM-Managed Device Security Databases
    - Workflows
Manage Device Configuration
- Reading, Discarding, and Deploying Configuration Changes
  - Read All Device Configurations
  - Read Configuration Changes from FDM-Managed Device to Security Cloud Control
    - Discard Changes Procedure
    - If Reverting Pending Changes Fails
    - Review Conflict Procedure
    - Accept Without Review Procedure
  - Preview and Deploy Configuration Changes for All Devices
  - Deploy Configuration Changes from Security Cloud Control to FDM-Managed Device
  - Deploy Changes to a Device
    - Cancelling Changes
    - Discarding Changes
  - Bulk Deploy Device Configurations
  - About Scheduled Automatic Deployments
    - Schedule an Automatic Deployment
    - Edit a Scheduled Deployment
    - Delete a Scheduled Deployment
  - Check for Configuration Changes
  - Discard Configuration Changes
  - Out-of-Band Changes on Devices
- Synchronizing Configurations Between Security Cloud Control and Device
  - Conflict Detection
    - Enable Conflict Detection
  - Automatically Accept Out-of-Band Changes from your Device
    - Configure Auto-Accept Changes
    - Disabling Auto-Accept Changes for All Devices on the Tenant
  - Resolve Configuration Conflicts
    - Resolve the Not Synced Status
    - Resolve the Conflict Detected Status
  - Schedule Polling for Device Changes
  - Schedule a Security Database Update
    - Create a Scheduled Security Database Update
    - Edit a Scheduled Security Database Update
  - Update FDM-Managed Device Security Databases
    - Workflows
Monitoring and Reporting Change Logs, Workflows, and Jobs
- Manage Change Logs in Security Cloud Control
- Change Log Entries After Deploying to FDM-Managed Device
- Change Log Entries After Reading Changes from an FDM-Managed Device
- View Change Log Differences
- Export the Change Log
  - Differences Between Change Log Capacity in Security Cloud Control and Size of an Exported Change Log
- Change Request Management
  - Enable Change Request Management
  - Create a Change Request
  - Associate a Change Request with a Change Log Event
  - Search for Change Log Events with Change Requests
  - Search for a Change Request
  - Filter Change Requests
  - Clear the Change Request Toolbar
  - Clear a Change Request Associated with a Change Log Event
  - Delete a Change Request
  - Disable Change Request Management
  - Change Request Management Use Cases
- FDM-Managed Device Executive Summary Report
  - Generating FDM-Managed Device Executive Summary Reports
- Monitor Jobs in Security Cloud Control
  - Reinitiate a Bulk Action
  - Cancel a Bulk Action
- Monitor Workflows in Security Cloud Control
Cisco Security Analytics and Logging
- About Security Analytics and Logging (SaaS) in Security Cloud Control
- Event Types in Security Cloud Control
- About Secure Analytics and Logging (SaaS) for FDM-Managed Devices
- Implementing Secure Logging Analytics (SaaS) for FDM-Managed Devices
- Send FDM Events to Security Cloud Control Events Logging
- Send FDM-Managed Events Directly to the Cisco Cloud
- Implementing SAL (SaaS) for Cloud-Delivered Firewall Management Center-Managed Devices
- Requirements, Guideline, and Limitations for the SAL (SaaS) Integration
- Send Cloud-delivered Firewall Management Center-Managed Events to SAL (SaaS) Using Syslog
- Send Cloud-delivered Firewall Management Center-Managed Event Logs to SAL (SaaS) Using a Direct Connection
- Enable or Disable Threat Defense Devices to Send Event logs to SAL (SaaS) Using a Direct Connection
- About Secure Event Connectors
- Installing Secure Event Connectors
  - Install a Secure Event Connector on an SDC Virtual Machine
  - Installing an SEC Using a Security Cloud Control Image
    - Install a Security Cloud Control Connector, to Support a Secure Event Connector, Using a Security Cloud Control VM Image
    - Install the Secure Event Connector on the Security Cloud Control Connector VM
  - Deploy Secure Event Connector on Ubuntu Virtual Machine
  - Install an SEC Using Your VM Image
    - Install a Security Cloud Control Connector to Support an SEC Using Your VM Image
    - Additional Configuration for SDCs and Security Cloud Control Connectors Installed on a VM You Created
    - Install the Secure Event Connector on your Security Cloud Control Connector Virtual Machine
  - Install a Secure Event Connector on an AWS VPC Using a Terraform Module
- Remove the Secure Event Connector
  - Remove an SEC from Security Cloud Control
  - Remove a Secure Event Connector from the Secure Device Connector VM
- Finding Your Device's TCP, UDP, and NSEL Port Used for Secure Logging Analytics (SaaS)
- Provision a Cisco Secure Cloud Analytics Portal
- Review Sensor Health and Security Cloud Control Integration Status in Secure Cloud Analytics
- Cisco Secure Cloud Analytics Sensor Deployment for Total Network Analytics and Reporting
- Viewing Cisco Secure Cloud Analytics Alerts from Security Cloud Control
  - Inviting Users to Join Your Secure Cloud Analytics Portal
  - Cross-Launching from Security Cloud Control to Secure Cloud Analytics
- Cisco Secure Cloud Analytics and Dynamic Entity Modeling
- Working with Alerts Based on Firewall Events
  - Triage open alerts
  - Snooze alerts for later analysis
  - Update the alert for further investigation
  - Review the alert and start your investigation
  - Examine the entity and users
  - Remediate issues using Secure Cloud Analytics
  - Update and close the alert
- Modifying Alert Priorities
- Viewing Live Events
  - Play/Pause Live Events
- View Historical Events
- Customize the Events View
  - Correlate Threat Defense Event Fields and Column Names
- Show and Hide Columns on the Event Logging Page
- Change the Time Zone for the Event Timestamps
- Customizable Event Filters
- Searching for and Filtering Events in the Event Logging Page
  - Filter Live or Historical Events
  - Filter for ASA or FDM-Managed Device Syslog Events but not ASA NetFlow Events
  - Combine Filter Elements
  - Search Historical Events in the Background
    - Search for Events in the Events Logging Page
    - Schedule a Background Search in the Event Viewer
    - Download a Background Search
- Event Attributes in Security Analytics and Logging
  - EventGroup and EventGroupDefinition Attributes for Some Syslog Messages
  - EventName Attributes for Syslog Events
  - Time Attributes in a Syslog Event
- Security Analytics and Logging license and Data Storage Plans
  - View Security Analytics and Logging License Information
  - Extend Event Storage Duration and Increase Event Storage Capacity
  - View Security Analytics and Logging Alerts
  - View Security Analytics and Logging Storage Usage and Event Ingest Rate
- Finding Your Device's TCP, UDP, and NSEL Port Used for Secure Logging Analytics (SaaS)
Integrating Security Cloud Control with Cisco Security Cloud Sign On
- Merge Your Security Cloud Control and Cisco XDR Tenant Accounts
Terraform
- About Terraform
Troubleshooting
- Troubleshoot FDM-Managed Devices
  - Troubleshoot the Executive Summary Report
  - Troubleshoot FDM-Managed Device Onboarding
  - Failed Because of Insufficient License
  - Troubleshoot Device Unregistered
  - Troubleshooting Device Registration Failure during Onboarding with a Registration Key
  - Troubleshooting SSL Decryption Issues
  - Troubleshoot FDM-Managed Device Onboarding Using Serial Number
    - Claim Error
    - Provisioning Error
  - Troubleshoot FDM-Managed HA Creation
- Troubleshoot a Secure Device Connector
  - SDC is Unreachable
  - SDC Status not Active on Security Cloud Control After Deployment
  - Changed IP Address of the SDC is not Reflected in Security Cloud Control
  - Troubleshoot Device Connectivity with the SDC
  - Intermittent or No Connectivity with SDC
  - Container Privilege Escalation Vulnerability Affecting Secure Device Connector: cisco-sa-20190215-runc
    - Updating a Security Cloud Control -Standard SDC Host
    - Updating a Custom SDC Host
    - Bug Tracking
  - Invalid System Time
  - SDC version is lower than 202311****
  - Certificate or Connection errors with AWS servers
- Troubleshoot a Secure Event Connector
  - Troubleshoot SEC Onboarding Failures
  - Troubleshoot Secure Event Connector Registration Failure
  - Troubleshooting Network Problems Using Security and Analytics Logging Events
  - Troubleshooting NSEL Data Flows
  - Event Logging Troubleshooting Log Files
  - SEC Status is Inactive in Security Cloud Control
  - The SEC is online, but there are no events in Security Cloud Control Event Logging Page
  - Remove an SEC from Your Host
  - Use Health Check to Learn the State of your Secure Event Connector
- Troubleshoot Security Cloud Control
  - Troubleshooting Access and Certificates
    - Resolve New Fingerprint Detected State
    - Troubleshooting Network Problems Using Security and Analytics Logging Events
    - Troubleshooting SSL Decryption Issues
  - Troubleshooting Login Failures after Migration
  - Troubleshooting Objects
    - Resolve Duplicate Object Issues
    - Resolving Inconsistent or Unused Security Zone Objects
    - Resolve Unused Object Issues
      - Resolve an Unused Object Issue
      - Remove Unused Objects in Bulk
    - Resolve Inconsistent Object Issues
    - Resolve Object Issues in Bulk
- Device Connectivity States
  - Troubleshoot Device Unregistered
  - Troubleshoot Insufficient Licenses
  - Troubleshoot Invalid Credentials
  - Troubleshoot New Certificate Issues
    - New Certificate Detected
  - Troubleshoot Onboarding Error
  - Resolve the Conflict Detected Status
  - Resolve the Not Synced Status
  - Troubleshoot Unreachable Connection State
FAQ and Support
- Security Cloud Control
- FAQ About Onboarding Devices to Security Cloud Control
  - FAQs About Onboarding Secure Firewall ASA to Security Cloud Control
  - FAQs About Onboarding FDM-Managed Devices to Security Cloud Control
  - FAQs About Onboarding Secure Firewall Threat Defense to Cloud-delivered Firewall Management Center
  - FAQs About On-Premises Secure Firewall Management Center
  - FAQs About Onboarding Meraki Devices to Security Cloud Control
  - FAQs About Onboarding SSH Devices to Security Cloud Control
  - FAQs About Onboarding IOS Devices to Security Cloud Control
- Device Types
- Security
- Troubleshooting
- Terminologies and Definitions used in Zero-Touch Provisioning
- Policy Optimization
- Connectivity
- Complete the Initial Configuration of a Secure Firewall Threat Defense Device Using the CLI
- About Data Interfaces
- How Security Cloud Control Processes Personal Information
- Contact Security Cloud Control Support
  - Export The Workflow
  - Open a Support Ticket with TAC
    - How Security Cloud Control Customers Open a Support Ticket with TAC
    - How Security Cloud Control Trial Customers Open a Support Ticket with TAC
  - Security Cloud Control Service Status Page

Get Started Common Use Cases for NAT Prevent a Range of IP Addresses from Being Translated When Traversing the Outside Interface Create a Twice NAT Rule

Last updated: Jun 09, 2025

Create a Twice NAT Rule

Before you begin

Create a network object or network group that defines the pool of IP addresses you are going to translate to itself. For the ASA, the range of addresses can be defined by a network object that uses an IP address range, a network object that defines a subnet, or a network group object that includes all the addresses in the range. For the FTD, the range of addresses can be defined by a network object that defines a subnet or a network group object that includes all the addresses in the range.

When creating the network objects or network groups, use Create or Edit a Firepower Network Object or Network Group for instructions.

For the sake of the following procedure, we are going call the network object or network group, Site-to-Site-PC-Pool.

Procedure

1	In the left pane, click Security Devices.
2	Click the Devices tab to locate the device or the Templates tab to locate the model device.
3	Click the appropriate device type tab.
4	Select the device you want to create the NAT rule for.
5	Click NAT in the Management pane at the right.
6	Click > Twice NAT..
7	In section 1, Type, select Static. Click Continue.
8	In section 2, Interfaces, choose inside for the source interface and outside for the destination interface. Click Continue.
9	In section 3, Packets, make these changes: Expand the Original Address menu, click Choose, and select the Site-to-Site-PC-Pool object you created in the prerequisites section. Expand the Translated Address menu, click Choose, and select the Site-to-Site-PC-Pool object you created in the prerequisites section.
10	Skip section 4, Advanced.
11	For an FDM-managed device, in section 5, Name, give the NAT rule a name.
12	Click Save.
13	For an ASA, create a crypto map. See CLI Book 3: Cisco ASA Series VPN CLI Configuration Guide and review the chapter on LAN-to-LAN IPsec VPNs for more information on creating a crypto map.
14	Review and deploy now the changes you made, or wait and deploy multiple changes at once.

Previous topic Prevent a Range of IP Addresses from Being Translated When Traversing the Outside Interface Next topic Manage Tenants and Users