Login

Managing On-Prem FMC with Security Cloud Control

Introduction
- About Cisco Security Cloud Control
- Products Managed by Cisco Security Cloud Control
- About Firewall in Security Cloud Control
- Managing On-Premises Firewall Management Center with Security Cloud Control
- The Firewall Dashboard
Get Started
- Create a Security Cloud Control Tenant
- Create a Security Cloud Control Tenant
- Browsers Supported in Security Cloud Control
- Login Requirements for Security Cloud Control
  - Initial Login to Your New Security Cloud Control Tenant
  - Signing in to Security Cloud Control in Different Regions
  - Troubleshooting Login Failures
- Migrate to Cisco Security Cloud Sign On Identity Provider
  - Troubleshooting Login Failures after Migration
- Launch a Security Cloud Control Tenant
- Security Cloud Control Services Page
- About Security Cloud Control Licenses
  - Cloud-Delivered Firewall Management Center and Threat Defense Licenses
- Security Cloud Control Platform Maintenance Schedule
- Cloud-delivered Firewall Management Center Maintenance Schedule
- Manage Objects
  - Object Types
  - Shared Objects
  - Object Overrides
  - Unassociated Objects
  - Compare Objects
  - Filters
    - Object Filters
      - Configure Object Filters
      - When to Exclude a Device from Filter Criteria
  - Unignore Objects
  - Deleting Objects
    - Delete a Single Object
    - Delete a Group of Unused Objects
  - Network Objects
    - Create or Edit ASA Network Objects and Network Groups
      - Create an ASA Network Object
      - Create an ASA Network Group
      - Edit an ASA Network Object
      - Edit an ASA Network Group
      - Add Additional Values to a Shared Network Group in Security Cloud Control
      - Edit Additional Values in a Shared Network Group in Security Cloud Control
      - Deleting Network Objects and Groups in Security Cloud Control
    - Create or Edit a Firepower Network Object or Network Groups
      - Create a Firepower Network Object
      - Create a Firepower Network Group
      - Edit a Firepower Network Object
      - Edit a Firepower Network Group
      - Add an Object Override
      - Edit Object Overrides
      - Add Additional Values to a Shared Network Group
      - Edit Additional Values in a Shared Network Group
      - Deleting Network Objects and Groups in Security Cloud Control
    - Discover and Manage On-Prem Firewall Management Center Network Objects
  - Service Objects
- Network Address Translation
- Order of Processing NAT Rules
- Network Address Translation Wizard
  - Create a NAT Rule by using the NAT Wizard
- Common Use Cases for NAT
  - Enable a Server on the Inside Network to Reach the Internet Using a Public IP address
  - Enable Users on the Inside Network to Access the Internet Using the Outside Interface's Public IP Address
  - Make a Server on the Inside Network Available on a Specific Port of a Public IP Address
    - NAT Incoming FTP Traffic to an FTP Server
    - NAT Incoming HTTP Traffic to an HTTP Server
    - NAT Incoming SMTP Traffic to an SMTP Server
  - Translate a Range of Private IP Addresses to a Range of Public IP Addresses
    - Translate a Pool of Inside Addresses to a Pool of Outside Addresses
  - Prevent a Range of IP Addresses from Being Translated When Traversing the Outside Interface
    - Create a Twice NAT Rule
Manage Tenants and Users
- Manage a Security Cloud Control Tenant
  - Configure User Preferences
    - General Preferences
      - Change the Security Cloud Control Web Interface Appearance
    - User Notification Preferences
    - View Security Cloud Control Notifications
  - Tenant Settings
    - Enable Change Request Tracking
    - Prevent Cisco Support from Viewing your Tenant
    - Enable the Option to Auto-accept Device Changes
    - Default Conflict Detection Interval
    - Web Analytics
    - Share Event Data with Cisco Talos
    - Tenant ID
    - Tenant Name
    - Security Cloud Control Platform Navigator
  - Organization Notification Settings
    - Enable Email Subscribers
      - Add an Email Subscription
      - Edit Email Subscriptions
      - Delete an Email Subscription
    - Enable Service Integrations for Security Cloud Control Notifications
      - Incoming Webhooks for Webex Teams
      - Incoming Webhooks for Slack
      - Incoming Webhooks for a Custom Integration
  - Logging Settings
  - Integrate Your SAML Single Sign-On with Security Cloud Control
  - Renew SSO Certificate
  - My Tokens
  - API Tokens
    - API Token Format and Claims
    - Manage API-only Users for Firewall in Security Cloud Control
    - Token Management
      - Generate an API Token
      - Renew an API Token
      - Revoke an API Token
  - Relationship Between the Identity Provider Accounts and Security Cloud Control User Records
    - Login Workflow
    - Implications of this Architecture
      - Customers Who Use Cisco Security Cloud Sign On
      - Customers Who Have Their Own Identity Provider
      - Cisco Managed Service Providers
      - Related Topics
  - Manage Multi-Tenant Portal
    - Add a Tenant to a Multi-Tenant Portal
    - Delete a Tenant from a Multi-Tenant Portal
    - Manage-Tenant Portal Settings
      - Settings
      - Switch Tenant
  - The Cisco Success Network
- Manage Users in Security Cloud Control
  - Manage Super Admins on Your Tenant
  - View the User Records Associated with your Tenant
- Active Directory Groups in User Management
  - Prerequisites for Adding an Active Directory Group to Security Cloud Control
  - Add an Active Directory Group for User Management
  - Edit an Active Directory Group for User Management
  - Delete an Active Directory Group for User Management
- Create a New Security Cloud Control User
  - Create a Cisco Security Cloud Sign On Account for the New User
    - About Logging in to Security Cloud Control
    - Before You Log In
    - Create a New Cisco Security Cloud Sign On Account and Configure Duo Multi-factor Authentication
  - Create a User Record with Your Security Cloud Control Username
  - The New User Opens Security Cloud Control from the Cisco Secure Sign-On Dashboard
- User Roles in Security Cloud Control
  - Read-only Role
  - Edit-Only Role
  - Deploy-Only Role
  - VPN Sessions Manager Role
  - Admin Role
  - Super Admin Role
  - Change The Record of the User Role
- Add a User Account to Security Cloud Control
  - Create a User Record
  - Create API Only Users
- Edit a User Record for a User Role
  - Edit a User Role
- Delete a User Record for a User Role
  - Delete a User Record
Connect Your Device
- Secure Device Connector
  - Connect Security Cloud Control to your Managed Devices
  - Deploy a VM for Running the Secure Device Connector and Secure Event Connector
  - Deploy a Secure Device Connector On Your VM
  - Bootstrap a Secure Device Connector on the Deployed Host
  - Deploy a Secure Device Connector to vSphere Using Terraform
  - Deploy a Secure Device Connector on an AWS VPC Using a Terraform Module
  - Migrate an On-Premises Secure Device Connector and Secure Event Connector from a CentOS 7 Virtual Machine to an Ubuntu Virtual Machine
  - Change the IP Address of a Secure Device Connector
  - Remove a Secure Device Connector
  - Move an ASA from one SDC to Another
  - Rename a Secure Device Connector
  - Update your Secure Device Connector
  - Using Multiple SDCs on a Single Security Cloud Control Tenant
  - Security Cloud Control Devices that Use the Same SDC
  - Open Source and Third-Party License in SDC
Onboard Devices and Services
- Supported Devices, Software, and Hardware
- Onboard an On-Premises Firewall Management Center
  - Onboard an On-Premises Management Center to Security Cloud Control
    - Auto-Onboard an On-Premises Management Center Integrated with Cisco Security Cloud
      - Integrate On-Premises Management Center With Cisco Security Cloud
      - Disable Auto-Onboarding of an On-Premises Management Center
    - Onboard an On-Premises Firewall Management Center to Security Cloud Control with Credentials
    - Redirect Security Cloud Control to an On-Premises Firewall Management Center
  - Remove an On-Premises Firewall Management Center from Security Cloud Control
Manage Onboarded Device Settings
- Changing a Device's IP Address in Security Cloud Control
- Changing a Device's Name in Security Cloud Control
- Export a List of Devices and Services
- Export Device Configuration
- External Links for Devices
  - Create an External Link from your Device
  - Create an External Link to
  - Create an External Link for Multiple Devices
  - Edit or Delete External Links
  - Edit or Delete External Links for Multiple Devices
- Bulk Reconnect Devices to Security Cloud Control
- Moving Devices Between Tenants
- Device Certificate Expiry Detection
- Write a Device Note
- Delete a Device from Security Cloud Control
- Manage Security Devices
- About Security Devices Page
- Security Cloud Control Labels and Filtering
  - Applying Labels to Devices and Objects
  - Filters
- Use Security Cloud Control Search Functionality
  - Page Level Search
  - Global Search
    - Initiate Full Indexing
    - Perform a Global Search
Configuring On-Premises Firewall Management Center Devices
- View Onboarded On-Premises Management Center
- Discover and Manage On-Prem Firewall Management Center Network Objects
- Reading, Discarding, and Deploying Configuration Changes
  - Read All Device Configurations
  - Preview and Deploy Configuration Changes for All Devices
  - Bulk Deploy Device Configurations
  - Preview and Deploy On-Premises Firewall Management Center Configurations
  - Discard Configuration Changes
  - Discard On-Premises Firewall Management Center Configuration Changes
  - Out-of-Band Changes on Devices
- Synchronizing Configurations Between Security Cloud Control and Device
  - Conflict Detection
    - Enable Conflict Detection
    - Enable Conflict Detection for an On-Premises Management Center
  - Automatically Accept Out-of-Band Changes from your Device
    - Configure Auto-Accept Changes
    - Disabling Auto-Accept Changes for All Devices on the Tenant
  - Resolve Configuration Conflicts
    - Resolve the Not Synced Status
    - Resolve the Conflict Detected Status
  - Schedule Polling for Device Changes
Analyzing, Detecting, and Fixing Policy Anomalies Using Policy Analyzer and Optimizer
- About Policy Analyzer and Optimizer
  - Analysis, Remediation, and Reporting
- Prerequisites to Use Policy Analyzer and Optimizer
- Policy Analyzer and Optimizer Licensing Requirements
- Enable Policy Analyzer and Optimizer for Cloud-delivered Firewall Management Center
- Enable Policy Analyzer and Optimizer for Security Cloud Control -managed On-Premises Firewall Management Center
- Policy Analysis
  - Analyze Cloud-delivered Firewall Management Center Policies
  - Analyze On-Premises Firewall Management Center Policies
- Policy Reporting
  - Policy Analysis Summary
  - Duplicate Rules
  - Overlapping Objects
  - Expired Rules
  - Mergeable Rules
  - Policy Insights
- Policy Remediation
  - Apply Policy Remediation
  - What Does the Policy Remediation Report Contain?
- Troubleshooting Policy Analyzer and Optimizer
  - Policy Analyzer and Optimizer Does Not Analyze Policies
  - Policy Analyzer and Optimizer Does Not Fetch Policies
- Frequently Asked Questions About Policy Analyzer and Optimizer
Manage Device Configuration
- Reading, Discarding, and Deploying Configuration Changes
  - Read All Device Configurations
  - Preview and Deploy Configuration Changes for All Devices
  - Bulk Deploy Device Configurations
  - Preview and Deploy On-Premises Firewall Management Center Configurations
  - Discard Configuration Changes
  - Discard On-Premises Firewall Management Center Configuration Changes
  - Out-of-Band Changes on Devices
- Synchronizing Configurations Between Security Cloud Control and Device
  - Conflict Detection
    - Enable Conflict Detection
    - Enable Conflict Detection for an On-Premises Management Center
  - Automatically Accept Out-of-Band Changes from your Device
    - Configure Auto-Accept Changes
    - Disabling Auto-Accept Changes for All Devices on the Tenant
  - Resolve Configuration Conflicts
    - Resolve the Not Synced Status
    - Resolve the Conflict Detected Status
  - Schedule Polling for Device Changes
Monitoring and Reporting Change Logs, Workflows, and Jobs
- Manage Change Logs in Security Cloud Control
- View Change Log Differences
- Export the Change Log
  - Differences Between Change Log Capacity in Security Cloud Control and Size of an Exported Change Log
- Change Request Management
  - Enable Change Request Management
  - Create a Change Request
  - Associate a Change Request with a Change Log Event
  - Search for Change Log Events with Change Requests
  - Search for a Change Request
  - Filter Change Requests
  - Clear the Change Request Toolbar
  - Clear a Change Request Associated with a Change Log Event
  - Delete a Change Request
  - Disable Change Request Management
  - Change Request Management Use Cases
- Monitor Workflows in Security Cloud Control
Integrating Security Cloud Control with Cisco Security Cloud Sign On
- Merge Your Security Cloud Control and Cisco XDR Tenant Accounts
Terraform
- About Terraform
Troubleshooting
- Troubleshoot a Secure Device Connector
  - SDC is Unreachable
  - SDC Status not Active on Security Cloud Control After Deployment
  - Changed IP Address of the SDC is not Reflected in Security Cloud Control
  - Troubleshoot Device Connectivity with the SDC
  - Intermittent or No Connectivity with SDC
  - Container Privilege Escalation Vulnerability Affecting Secure Device Connector: cisco-sa-20190215-runc
    - Updating a Security Cloud Control -Standard SDC Host
    - Updating a Custom SDC Host
    - Bug Tracking
  - Invalid System Time
  - SDC version is lower than 202311****
  - Certificate or Connection errors with AWS servers
- Troubleshoot Security Cloud Control
  - Troubleshooting Access and Certificates
    - Resolve New Fingerprint Detected State
    - Troubleshooting Network Problems Using Security and Analytics Logging Events
    - Troubleshooting SSL Decryption Issues
  - Troubleshooting Login Failures after Migration
  - Troubleshooting Objects
    - Resolve Duplicate Object Issues
    - Resolve Unused Object Issues
      - Resolve an Unused Object Issue
      - Remove Unused Objects in Bulk
    - Resolve Inconsistent Object Issues
    - Resolve Object Issues in Bulk
- Device Connectivity States
  - Troubleshoot Insufficient Licenses
  - Troubleshoot Invalid Credentials
  - Troubleshoot New Certificate Issues
    - New Certificate Detected
  - Troubleshoot Onboarding Error
  - Resolve the Conflict Detected Status
  - Resolve the Not Synced Status
FAQ and Support
- Security Cloud Control
- FAQ About Onboarding Devices to Security Cloud Control
  - FAQs About Onboarding Secure Firewall ASA to Security Cloud Control
  - FAQs About Onboarding FDM-Managed Devices to Security Cloud Control
  - FAQs About Onboarding Secure Firewall Threat Defense to Cloud-delivered Firewall Management Center
  - FAQs About On-Premises Secure Firewall Management Center
  - FAQs About Onboarding Meraki Devices to Security Cloud Control
  - FAQs About Onboarding SSH Devices to Security Cloud Control
  - FAQs About Onboarding IOS Devices to Security Cloud Control
- Device Types
- Security
- Troubleshooting
- Terminologies and Definitions used in Zero-Touch Provisioning
- Policy Optimization
- Connectivity
- About Data Interfaces
- How Security Cloud Control Processes Personal Information
- Contact Security Cloud Control Support
  - Export The Workflow
  - Open a Support Ticket with TAC
    - How Security Cloud Control Customers Open a Support Ticket with TAC
    - How Security Cloud Control Trial Customers Open a Support Ticket with TAC
  - Security Cloud Control Service Status Page

Platform Secure Firewall Management Center Virtual

Activity On-Premises Deployment

Get Started Common Use Cases for NAT Translate a Range of Private IP Addresses to a Range of Public IP Addresses Translate a Pool of Inside Addresses to a Pool of Outside Addresses

Last updated: Jun 09, 2025

Translate a Pool of Inside Addresses to a Pool of Outside Addresses

Before you begin

Create a network object for the pool of private IP addresses you want to translate and create a network object for the pool of public addresses you want to translate those private IP addresses into.

For the ASA , the network group that defines the pool of "translated address" cannot be a network object that defines a subnet.

When creating these address pools, for instructions.

For the sake of the following procedure, we named the pool of private addresses, inside_pool and name the pool of public addresses, outside_pool.

Procedure

1	In the left pane, click Security Devices.
2	Click the Devices tab to locate the device or the Templates tab to locate the model device.
3	Click the appropriate device type tab.
4	Select the device you want to create the NAT rule for.
5	Click NAT in the Management pane at the right.
6	Click > Network Object NAT.
7	In section 1, Type, select Dynamic and click Continue.
8	In section 2, Interfaces, set the source interface to inside and the destination interface to outside. Click Continue.
9	In section 3, Packets, perform these tasks: For the Original Address, click Choose and then select the inside_pool network object (or network group) you made in the prerequisites section above. For the Translated Address, click Choose and then select the outside_pool network object (or network group) you made in the prerequisites section above.
10	Skip section 4, Advanced.
11	For an FDM-managed device, in section 5, Name, give the NAT rule a name.
12	Click Save.
13	Review and deploy now the changes you made, or wait and deploy multiple changes at once.

Previous topic Translate a Range of Private IP Addresses to a Range of Public IP Addresses Next topic Prevent a Range of IP Addresses from Being Translated When Traversing the Outside Interface