17-2
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 17 Applying NAT
NAT Overview
Introduction to NAT
Address translation substitutes the real address in a packet with a mapped address that is routable on the
destination network. NAT is comprised of two steps: the process in which a real address is translated into
a mapped address, and then the process to undo translation for returning traffic.
The security appliance translates an address when a NAT rule matches the traffic. If no NAT rule
matches, processing for the packet continues. The exception is when you enable NAT control.
NAT control requires that packets traversing from a higher security interface (inside) to a lower security
interface (outside) match a NAT rule, or else processing for the packet stops. (See the “Security Level
Overview” section on page 7-1 for more information about security levels, and see “NAT Control”
section on page 17-3 for more information about NAT control).
Note In this document, all types of translation are generally referred to as NAT. When discussing NAT, the
terms inside and outside are relative, and represent the security relationship between any two interfaces.
The higher security level is inside and the lower security level is outside; for example, interface 1 is at
60 and interface 2 is at 50, so interface 1 is “inside” and interface 2 is “outside.”
Some of the benefits of NAT are as follows:
• You can use private addresses on your inside networks. Private addresses are not routable on the
Internet. (See the “Private Networks” section on page D-2 for more information.)
• NAT hides the real addresses from other networks, so attackers cannot learn the real address of a
host.
• You can resolve IP routing problems such as overlapping addresses.
See Table 25-1 on page 25-3 for information about protocols that do not support NAT.
Figure 17-1 shows a typical NAT scenario, with a private network on the inside. When the inside host at
10.1.1.27 sends a packet to a web server, the real source address, 10.1.1.27, of the packet is changed to
a mapped address, 209.165.201.10. When the server responds, it sends the response to the mapped
address, 209.165.201.10, and the security appliance receives the packet. The security appliance then
undoes the translation of the mapped address, 209.165.201.10 back to the real address, 10.1.1.1.27
before sending it on to the host.
To Next Page
Loading...
Need help?
General