17-5
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 17 Applying NAT
NAT Overview
NAT Types
This section describes the available NAT types. You can implement address translation as dynamic NAT,
Port Address Translation, static NAT, or static PAT or as a mix of these types. You can also configure
rules to bypass NAT, for example, if you enable NAT control but do not want to perform NAT. This
section includes the following topics:
• Dynamic NAT, page 17-5
• PAT, page 17-7
• Static NAT, page 17-7
• Static PAT, page 17-8
• Bypassing NAT when NAT Control is Enabled, page 17-9
Dynamic NAT
Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the
destination network. The mapped pool can include fewer addresses than the real group. When a host you
want to translate accesses the destination network, the security appliance assigns it an IP address from
the mapped pool. The translation is added only when the real host initiates the connection. The
translation is in place only for the duration of the connection, and a given user does not keep the same
IP address after the translation times out (see the timeout xlate command in the Cisco Security
Appliance Command Reference). Users on the destination network, therefore, cannot reliably initiate a
connection to a host that uses dynamic NAT (even if the connection is allowed by an access list), and the
security appliance rejects any attempt to connect to a real host address directly. See the following “Static
NAT” or “Static PAT” sections for reliable access to hosts.
Note In some cases, a translation is added for a connection (see the show xlate command) even though the
session is denied by the security appliance. This condition occurs with an outbound access list, a
management-only interface, or a backup interface. The translation times out normally.
Figure 17-5 shows a remote host attempting to connect to the real address. The connection is denied
because the security appliance only allows returning connections to the mapped address.
To Next Page
Loading...
Need help?
General