17-13
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 17 Applying NAT
NAT Overview
Note The security appliance does not support VoIP inspection engines when you configure NAT on same
security interfaces. These inspection engines include Skinny, SIP, and H.323. See the “When to Use
Application Protocol Inspection” section on page 25-2 for supported inspection engines.
Order of NAT Commands Used to Match Real Addresses
The security appliance matches real addresses to NAT commands in the following order:
1. NAT exemption (nat 0 access-list)—In order, until the first match. Identity NAT is not included in
this category; it is included in the regular static NAT or regular NAT category. We do not recommend
overlapping addresses in NAT exemption statements because unexpected results can occur.
2. Static NAT and Static PAT (regular and policy) (static)—In order, until the first match. Static
identity NAT is included in this category.
3. Policy dynamic NAT (nat access-list)—In order, until the first match. Overlapping addresses are
allowed.
4. Regular dynamic NAT (nat)—Best match. Regular identity NAT is included in this category. The
order of the NAT commands does not matter; the NAT statement that best matches the real address
is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an
interface. If you want to translate a subset of your network (10.1.1.1) to a different address, then you
can create a statement to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific
statement for 10.1.1.1 is used because it matches the real address best. We do not recommend using
overlapping statements; they use more memory and can slow the performance of the security
appliance.
Mapped Address Guidelines
When you translate the real address to a mapped address, you can use the following mapped addresses:
• Addresses on the same network as the mapped interface.
If you use addresses on the same network as the mapped interface (through which traffic exits the
security appliance), the security appliance uses proxy ARP to answer any requests for mapped
addresses, and thus intercepts traffic destined for a real address. This solution simplifies routing,
because the security appliance does not have to be the gateway for any additional networks.
However, this approach does put a limit on the number of available addresses used for translations.
For PAT, you can even use the IP address of the mapped interface.
• Addresses on a unique network.
If you need more addresses than are available on the mapped interface network, you can identify
addresses on a different subnet. The security appliance uses proxy ARP to answer any requests for
mapped addresses, and thus intercepts traffic destined for a real address. If you use OSPF, and you
advertise routes on the mapped interface, then the security appliance advertises the mapped
addresses. If the mapped interface is passive (not advertising routes) or you are using static routing,
then you need to add a static route on the upstream router that sends traffic destined for the mapped
addresses to the security appliance.
To Next Page
Loading...
Need help?
General