26-13
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 26 Information About NAT
NAT in Routed and Transparent Mode
NAT in Routed Mode
Figure 26-12 shows a typical NAT example in routed mode, with a private network on the inside.
Figure 26-12 NAT Example: Routed Mode
1.
When the inside host at 10.1.2.27 sends a packet to a web server, the real source address of the
packet, 10.1.2.27, is changed to a mapped address, 209.165.201.10.
2. When the server responds, it sends the response to the mapped address, 209.165.201.10, and the
adaptive security appliance receives the packet.
3. The adaptive security appliance then changes the translation of the mapped address,
209.165.201.10, back to the real address, 10.1.2.27, before sending it to the host.
NAT in Transparent Mode
Using NAT in transparent mode eliminates the need for the upstream or downstream routers to perform
NAT for their networks.
NAT in transparent mode has the following requirements and limitations:
• When the mapped addresses are not on the same network as the transparent firewall, then on the
upstream router you need to add a static route for the mapped addresses that points to the
downstream router (through the adaptive security appliance).
• When you have VoIP or DNS traffic with NAT and inspection enabled, to successfully translate the
IP address inside VoIP and DNS packets, the adaptive security appliance needs to perform a route
lookup. Unless the host is on a directly-connected network, then you need to add a static route on
the adaptive security appliance for the real host address that is embedded in the packet.
• Because the transparent firewall does not have any interface IP addresses, you cannot use interface
PAT.
Web Server
www.cisco.com
Outside
Inside
209.165.201.2
10.1.2.1
10.1.2.27
130023
Translation
209.165.201.1010.1.2.27
Originating
Packet
Undo Translation
209.165.201.10 10.1.2.27
Responding
Packet
Security
Appliance
To Next Page
Loading...
Need help?
General
