9-12
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 9 Network Address Translation (NAT)
Dynamic NAT
Dynamic NAT
The following topics explain dynamic NAT and how to configure it.
• About Dynamic NAT, page 9-12
• Configure Dynamic Network Object NAT, page 9-14
• Configure Dynamic Twice NAT, page 9-16
About Dynamic NAT
Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the
destination network. The mapped pool typically includes fewer addresses than the real group. When a
host you want to translate accesses the destination network, the ASA assigns the host an IP address from
the mapped pool. The translation is created only when the real host initiates the connection. The
translation is in place only for the duration of the connection, and a given user does not keep the same
IP address after the translation times out. Users on the destination network, therefore, cannot initiate a
reliable connection to a host that uses dynamic NAT, even if the connection is allowed by an access rule.
Note For the duration of the translation, a remote host can initiate a connection to the translated host if an
access rule allows it. Because the address is unpredictable, a connection to the host is unlikely.
Nevertheless, in this case you can rely on the security of the access rule.
The following figure shows a typical dynamic NAT scenario. Only real hosts can create a NAT session,
and responding traffic is allowed back.
Figure 9-2 Dynamic NAT
10.1.1.1 209.165.201.1
Inside Outside
10.1.1.2 209.165.201.2
130032
Security
Appliance
To Next Page
Loading...
Need help?
General
