Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 26      Information About NAT
One of the main functions of NAT is to enable private IP networks to connect to the Internet. NAT 
replaces a private IP address with a public IP address, translating the private addresses in the internal 
private network into legal, routable addresses that can be used on the public Internet. In this way, NAT 
conserves public addresses because it can be configured to advertise only one public address for the 
entire network to the outside world.
Other functions of NAT include:
• Security—Keeping internal IP addresses hidden discourages direct attacks.
• IP routing solutions—Overlapping IP addresses are not a problem when you use NAT.
• Flexibility—You can change internal IP addressing schemes without affecting the public addresses 
available externally; for example, for a server accessible to the Internet, you can maintain a fixed IP 
address for Internet use, but internally, you can change the server address.
NAT Terminology
This document uses the following terminology:
• Real address/host/network/interface—The real address is the address that is defined on the host, 
before it is translated. In a typical NAT scenario, where you want to translate the inside network when 
it accesses the outside, the inside network is the “real” network. Note that you can 
translate any network connected to the adaptive security appliance, not just an inside network. 
Therefore, if you configure NAT to translate outside addresses, “real” can refer to the outside 
network when it accesses the inside network.
• Mapped address/host/network/interface—The mapped address is the address that the real address is 
translated to. In a typical NAT scenario, where you want to translate the inside network when it 
accesses the outside, the outside network is the “mapped” network.
• Bidirectional initiation—Static NAT allows connections to be initiated bidirectionally, meaning 
both to the host and from the host.
• Source and destination NAT—For any given packet, both the source and destination IP addresses are 
compared to the NAT rules, and one or both can be translated/untranslated.
NAT Types
You can implement NAT using the following methods:
• Static NAT—A consistent mapping between a real and mapped IP address. Allows bidirectional 
traffic initiation.
• Dynamic NAT—A group of real IP addresses is mapped to a (usually smaller) group of mapped IP 
addresses, on a first-come, first-served basis. Only the real host can initiate traffic.
• Dynamic Port Address Translation (PAT)—A group of real IP addresses is mapped to a single IP 
address using a unique source port of that IP address.
• Identity NAT—Static NAT lets you translate a real address to itself, essentially bypassing NAT. You 
might want to configure NAT this way when you want to translate a large group of addresses, but 
then want to exempt a smaller subset of addresses.
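
The following Python sketch is an added example, not Cisco code or ASA configuration. It models the four NAT types above to show which mapped addresses accept a new inbound connection and what happens when a dynamic pool runs out. The class and function names, the constructed addresses, the starting PAT port of 1024, and returning `None` for "no translation" are all assumptions of the model.

```python
from ipaddress import ip_address, ip_network

class NatModel:
    """Simplified model of the NAT types above (not ASA code)."""

    def __init__(self, static, dynamic, pat):
        self.static = dict(static)                    # real IP -> mapped IP
        self.dyn_net, pool = ip_network(dynamic[0]), dynamic[1]
        self.pool = list(pool)                        # free mapped addresses
        self.dyn_xlate = {}                           # real IP -> mapped IP
        self.pat_net, self.pat_ip = ip_network(pat[0]), pat[1]
        self.pat_xlate = {}                           # (real IP, port) -> mapped port
        self.next_port = 1024                         # assumed first PAT port

    def outbound(self, real_ip, real_port):
        """Translate the source of a connection initiated by the real host."""
        if real_ip in self.static:                    # static and identity NAT
            return self.static[real_ip], real_port
        addr = ip_address(real_ip)
        if addr in self.dyn_net:                      # dynamic NAT
            if real_ip not in self.dyn_xlate:
                if not self.pool:
                    return None                       # pool used up: no mapping
                self.dyn_xlate[real_ip] = self.pool.pop(0)
            return self.dyn_xlate[real_ip], real_port
        if addr in self.pat_net:                      # dynamic PAT
            key = (real_ip, real_port)
            if key not in self.pat_xlate:
                self.pat_xlate[key] = self.next_port
                self.next_port += 1
            return self.pat_ip, self.pat_xlate[key]
        return None                                   # no rule matches

    def inbound_new(self, mapped_ip):
        """Real host a NEW connection to mapped_ip reaches, or None."""
        for real, mapped in self.static.items():
            if mapped == mapped_ip:
                return real
        return None                                   # dynamic NAT/PAT: not reachable

def build_example():
    # Constructed addresses (RFC 1918 inside, RFC 5737 documentation range outside).
    return NatModel(
        static={"10.1.1.10": "203.0.113.10",          # static NAT
                "10.1.2.5": "10.1.2.5"},              # identity NAT exemption
        dynamic=("10.1.2.0/24", ["203.0.113.20", "203.0.113.21"]),
        pat=("10.1.3.0/24", "203.0.113.30"),
    )
```

In this model only the static and identity entries answer `inbound_new`, which is why those are the mappings whose access rules deserve the closest review.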