Cisco Systems ASA 5510 Network Router User Manual
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 35 Configuring NAT (ASA 8.2 and Earlier), page 35-6
NAT Overview
NAT Types
This section describes the available NAT types, and includes the following topics:
Dynamic NAT, page 35-6
PAT, page 35-8
Static NAT, page 35-8
Static PAT, page 35-9
Bypassing NAT When NAT Control is Enabled, page 35-10
You can implement address translation as dynamic NAT, Port Address Translation (PAT), static NAT, static PAT, or as a mix of these types. You can also configure rules to bypass NAT; for example, when NAT control is enabled but you do not want to perform NAT for certain hosts.
Dynamic NAT
Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network. The mapped pool may include fewer addresses than the real group. When a host you want to translate accesses the destination network, the ASA assigns the host an IP address from the mapped pool. The translation is added only when the real host initiates the connection. The translation is in place only for the duration of the connection, and a given user does not keep the same IP address after the translation times out. Users on the destination network, therefore, cannot initiate a reliable connection to a host that uses dynamic NAT, even if the connection is allowed by an access list, and the ASA rejects any attempt to connect to a real host address directly. See the “Static NAT” or “Static PAT” section for information on how to obtain reliable access to hosts.
Note: In some cases, a translation is added for a connection even though the session is denied by the ASA. This condition occurs with an outbound access list, a management-only interface, or a backup interface; in these cases the translation times out normally.
Figure 35-6 shows a remote host attempting to connect to the real address. The connection is denied, because the ASA only allows returning connections to the mapped address.