Cisco Systems ASA Services Module Webcam User Manual


 
3-13
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 3 Information About NAT (ASA 8.3 and Later)
NAT in Routed and Transparent Mode
NAT in Routed Mode
Figure 3-12 shows a typical NAT example in routed mode, with a private network on the inside.
Figure 3-12 NAT Example: Routed Mode
1.
When the inside host at 10.1.2.27 sends a packet to a web server, the real source address of the
packet, 10.1.2.27, is changed to a mapped address, 209.165.201.10.
2. When the server responds, it sends the response to the mapped address, 209.165.201.10, and the
ASA receives the packet because the ASA performs proxy ARP to claim the packet.
3. The ASA then changes the translation of the mapped address, 209.165.201.10, back to the real
address, 10.1.2.27, before sending it to the host.
NAT in Transparent Mode
Using NAT in transparent mode eliminates the need for the upstream or downstream routers to perform
NAT for their networks.
NAT in transparent mode has the following requirements and limitations:
Because the transparent firewall does not have any interface IP addresses, you cannot use interface
PAT.
ARP inspection is not supported. Moreover, if for some reason a host on one side of the ASA sends
an ARP request to a host on the other side of the ASA, and the initiating host real address is mapped
to a different address on the same subnet, then the real address remains visible in the ARP request.
Translating between IPv4 and IPv6 networks is not supported. Translating between two IPv6
networks, or between two IPv4 networks is supported.
Figure 3-13 shows a typical NAT scenario in transparent mode, with the same network on the inside and
outside interfaces. The transparent firewall in this scenario is performing the NAT service so that the
upstream router does not have to perform NAT.
Web Server
www.cisco.com
Outside
Inside
209.165.201.2
10.1.2.1
10.1.2.27
130023
Translation
209.165.201.1010.1.2.27
Originating
Packet
Undo Translation
209.165.201.10 10.1.2.27
Responding
Packet
Security
Appliance