Cisco ASA 5505 Configuration Manual page 511

Chapter 26 Information About NAT
NAT in Routed Mode
Figure 26-12
Figure 26-12
10.1.2.27
1.
2.
3.
NAT in Transparent Mode
Using NAT in transparent mode eliminates the need for the upstream or downstream routers to perform
NAT for their networks.
NAT in transparent mode has the following requirements and limitations:
•
•
•
OL-20339-01
shows a typical NAT example in routed mode, with a private network on the inside.
NAT Example: Routed Mode
Originating
Packet
Translation
209.165.201.10
When the inside host at 10.1.2.27 sends a packet to a web server, the real source address of the
packet, 10.1.2.27, is changed to a mapped address, 209.165.201.10.
When the server responds, it sends the response to the mapped address, 209.165.201.10, and the
adaptive security appliance receives the packet.
The adaptive security appliance then changes the translation of the mapped address,
209.165.201.10, back to the real address, 10.1.2.27, before sending it to the host.
When the mapped addresses are not on the same network as the transparent firewall, then on the
upstream router you need to add a static route for the mapped addresses that points to the
downstream router (through the adaptive security appliance).
When you have VoIP or DNS traffic with NAT and inspection enabled, to successfully translate the
IP address inside VoIP and DNS packets, the adaptive security appliance needs to perform a route
lookup. Unless the host is on a directly-connected network, then you need to add a static route on
the adaptive security appliance for the real host address that is embedded in the packet.
Because the transparent firewall does not have any interface IP addresses, you cannot use interface
PAT.
Web Server
www.cisco.com
Outside
209.165.201.2
Security
Appliance
209.165.201.10
10.1.2.1
Inside
10.1.2.27
Cisco ASA 5500 Series Configuration Guide using ASDM
NAT in Routed and Transparent Mode
Responding
Packet
Undo Translation
10.1.2.27
26-13