Chapter 15 Firewall Mode Overview - Cisco FirePOWER ASA 5500 series Configuration Manual

Routed Mode Overview

Note: NAT control was the default behavior for software versions earlier than Version 7.0. If you upgrade a security appliance from an earlier version, then the nat-control command is automatically added to your configuration to maintain the expected behavior.

Some of the benefits of NAT include the following:
• You can use private addresses on your inside networks. Private addresses are not routable on the Internet.
• NAT hides the local addresses from other networks, so attackers cannot learn the real address of a host.
• NAT can resolve IP routing problems by supporting overlapping IP addresses.

Figure 15-1 shows a typical NAT scenario, with a private network on the inside. When the inside user sends a packet to a web server on the Internet, the local source address of the packet is changed to a routable global address. When the web server responds, it sends the response to the global address, and the security appliance receives the packet. The security appliance then translates the global address to the local address before sending it on to the user.

Figure 15-1 NAT Example
[Figure: an inside host 10.1.2.27 sits behind the Inside side of the security appliance (10.1.2.1); the Outside side is 209.165.201.2, with the web server www.example.com on the Internet. Originating packet: source address translation 10.1.2.27 -> 209.165.201.10. Responding packet: destination address translation 209.165.201.10 -> 10.1.2.27.]

How Data Moves Through the Security Appliance in Routed Firewall Mode

This section describes how data moves through the security appliance in routed firewall mode, and includes the following topics:
• An Inside User Visits a Web Server, page 15-3
• An Outside User Visits a Web Server on the DMZ, page 15-4
• An Inside User Visits a Web Server on the DMZ, page 15-5

Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, page 15-2
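As an added illustration (not code from the guide or from Cisco), the following Python model replays the Figure 15-1 exchange: the translation table, the source rewrite on the originating packet, the destination rewrite on the responding packet, and the drop of an inbound packet addressed to a global address that has no translation entry. The web server address 203.0.113.80 is a constructed stand-in for www.example.com, and the pool and table are a simplification of the appliance's real translation behavior.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Packet:
    src: str  # source IP address
    dst: str  # destination IP address

class RoutedModeNat:
    """Minimal model of the source address translation in Figure 15-1.

    An outbound packet from an inside local address is given a routable global
    address from the pool and recorded in a translation table; the reply to that
    global address is matched against the table and its destination rewritten
    back. A packet for a global address with no entry is dropped (None), which
    is why the real inside address stays hidden from the outside.
    """

    def __init__(self, global_pool: List[str]) -> None:
        self._free = list(global_pool)               # unused global addresses
        self._local_to_global: Dict[str, str] = {}   # translation table
        self._global_to_local: Dict[str, str] = {}   # reverse lookup for replies

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the local source address to a global one."""
        if pkt.src not in self._local_to_global:
            if not self._free:
                raise RuntimeError("global address pool exhausted")
            glob = self._free.pop(0)
            self._local_to_global[pkt.src] = glob
            self._global_to_local[glob] = pkt.src
        return Packet(src=self._local_to_global[pkt.src], dst=pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: rewrite the global destination back, or drop."""
        local = self._global_to_local.get(pkt.dst)
        if local is None:
            return None  # no translation entry: the appliance drops the packet
        return Packet(src=pkt.src, dst=local)

def figure_15_1_flow():
    """Replay the originating and responding packets of Figure 15-1."""
    nat = RoutedModeNat(global_pool=["209.165.201.10"])
    web_server = "203.0.113.80"  # constructed address standing in for www.example.com
    originating = nat.outbound(Packet(src="10.1.2.27", dst=web_server))
    responding = nat.inbound(Packet(src=web_server, dst=originating.src))
    unsolicited = nat.inbound(Packet(src=web_server, dst="209.165.201.11"))
    return originating, responding, unsolicited
```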