Nat Types - Cisco FirePOWER ASA 5500 series Configuration Manual
Security appliance command line
Hide thumbs
Also See for FirePOWER ASA 5500 series:
- Datasheet (20 pages) ,
- Configuration manual (1140 pages)
Table of Contents
Advertisement
Chapter 17
Applying NAT
NAT Types
This section describes the available NAT types. You can implement address translation as dynamic NAT,
Port Address Translation, static NAT, or static PAT or as a mix of these types. You can also configure
rules to bypass NAT, for example, if you enable NAT control but do not want to perform NAT. This
section includes the following topics:
•
•
•
•
•
Dynamic NAT
Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the
destination network. The mapped pool can include fewer addresses than the real group. When a host you
want to translate accesses the destination network, the security appliance assigns it an IP address from
the mapped pool. The translation is added only when the real host initiates the connection. The
translation is in place only for the duration of the connection, and a given user does not keep the same
IP address after the translation times out (see the timeout xlate command in the Cisco Security
Appliance Command Reference). Users on the destination network, therefore, cannot reliably initiate a
connection to a host that uses dynamic NAT (even if the connection is allowed by an access list), and the
security appliance rejects any attempt to connect to a real host address directly. See the following
NAT"
In some cases, a translation is added for a connection (see the show xlate command) even though the
Note
session is denied by the security appliance. This condition occurs with an outbound access list, a
management-only interface, or a backup interface. The translation times out normally.
Figure 17-5
because the security appliance only allows returning connections to the mapped address.
OL-10088-01
Dynamic NAT, page 17-5
PAT, page 17-7
Static NAT, page 17-7
Static PAT, page 17-8
Bypassing NAT when NAT Control is Enabled, page 17-9
or
"Static PAT"
sections for reliable access to hosts.
shows a remote host attempting to connect to the real address. The connection is denied
Cisco Security Appliance Command Line Configuration Guide
NAT Overview
"Static
17-5
Advertisement
Table of Contents
Troubleshooting
