Pat; Static Nat - Cisco 7604 Configuration Manual

NAT Overview
Dynamic NAT has these disadvantages:
•
•
The advantage of dynamic NAT is that some protocols cannot use PAT. For example, PAT does not work
with IP protocols that do not have a port to overload, such as GRE version 0. PAT also does not work
with some applications that have a data stream on one port and the control path on another and are not
open standard, such as some multimedia applications. See the
page 22-2

PAT

PAT (also known as NAT overloading) translates multiple real addresses to a single mapped IP address.
Specifically, the FWSM translates the real address and source port (real socket) to the mapped address
and a unique port above 1024 (mapped socket). Each connection requires a separate translation, because
the source port differs for each connection. For example, 10.1.1.1:1025 requires a separate translation
from 10.1.1.1:1026.
After the connection expires, the port translation also expires after 30 seconds of inactivity. The timeout
is not configurable. Users on the destination network cannot reliably initiate a connection to a host that
uses PAT (even if the connection is allowed by an access list). Not only can you not predict the real or
mapped port number of the host, but the FWSM does not create a translation at all unless the translated
host is the initiator. See the following
PAT lets you use a single mapped address, thus conserving routable addresses. You can even use the
FWSM interface IP address as the PAT address. PAT does not work with some multimedia applications
that have a data stream that is different from the control path. See the
section on page 22-2
For the duration of the translation, a remote host can initiate a connection to the translated host if an
Note
access list allows it. Because the port address (both real and mapped) is unpredictable, a connection to
the host is unlikely. However in this case, you can rely on the security of the access list.

Static NAT

Static NAT creates a fixed translation of real address(es) to mapped address(es).With dynamic NAT and
PAT, each host uses a different address or port for each subsequent translation. Because the mapped
address is the same for each consecutive connection with static NAT, and a persistent translation rule
exists, static NAT allows hosts on the destination network to initiate traffic to a translated host (if there
is an access list that allows it).
The main difference between dynamic NAT and a range of addresses for static NAT is that static NAT
allows a remote host to initiate a connection to a translated host (if there is an access list that allows it),
while dynamic NAT does not. You also need an equal number of mapped addresses as real addresses with
static NAT.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
16-8
If the mapped pool has fewer addresses than the real group, you could run out of addresses if the
amount of traffic is more than expected.
Use PAT if this event occurs often because PAT provides over 64,000 translations using ports of a
single address.
You have to use a large number of routable addresses in the mapped pool; if the destination network
requires registered addresses, such as the Internet, you might encounter a shortage of usable
addresses.
for more information about NAT and PAT support.
for more information about NAT and PAT support.
"Inspection Engine Overview" section on
"Static NAT" or "Static PAT"
Chapter 16 Configuring NAT
sections for reliable access to hosts.
"Inspection Engine Overview"
OL-20748-01