NAT Types-Dynamic NAT

NAT Types 212

Several types of NAT are available. The Security Appliance can be configured to accomplish any of the following types:

- Dynamic NAT
- Dynamic Port Address Translation (PAT)
- Static NAT
- Static PAT

Dynamic NAT

Dynamic NAT translates a group of real (private) addresses to public IP addresses drawn from a pool of registered (public) addresses that are routable on the destination network. When a host initiates a connection to a particular destination, the Security Appliance translates the host source address, according to the corresponding NAT rule, to an address from the mapped pool. The translation is maintained and is valid for the duration of the connection and is cleared when the session is terminated. If the same host initiates another connection, there is no guarantee it will receive the same address from the mapped pool. Addresses from the pool are handed out on a first-come, first-served basis. Therefore, because the translated address varies, the destination-side user cannot initiate inbound connections when dynamic NAT is used. Dynamic NAT and PAT are used for unidirectional communication only.

Figure 6-10 shows how dynamic NAT works.

NAT Control

The firewall has always been address-aware and connection-aware in the way it applies NAT, for maximum flexibility and security. NAT control is available as a feature in the new software release on the Security Appliance. NAT control dictates to the firewall whether address translation rules are required for outside communications and ensures that the address translation behavior is the same as in versions earlier than 7.0.

The NAT control feature works as follows:

- When NAT control is disabled, the firewall forwards all packets from a higher-security interface (such as Inside) to a lower-security interface (such as Outside) without requiring a NAT rule. Traffic from a lower-security interface to a higher-security interface only requires that it be permitted in the access lists, and no NAT rule is required in this mode.

- When NAT control is enabled, the use of NAT is mandatory (a NAT rule is required). Packets originating from a higher security-level interface (such as Inside) to a lower security-level interface (such as Outside) must match a NAT rule (a nat command with a corresponding global, or a static command), or else processing for the packet stops. Traffic from a lower-security interface to a higher-security interface also requires a NAT rule and must be permitted in the access lists to be forwarded through the firewall.

The default configuration is the equivalent of the no nat-control command (NAT control disabled mode). With version 7.0 and later, this behavior can be changed as required.

To enable NAT control, use the nat-control command in global configuration mode, as shown next:

hostname(config)# nat-control

Note

The nat-control command is available in routed firewall mode and in single and multiple security context modes.

When nat-control is enabled, each Inside address must have a corresponding Inside NAT rule. Similarly, if Outside dynamic NAT is enabled on an interface, each Outside address must have a corresponding Outside NAT rule before communication is permitted through the Security Appliance.

By default, NAT control is disabled (no nat-control command). The no nat-control command allows Inside hosts to communicate with outside networks without the need to configure a NAT rule. In essence, with NAT control disabled, the Security Appliance does not perform an address translation action on any packets. To disable NAT control globally, use the no nat-control command in global configuration mode:

hostname(config)# no nat-control

The difference between the no nat-control command and the nat 0 (identity NAT) command is that identity NAT requires that traffic originate from the higher-level interface. The no nat-control command does not have this requirement, nor does it require a static command to permit communication from the lower-level interface (from Outside to Inside); it relies only on access policies, for example, permitting the traffic in an ACL and having corresponding access entries.

To summarize, traffic traversing from a:

More Secure to a Less Secure interface

- Is designated as outbound traffic.
- The firewall will permit all IP-based traffic unless restricted by access lists, authentication, or authorization.
- One or more of the following commands are required: nat, nat 0, global, static

Less Secure to a More Secure interface

- Is designated as inbound traffic (Outside to Inside connections).
- Inbound permission is required.
- The firewall will drop all packets unless specifically permitted in the access-list that is applied on the incoming interface. Further restrictions apply if authentication and authorization are used.
- One or more of the following commands are required: nat 0 with ACL, static, and an inbound access-list on the incoming interface.

Network Address Translation (NAT)

NAT, also referred to as IP address masquerading, performs the translation of an IP address that is used within one network (the internal network) to a different IP address known within another network (the outside world). NAT technology is commonly used to hide the IP addresses in an internal network (using RFC 1918 private addressing). The masquerading address can be seen as a form of security that hides the real identity of the network.

A NAT device performs the following two processes:

1. Substituting a real address with a mapped address, which is routable on the destination network.

2. Undoing the translation for returning traffic.

Firewall stateful inspection tracks all connections traversing the Security Appliance by maintaining a translation table and using this table to verify that the destination of an inbound packet matches the source of a previous outbound request.
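The two processes listed here and the stateful translation table are the same mechanism that the Dynamic NAT section describes: an address is taken from the pool when an outbound connection starts, the translation table is consulted to undo the mapping for returning traffic, and an inbound packet that matches no entry is dropped. The following Python model is an added example, not Cisco software and not code from the book; the public pool (203.0.113.0/24), inside hosts (192.168.1.0/24) and outside servers (198.51.100.0/24) are constructed sample values, and the model keys translations by connection as the text does rather than carrying protocol and source port as a real xlate entry would.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One outbound connection: real inside source, outside destination and port.
    (Constructed model; a real xlate entry also carries protocol and source port.)"""
    src: str
    dst: str
    dport: int


@dataclass
class DynamicNat:
    """Model of a dynamic NAT pool plus the firewall's translation (xlate) table."""
    pool: list                                   # registered public addresses
    free: list = field(init=False)               # addresses not currently in use
    xlate: dict = field(default_factory=dict)    # Flow -> mapped address
    reverse: dict = field(default_factory=dict)  # (mapped, dst, dport) -> Flow

    def __post_init__(self) -> None:
        # Addresses are handed out first-come, first-served from this list.
        self.free = list(self.pool)

    def outbound(self, flow: Flow) -> Optional[str]:
        """Inside -> Outside. Reuse the existing translation for this connection,
        otherwise take the next free pool address. None means the pool is
        exhausted and the packet cannot be translated."""
        if flow in self.xlate:
            return self.xlate[flow]
        if not self.free:
            return None
        mapped = self.free.pop(0)
        self.xlate[flow] = mapped
        self.reverse[(mapped, flow.dst, flow.dport)] = flow
        return mapped

    def inbound(self, mapped: str, src: str, sport: int) -> Optional[str]:
        """Outside -> Inside. Stateful check: the packet is accepted (and the
        translation undone) only if it is the return half of a known outbound
        connection. Unsolicited inbound traffic finds no xlate and is dropped."""
        flow = self.reverse.get((mapped, src, sport))
        return flow.src if flow is not None else None

    def close(self, flow: Flow) -> None:
        """Session terminated: clear the translation and return the address to the pool."""
        mapped = self.xlate.pop(flow, None)
        if mapped is not None:
            del self.reverse[(mapped, flow.dst, flow.dport)]
            self.free.append(mapped)


def demo() -> dict:
    """Walk through the behavior the text describes using constructed addresses."""
    nat = DynamicNat(pool=["203.0.113.10", "203.0.113.11"])
    host_a = Flow("192.168.1.5", "198.51.100.80", 80)
    host_b = Flow("192.168.1.6", "198.51.100.80", 443)
    host_c = Flow("192.168.1.7", "198.51.100.80", 80)
    out = {}
    out["a_first"] = nat.outbound(host_a)         # first address from the pool
    out["b_first"] = nat.outbound(host_b)         # second address
    out["c_exhausted"] = nat.outbound(host_c)     # pool empty -> None
    out["reply_to_a"] = nat.inbound("203.0.113.10", "198.51.100.80", 80)    # matches xlate
    out["unsolicited"] = nat.inbound("203.0.113.10", "198.51.100.25", 25)   # no xlate -> dropped
    nat.close(host_a)                             # a's session ends, address freed
    out["c_after_free"] = nat.outbound(host_c)    # c now gets a's old address
    nat.close(host_b)
    host_a_again = Flow("192.168.1.5", "198.51.100.80", 8080)
    out["a_again"] = nat.outbound(host_a_again)   # same host, different address this time
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last two steps of demo() show the point the Dynamic NAT section makes about inbound connections: once host_a's session is cleared, a packet to 203.0.113.10 no longer reaches 192.168.1.5, and the host's next connection is assigned whichever pool address happens to be free.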