Pat - Cisco Catalyst 6500 Series Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services
NAT Overview

translation is only in place for the duration of the connection, a given user does not keep the same IP address after the translation times out (see the timeout xlate command in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference). Users on the destination network, therefore, cannot reliably initiate a connection to a host that uses dynamic NAT (even if the connection is allowed by an access control list (ACL)). Not only can you not predict the global IP address of the host, but the FWSM does not create a translation at all unless the local host is the initiator. See "Static NAT" or "Static PAT" below for reliable access to hosts.

Note
For the duration of the translation, a global host can initiate a connection to the local host if an ACL allows it. Because the address is unpredictable, a connection to the host is unlikely. However, in this case, you can rely on the security of the ACL.

Dynamic NAT has these disadvantages:

• If the global pool has fewer addresses than the local group, you could run out of addresses if the amount of traffic is more than expected. Use PAT if this event occurs often, because PAT provides over 64,000 translations using ports of a single address.

• You have to use a large number of routable addresses in the global pool; if the destination network requires registered addresses, such as the Internet, you might encounter a shortage of usable addresses.

The advantage of dynamic NAT is that some protocols cannot use PAT. PAT does not work with some applications that have a data stream on one port and the control path on another, such as some multimedia applications. See the "Inspection Engine Overview" section on page 13-1 for more information about NAT and PAT support.

PAT

PAT translates multiple local addresses to a single global IP address. Specifically, the FWSM translates the local address and local port for multiple connections and/or hosts to a single global address and a unique port (above 1024). When a local host connects to the destination network on a given source port, the FWSM assigns the global IP address to it and a unique port number. Each host receives the same IP address, but because the source port numbers are unique, the responding traffic, which includes the IP address and port number as the destination, can be sent to the correct host. Because there are over 64,000 ports available, you are unlikely to run out of addresses, which can happen with dynamic NAT.

Because the translation is specific to the local address and local port, each connection, which generates a new source port, requires a separate translation. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.

The translation is only in place for the duration of the connection, so a given user does not keep the same global IP address and port number after the translation times out (see the timeout xlate command in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference). Users on the destination network, therefore, cannot reliably initiate a connection to a host that uses PAT (even if the connection is allowed by an ACL). Not only can you not predict the local or global port number of the host, but the FWSM does not create a translation at all unless the local host is the initiator. See "Static NAT" or "Static PAT" below for reliable access to hosts.

PAT lets you use a single global address, thus conserving routable addresses. You can even use the FWSM interface IP address as the PAT address. PAT does not work with some multimedia applications that have a data stream that is different from the control path. See the "Inspection Engine Overview" section on page 13-1 for more information about NAT and PAT support.

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 9 Configuring Network Address Translation
9-4
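The following is an added example, not Cisco code or anything from this guide: a small Python model of the xlate behaviour the dynamic NAT and PAT sections above describe, showing that dynamic NAT hands out one global address per local host and can exhaust its pool, that PAT gives 10.1.1.1:1025 and 10.1.1.1:1026 separate translations on one address, and that an inbound packet from the destination network is deliverable only while a matching xlate exists. The pool addresses, hosts and the 3-hour timeout are constructed placeholders, and ACL evaluation is not modelled.

```python
from dataclasses import dataclass
# Constructed model of the xlate behaviour described above (not Cisco code);
# pool addresses, hosts and the 3-hour timeout are illustrative placeholders.
@dataclass
class Xlate:
    local: tuple    # (local_ip, local_port)
    glob: tuple     # (global_ip, global_port)
    expires: int    # time after which the entry is dropped (cf. timeout xlate)

class Translator:
    def __init__(self, mode, pool, timeout=3 * 3600):
        self.mode = mode        # "dynamic": one global IP per host; "pat": one IP, many ports
        self.pool = list(pool)  # global pool; PAT uses pool[0] only
        self.timeout = timeout
        self.table = {}         # translation key -> Xlate
        self.next_port = 1025   # PAT global ports are unique and above 1024

    def _expire(self, now):
        for key in [k for k, x in self.table.items() if x.expires <= now]:
            del self.table[key]

    def outbound(self, local_ip, local_port, now):
        # Local host initiates a connection: create (or refresh) its xlate.
        self._expire(now)
        # Dynamic NAT is keyed on the local address; PAT on address and port,
        # so 10.1.1.1:1025 and 10.1.1.1:1026 need separate PAT translations.
        key = local_ip if self.mode == "dynamic" else (local_ip, local_port)
        xl = self.table.get(key)
        if xl is None:
            if self.mode == "dynamic":
                used = {x.glob[0] for x in self.table.values()}
                free = [a for a in self.pool if a not in used]
                if not free:
                    return None               # global pool exhausted
                glob = (free[0], local_port)  # address changes, port is kept
            else:
                glob = (self.pool[0], self.next_port)
                self.next_port += 1
            xl = self.table[key] = Xlate((local_ip, local_port), glob, 0)
        xl.expires = now + self.timeout
        return xl.glob

    def inbound(self, global_ip, global_port, now):
        """Packet from the destination network: deliverable only while a matching xlate exists."""
        self._expire(now)
        for x in self.table.values():
            if self.mode == "dynamic" and x.glob[0] == global_ip:
                return (x.local[0], global_port)  # dynamic NAT leaves the port alone
            if self.mode == "pat" and x.glob == (global_ip, global_port):
                return x.local
        return None  # no translation, so the FWSM cannot deliver the packet
```

Once an xlate has timed out, `inbound` returns None even for a global address/port that worked moments before, which is why the guide points to static NAT or static PAT for hosts that must be reachable from the destination network.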
