Cisco ASA 5505 Configuration Manual page 509

Asa 5500 series

Cisco ASA 5500 Series Configuration Guide using ASDM (OL-20339-01), page 26-11
Chapter 26: Information About NAT
NAT Types

Figure 26-10 shows a typical dynamic PAT scenario. Only real hosts can create a NAT session, and
responding traffic is allowed back. The mapped address is the same for each translation, but the port is
dynamically assigned.

Figure 26-10 Dynamic PAT
[Figure: the security appliance between the Inside and Outside networks, translating]
10.1.1.1:1025 -> 209.165.201.1:2020
10.1.1.1:1026 -> 209.165.201.1:2021
10.1.1.2:1025 -> 209.165.201.1:2022

After the connection expires, the port translation also expires after 30 seconds of inactivity. The timeout
is not configurable. Users on the destination network cannot reliably initiate a connection to a host that
uses PAT (even if the connection is allowed by an access rule).

Note: For the duration of the translation, a remote host can initiate a connection to the translated host if an
access rule allows it. Because the port address (both real and mapped) is unpredictable, a connection to
the host is unlikely. Nevertheless, in this case you can rely on the security of the access rule.

Dynamic PAT Disadvantages and Advantages
Dynamic PAT lets you use a single mapped address, thus conserving routable addresses. You can even
use the adaptive security appliance interface IP address as the PAT address.
Dynamic PAT does not work with some multimedia applications that have a data stream that is different
from the control path. See the "When to Use Application Protocol Inspection" section on page 36-2 for
more information about NAT and PAT support.

Identity NAT
You might have a NAT configuration in which you need to translate an IP address to itself. For example,
if you create a broad rule that applies NAT to every network, but want to exclude one network from NAT,
you can create a static NAT rule to translate an address to itself. Identity NAT is necessary for remote
access VPN, where you need to exempt the client traffic from NAT.
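The dynamic PAT lifecycle described above, as a simplified model added here (it is not Cisco code or configuration). It shows that an inbound connection reaches a real host only while a translation exists and the access rule permits it. The class name, the boolean access-rule flag and the sequential port allocation starting at 2020 (chosen only to reproduce the Figure 26-10 ports) are assumptions.

```python
import itertools

PAT_IDLE_TIMEOUT = 30  # seconds; the page states this timeout is not configurable

class DynamicPat:
    """Simplified model of a dynamic PAT table with one mapped address."""
    def __init__(self, mapped_ip, first_port=2020):
        self.mapped_ip = mapped_ip
        self._ports = itertools.count(first_port)  # assumption: sequential ports
        self.by_real = {}    # (real_ip, real_port) -> mapped_port
        self.by_mapped = {}  # mapped_port -> [real_ip, real_port, idle_since]

    def outbound(self, real_ip, real_port):
        """A real host opens a connection: create or reuse its translation."""
        key = (real_ip, real_port)
        if key not in self.by_real:
            port = next(self._ports)
            self.by_real[key] = port
            self.by_mapped[port] = [real_ip, real_port, None]
        self.by_mapped[self.by_real[key]][2] = None  # connection is active
        return self.mapped_ip, self.by_real[key]

    def connection_closed(self, real_ip, real_port, now):
        """The connection expired: start the idle clock on its translation."""
        self.by_mapped[self.by_real[(real_ip, real_port)]][2] = now

    def expire(self, now):
        """Drop translations idle for PAT_IDLE_TIMEOUT seconds or more."""
        for port, (ip, rport, idle) in list(self.by_mapped.items()):
            if idle is not None and now - idle >= PAT_IDLE_TIMEOUT:
                del self.by_mapped[port], self.by_real[(ip, rport)]

    def inbound(self, mapped_port, now, access_rule_permits):
        """A remote host initiates a connection to mapped_ip:mapped_port."""
        self.expire(now)
        entry = self.by_mapped.get(mapped_port)
        if entry is None or not access_rule_permits:
            return None               # no translation, or the access rule denies
        return entry[0], entry[1]     # delivered to the real host

if __name__ == "__main__":
    pat = DynamicPat("209.165.201.1")
    for host in [("10.1.1.1", 1025), ("10.1.1.1", 1026), ("10.1.1.2", 1025)]:
        print(host, "->", pat.outbound(*host))
    print("rule denies :", pat.inbound(2020, now=0, access_rule_permits=False))
    print("rule permits:", pat.inbound(2020, now=0, access_rule_permits=True))
```

In the model, as in the Note, the translation alone never blocks an inbound connection to a live mapped port; only the access rule does.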


This manual is also suitable for:

ASA 5510, ASA 5540, ASA 5520, ASA 5550, ASA 5580
