Introduction to NAT - Cisco FirePOWER ASA 5500 series Configuration Manual

Security appliance command line
NAT Overview

Introduction to NAT

Address translation substitutes the real address in a packet with a mapped address that is routable on the destination network. NAT is comprised of two steps: the process in which a real address is translated into a mapped address, and then the process to undo translation for returning traffic.

The security appliance translates an address when a NAT rule matches the traffic. If no NAT rule matches, processing for the packet continues. The exception is when you enable NAT control. NAT control requires that packets traversing from a higher security interface (inside) to a lower security interface (outside) match a NAT rule, or else processing for the packet stops. (See the "Security Level Overview" section on page 7-1 for more information about security levels, and see the "NAT Control" section on page 17-3 for more information about NAT control.)

Note: In this document, all types of translation are generally referred to as NAT. When discussing NAT, the terms inside and outside are relative, and represent the security relationship between any two interfaces. The higher security level is inside and the lower security level is outside; for example, interface 1 is at 60 and interface 2 is at 50, so interface 1 is "inside" and interface 2 is "outside."

Some of the benefits of NAT are as follows:
• You can use private addresses on your inside networks. Private addresses are not routable on the Internet. (See the "Private Networks" section on page D-2 for more information.)
• NAT hides the real addresses from other networks, so attackers cannot learn the real address of a host.
• You can resolve IP routing problems such as overlapping addresses.

See Table 25-1 on page 25-3 for information about protocols that do not support NAT.

Figure 17-1 shows a typical NAT scenario, with a private network on the inside. When the inside host at 10.1.1.27 sends a packet to a web server, the real source address, 10.1.1.27, of the packet is changed to a mapped address, 209.165.201.10. When the server responds, it sends the response to the mapped address, 209.165.201.10, and the security appliance receives the packet. The security appliance then undoes the translation of the mapped address, 209.165.201.10, back to the real address, 10.1.1.27, before sending it on to the host.

Cisco Security Appliance Command Line Configuration Guide, Chapter 17 "Applying NAT", page 17-2, OL-10088-01
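The two-step translation (real to mapped on the way out, mapped back to real for the reply) and the NAT control rule described above, modelled in Python as an added example; this is not code from the Cisco guide and does not reproduce the appliance's CLI. It assumes a single dynamic rule mapping the 10.1.1.0/24 network to 209.165.201.10, interface names "inside" (security level 60) and "outside" (level 50) matching the page's interface 1 and interface 2, and constructed placeholder addresses that the page does not give: 203.0.113.5 for the web server, 10.1.2.9 for an inside host with no NAT rule, and 198.51.100.7 for an outside host.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Interface security levels from the page's example: interface 1 at 60 is
# "inside", interface 2 at 50 is "outside". The interface names are ours.
SECURITY_LEVELS = {"inside": 60, "outside": 50}


@dataclass(frozen=True)
class NatRule:
    """One dynamic NAT rule: hosts in real_network are translated to mapped."""
    real_network: ipaddress.IPv4Network
    mapped: ipaddress.IPv4Address


@dataclass
class SecurityAppliance:
    levels: Dict[str, int]
    rules: List[NatRule]
    nat_control: bool = False
    # Translation table: mapped address -> real address. Step 1 fills it so
    # that step 2 can undo the translation for returning traffic.
    xlate: Dict[ipaddress.IPv4Address, ipaddress.IPv4Address] = field(default_factory=dict)

    def is_inside_to_outside(self, ingress: str, egress: str) -> bool:
        """Inside/outside are relative: the higher security level is inside."""
        return self.levels[ingress] > self.levels[egress]

    def forward(self, src: str, dst: str, ingress: str, egress: str) -> Optional[Tuple[str, str]]:
        """Step 1: translate the real source address when a NAT rule matches.

        Returns the (source, destination) pair as the packet leaves the egress
        interface, or None if processing for the packet stops (packet dropped).
        """
        real = ipaddress.IPv4Address(src)
        rule = next((r for r in self.rules if real in r.real_network), None)
        if rule is None:
            # No rule matched. Without NAT control, processing simply continues.
            # With NAT control, a packet from a higher to a lower security
            # interface must match a NAT rule, or else processing stops.
            if self.nat_control and self.is_inside_to_outside(ingress, egress):
                return None
            return (src, dst)
        self.xlate[rule.mapped] = real
        return (str(rule.mapped), dst)

    def return_traffic(self, src: str, dst: str) -> Tuple[str, str]:
        """Step 2: undo the translation for a reply sent to the mapped address."""
        real = self.xlate.get(ipaddress.IPv4Address(dst))
        return (src, str(real) if real is not None else dst)


def build_appliance(nat_control: bool = False) -> SecurityAppliance:
    """One rule, assumed for this example: 10.1.1.0/24 -> 209.165.201.10."""
    rule = NatRule(ipaddress.IPv4Network("10.1.1.0/24"),
                   ipaddress.IPv4Address("209.165.201.10"))
    return SecurityAppliance(levels=SECURITY_LEVELS, rules=[rule], nat_control=nat_control)


def figure_17_1_scenario() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Replays the page's scenario: 10.1.1.27 reaches a web server through the
    mapped address 209.165.201.10, and the reply is mapped back to 10.1.1.27.
    The web server address 203.0.113.5 is a constructed placeholder."""
    asa = build_appliance()
    outbound = asa.forward("10.1.1.27", "203.0.113.5", "inside", "outside")
    inbound = asa.return_traffic("203.0.113.5", "209.165.201.10")
    return outbound, inbound


def nat_control_demo(nat_control: bool, ingress: str = "inside", egress: str = "outside",
                     src: str = "10.1.2.9") -> Optional[Tuple[str, str]]:
    """A host with no matching NAT rule (constructed addresses). Inside->outside it
    is forwarded untranslated without NAT control and dropped (None) with it;
    outside->inside NAT control does not apply, so it is forwarded either way."""
    asa = build_appliance(nat_control=nat_control)
    return asa.forward(src, "203.0.113.5", ingress, egress)


if __name__ == "__main__":
    print(figure_17_1_scenario())
    print(nat_control_demo(False), nat_control_demo(True))
    print(nat_control_demo(True, "outside", "inside", "198.51.100.7"))
```

The model deliberately keeps one translation table entry per mapped address so the second step is a plain reverse lookup; a real appliance also keys the entry on ports and protocol, which the page's description leaves out.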