Network Address Translation Overview - Cisco 4700M Configuration Manual

Network Address Translation Overview

Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide
5-2
When a client attempts to access a server in a data center, the client incorporates
its IP address in the IP header when it connects to the server. An ACE placed
between the client and the server can either preserve the client IP address or
translate that IP address to a routable address in the server network, based on a
pool of reserved dynamic NAT addresses or a static NAT address mapping, and
pass the request on to the server.
This IP address translation process is called Network Address Translation (NAT)
or source NAT (SNAT). The ACE tracks all SNAT mappings to ensure that
response packets from the server are routed back to the client. If your application
requires that the client IP address be preserved for statistical or accounting
purposes, do not implement SNAT.
Destination NAT (DNAT) translates the IP address and port of an inside host so
that it appears with a publicly addressable destination IP address to the rest of the
world. Typically, you configure DNAT using static NAT and port redirection. You
can use port redirection to configure servers that host a service on a custom port
(for example, servers hosting HTTP on port 8080).
To provide security for a server, you can map the server private IP address to a
global routable IP address that a client can use to connect to the server. In this
case, the ACE translates the global IP address to the server private IP address
when sending data from the client to the server. Conversely, when a server
responds to a client, the ACE translates the local server IP address to a global IP
address for security reasons. This process is called DNAT.
You can also configure the ACE to translate TCP and UDP port numbers greater
than 1024, and ICMP identifiers. This process is known as Port Address
Translation (PAT). The ACE provides 64 K minus 1 K ports for each IP address
for PAT. Ports 0 through 1024 are reserved and cannot be used for PAT.
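The SNAT, DNAT and PAT behaviour described above, as an added example that is not Cisco's or the ACE's own code: a small Python model that keeps the SNAT mapping table so replies can be routed back to the client, allocates PAT ports only above the reserved 0 through 1024 range, publishes a private server listening on port 8080 behind a global address on port 80 (DNAT with port redirection), and reverses both translations on the server's reply. The addresses, the single-address pool, and the class and function names are constructed assumptions.

```python
# Added example (not Cisco/ACE code): toy model of the SNAT, DNAT and PAT behaviour
# described in the text. All addresses and ports are constructed sample values.
from dataclasses import dataclass, field
from typing import Optional

PAT_FIRST_PORT, PAT_LAST_PORT = 1025, 65535   # ports 0-1024 are reserved, never used for PAT

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class NatDevice:
    snat_pool_ip: str                  # the single dynamic SNAT pool address (assumption)
    dnat_static: dict                  # (global_ip, port) -> (private_ip, port)
    _next_port: int = PAT_FIRST_PORT
    _snat: dict = field(default_factory=dict)    # (client_ip, port) -> PAT port
    _rsnat: dict = field(default_factory=dict)   # PAT port -> (client_ip, port)

    def client_to_server(self, f: Flow) -> Flow:
        """DNAT (static map with port redirection), then SNAT with PAT."""
        priv = self.dnat_static.get((f.dst_ip, f.dst_port), (f.dst_ip, f.dst_port))
        key = (f.src_ip, f.src_port)
        if key not in self._snat:                # new flow: allocate a PAT port
            if self._next_port > PAT_LAST_PORT:
                raise RuntimeError("PAT port pool exhausted for " + self.snat_pool_ip)
            port, self._next_port = self._next_port, self._next_port + 1
            self._snat[key], self._rsnat[port] = port, key
        return Flow(self.snat_pool_ip, self._snat[key], *priv)

    def server_to_client(self, f: Flow) -> Optional[Flow]:
        """Reverse both translations from tracked state; None means no state, drop."""
        if f.dst_ip != self.snat_pool_ip or f.dst_port not in self._rsnat:
            return None
        client = self._rsnat[f.dst_port]
        for glob, priv in self.dnat_static.items():   # reverse DNAT: hide the private IP
            if priv == (f.src_ip, f.src_port):
                return Flow(*glob, *client)
        return Flow(f.src_ip, f.src_port, *client)

def demo():
    """Client 203.0.113.5 reaches published 198.51.100.10:80, served on 10.0.0.10:8080."""
    ace = NatDevice("192.0.2.100", {("198.51.100.10", 80): ("10.0.0.10", 8080)})
    out = ace.client_to_server(Flow("203.0.113.5", 40000, "198.51.100.10", 80))
    back = ace.server_to_client(Flow(out.dst_ip, out.dst_port, out.src_ip, out.src_port))
    return ace, out, back
```

A server-originated packet with no matching SNAT state returns None, which is the behaviour that lets the device route only tracked replies back to clients.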
By default, the ACE performs implicit PAT on flows except when:
• Only routing packets
• Only bridging packets
• Performing transparent load balancing
• Server load balancing is configured with the forward action in a policy
Some of the benefits of NAT are as follows:
• You can use private addresses on your inside networks. Private addresses are
not routable on the Internet.
Chapter 5
Configuring Network Address Translation
OL-16202-01