Chapter 5
Configuring Network Address Translation
Dynamic NAT
OL-16202-01
• NAT hides the local addresses from other networks, so attackers cannot learn the real address of a server in the data center.
• You can resolve IP routing problems, such as overlapping addresses, when you have two interfaces connected to overlapping subnets.
The ACE provides the following types of NAT and PAT:
• Interface-based dynamic NAT
• Interface-based dynamic PAT
• Server farm-based dynamic NAT
• Static NAT
• Static port redirection
This section contains the following topics:
• Dynamic NAT
• Dynamic PAT
• Server Farm-Based Dynamic NAT
• Static NAT
• Static Port Redirection
• Maximum Number of NAT Commands
• Global Address Guidelines
Dynamic NAT, which is typically used for SNAT, translates a group of local
source addresses to a pool of global source addresses that are routable on the
destination network. The global pool can include fewer addresses than the local
group. When a local host accesses the destination network, the ACE assigns an IP
address from the global pool to the host.
Because the translation times out after being idle for a user-configurable period
of time, a given user does not keep the same IP address. For this reason, users on
the destination network cannot reliably initiate a connection to a host that uses
dynamic NAT (even if the connection is allowed by an access control list [ACL]).
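The pool-allocation and idle-timeout behaviour described above can be modelled in a few lines. The following is an added illustration, not configuration or code from the ACE guide: a toy dynamic NAT table that hands out global addresses from a small pool, frees them after an idle period, and shows why a destination-side host cannot rely on a global address still pointing at the same local host. All addresses, the pool size and the timeout are constructed values, and the first-free allocation policy is a simplification rather than the appliance's actual algorithm.

```python
"""Toy model of dynamic (pool-based) source NAT with idle timeouts.

Constructed example: the pool, host addresses and timeout below are made up,
and first-free allocation is a simplification of real NAT pool behaviour.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Translation:
    local: str        # real (local) source address
    global_: str      # address from the global pool, routable on the destination network
    last_used: float  # time of the last packet that refreshed this translation


@dataclass
class DynamicNat:
    pool: List[str]          # global addresses available for translation
    idle_timeout: float      # seconds of inactivity before a translation is freed
    table: Dict[str, Translation] = field(default_factory=dict)

    def _expire(self, now: float) -> None:
        """Drop every translation that has been idle for at least idle_timeout."""
        for local, t in list(self.table.items()):
            if now - t.last_used >= self.idle_timeout:
                del self.table[local]

    def outbound(self, local: str, now: float) -> Optional[str]:
        """A local host sends traffic at time `now`; return the global address it gets.

        Returns None when every pool address is already in use (pool exhaustion).
        """
        self._expire(now)
        t = self.table.get(local)
        if t is None:
            in_use = {x.global_ for x in self.table.values()}
            free = [g for g in self.pool if g not in in_use]
            if not free:
                return None
            t = Translation(local, free[0], now)
            self.table[local] = t
        t.last_used = now
        return t.global_

    def inbound(self, global_addr: str, now: float) -> Optional[str]:
        """A destination-side host targets a global address.

        Returns the local host behind it only if a live translation exists; an
        ACL permitting the flow does not help once the translation has timed out.
        """
        self._expire(now)
        for t in self.table.values():
            if t.global_ == global_addr:
                return t.local
        return None


def demo():
    """Walk through allocation, exhaustion, expiry and reuse on a two-address pool."""
    nat = DynamicNat(pool=["203.0.113.10", "203.0.113.11"], idle_timeout=60)
    a = nat.outbound("10.0.0.5", now=0)          # gets 203.0.113.10
    b = nat.outbound("10.0.0.6", now=1)          # gets 203.0.113.11
    c = nat.outbound("10.0.0.7", now=2)          # None: pool exhausted
    live = nat.inbound("203.0.113.10", now=30)   # "10.0.0.5" while translation is live
    stale = nat.inbound("203.0.113.10", now=70)  # None: 10.0.0.5 idle for 70 s, expired
    d = nat.outbound("10.0.0.7", now=71)         # freed address reused: 203.0.113.10
    other = nat.inbound("203.0.113.10", now=80)  # now reaches 10.0.0.7, a different host
    return a, b, c, live, stale, d, other


if __name__ == "__main__":
    for name, value in zip(("a", "b", "c", "live", "stale", "d", "other"), demo()):
        print(f"{name} = {value}")
```

The last two steps are the point of the paragraph: once host 10.0.0.5 has been idle past the timeout, the same global address is handed to 10.0.0.7, so anyone on the destination network who cached 203.0.113.10 now reaches a different server. For a host that must be reachable from outside, the guide's static NAT or static port redirection is the appropriate tool, not dynamic NAT.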
Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide
Network Address Translation Overview
5-3