Cisco 4700M Configuration Manual page 330

Application control engine appliance security

Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide, OL-16202-01, page 5-4
Chapter 5: Configuring Network Address Translation

Network Address Translation Overview

Not only can you not predict the global IP address of the host, but the ACE does not create a translation unless the local host is the initiator. See the "Configuring Static NAT and Static Port Redirection" section for details about reliable access to hosts.

Note: For the duration of the translation, a global host can initiate a connection to the local host if an ACL allows it. Because the address is unpredictable, a connection to the host is unlikely. However, in this case, you can rely on the security of the ACL.

Dynamic NAT has these disadvantages:
- If the global address pool has fewer addresses than the local group, you could run out of addresses if the amount of traffic is greater than expected. Use dynamic PAT if this event occurs often, because dynamic PAT provides over 64,000 translations using multiple ports of a single IP address.
- If you need to use a large number of routable addresses in the global pool and the destination network requires registered addresses (for example, the Internet), you may encounter a shortage of usable addresses.

The advantage of dynamic NAT is that some protocols cannot use dynamic PAT. Dynamic PAT does not work with some applications that have a data stream on one port and the control path on another, such as some multimedia applications.

Note: The ACE allows you to configure a virtual IP (VIP) address in the NAT pool for dynamic NAT and PAT. This action is useful when you want to source NAT real server originated connections (bound to the client) using the VIP address. This feature is specifically useful when there are a limited number of real world IP addresses on the client-side network. To perform PAT for different real servers that are source-NATed to the same IP address (VIP), you must configure the pat keyword in the nat-pool command.
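
The dynamic NAT behaviour described above (a translation exists only after the local host initiates, inbound connections need both a live translation and a permitting ACL, and a small pool runs out where PAT does not) can be checked with a small model. This is an added Python illustration, not Cisco code and not taken from the guide. The class and function names, the documentation addresses and the PAT port range 1024-65535 are assumptions, and translation timeouts are not modelled.

```python
from itertools import product

PAT_PORTS = range(1024, 65536)  # assumed port range: 64,512 ports per global address


class DynamicTranslator:
    """Toy model of dynamic NAT (pat=False) or dynamic PAT (pat=True) on one pool."""

    def __init__(self, pool, pat=False):
        self.pat = pat
        # NAT hands out whole addresses; PAT hands out (address, port) pairs.
        self.free = product(pool, PAT_PORTS) if pat else iter(pool)
        self.xlate = {}    # local key  -> global key
        self.reverse = {}  # global key -> local key

    def outbound(self, local_ip, local_port):
        """Local host initiates: create or reuse a translation, None if exhausted."""
        key = (local_ip, local_port) if self.pat else local_ip
        if key not in self.xlate:
            mapped = next(self.free, None)
            if mapped is None:
                return None  # pool exhausted, the flow cannot be translated
            self.xlate[key] = mapped
            self.reverse[mapped] = key
        mapped = self.xlate[key]
        return mapped if self.pat else (mapped, local_port)

    def inbound(self, global_ip, global_port, acl_permits):
        """Global host initiates: needs an existing translation AND a permitting ACL."""
        key = (global_ip, global_port) if self.pat else global_ip
        local = self.reverse.get(key)
        if local is None or not acl_permits:
            return None
        return local if self.pat else (local, global_port)


def demo():
    """Three local hosts against a two-address NAT pool and a one-address PAT pool."""
    pool = ["203.0.113.10", "203.0.113.11"]        # constructed global pool
    hosts = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]   # constructed local group
    nat = DynamicTranslator(pool)
    pat = DynamicTranslator(pool[:1], pat=True)
    nat_results = [nat.outbound(h, 40000) for h in hosts]
    pat_results = [pat.outbound(h, 40000) for h in hosts]
    return nat_results, pat_results
```

In the model the third host gets no translation from the two-address NAT pool, while the single PAT address serves all three flows on distinct ports.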


This manual is also suitable for:

4700 series
