29-11
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter29 Information About NAT
NAT Types
Figure 29-10 shows a typical dynamic PAT scenario. Only real hosts can create a NAT session, and
responding traffic is allowed back. The mapped address is the same for each translation, but the port is
dynamically assigned.
Figure29-10 Dynamic PAT
After the connection expires, the port translation also expires after 30 seconds of inactivity. The timeout
is not configurable. Users on the destination network cannot reliably initiate a connection to a host that
uses PAT (even if the connection is allowed by an access rule).
Note For the duration of the translation, a remote host can initiate a connection to the translated host if an
access rule allows it. Because the port address (both real and mapped) is unpredictable, a connection to
the host is unlikely. Nevertheless, in this case you can rely on the security of the access rule.

Dynamic PAT Disadvantages and Advantages

Dynamic PAT lets you use a single mapped address, thus conserving routable addresses. You can even
use the ASA interface IP address as the PAT address.
Dynamic PAT does not work with some multimedia applications that have a data stream that is different
from the control path. See the “Default Settings” section on page42-4 for more information about NAT
and PAT support.
Dynamic PAT may also create a large number of connections appearing to come from a single IP address,
and servers might interpret the traffic as a DoS attack. (8.4(2)/8.5(1) and later) You can configure a PAT
pool of addresses and use a round-robin assignment of PAT addresses to mitigate this situation.
Identity NAT
You might have a NAT configuration in which you need to translate an IP address to itself. For example,
if you create a broad rule that applies NAT to every network, but want to exclude one network from NAT,
you can create a static NAT rule to translate an address to itself. Identity NAT is necessary for remote
access VPN, where you need to exempt the client traffic from NAT.
10.1.1.1:1025 209.165.201.1:2020
Inside Outside
10.1.1.1:1026 209.165.201.1:2021
10.1.1.2:1025 209.165.201.1:2022
130034
Security
Appliance