6-8
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter6 Configuring NAT (ASA 8.2 and Earlier)
NAT Overview
Dynamic NAT has these disadvantages:
If the mapped pool has fewer addresses than the real group, you could run out of addresses if the
amount of traffic is more than expected.
Use PAT if this event occurs often, because PAT provides over 64,000 translations using ports of a
single address.
You have to use a large number of routable addresses in the mapped pool; if the destination network
requires registered addresses, such as the Internet, you might encounter a shortage of usable
addresses.
The advantage of dynamic NAT is that some protocols cannot use PAT. PAT does not work with the
following:
IP protocols that do not have a port to overload, such as GRE version 0.
Some multimedia applications that have a data stream on one port, the control path on another port,
and are not open standard.
See the “When to Use Application Protocol Inspection” section on page10-2 for more information about
NAT and PAT support.
PAT
PAT translates multiple real addresses to a single mapped IP address by translating the real address and
source port to the mapped address and a unique port. If available, the real source port number is used for
the mapped port. However, if the real port is not available, by default the mapped ports are chosen from
the same range of ports as the real port number: 0 to 511, 512 to 1023, and 1024 to 65535. Therefore,
ports below 1024 have only a small PAT pool that can be used.
Each connection requires a separate translation, because the source port differs for each connection. For
example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.
After the connection expires, the port translation also expires after 30 seconds of inactivity. The timeout
is not configurable. Users on the destination network cannot reliably initiate a connection to a host that
uses PAT (even if the connection is allowed by an ACL). Not only can you not predict the real or mapped
port number of the host, but the ASA does not create a translation at all unless the translated host is the
initiator. See the following “Static NAT” or “Static PAT” sections for reliable access to hosts.
PAT lets you use a single mapped address, thus conserving routable addresses. You can even use the ASA
interface IP address as the PAT address. PAT does not work with some multimedia applications that have
a data stream that is different from the control path. See the “When to Use Application Protocol
Inspection” section on page 10-2 for more information about NAT and PAT support.
Note For the duration of the translation, a remote host can initiate a connection to the translated host if an ACL
allows it. Because the port address (both real and mapped) is unpredictable, a connection to the host is
unlikely. Nevertheless, in this case, you can rely on the security of the ACL. However, policy PAT does
not support time-based ACLs.