23-2
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 23 Configuring Network Address Translation
Understanding Network Address Translation
Address translation substitutes the real address in a packet with a mapped address that is routable on the
destination network. As part of the process, the device also records the substitution in a translation
database; these records are known as “xlate” entries. The appropriate xlate entry must exist to allow
address translation on return packets—the substitution of the original real address for the mapped
address; this procedure is sometimes referred to as “untranslation.” Thus, network address translation
(NAT) actually consists of two steps: the translation of a real address into a mapped address, and the
reverse translation for returning traffic.
One of the main functions of NAT is to enable private IP networks to connect to the Internet. Network
address translation replaces a private IP address with a public IP address, translating the private
addresses in the internal network into legal, routable addresses that can be used on the public Internet.
In this way, NAT conserves public addresses; for example, NAT rules can be configured to utilize only
one public address for the entire network in communications with the outside world.
Other functions of NAT include:
Security – Keeping internal IP addresses hidden discourages direct attacks.
IP routing solutions – Overlapping IP addresses are not a problem.
Flexibility – You can change internal IP addressing schemes without affecting the public addresses
available externally. For example, for a server accessible to the Internet, you can maintain a fixed IP
address for Internet use, but internally, you can change the server address.
Cisco devices support both NAT, which provides a globally unique address for each outbound host
session, and Port Address Translation (PAT), which provides the same single address combined with a
unique port number, for up to 64,000 simultaneous outbound or inbound host sessions. The global
addresses used for NAT come from a pool of addresses specifically designated for address translation.
The unique global address that is used for PAT can be either one global address, or the IP address of a
given interface.
The device translates an address when an existing NAT rule matches the specific traffic. If no NAT rule
matches, processing for the packet continues. The exception is when you enable NAT control. NAT
control requires that packets traversing from a higher security interface (inside) to a lower security
interface (outside) match a NAT rule, or processing for the packet stops.
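To make the two-step process concrete, the following is a small Python model of a PAT device keeping an xlate table, written for this page and not taken from Cisco Security Manager or ASA code; the addresses, the port range starting at 1024 and the sequential port allocation are constructed assumptions, not device behaviour:

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class PatDevice:
    """Toy model of a device doing PAT behind one global address (constructed example)."""
    mapped_ip: str                 # the single global address used for PAT
    inside_nets: tuple             # real-address prefixes covered by a NAT rule
    nat_control: bool = False      # if True, inside->outside traffic must match a rule
    next_port: int = 1024          # next unique mapped port to hand out (constructed policy)
    xlates: dict = field(default_factory=dict)   # (real_ip, real_port) -> mapped_port
    reverse: dict = field(default_factory=dict)  # mapped_port -> (real_ip, real_port)

    def rule_matches(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n) for n in self.inside_nets)

    def outbound(self, pkt: Packet):
        """Inside -> outside: substitute the mapped address and a unique port, record the xlate."""
        if not self.rule_matches(pkt.src):
            # No matching rule: dropped under NAT control, otherwise forwarded untranslated.
            return None if self.nat_control else pkt
        key = (pkt.src, pkt.sport)
        if key not in self.xlates:           # an existing session reuses its xlate entry
            self.xlates[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return Packet(self.mapped_ip, self.xlates[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """Outside -> inside return traffic: untranslate via the xlate, or drop if none exists."""
        if pkt.dst != self.mapped_ip or pkt.dport not in self.reverse:
            return None
        real_ip, real_port = self.reverse[pkt.dport]
        return Packet(pkt.src, pkt.sport, real_ip, real_port)
```

A return packet whose destination port has no xlate entry is dropped, which is the behaviour the text describes for inbound traffic without a prior translation.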
Cisco devices can perform NAT or PAT on both inbound and outbound connections. This ability to
translate inbound addresses is called “Outside NAT” because addresses on the outside, or less secure,
interface are translated to a usable inside IP address. Just as when you translate outbound traffic, you
may choose dynamic NAT, static NAT, dynamic PAT, or static PAT. If necessary, you can use outside NAT
together with inside NAT to translate both the source and destination IP addresses of a packet.
Note: In this document, all types of translation are generally referred to as NAT; see Types of Address
Translation, page 23-3 for descriptions of the various types. When describing NAT, the terms inside and
outside represent the security relationship between any two interfaces. The higher security level is inside
and the lower security level is outside.
The release of ASA version 8.3 provides a simplified, interface-independent approach to configuring
network address translation, as compared to earlier ASA versions and other devices. See About
“Simplified” NAT on ASA 8.3+ Devices, page 23-3 for more information.
Related Topics
Types of Address Translation, page 23-3