User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 23 Configuring Network Address Translation
Understanding Network Address Translation
• About “Simplified” NAT on ASA 8.3+ Devices
Types of Address Translation
The following table briefly describes the various types of address translation.
Table 23-1 Types of Address Translation

| Type | Description |
|---|---|
| Static NAT | Fixed translation of real source addresses to specific mapped addresses—each source address is always translated to the same mapped address, regardless of IP protocol and port number. |
| Static PAT | Fixed translation of real source addresses with specific TCP or UDP port numbers, to specific mapped addresses and ports. That is, each source address/port is always translated to the same mapped address/port. |
| Policy Static NAT | Fixed translation of real source addresses to specific mapped addresses. Destination networks/hosts are also specified, and the service is always IP. |
| Policy Static PAT | Fixed translation of real source addresses with specific TCP or UDP port numbers, to specific mapped addresses and ports. Destination networks/hosts and services are also specified. |
| Dynamic NAT | Dynamic translation of real source addresses to mapped addresses obtained from a pool of shared addresses. Each source address can be mapped to any available address in the pool. |
| Dynamic PAT | Translation of real source addresses to a single mapped address; singularity is provided by dynamic translation of related port numbers. That is, each real address/port combination is translated to the same mapped address, but assigned a unique port. This is sometimes referred to as “overloading.” |
| Policy Dynamic NAT | Dynamic translation of specific source-address/destination-address/service combinations on a given interface, using a pool of shared addresses. Translation direction—outbound or inbound—is also specified. |
| Identity NAT | The specified address is translated to itself—that is, it is effectively not translated; applies to outbound connections only. Identity NAT is a particular type of Static NAT. |
| NAT Exempt | Translation is bypassed for specified source/destination address combinations; connections can be initiated in both the outbound and inbound directions. |

Note: While certain of these types do not apply to ASA 8.3 and later devices, the ASA 8.3+ devices do provide a Dynamic NAT and PAT option, which is Dynamic NAT with a Dynamic PAT back-up feature.

About “Simplified” NAT on ASA 8.3+ Devices
The release of ASA version 8.3 provides a simplified approach to configuring network address translation (NAT), as compared to earlier ASA versions and other devices. Configuration of NAT was simplified by replacing the earlier flow-based scheme with an “original packet” to “translated packet” approach.
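The Dynamic NAT and PAT option mentioned in the note (Dynamic NAT with a Dynamic PAT back-up), sketched as a simplified Python model. This is an added example, not Cisco code and not a description of the ASA's implementation; the class name, the documentation-range addresses and the starting PAT port of 1024 are assumptions made for illustration.

```python
import ipaddress


class DynamicNatWithPatBackup:
    """Simplified model (assumption, not ASA internals): each real host gets
    its own pool address; once the pool is used up, further hosts share one
    back-up address and are told apart by a unique mapped port."""

    def __init__(self, pool, pat_address, first_port=1024):
        self.free = [str(ip) for ip in pool]  # unused pool addresses
        self.nat = {}   # real_ip -> mapped_ip              (dynamic NAT)
        self.pat = {}   # (real_ip, real_port) -> mapped_port (dynamic PAT)
        self.pat_address = pat_address
        self.next_port = first_port

    def translate(self, real_ip, real_port):
        # Dynamic NAT: the address changes, the source port is preserved.
        if real_ip in self.nat:
            return self.nat[real_ip], real_port
        if self.free:
            self.nat[real_ip] = self.free.pop(0)
            return self.nat[real_ip], real_port
        # Pool exhausted: PAT back-up, one shared address, unique port.
        key = (real_ip, real_port)
        if key not in self.pat:
            if self.next_port > 65535:
                raise RuntimeError("PAT port space exhausted")
            self.pat[key] = self.next_port
            self.next_port += 1
        return self.pat_address, self.pat[key]


def demo():
    # Constructed sample: a two-address pool plus one PAT back-up address.
    pool = [ipaddress.ip_address("203.0.113.10") + i for i in range(2)]
    xlate = DynamicNatWithPatBackup(pool, "203.0.113.1")
    flows = [("10.0.0.5", 40000), ("10.0.0.6", 40000), ("10.0.0.5", 40001),
             ("10.0.0.7", 40000), ("10.0.0.8", 40000), ("10.0.0.7", 40000)]
    return [xlate.translate(ip, port) for ip, port in flows]


if __name__ == "__main__":
    for mapped in demo():
        print(mapped)
```

Once the back-up is in use, several real hosts share one mapped address, so attributing a connection seen from outside to a real host requires the mapped port (and the time) as well as the address.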