Dynamic nat, Dynamic – Cisco ASA 5505 User Manual
Page 562
29-8
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 29 Information About NAT
NAT Types
shows a typical few-to-many static NAT scenario.
Figure 29-6
Few-to-Many Static NAT
For a many-to-few or many-to-one configuration, where you have more real addresses than mapped
addresses, you run out of mapped addresses before you run out of real addresses. Only the mappings
between the lowest real IP addresses and the mapped pool result in bidirectional initiation. The
remaining higher real addresses can initiate traffic, but traffic cannot be initiated to them (returning
traffic for a connection is directed to the correct real address because of the unique 5-tuple (source IP,
destination IP, source port, destination port, protocol) for the connection).
Note
Many-to-few or many-to-one NAT is not PAT. If two real hosts use the same source port number and go
to the same outside server and the same TCP destination port, and both hosts are translated to the same
IP address, then both connections will be reset because of an address conflict (the 5-tuple is not unique).
shows a typical many-to-few static NAT scenario.
Figure 29-7
Many-to-Few Static NAT
Instead of using a static rule this way, we suggest that you create a one-to-one rule for the traffic that
needs bidirectional initiation, and then create a dynamic rule for the rest of your addresses.
Dynamic NAT
This section describes dynamic NAT and includes the following topics:
•
Information About Dynamic NAT, page 29-9
•
Dynamic NAT Disadvantages and Advantages, page 29-10
10.1.2.27
209.165.201.3
Inside
Outside
10.1.2.28
209.165.201.4
10.1.2.27
209.165.201.5
10.1.2.28
209.165.201.6
10.1.2.27
209.165.201.7
Security
Appliance
248769
10.1.2.27
209.165.201.3
Inside
Outside
10.1.2.28
209.165.201.4
10.1.2.29
209.165.201.3
10.1.2.30
209.165.201.4
10.1.2.31
209.165.201.3
Security
Appliance
248770