Dynamic pat disadvantages and advantages, Identity nat – Cisco ASA 5505 User Manual


29-11

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 29 Information About NAT

NAT Types

Figure 29-10 shows a typical dynamic PAT scenario. Only real hosts can create a NAT session, and responding traffic is allowed back. The mapped address is the same for each translation, but the port is dynamically assigned.

Figure 29-10 Dynamic PAT

After the connection expires, the port translation also expires after 30 seconds of inactivity. The timeout
is not configurable. Users on the destination network cannot reliably initiate a connection to a host that
uses PAT (even if the connection is allowed by an access rule).

Note

For the duration of the translation, a remote host can initiate a connection to the translated host if an
access rule allows it. Because the port address (both real and mapped) is unpredictable, a connection to
the host is unlikely. Nevertheless, in this case you can rely on the security of the access rule.

Dynamic PAT Disadvantages and Advantages

Dynamic PAT lets you use a single mapped address, thus conserving routable addresses. You can even
use the ASA interface IP address as the PAT address.

Dynamic PAT does not work with some multimedia applications that have a data stream that is different from the control path. See the “Default Settings” section on page 42-4 for more information about NAT and PAT support.

Dynamic PAT may also create a large number of connections appearing to come from a single IP address,
and servers might interpret the traffic as a DoS attack. (8.4(2)/8.5(1) and later) You can configure a PAT
pool of addresses and use a round-robin assignment of PAT addresses to mitigate this situation.
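The following is an added example, not code from the Cisco guide: a small Python model of an ASA-style dynamic PAT table that reproduces the behaviour described above for the Figure 29-10 scenario (one mapped address, dynamically assigned ports, the 30-second idle expiry, inbound traffic reaching a real host only while a translation exists and an access rule allows it) and the round-robin PAT pool. Sequential port assignment starting at 2020 and the 30-second value are simplifications chosen to match the figure and the text.

```python
from dataclasses import dataclass, field
from itertools import cycle

IDLE_TIMEOUT = 30  # seconds of inactivity before a PAT translation expires (per the guide)


@dataclass
class PatTable:
    """Minimal model of a dynamic PAT translation (xlate) table. Not Cisco code."""
    pool: list                     # mapped addresses; a single entry is classic dynamic PAT
    first_port: int = 2020         # constructed starting port, chosen to match Figure 29-10
    xlate: dict = field(default_factory=dict)  # (real_ip, real_port) -> (mapped_ip, mapped_port, last_seen)
    next_port: dict = field(default_factory=dict)  # mapped_ip -> next free mapped port
    rr: object = field(default=None, repr=False)

    def __post_init__(self):
        self.rr = cycle(self.pool)  # round-robin over the PAT pool (8.4(2)/8.5(1)+ behaviour)

    def expire(self, now):
        """Drop translations idle for IDLE_TIMEOUT seconds or more."""
        self.xlate = {k: v for k, v in self.xlate.items() if now - v[2] < IDLE_TIMEOUT}

    def outbound(self, real_ip, real_port, now):
        """A real (inside) host opens a connection: create or refresh its translation."""
        self.expire(now)
        key = (real_ip, real_port)
        if key in self.xlate:
            m_ip, m_port, _ = self.xlate[key]          # existing xlate is reused
        else:
            m_ip = next(self.rr)                       # same address each time if pool has one entry
            m_port = self.next_port.get(m_ip, self.first_port)
            self.next_port[m_ip] = m_port + 1          # port is assigned dynamically
        self.xlate[key] = (m_ip, m_port, now)
        return m_ip, m_port

    def inbound(self, mapped_ip, mapped_port, now, allowed_by_access_rule):
        """A remote host sends to mapped_ip:mapped_port. The packet reaches the real host
        only while an unexpired translation exists AND an access rule permits it;
        otherwise it is dropped (returns None)."""
        self.expire(now)
        for (r_ip, r_port), (m_ip, m_port, _) in self.xlate.items():
            if (m_ip, m_port) == (mapped_ip, mapped_port):
                return (r_ip, r_port) if allowed_by_access_rule else None
        return None
```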

Identity NAT

You might have a NAT configuration in which you need to translate an IP address to itself. For example,
if you create a broad rule that applies NAT to every network, but want to exclude one network from NAT,
you can create a static NAT rule to translate an address to itself. Identity NAT is necessary for remote
access VPN, where you need to exempt the client traffic from NAT.

[Figure 29-10, Dynamic PAT: the Security Appliance sits between Inside and Outside. Inside 10.1.1.1:1025 maps to Outside 209.165.201.1:2020; 10.1.1.1:1026 maps to 209.165.201.1:2021; 10.1.1.2:1025 maps to 209.165.201.1:2022.]