NAT in Routed Mode, NAT in Transparent Mode – Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI, page 29-13

Chapter 29 Information About NAT

NAT in Routed and Transparent Mode

NAT in Routed Mode

Figure 29-12 shows a typical NAT example in routed mode, with a private network on the inside.

Figure 29-12 NAT Example: Routed Mode

1. When the inside host at 10.1.2.27 sends a packet to a web server, the real source address of the packet, 10.1.2.27, is changed to a mapped address, 209.165.201.10.

2. When the server responds, it sends the response to the mapped address, 209.165.201.10, and the ASA receives the packet because the ASA performs proxy ARP to claim the packet.

3. The ASA then undoes the translation, changing the mapped address, 209.165.201.10, back to the real address, 10.1.2.27, before sending it to the host.

NAT in Transparent Mode

Using NAT in transparent mode eliminates the need for the upstream or downstream routers to perform
NAT for their networks.

NAT in transparent mode has the following requirements and limitations:

Because the transparent firewall does not have any interface IP addresses, you cannot use interface PAT.

ARP inspection is not supported. Moreover, if for some reason a host on one side of the ASA sends an ARP request to a host on the other side of the ASA, and the initiating host's real address is mapped to a different address on the same subnet, then the real address remains visible in the ARP request.

Figure 29-13 shows a typical NAT scenario in transparent mode, with the same network on the inside and outside interfaces. The transparent firewall in this scenario is performing the NAT service so that the upstream router does not have to perform NAT.
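The following is an added example, not code from the Cisco guide: a small Python model of the static NAT flow in steps 1 to 3 above (translation on the originating packet, proxy ARP claiming the mapped address, undo translation on the responding packet), plus the transparent-mode caveat that an ARP request crossing the ASA still carries the sender's real address. The host 10.1.2.27 and mapped address 209.165.201.10 come from the chapter; the web server address 198.51.100.80 and the ARP target 10.1.2.50 are constructed sample values, and the class and function names are this example's own.

```python
"""Toy model of one-to-one static NAT as described in the ASA chapter.

This is illustrative code only; it does not talk to an ASA.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: str = ""


class StaticNat:
    """Static (one-to-one) NAT table: real address <-> mapped address."""

    def __init__(self, real_to_mapped: dict[str, str]):
        self.real_to_mapped = dict(real_to_mapped)
        self.mapped_to_real = {m: r for r, m in real_to_mapped.items()}

    def outbound(self, pkt: Packet) -> Packet:
        # Step 1: the real source address is rewritten to the mapped address.
        mapped = self.real_to_mapped.get(pkt.src)
        return pkt if mapped is None else replace(pkt, src=mapped)

    def proxy_arp_claims(self, target_ip: str) -> bool:
        # Step 2: the ASA answers ARP for mapped addresses it owns, so the
        # upstream device hands it the reply destined to 209.165.201.10.
        return target_ip in self.mapped_to_real

    def inbound(self, pkt: Packet) -> Packet:
        # Step 3: undo translation, mapped destination back to the real host.
        real = self.mapped_to_real.get(pkt.dst)
        return pkt if real is None else replace(pkt, dst=real)


def routed_mode_flow(nat: StaticNat, inside_host: str, server: str):
    """Run the three routed-mode steps and return what each stage produced."""
    original = Packet(src=inside_host, dst=server, payload="GET /")
    translated = nat.outbound(original)                 # leaves the ASA
    reply = Packet(src=server, dst=translated.src, payload="200 OK")
    claimed = nat.proxy_arp_claims(reply.dst)           # ASA receives reply
    delivered = nat.inbound(reply) if claimed else None  # reaches real host
    return translated, claimed, delivered


def transparent_arp_passthrough(nat: StaticNat, arp_request: dict):
    """Transparent mode forwards the ARP request unchanged (no ARP inspection,
    no rewriting of the sender IP), so report whether the sender IP it
    carries is a real address that NAT would otherwise hide."""
    forwarded = dict(arp_request)  # bridged as-is across the ASA
    exposed = forwarded["sender_ip"] in nat.real_to_mapped
    return forwarded, exposed


if __name__ == "__main__":
    nat = StaticNat({"10.1.2.27": "209.165.201.10"})
    # Server address 198.51.100.80 is a constructed value (documentation range).
    t, claimed, d = routed_mode_flow(nat, "10.1.2.27", "198.51.100.80")
    print("outbound src after NAT:", t.src)
    print("ASA proxy-ARPs for reply:", claimed)
    print("reply dst after undo translation:", d.dst)
    # Constructed ARP request from the real host to a constructed target.
    arp = {"sender_ip": "10.1.2.27", "target_ip": "10.1.2.50"}
    fwd, exposed = transparent_arp_passthrough(nat, arp)
    print("ARP sender visible across transparent ASA:", exposed)
```

The `exposed` flag is the observable consequence of the second limitation listed above: in transparent mode the NAT rule rewrites IP packets but not the sender field of a bridged ARP request, so a defender should not rely on NAT to hide real addresses from hosts on the far side of a transparent ASA.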

[Figure diagram labels: Web Server www.cisco.com; Outside 209.165.201.2; Inside 10.1.2.1; host 10.1.2.27; Originating Packet, Translation 10.1.2.27 to 209.165.201.10; Responding Packet, Undo Translation 209.165.201.10 to 10.1.2.27; Security Appliance]
