How nat is implemented – Cisco ASA 5505 User Manual
Page 570
29-16
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 29 Information About NAT
How NAT is Implemented
How NAT is Implemented
The ASA can implement address translation in two ways: network object NAT and twice NAT. This
section includes the following topics:
•
Main Differences Between Network Object NAT and Twice NAT, page 29-16
•
Information About Network Object NAT, page 29-17
•
Information About Twice NAT, page 29-17
Main Differences Between Network Object NAT and Twice NAT
The main differences between these two NAT types are:
•
How you define the real address.
–
Network object NAT—You define NAT as a parameter for a network object. A network object
names an IP host, range, or subnet so you can then use the object in configuration instead of the
actual IP addresses. The network object IP address serves as the real address. This method lets
you easily add NAT to network objects that might already be used in other parts of your
configuration.
–
Twice NAT—You identify a network object or network object group for both the real and
mapped addresses. In this case, NAT is not a parameter of the network object; the network object
or group is a parameter of the NAT configuration. The ability to use a network object group for
the real address means that twice NAT is more scalable.
•
How source and destination NAT is implemented.
–
Network object NAT— Each rule can apply to either the source or destination of a packet. So
two rules might be used, one for the source IP address, and one for the destination IP address.
These two rules cannot be tied together to enforce a specific translation for a source/destination
combination.
–
Twice NAT—A single rule translates both the source and destination. A matching packet only
matches the one rule, and further rules are not checked. Even if you do not configure the
optional destination address for twice NAT, a matching packet still only matches one twice NAT
rule. The source and destination are tied together, so you can enforce different translations
depending on the source/destination combination. For example, sourceA/destinationA can have
a different translation than sourceA/destinationB.
•
Order of NAT Rules.
–
Network object NAT—Automatically ordered in the NAT table.
–
Twice NAT—Manually ordered in the NAT table (before or after network object NAT rules).
See the
“NAT Rule Order” section on page 29-20
for more information.
We recommend using network object NAT unless you need the extra features that twice NAT provides.
Network object NAT is easier to configure, and might be more reliable for applications such as Voice
over IP (VoIP). (For VoIP, because twice NAT is applicable only between two objects, you might see a
failure in the translation of indirect addresses that do not belong to either of the objects.)