Information about dynamic nat – Cisco ASA 5505 User Manual
Page 563
29-9
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 29 Information About NAT
NAT Types
Information About Dynamic NAT
Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the
destination network. The mapped pool typically includes fewer addresses than the real group. When a
host you want to translate accesses the destination network, the ASA assigns the host an IP address from
the mapped pool. The translation is created only when the real host initiates the connection. The
translation is in place only for the duration of the connection, and a given user does not keep the same
IP address after the translation times out. Users on the destination network, therefore, cannot initiate a
reliable connection to a host that uses dynamic NAT, even if the connection is allowed by an access rule.
shows a typical dynamic NAT scenario. Only real hosts can create a NAT session, and
responding traffic is allowed back.
Figure 29-8
Dynamic NAT
shows a remote host attempting to initiate a connection to a mapped address. This address
is not currently in the translation table; therefore, the ASA drops the packet.
Figure 29-9
Remote Host Attempts to Initiate a Connection to a Mapped Address
10.1.1.1
209.165.201.1
Inside
Outside
10.1.1.2
209.165.201.2
130032
Security
Appliance
Web Server
www.example.com
Outside
Inside
209.165.201.2
10.1.2.1
10.1.2.27
Security
Appliance
209.165.201.10
132217