Cisco Systems EDCS-154011 Home Theater Server User Manual

Copyright © 2001 Cisco Systems, Inc. Page 5 of 11
What is NAT?
Network Address Translation (NAT) is designed for IP address simplification and
conservation, as it enables private IP internetworks that use nonregistered IP addresses to
connect to the Internet. NAT can operate on the PIX or a router, usually connecting two
networks together, and translates the private (not globally unique) addresses in the
internal network into globally unique addresses before packets are forwarded onto
another network. As part of this functionality, NAT can be configured to advertise only
one address for the entire network to the outside world. This provides additional security,
effectively hiding the entire internal network from the world. NAT has the dual
functionality of security and address conservation and is typically implemented in remote
access environments.
There are three types of NAT available to the PIX.
- Static NAT – Static NAT is when each host on the internal network is permanently or
statically mapped to an address on the external network. Because this is not a dynamic
assignment process, a certain amount of administrative overhead is involved with this
method.
- Dynamic NAT – Dynamic NAT intercepts traffic from a host on the internal network
and maps it to an externally registered Internet Protocol (IP) address available from a
pool of addresses maintained by the PIX Firewall. All translations are stored in a table to
allow the traffic to make its way back to the internal host.
- PAT – Think of PAT as the port traffic version of NAT. Traffic is identified and routed
through a single IP address assigned to an external interface on the firewall. PAT maps
the source address of internal host connections to a single IP address on the external
interface. The PIX Firewall selects and assigns the packets a new (TCP or UDP) source
port number. The port remapping is tracked by the PIX Firewall to ensure that return
traffic has a route back to the correct internal host.
Implementing NAT for use with in-bound H.323 traffic
For the purpose of this paper we will look at using a Static NAT environment, since this
will allow outside callers to easily connect to systems on the inside of the firewall. The
reason for choosing this is simple. If we were to use Dynamic NAT, then after a user-
configurable timeout period during which there have been no translated packets for a
particular address mapping, the entry is removed from the translation table and that
address is freed for use by another inside host. By contrast, if we use Static NAT, we
give an inside host a permanent outside address and no timeouts occur. This
will be especially useful for gatekeeper interaction.
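The following is an added illustration, not code from this paper or from the PIX itself: a toy translation table that models the difference described above. A statically mapped endpoint stays reachable for an inbound call at any time, while a dynamically mapped one is only reachable after it has sent traffic out and before its entry idles past the timeout. All addresses and the 300-second timeout are constructed sample values.

```python
class NatTable:
    """Toy PIX-style translation table: one global address per inside host (no PAT)."""

    def __init__(self, pool, idle_timeout):
        self.pool = list(pool)            # free global addresses for dynamic NAT
        self.idle_timeout = idle_timeout  # seconds of silence before a dynamic entry is dropped
        self.xlates = {}                  # inside -> {"outside", "static", "last_seen"}

    def add_static(self, inside, outside):
        """Permanent mapping: survives regardless of traffic."""
        self.xlates[inside] = {"outside": outside, "static": True, "last_seen": 0.0}

    def outbound(self, inside, now):
        """Inside host sends a packet: reuse its entry or allocate a global address."""
        x = self.xlates.get(inside)
        if x is None:
            if not self.pool:
                raise RuntimeError("dynamic NAT pool exhausted")
            x = self.xlates[inside] = {"outside": self.pool.pop(0), "static": False, "last_seen": now}
        x["last_seen"] = now
        return x["outside"]

    def expire(self, now):
        """Remove dynamic entries idle past the timeout and return their addresses to the pool."""
        for inside, x in list(self.xlates.items()):
            if not x["static"] and now - x["last_seen"] > self.idle_timeout:
                self.pool.append(self.xlates.pop(inside)["outside"])

    def inbound(self, outside, now):
        """Outside caller targets a global address; returns the inside host or None."""
        self.expire(now)
        for inside, x in self.xlates.items():
            if x["outside"] == outside:
                return inside
        return None


def h323_reachability(idle_timeout=300.0):
    """Inbound reachability of a static vs a dynamic mapping before and after the idle timeout."""
    nat = NatTable(pool=["203.0.113.20"], idle_timeout=idle_timeout)  # constructed sample addresses
    nat.add_static("10.1.1.10", "203.0.113.10")
    dyn = nat.outbound("10.1.1.20", now=0.0)  # dynamic host only gets an entry by talking out first
    return {
        "static_t0": nat.inbound("203.0.113.10", 0.0),
        "dynamic_t0": nat.inbound(dyn, 0.0),
        "static_t600": nat.inbound("203.0.113.10", 600.0),
        "dynamic_t600": nat.inbound(dyn, 600.0),  # entry expired and address freed: call has no target
    }
```

Calling `h323_reachability()` shows both hosts reachable at t=0, but at t=600 only the static mapping still resolves; the dynamic host's global address has gone back to the pool, so an inbound call to it has no target.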