In the Securing Networks with ASA Fundamentals class, students are taught about all of the possible implementation alternatives for Network Address Translation (NAT). These include “regular” dynamic NAT, static NAT, NAT exemption, policy NAT, and two alternatives for Port Address Translation (PAT): a) with an unused global IP address and b) using the IP address of the security appliance interface. I have sometimes found it useful to explain these alternatives using the table below:
To explain this table, top to bottom, I typically begin by stating that dynamic NAT can be used by organizations that have the luxury of a large public IP address space; by large I mean at least a cluster (two or more) of Class C blocks comprising more than 500 potential IP addresses. Since this is often not an option for many companies or agencies, the second line, PAT with an unused global IP address, can be a valuable alternative. The “unused global” description refers to an address that is present in the configuration of the NAT appliance but is not owned by any device or workstation/server NIC. This can be conveniently implemented by mapping each internal private subnet to its own external public IP address.
Next, we come to NAT exemption, a popular choice for implementations of Virtual Private Networks (VPNs). When an organization has numerous satellite locations under common administrative control, the IP address space is usually unique from branch to branch. As a result, tunneled packets do not require translation between sites. Secondly, if an academic institution, for example, is fortunate enough to have an entire Class B or larger IP address space, NAT may not be required at all. This latter scenario would be implemented on an ASA using the default no nat-control global configuration setting, or by removing all NAT statements on a Cisco IOS router.
The next-to-last entry in this table concerns policy NAT, a feature which had been in the VPN concentrator (End-of-Sale since 2007) for some time. Where a partnership, extranet, or other VPN collaboration is formed between two sites that have overlapping IP address space, policy NAT becomes a convenient solution. This technique also provides a predictable global IP address that is used only for connections to particular locations whose security policies require specific permissions.
Finally, we have static NAT, a common choice for network administrators who allow inbound connections to publicly available servers with fixed IP addresses and static DNS entries. Static NAT can be further enhanced with specific port-redirection parameters so that Small Office/Home Office (SOHO) and similar locations with limited public IP addresses can also allow selected inbound access to services.
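The ASA 7.x (pre-8.3) commands for each alternative described above, as an added configuration example that is not from the original article; the interface names, ACL names and all addresses (RFC 1918 inside, 203.0.113.0/24 and 198.51.100.0/24 documentation ranges outside) are constructed sample values:

```cisco
! Added example, not the article's own configuration. Addresses,
! interface names and ACL names are constructed sample values.
!
! ASA 7.x default: translation is not mandatory, so a site that owns a
! full Class B of public space needs no NAT statements at all.
no nat-control
!
! 1) Dynamic NAT: inside hosts map one-to-one onto a large public pool.
global (outside) 1 203.0.113.10-203.0.113.250 netmask 255.255.255.0
nat (inside) 1 10.1.0.0 255.255.0.0
!
! 2a) PAT with an unused global address: a single public IP that no NIC
!     owns; the ASA answers for it and multiplexes on source port. One
!     private subnet per public address, as described above.
global (outside) 2 203.0.113.5
nat (inside) 2 10.2.0.0 255.255.0.0
!
! 2b) PAT using the outside interface's own address.
global (outside) 3 interface
nat (inside) 3 10.3.0.0 255.255.0.0
!
! 3) NAT exemption (nat 0 with an ACL): site-to-site VPN traffic between
!    non-overlapping branch subnets crosses the tunnel untranslated.
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 10.200.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
!
! 4) Policy NAT: only traffic toward the partner extranet is translated,
!    to a predictable global address the partner can permit explicitly.
access-list PARTNER-NAT extended permit ip 10.1.1.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 4 access-list PARTNER-NAT
global (outside) 4 198.51.100.7
!
! 5) Static NAT: fixed public address for a DNS-published server.
static (inside,outside) 203.0.113.20 10.1.1.20 netmask 255.255.255.255
!
! 5b) Static PAT (port redirection) for a SOHO site with one public IP:
!     only TCP/443 arriving on the interface address is forwarded inward.
static (inside,outside) tcp interface 443 10.1.1.30 443 netmask 255.255.255.255
!
! A translation does not by itself permit inbound traffic; the outside
! interface ACL must still allow the published service.
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.20 eq 443
access-group OUTSIDE-IN in interface outside
```

Order of evaluation on this release is exemption, static, policy NAT, then regular NAT, which is why the 10.1.1.0/24 hosts reach the partner through 198.51.100.7 even though they also fall inside the dynamic pool's 10.1.0.0/16.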
Author: Doug McKillip