NAT Policies Overview
Network Address Translation (NAT) is a form of network
masquerading that lets you hide devices or sites behind a boundary between zones or
interfaces. A trusted zone is a segment of a network on which security
measures are applied; it is usually assigned to the internal LAN.
An example of an untrusted zone is the internet. NAT modifies the
IP addresses of the packets moving between the trusted and untrusted
zones.
Whenever a packet exits a NAT device (when traversing from the
internal LAN to the external WAN), the device performs a translation
on the packet’s IP address by rewriting it with an IP address
that was specified for external use. After translation, the packet
appears to have originated from the gateway rather than from the original
device within the network. This process hides your internal IP addresses
from the other networks and keeps your network secure.
Using NAT also enables you to use more internal IP addresses.
As these IP addresses are hidden, there is no risk of conflict with
an IP address from a different network. This helps you conserve IP
addresses.
CSO supports three types of NAT:
- Source NAT—Translates the source IP address of
a packet leaving a trust zone (outbound traffic). It translates the
traffic originating from the device in the trust zone. The source
IP address of the traffic (which is a private IP address) is translated
to a public IP address that can be reached by the destination device
specified in the NAT rule. The destination IP address is not translated.
The following use cases show the support for source
NAT translation between IPv6 and IPv4 address domains:
- Translation from one IPv6 subnet to another IPv6 subnet
without Network Address Port Translation (NAPT), also known as Port
Address Translation (PAT).
- Translation from IPv4 addresses to IPv6 prefixes along
with IPv4 address translation.
- Translation from IPv6 hosts to IPv6 hosts with or without
NAPT.
- Translation from IPv6 hosts to IPv4 hosts with or without
NAPT.
- Translation from IPv4 hosts to IPv6 hosts with or without
NAPT.
- Destination NAT—Translates the destination IP address
of a packet. Using destination NAT, an external device can send packets
to a hidden internal device. As an example, consider the case of a
web server behind a NAT device. Traffic to the WAN-facing public IP
address (the destination IP address) is translated to the internal
web server's private IP address.
The following use cases show the support for destination
NAT translation between IPv6 and IPv4 address domains:
- Mapping of one IPv6 subnet to another IPv6 subnet
- Mapping between one IPv6 host and another IPv6 host
- Mapping of one IPv6 host (and optional port number) to
another special IPv6 host (and optional port number)
- Mapping of one IPv6 host (and optional port number) to
another special IPv4 host (and optional port number)
- Mapping of one IPv4 host (and optional port number) to
another special IPv6 host (and optional port number)
- Static NAT—Always translates a private IP address
to the same public IP address. It translates traffic from both sides
of the network (both source and destination). For example, a web server
with a private IP address can access the Internet using a static,
one-to-one address translation. In this case, outgoing traffic from
the web server undergoes source NAT translation, and incoming traffic
to the web server undergoes destination NAT translation.
The following use cases show the support for static
NAT translation between IPv6 and IPv4 address domains:
- Mapping of one IPv6 subnet to another IPv6 subnet.
- Mapping between one IPv6 host and another IPv6 host.
- Mapping between IPv4 address a.b.c.d and IPv6 address Prefix::a.b.c.d.
- Mapping between IPv4 hosts and IPv6 hosts.
- Mapping between IPv6 hosts and IPv4 hosts.
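The three translation types above, as an added Python model written for this page; it is not CSO code and does not reproduce the device's implementation. Source NAT is modelled with NAPT (one public address, a unique port per private flow, with the return direction untranslated from the remembered binding and unsolicited inbound packets dropped), destination NAT as a public address/port to internal server mapping, and static NAT as a one-to-one bidirectional mapping. The last helper shows the `Prefix::a.b.c.d` form from the static NAT list by embedding an IPv4 address in a /96 IPv6 prefix. All addresses, ports, the port-allocation scheme and the `64:ff9b::/96` prefix are constructed sample values, not values from the page.

```python
"""Added example (not CSO code): a minimal software model of source NAT
with NAPT, destination NAT and static NAT. All addresses and ports are
constructed sample values."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class SourceNat:
    """Outbound source NAT with NAPT: rewrite the private source to one
    public address plus a unique port and remember the binding so replies
    can be reversed. The destination address is never touched."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = str(ipaddress.ip_address(public_ip))
        self.next_port = first_port           # assumed sequential allocator
        self.bindings = {}                    # (priv_ip, priv_port) -> pub_port
        self.reverse = {}                     # pub_port -> (priv_ip, priv_port)

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport)
        if key not in self.bindings:          # first packet of a flow: allocate
            port = self.next_port
            self.next_port += 1
            self.bindings[key] = port
            self.reverse[port] = key
        return Packet(self.public_ip, self.bindings[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Reply traffic: untranslate; drop anything without a binding,
        which is what makes a stateful source NAT block unsolicited inbound."""
        if pkt.dst != self.public_ip or pkt.dport not in self.reverse:
            return None
        priv_ip, priv_port = self.reverse[pkt.dport]
        return Packet(pkt.src, pkt.sport, priv_ip, priv_port)


class DestinationNat:
    """Inbound destination NAT: public (address, port) -> internal server."""

    def __init__(self):
        self.rules = {}

    def add_rule(self, public_ip, public_port, internal_ip, internal_port):
        self.rules[(public_ip, public_port)] = (internal_ip, internal_port)

    def inbound(self, pkt):
        target = self.rules.get((pkt.dst, pkt.dport))
        if target is None:
            return None                       # no rule: not forwarded inside
        return Packet(pkt.src, pkt.sport, target[0], target[1])


class StaticNat:
    """One-to-one, bidirectional mapping: the same private address always
    maps to the same public address; ports are left unchanged."""

    def __init__(self, private_ip, public_ip):
        self.private_ip = private_ip
        self.public_ip = public_ip

    def outbound(self, pkt):
        if pkt.src != self.private_ip:
            return pkt
        return Packet(self.public_ip, pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        if pkt.dst != self.public_ip:
            return pkt
        return Packet(pkt.src, pkt.sport, self.private_ip, pkt.dport)


def embed_ipv4_in_prefix(ipv4, prefix):
    """Static IPv4 a.b.c.d <-> IPv6 Prefix::a.b.c.d: the 32-bit IPv4
    address occupies the low 32 bits of a /96 prefix (assumed length)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("embedding an IPv4 address needs a /96 prefix")
    return ipaddress.IPv6Address(int(net.network_address)
                                 | int(ipaddress.IPv4Address(ipv4)))


def extract_ipv4_from_embedded(ipv6):
    """Reverse direction of embed_ipv4_in_prefix."""
    return ipaddress.IPv4Address(int(ipaddress.IPv6Address(ipv6)) & 0xFFFFFFFF)
```

Running `SourceNat("203.0.113.10").outbound(...)` on two packets from the same private host and port returns the same public port, a reply to that port is mapped back to the private host, and a reply to an unused port returns `None`; `embed_ipv4_in_prefix("192.0.2.1", "64:ff9b::/96")` yields `64:ff9b::c000:201`, the compressed form of `64:ff9b::192.0.2.1`.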
CSO also supports persistent NAT where address translations
are maintained in the database for a configurable amount of time after
a session ends.
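Persistent NAT as described above, as an added Python model written for this page (not CSO code). It shows the difference the hold time makes: after a session closes, the private-to-translated binding is kept for a configurable number of seconds, a later session from the same host gets the same translation while the hold is still running, and the translated address returns to the pool only once the hold expires. Times are plain seconds supplied by the caller so the behaviour is deterministic; the pool addresses and hold times are constructed values and the single-session-per-host simplification is an assumption.

```python
"""Added example (not CSO code): a toy persistent NAT binding table.
Addresses and hold times are constructed; one session per private host
is assumed to keep the model small."""


class PersistentNatTable:
    def __init__(self, pool, hold_seconds):
        self.pool = list(pool)       # translated addresses still free
        self.hold = hold_seconds     # 0 behaves like non-persistent NAT
        self.active = {}             # private -> translated, session open
        self.held = {}               # private -> (translated, expires_at)

    def _expire(self, now):
        """Release held bindings whose hold time has run out."""
        for src, (xlat, expires_at) in list(self.held.items()):
            if now >= expires_at:
                del self.held[src]
                self.pool.append(xlat)      # address is free again

    def open_session(self, src, now):
        """Return the translated address for src, reusing a held binding
        if one exists; None when the pool is exhausted."""
        self._expire(now)
        if src in self.active:
            return self.active[src]
        if src in self.held:                # persistent NAT: same translation
            xlat, _ = self.held.pop(src)
        elif self.pool:
            xlat = self.pool.pop(0)
        else:
            return None
        self.active[src] = xlat
        return xlat

    def close_session(self, src, now):
        """Session ends: keep the binding for hold_seconds instead of
        dropping it immediately."""
        xlat = self.active.pop(src)
        self.held[src] = (xlat, now + self.hold)

    def binding_for(self, src, now):
        """Current translation for src, whether active or held; None if none."""
        self._expire(now)
        if src in self.active:
            return self.active[src]
        if src in self.held:
            return self.held[src][0]
        return None
```

The second half of the scenario is the operational caveat: a held binding keeps its translated address out of the pool for the whole hold time, so with a small pool another host can be refused a translation until the hold expires.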
Table 110 shows the persistent NAT support for different source NAT and destination NAT addresses.

Table 110: Persistent NAT Support

| Source NAT Address | Translated Address | Destination NAT Address | Persistent NAT |
|---|---|---|---|
| IPv4 | IPv6 | IPv4 | No |
| IPv4 | IPv6 | IPv6 | No |
| IPv6 | IPv4 | IPv4 | Yes |
| IPv6 | IPv6 | IPv6 | No |
Table 111 and Table 112 show the translated address pool selection for source NAT, destination NAT, and static NAT addresses.

Table 111: Translated Address Pool Selection for Source NAT

| Source NAT Address | Destination Address | Pool Address |
|---|---|---|
| IPv4 | IPv4 | IPv4 |
| IPv4 | IPv6 (subnet prefix length must be greater than 96) | IPv6 |
| IPv6 | IPv4 | IPv4 |
| IPv6 | IPv6 | IPv6 |
Table 112: Translated Address Pool Selection for Destination NAT and Static NAT

| Source NAT Address | Destination Address | Pool Address |
|---|---|---|
| IPv4 | IPv4 | IPv4 or IPv6 |
| IPv4 | IPv6 (subnet prefix length must be greater than 96) | IPv4 or IPv6 |
| IPv6 | IPv4 | IPv4 |
| IPv6 | IPv6 | IPv4 or IPv6 |
Note:
- For source NAT, the proxy Neighbor Discovery Protocol
(NDP) is available for NAT pool addresses. For destination NAT and
static NAT, the proxy NDP is available for destination NAT addresses.
- A NAT pool can have a single IPv6 subnet or multiple IPv6
hosts.
- You cannot configure the overflow pool if the address
type is IPv6.
- NAT pools permit address entries of only one version type:
IPv4 or IPv6.