NAT Policies Overview

Network Address Translation (NAT) is a form of network masquerading that hides the addresses of devices or sites as traffic passes between zones or interfaces. A trusted zone is a network segment to which security policy is applied; it is usually the internal LAN. The internet is the typical untrusted zone. NAT rewrites the IP addresses in packets moving between the trusted and untrusted zones.

Whenever a packet leaves a NAT device on its way from the internal LAN to the external WAN, the device rewrites the packet's source IP address with an address designated for external use. After translation, the packet appears to originate from the gateway rather than from the original device inside the network. This hides your internal addressing from other networks. Note that hiding addresses is not the same as enforcing policy: a NAT device drops unsolicited inbound traffic only because no translation matches it, so the firewall rules applied in the zone still decide which traffic is permitted.

Using NAT also lets you use private address space internally and reuse it across sites. Because these internal addresses are never seen outside the network, they cannot conflict with addresses used by another network, which conserves public IP addresses.

CSO supports three types of NAT (the tables below refer to them by these names):

- Source NAT: translates the source address (and, with port translation, the source port) of packets leaving the trusted zone.
- Destination NAT: translates the destination address of packets arriving from the untrusted zone so that traffic sent to an external address is delivered to an internal host.
- Static NAT: a fixed one-to-one mapping between an internal address and an external address, applied in both directions.

CSO also supports persistent NAT, in which a source NAT binding (the mapping from an internal address and port to a translated address and port) is kept in the device's database for a configurable time after the session that created it ends. Later sessions from the same internal address and port receive the same translated address and port, which is what allows applications that discover their external address and port (for example through STUN) to keep using them across sessions.

Table 173 shows whether persistent NAT is supported for each combination of source NAT, translated, and destination NAT address families.

Table 173: Persistent NAT Support

Source NAT Address | Translated Address | Destination NAT Address | Persistent NAT
-------------------|--------------------|-------------------------|---------------
IPv4               | IPv6               | IPv4                    | No
IPv4               | IPv6               | IPv6                    | No
IPv6               | IPv4               | IPv4                    | Yes
IPv6               | IPv6               | IPv6                    | No

Table 174 and Table 175 show which address family the translated address pool must use, given the source and destination address families, for source NAT and for destination NAT and static NAT respectively.

Table 174: Translated Address Pool Selection for Source NAT

Source NAT Address | Destination Address                          | Pool Address
-------------------|----------------------------------------------|-------------
IPv4               | IPv4                                         | IPv4
IPv4               | IPv6 (prefix length must be greater than 96) | IPv6
IPv6               | IPv4                                         | IPv4
IPv6               | IPv6                                         | IPv6
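To make Table 173 and Table 174 concrete, the following is an added example and not CSO or Junos code: it models a source NAT device that accepts a translated-address pool only if its address family matches Table 174, rewrites the source of outbound packets with a pool address and a translated port, and keeps the binding alive for a configurable time after the session ends, but only for the source/translated/destination combination that Table 173 marks Yes. The class names, pool ranges, hosts, ports and timings are constructed for illustration, and combinations Table 173 does not list are treated as unsupported, which is an assumption of the example rather than a statement from the page.

```python
"""Toy source-NAT device with persistent NAT bindings (added example, not CSO code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Table 174: (source family, destination family) -> address family the source NAT pool must use.
SOURCE_NAT_POOL_FAMILY: Dict[Tuple[int, int], int] = {(4, 4): 4, (4, 6): 6, (6, 4): 4, (6, 6): 6}

# Table 173: (source, translated, destination) families -> persistent NAT supported.
# Combinations the table does not list are treated as unsupported here (an assumption).
PERSISTENT_NAT_SUPPORT: Dict[Tuple[int, int, int], bool] = {
    (4, 6, 4): False, (4, 6, 6): False, (6, 4, 4): True, (6, 6, 6): False,
}


@dataclass
class Binding:
    translated_ip: IPAddr
    translated_port: int
    expires_at: Optional[int] = None  # None while a session is using the binding


@dataclass
class SourceNatDevice:
    pool: IPNet                 # translated-address pool (hypothetical; one address is used)
    persistent_timeout: int     # seconds a binding survives after its session ends; 0 disables
    _next_port: int = 1024
    _bindings: Dict[Tuple[IPAddr, int], Binding] = field(default_factory=dict)

    def check_pool(self, src_ip: IPAddr, dst_ip: IPAddr) -> None:
        """Reject a pool whose address family violates Table 174."""
        required = SOURCE_NAT_POOL_FAMILY[(src_ip.version, dst_ip.version)]
        if self.pool.version != required:
            raise ValueError(f"IPv{src_ip.version}->IPv{dst_ip.version} needs an IPv{required} pool, got {self.pool}")

    def translate(self, src_ip: IPAddr, src_port: int, dst_ip: IPAddr, now: int) -> Tuple[IPAddr, int]:
        """Rewrite the source of an outbound packet; reuse a live or persistent binding if one exists."""
        self.check_pool(src_ip, dst_ip)
        key = (src_ip, src_port)
        binding = self._bindings.get(key)
        if binding is not None and (binding.expires_at is None or now < binding.expires_at):
            binding.expires_at = None  # a new session re-activates the kept binding
        else:
            binding = Binding(self.pool[1], self._next_port)  # port translation on one pool address
            self._next_port += 1
            self._bindings[key] = binding
        return binding.translated_ip, binding.translated_port

    def session_end(self, src_ip: IPAddr, src_port: int, dst_ip: IPAddr, now: int) -> Optional[int]:
        """Close the session; keep the binding only where Table 173 allows persistent NAT.
        Returns the time the kept binding expires, or None if it was dropped immediately."""
        key = (src_ip, src_port)
        binding = self._bindings[key]
        families = (src_ip.version, binding.translated_ip.version, dst_ip.version)
        if self.persistent_timeout > 0 and PERSISTENT_NAT_SUPPORT.get(families, False):
            binding.expires_at = now + self.persistent_timeout
            return binding.expires_at
        del self._bindings[key]
        return None


def demo() -> dict:
    """Constructed traffic: an IPv6 host reaching an IPv4 server through NAT64 source NAT."""
    nat64 = SourceNatDevice(pool=ipaddress.ip_network("203.0.113.0/29"), persistent_timeout=300)
    host, server = ipaddress.ip_address("2001:db8::10"), ipaddress.ip_address("198.51.100.7")
    first = nat64.translate(host, 5000, server, now=0)
    expiry = nat64.session_end(host, 5000, server, now=10)    # Table 173 row IPv6/IPv4/IPv4: kept
    second = nat64.translate(host, 5000, server, now=100)     # inside the window: same mapping
    nat64.session_end(host, 5000, server, now=100)
    third = nat64.translate(host, 5000, server, now=500)      # window elapsed: new port

    # IPv6-to-IPv6 source NAT: Table 173 says no persistent NAT, so the binding is dropped at once.
    nat66 = SourceNatDevice(pool=ipaddress.ip_network("2001:db8:ffff::/64"), persistent_timeout=300)
    v6host, v6server = ipaddress.ip_address("2001:db8::20"), ipaddress.ip_address("2001:db8:1::1")
    nat66.translate(v6host, 6000, v6server, now=0)
    v6_expiry = nat66.session_end(v6host, 6000, v6server, now=10)

    # Table 174: an IPv4 source talking to an IPv4 destination cannot use an IPv6 pool.
    bad = SourceNatDevice(pool=ipaddress.ip_network("2001:db8:ffff::/64"), persistent_timeout=0)
    try:
        bad.translate(ipaddress.ip_address("10.0.0.5"), 40000, ipaddress.ip_address("192.0.2.1"), now=0)
        pool_rejected = False
    except ValueError:
        pool_rejected = True

    return {
        "first": (str(first[0]), first[1]),
        "expiry": expiry,
        "second": (str(second[0]), second[1]),
        "third": (str(third[0]), third[1]),
        "v6_expiry": v6_expiry,
        "pool_rejected": pool_rejected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows the IPv6 host keeping 203.0.113.1:1024 across two sessions while the persistent binding is within its 300-second window, receiving a new port once the window has elapsed, and the IPv6-to-IPv6 case losing its binding immediately. The pool check is deliberately performed on every translation so that a mismatched pool fails loudly rather than silently emitting packets with the wrong address family.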

Table 175: Translated Address Pool Selection for Destination NAT and Static NAT

Source Address | Destination Address                          | Pool Address
---------------|----------------------------------------------|-------------
IPv4           | IPv4                                         | IPv4 or IPv6
IPv4           | IPv6 (prefix length must be greater than 96) | IPv4 or IPv6
IPv6           | IPv4                                         | IPv4
IPv6           | IPv6                                         | IPv4 or IPv6

Note