1. Home
  2. Networking
  3. CCSP Cisco Certified Security Professional Certification

NAT Issues

NAT Issues

Chapter 5 covered the various forms of NAT and the implementation for routers. NAT is also used on PIX firewalls, as covered in Chapters 17, 18, and 19. NAT is the process of altering the IP header of a packet, so the source local address of the internal host is replaced in the header by real global addresses. In some cases, the destination address might also be modified. This swapping process is performed by a NAT device, usually on the network perimeter. The NAT server then maintains a table of the translations, which allows returning packets to be addressed with the correct internal address.

Static NAT involves permanent, one-to-one address translations. This implementation is typically reserved for devices that must be accessed from the outside, such as shared servers. Dynamic NAT involves temporary address translations to allow inside hosts—often with private IP addresses—to use global addresses, while connecting with the outside world. While NAT works well, it can require a large number of global addresses, often at some monthly cost, to meet the needs of a large number of inside hosts that require global “real” addresses.

Port Address Translation (PAT) involves allowing multiple inside hosts to connect to the outside or to use the Internet as a vehicle to reach a corporate network, while using a single IP address. This one-to-many translation is accomplished by the NAT/PAT device using unique port numbers associated with the IP address to differentiate the sessions. The problem is IPSec won’t work with PAT. The next few sections explore Cisco’s solutions to this problem.




BackCover
CCSP - Cisco Certified Security Professional Certification All-in-One Exam Guide
Introduction
Part I: Introduction to Network Security
Part II: Securing the Network Perimeter
Part III: Virtual Private Networks (VPNs)
Chapter 9: Cisco IOS IPSec Introduction
Chapter 10: Cisco IOS IPSec for Preshared Keys
Chapter 11: Cisco IOS IPSec Certificate Authority Support
Chapter 12: Cisco IOS Remote Access Using Cisco Easy VPN
Chapter 13: Cisco VPN Hardware Overview
Chapter 14: Cisco VPN 3000 Remote Access Networks
Chapter 15: Configuring Cisco VPN 3002 Remote Clients
Chapter 16: Cisco VPN 3000 LAN-to-LAN Networks
The VPN Concentrators in LAN-to-LAN VPNs
LAN-to-LAN Networks with Preshared Keys
LAN-to-LAN Networks with Digital Certificates
NAT Issues
NAT Transparency
LAN-to-LAN VPN with Overlapping Network Addresses
LAN-to-LAN Routing
Chapter Review
Part IV: PIX Firewalls
Part V: Intrusion Detection Systems (IDS)
Part VI: Cisco SAFE Implementation
Appendix A: Access Control Lists
Appendix B: About the CD
List of Figures
List of Tables
List of Sidebars