Chapter 5 covered the various forms of NAT and the implementation for routers. NAT is also used on PIX firewalls, as covered in Chapters 17, 18, and 19. NAT is the process of altering the IP header of a packet, so the source local address of the internal host is replaced in the header by real global addresses. In some cases, the destination address might also be modified. This swapping process is performed by a NAT device, usually on the network perimeter. The NAT server then maintains a table of the translations, which allows returning packets to be addressed with the correct internal address.
Static NAT involves permanent, one-to-one address translations. This implementation is typically reserved for devices that must be accessed from the outside, such as shared servers. Dynamic NAT involves temporary address translations to allow inside hosts—often with private IP addresses—to use global addresses, while connecting with the outside world. While NAT works well, it can require a large number of global addresses, often at some monthly cost, to meet the needs of a large number of inside hosts that require global “real” addresses.
Port Address Translation (PAT) involves allowing multiple inside hosts to connect to the outside or to use the Internet as a vehicle to reach a corporate network, while using a single IP address. This one-to-many translation is accomplished by the NAT/PAT device using unique port numbers associated with the IP address to differentiate the sessions. The problem is IPSec won’t work with PAT. The next few sections explore Cisco’s solutions to this problem.