Network Address Translation (NAT) is a technique to modify network address information within IP packet headers in transit. This enables mapping one IP address to another to protect the network address credentials of networks managed by a wireless controller, service platform or Access Point. In typical deployments, NAT is used as an IP masquerading technique to hide private IP addresses behind a single, public-facing IP address.
Additionally, NAT is a process of modifying network address information in IP packet headers while in transit across a traffic routing device for the purpose of remapping one IP address to another. In most deployments NAT is used in conjunction with IP masquerading which hides RFC1918 private IP addresses behind a single public IP address.
Within a profile, NAT can provide outbound internet access to wired and wireless hosts connected to a controller, service platform or Access Point. Many-to-one NAT is the most common NAT technique for outbound internet access. Many-to-one NAT allows a controller, service platform or Access Point to translate one or more internal private IP addresses to a single, public-facing IP address assigned to a 10/100/1000 Ethernet port or 3G card.
To define or override a NAT configuration that can be applied to a profile:
Note
A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override go to the Basic Configuration section of the device and click Clear Overrides. This removes all overrides from the device.
Name | If you are adding a new NAT policy, provide a name to help distinguish it from others with similar configurations. The length cannot exceed 64 characters. |
IP Address Range | Define a range of IP addresses that are hidden from the public internet. NAT modifies network address information in the defined IP range while in transit across a traffic routing device. NAT only provides IP address translation and does not provide a firewall. A branch deployment with NAT by itself will not block traffic from potentially being routed through a NAT device. Consequently, NAT should be deployed with a stateful firewall. |
Static NAT creates a permanent, one-to-one mapping between an address on an internal network and a perimeter or external network. To share a web server on a perimeter interface with the internet, use static address translation to map the actual address to a registered IP address. Static address translation hides the actual address of the server from users on insecure interfaces. Casual access by unauthorized users becomes much more difficult. Static NAT requires a dedicated address on the outside network for each host.
Source IP | Enter the address used at the (internal) end of the static NAT configuration. This address (once translated) will not be exposed to the outside world when the translation address is used to interact with the remote destination. |
NAT IP | Enter the IP address to which the matching packet's address is set. The IP address modified can be either source or destination based on the direction specified. |
Network | Select Inside or Outside NAT as the network direction. Inside NAT is the default setting. Select Inside to create a permanent, one-to-one mapping between an address on an internal network and a perimeter or external network. To share a web server on a perimeter interface with the internet, use static address translation to map the actual address to a registered IP address. Static address translation hides the actual address of the server from users on insecure interfaces. Casual access by unauthorized users becomes much more difficult. Static NAT requires a dedicated address on the outside network for each host. |
Static NAT creates a permanent, one-to-one mapping between an address on an internal network and a perimeter or external network. To share a web server on a perimeter interface with the internet, use static address translation to map the actual address to a registered IP address. Static address translation hides the actual address of the server from users on insecure interfaces. Casual access by unauthorized users becomes much more difficult. Static NAT requires a dedicated address on the outside network for each host.
Protocol | Select the protocol for use with static translation. Available options are TCP, UDP, and Any. The default setting is Any. TCP is a transport layer protocol used by applications requiring guaranteed delivery. It is a sliding window protocol handling both timeouts and retransmissions. TCP establishes a full duplex virtual connection between two endpoints. Each endpoint is defined by an IP address and a TCP port number. The User Datagram Protocol (UDP) offers only a minimal transport service, non-guaranteed datagram delivery, and provides applications direct access to the datagram service of the IP layer. UDP is used by applications that do not require the level of service of TCP or that use communications services (multicast or broadcast delivery) not available from TCP. |
Destination IP | Enter the local address used at the (source) end of the static NAT configuration. This address (once translated) will not be exposed to the outside world when the translation address is used to interact with the remote destination. |
Destination Port | Set the local port number used at the (source) end of the static NAT configuration. The default value is port 1. |
NAT IP | Enter the IP address to which the matching packet's address is set. The IP address modified can be either source or destination based on the direction specified. |
NAT Port | Enter the port number to which the matching packet's port is set. This option is valid only if the direction specified is destination. |
Network | Select Inside or Outside NAT as the network direction. Inside is the default setting. |
Dynamic NAT configurations translate the IP address of packets going out from one interface to another interface based on configured conditions. Dynamic NAT requires packets be switched through a NAT router to generate translations in the translation table.
Source List ACL | Lists an ACL to define the packet selection criteria for the NAT configuration. NAT is applied only on packets which match a rule defined in the access-list. These addresses (once translated) are not exposed to the outside world when the translation address is used to interact with the remote destination. |
Network | Displays Inside or Outside NAT as the network direction for the dynamic NAT configuration. |
Interface | Lists the VLAN (from 1 - 4094) used as the communication medium between the source and destination points within the NAT configuration. |
Overload Type | Displays the overload type used when several internal addresses are NATed to only one or a few external addresses. Options include NAT Pool, One Global Address, and Interface IP Address. Interface IP Address is the default setting. |
NAT Pool | Displays the name of an existing NAT pool used with the dynamic NAT configuration. |
Overload IP | If One Global IP Address is selected as the Overload Type, define an IP address to use as a filter address for the IP ACL rule. |
ACL Precedence | Lists the administrator-assigned priority set for the listed source list ACL. The lower the value listed, the higher the priority assigned to this ACL rule. |
Source List ACL | Select an ACL name to define the packet selection criteria for NAT. NAT is applied only on packets which match a rule defined in the access-list. These addresses (once translated) will not be exposed to the outside world when the translation address is used to interact with the remote destination. |
Network | Select Inside or Outside NAT as the network direction for the dynamic NAT configuration. Inside is the default setting. |
ACL Precedence | Set the priority (from 1 - 5000) for the source list ACL. The lower the value, the higher the priority assigned to the ACL rule. |
Interface | Select the VLAN (from 1 - 4094) or WWAN used as the communication medium between the source and destination points within the NAT configuration. Ensure that the VLAN selected adequately supports the intended network traffic within the NAT supported configuration. VLAN1 is available by default. |
Overload Type | Define the overload type used when several internal addresses are NATed to only one or a few external addresses. Options include NAT Pool, One Global Address, and Interface IP Address. Interface IP Address is the default setting. |
NAT Pool | Provide the name of an existing NAT pool for use with the dynamic NAT configuration. |
Overload IP | If One Global IP Address is selected as the Overload Type, define an IP address to use as a filter address for the IP ACL rule. |
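The following added example (not vendor code or part of the original documentation) is a simplified model of the dynamic NAT behavior described above: the source list ACL with the lowest precedence value selects the rule, and the first outbound packet of a flow creates the translation table entry. The class and function names, the port allocation scheme, and all addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class DynamicNatRule:            # hypothetical model of one Dynamic NAT row
    acl_networks: list           # sources permitted by the Source List ACL
    precedence: int              # ACL Precedence (1 - 5000), lower value wins
    overload_ip: str             # Overload IP for One Global Address

class OverloadNat:
    def __init__(self, rules, first_port=20000):
        for rule in rules:
            if not 1 <= rule.precedence <= 5000:
                raise ValueError("ACL Precedence must be from 1 - 5000")
        self.rules = sorted(rules, key=lambda r: r.precedence)
        self.table = {}          # (proto, inside ip, inside port) -> (NAT ip, NAT port)
        self.reverse = {}        # (proto, NAT ip, NAT port) -> (inside ip, inside port)
        self.next_port = first_port

    def match(self, src_ip):
        addr = ipaddress.ip_address(src_ip)
        for rule in self.rules:  # already ordered by precedence
            if any(addr in ipaddress.ip_network(n) for n in rule.acl_networks):
                return rule
        return None

    def outbound(self, proto, src_ip, src_port):
        rule = self.match(src_ip)
        if rule is None:         # no ACL match: NAT is not applied
            return (src_ip, src_port)
        key = (proto, src_ip, src_port)
        if key not in self.table:  # first packet of a flow creates the entry
            mapped = (rule.overload_ip, self.next_port)
            self.next_port += 1
            self.table[key] = mapped
            self.reverse[(proto,) + mapped] = (src_ip, src_port)
        return self.table[key]

    def inbound(self, proto, dst_ip, dst_port):
        # Reverse lookup for return traffic; None means no translation exists.
        return self.reverse.get((proto, dst_ip, dst_port))

def demo_nat():
    # Constructed sample rules using RFC 1918 and documentation addresses.
    return OverloadNat([
        DynamicNatRule(["192.168.0.0/16"], 20, "203.0.113.20"),
        DynamicNatRule(["192.168.10.0/24"], 10, "203.0.113.10"),
    ])
```

A missing reverse entry only means that no translation exists; whether such a packet is dropped is decided by the firewall, which is why the IP Address Range description above pairs NAT with a stateful firewall.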