The translation is cleared when
the session is terminated. The port translation also expires after 30 seconds of inactivity. (This timeout is not
configurable.) PAT lets you use a single mapped address, thus conserving routable addresses. The interface IP
address of the Security Appliance can also be used as the PAT address. Similar to Dynamic NAT, the destination-side
user cannot initiate an inbound connection when using dynamic PAT. Figure 6-11 shows how dynamic PAT
works.
Figure 6-11. Dynamic PAT
Note
PAT does not work for some multimedia applications that have a data stream different from the control
path.
Dynamic NAT and PAT can be enabled concurrently. The Security Appliance first uses all the addresses from the
global address pool. When no addresses are available in the global pool, it applies the PAT translation, as shown
in Figure 6-12.
Figure 6-12. Dynamic NAT and PAT
Configure Dynamic NAT and PAT
To configure dynamic NAT and PAT, perform the following steps:
Step 1. Identify the real (private) addresses on a given interface that require translation by using the nat
command.
Step 2. Configure a corresponding global command to specify the mapped address pool for the egress
interface.
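The two steps above with a dynamic NAT pool and a PAT fallback on the same NAT ID, as an added example that is not from the original text. It assumes interfaces named inside and outside; all addresses are constructed (192.168.10.0/24 as the real network, the 192.0.2.0/24 documentation range as mapped addresses).

```text
! Step 1: real (private) addresses behind the inside interface, NAT ID 1
nat (inside) 1 192.168.10.0 255.255.255.0
!
! Step 2: mapped address pool on the egress interface, same NAT ID 1
! (dynamic NAT: one mapped address per real host until the pool is used up)
global (outside) 1 192.0.2.10-192.0.2.20 netmask 255.255.255.0
!
! A single mapped address under the same NAT ID is used for PAT
! once no addresses are left in the pool above
global (outside) 1 192.0.2.21
!
! Alternative to the line above: use the outside interface address for PAT
! global (outside) 1 interface
```

The nat and global statements are matched by their NAT ID (1 here); show xlate lists the active translations and shows whether a host received a pool address or a PAT port.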