NAT Policies Overview

Network Address Translation (NAT) is a form of network masquerading that lets you hide devices as traffic moves between zones or interfaces. A trust zone is a segment of the network where security measures are applied. It is usually assigned to the internal LAN. An untrust zone is the Internet. NAT modifies the IP addresses of the packets moving between the trust and untrust zones.

Whenever a packet arrives at the NAT device, the device performs a translation on the packet’s IP address by rewriting it with an IP address that was specified for external use. After translation, the packet appears to have originated from the gateway rather than from the original device within the network. This process hides your internal IP addresses from the other networks and keeps your network secure.

Using NAT also enables you to use more internal IP addresses. Because these IP addresses are hidden, there is no risk of conflict with an IP address from a different network. This helps you conserve IP addresses.

CSO supports two types of NAT:

  • Source NAT— Translates the source IP address of a packet leaving the trust zone (outbound traffic). It translates the traffic originating from the device in the trust zone. Using source NAT, an internal device can access the network by using the IP addresses specified in the NAT policy. The following use cases are supported with IPv6 NAT:
    • Translation from one IPv6 subnet to another IPv6 subnet without Network Address Port Translation (NAPT), also known as Port Address Translation (PAT).
    • Translation from IPv4 addresses to IPv6 prefixes along with IPv4 address translation.
    • Translation from IPv6 hosts to IPv6 hosts with or without NAPT.
    • Translation from IPv6 hosts to IPv4 hosts with or without NAPT.
    • Translation from IPv4 hosts to IPv6 hosts with or without NAPT.
  • Static NAT— Always translates a private IP address to the same public IP address. It translates traffic in both directions (both source and destination). For example, a web server with a private IP address can access the Internet using a static, one-to-one address translation. The following use cases are supported with IPv6 NAT:
    • Mapping of one IPv6 subnet to another IPv6 subnet.
    • Mapping between one IPv6 host and another IPv6 host.
    • Mapping between IPv4 address a.b.c.d and IPv6 address Prefix::a.b.c.d.
    • Mapping between IPv4 hosts and IPv6 hosts.
    • Mapping between IPv6 hosts and IPv4 hosts.
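
The static NAT mappings listed above can be worked through in code to predict which translated address a host will appear under, for example when reading firewall logs on the far side of the translation. This is an added example, not CSO or Juniper code: the function names, the prefix 2001:db8:64::/96 and the sample addresses are constructed, and the host-bit-preserving subnet mapping is an assumption about how a one-to-one subnet translation behaves.

```python
import ipaddress

def embed_ipv4(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Map a.b.c.d to Prefix::a.b.c.d (IPv4 address in the low 32 bits)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 96:
        raise ValueError("prefix must leave 32 bits for the IPv4 address")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(net.network_address) | int(v4))

def extract_ipv4(prefix: str, ipv6: str) -> ipaddress.IPv4Address:
    """Reverse direction: recover a.b.c.d from Prefix::a.b.c.d."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    offset = int(addr) - int(net.network_address)
    # Reject addresses outside the prefix or with non-zero bits
    # between the prefix and the embedded IPv4 address.
    if addr not in net or offset >= 2 ** 32:
        raise ValueError(f"{addr} is not of the form {net.network_address}a.b.c.d")
    return ipaddress.IPv4Address(offset)

def map_subnet(addr: str, src_net: str, dst_net: str) -> ipaddress.IPv6Address:
    """One-to-one IPv6 subnet mapping: swap the prefix, keep the host bits."""
    src = ipaddress.IPv6Network(src_net)
    dst = ipaddress.IPv6Network(dst_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("one-to-one mapping needs equal prefix lengths")
    a = ipaddress.IPv6Address(addr)
    if a not in src:
        raise ValueError(f"{a} is not inside {src}")
    host_bits = int(a) & int(src.hostmask)
    return ipaddress.IPv6Address(int(dst.network_address) | host_bits)

if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    print(embed_ipv4("2001:db8:64::/96", "192.0.2.33"))
    print(extract_ipv4("2001:db8:64::/96", "2001:db8:64::c000:221"))
    print(map_subnet("2001:db8:a::1234", "2001:db8:a::/64", "2001:db8:b::/64"))
```
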

Modified: 2017-08-12