
6. The process is repeated until the session between Host A and Host Z is terminated.

Static NAT

With static NAT, sessions can be initiated from hosts on either the inside or the outside network. Inside addresses are bound to globally unique addresses by static translations, and connections can then be established in either direction. A packet travelling from the inside network to the outside network is translated using the statically configured address on the NAT device. For a session to be established from the outside network to the inside network, the static translation must already have been configured manually on the router. Creating a static translation maps an inside IP address to a fixed outside (global) IP address; this translation never changes and always remains in the translation table.

For example, if a resource on the inside network must be made accessible from the outside network, the global IP address of the resource can be advertised worldwide through DNS. Because the resource has been statically translated to a global IP address, that address can be published in a DNS record. If the resource is a mail server, an MX record can be created in the company's zone pointing at a host name whose A record holds the global IP address statically assigned to the inside resource. Even though the mail server is not physically located in the outside network, it can then be reached as if it were.

TIP

Making a resource globally reachable in this way has security-related advantages. If the NAT device is a Cisco PIX firewall or a Cisco router running the IOS Firewall feature set, access control lists can be used to limit the type of traffic permitted to reach the resource. Note that on the router the inbound ACL on the outside interface is evaluated before the global-to-local translation, so the ACL must reference the resource's global address, not its inside address. Compare this with a server physically placed in the outside network with global access: limiting the type of traffic that reaches it would be very difficult, if not impossible, and the server would become a security risk.

Figure 3.5 illustrates a static NAT translation. A session is initiated from Host Z on the outside network. Because the NAT device holds a static translation between Host A's inside IP address and a global IP address, it can translate the packet Host Z sent to Host A's global address and forward it to Host A. Recall that with traditional, or outbound, NAT a session can be initiated only from the inside host, which causes a dynamic translation to be created on the NAT device; only once that translation exists can the outside host reply to the inside host. Once the session times out, the inside host must start a new session with the outside host, causing the NAT device to create a new translation and possibly allocate a different global IP address to the inside host for the duration of the session (if the address is drawn from a dynamic pool). With static NAT the translation is always active, and the global IP address is never allocated dynamically to another host on the inside network.
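The behaviour contrasted above (an outside host reaching a statically translated host, subject to the ACL on the outside interface, versus a dynamic translation that exists only while the inside host's own session is alive and whose global address returns to the pool when it times out) can be modelled in a few lines. The following Python is an added example written for this page, not code from the book, from Cisco IOS or from the PIX; the NatDevice class, its session-key shape, the timeout value and the addresses (RFC 5737 documentation ranges) are assumptions made for illustration.

```python
# Toy model of a NAT translation table contrasting traditional (outbound,
# dynamic) NAT with static NAT. Constructed example, not Cisco code; all
# addresses are RFC 5737 documentation ranges.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Translation:
    inside: str       # inside local address
    global_ip: str    # inside global address
    static: bool      # static entries never time out or return to the pool
    last_used: float


# Inbound ACL rule on the outside interface: (global address, proto, port).
# It names the global address because the inbound ACL is evaluated before
# the global-to-local translation.
AclRule = Tuple[str, str, int]
# Session key: (global address, outside host, proto, outside host's port).
SessionKey = Tuple[str, str, str, int]


class NatDevice:
    def __init__(self, pool: List[str], inbound_acl: Set[AclRule], timeout: float = 60.0):
        self.pool = list(pool)                    # free global addresses for dynamic NAT
        self.table: Dict[str, Translation] = {}   # keyed by inside local address
        self.inbound_acl = inbound_acl
        self.timeout = timeout
        self.sessions: Set[SessionKey] = set()

    def add_static(self, inside: str, global_ip: str) -> None:
        # Configured by hand: always present, never handed out dynamically.
        if global_ip in self.pool:
            self.pool.remove(global_ip)
        self.table[inside] = Translation(inside, global_ip, True, 0.0)

    def _expire(self, now: float) -> None:
        # Dynamic translations die with the session; static ones remain.
        for inside, t in list(self.table.items()):
            if not t.static and now - t.last_used > self.timeout:
                del self.table[inside]
                self.sessions = {s for s in self.sessions if s[0] != t.global_ip}
                self.pool.append(t.global_ip)     # address returns to the pool

    def _by_global(self, global_ip: str) -> Optional[Translation]:
        return next((t for t in self.table.values() if t.global_ip == global_ip), None)

    def inside_to_outside(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Inside host sends outbound; allocate a dynamic translation on the
        first packet unless a static one already exists."""
        self._expire(now)
        t = self.table.get(pkt.src)
        if t is None:
            if not self.pool:
                return None                       # pool exhausted: dropped
            t = Translation(pkt.src, self.pool.pop(0), False, now)
            self.table[pkt.src] = t
        t.last_used = now
        self.sessions.add((t.global_ip, pkt.dst, pkt.proto, pkt.dport))
        return Packet(t.global_ip, pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    def outside_to_inside(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Outside host sends to a global address. Replies within an existing
        session pass; a new session from outside is accepted only for a
        static translation and only if the inbound ACL permits it."""
        self._expire(now)
        t = self._by_global(pkt.dst)
        if t is None:
            return None                           # nothing in the table: dropped
        key = (t.global_ip, pkt.src, pkt.proto, pkt.sport)
        if key not in self.sessions:
            if not t.static:
                return None                       # traditional NAT: only inside initiates
            if (t.global_ip, pkt.proto, pkt.dport) not in self.inbound_acl:
                return None                       # blocked by the outside-interface ACL
            self.sessions.add(key)
        t.last_used = now
        return Packet(pkt.src, pkt.sport, t.inside, pkt.dport, pkt.proto)


def demo() -> dict:
    # Constructed scenario: Host A (10.0.0.25) is a mail server with a static
    # translation, Host B (10.0.0.30) uses the dynamic pool, Host Z is outside.
    nat = NatDevice(["192.0.2.10", "192.0.2.11", "192.0.2.25"],
                    inbound_acl={("192.0.2.25", "tcp", 25)})
    nat.add_static("10.0.0.25", "192.0.2.25")
    z, web = "198.51.100.7", "203.0.113.9"
    smtp = nat.outside_to_inside(Packet(z, 40000, "192.0.2.25", 25), now=0)   # permitted
    ssh = nat.outside_to_inside(Packet(z, 40001, "192.0.2.25", 22), now=1)    # ACL denies
    out1 = nat.inside_to_outside(Packet("10.0.0.30", 51000, web, 80), now=2)  # dynamic entry
    unsolicited = nat.outside_to_inside(Packet(z, 40002, out1.src, 80), now=3)  # dropped
    reply = nat.outside_to_inside(Packet(web, 80, out1.src, 51000), now=4)    # reply passes
    out2 = nat.inside_to_outside(Packet("10.0.0.30", 51001, web, 80), now=100)  # new global
    return {"smtp": smtp, "ssh": ssh, "out1": out1, "unsolicited": unsolicited,
            "reply": reply, "out2": out2, "static_kept": "10.0.0.25" in nat.table}
```

Running demo() shows the two points of the text: Host Z can open SMTP to the mail server's global address but not SSH, and can never open a session to Host B's dynamically allocated address, while Host B's second session, started after the first one timed out, is translated to a different address from the pool. The static entry for Host A survives every expiry pass.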


Figure 3.5 A Static NAT translation.

[Figure not reproduced: packet diagram showing the IP header fields Src Addr and Dst Addr followed by Data, before and after translation.]