identity nat vs policy nat

John Blakley
VIP Alumni

Is using identity nat as compared to nat exemption merely a preference, or are there benefits to one over the other? I've changed all of my identity nats over to policy nat, but I'm not sure (other than ease of reading and it doesn't add to the xlate table) if there are any other benefits I'm not seeing.

Thanks,

John

HTH, John *** Please rate all useful posts ***
3 Replies

Jon Marshall
Hall of Fame

John

Just to clarify, what do you mean by policy NAT? Could you have a look at this document, which covers policy NAT, identity NAT (both static and dynamic) and NAT exemption:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml

So you may be confusing policy NAT with NAT exemption. Then again you may not, and it may be me that is confused :-)

Personally, I use policy NAT when I want to translate the same source addresses to different addresses depending on the destination address.

Jon

Jon,

I was confusing them. :)

policy nat = static (inside,dmz1)...

nat exemption = nat (inside) 0 access-list..

Is that right? I decided to take all of my statics off and move over to nat exemption, but I may go back. I'm not sure what a good deciding factor of doing one over the other is.

Thanks,

John

HTH, John *** Please rate all useful posts ***

John

To be honest with you, I think the terminology is way too complicated.

According to the doc, policy NAT is where you specify TCP/UDP ports in your ACL rather than just src/dst IPs.

I tend to think of it in simpler terms, perhaps because I am fundamentally quite a simple person :-).

1) Dynamic NAT with or without ACLs, NAT or PAT.

2) Static NAT with or without ACLs.

For both of the above the ACLs merely define the source IPs to be NATted.

3) Policy NAT - the ability to translate the same address to multiple different IPs based on src and dst IP and TCP/UDP port.

4) NAT exemption - don't do NAT at all.

Why the docs have to confuse things with identity NAT I don't know. I actually had to look that term up! The above works well for me, although others may take issue with it.

As for which to use: well, if you don't want to NAT, then NAT exemption saves an entry in the xlate table, as you say.

Jon
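To put the four forms Jon lists side by side, here is an added example in pre-8.3 ASA syntax (not from the thread or the linked doc); the addresses, ACL names and the outside/dmz1 interface names are constructed for illustration.

```cisco
! Added example, not from the thread. Pre-8.3 ASA/PIX syntax; addresses,
! ACL names and interface names are constructed.
!
! 1) Dynamic NAT/PAT: the ACL only selects which inside sources are translated.
access-list INSIDE_SRC extended permit ip 10.1.1.0 255.255.255.0 any
nat (inside) 1 access-list INSIDE_SRC
global (outside) 1 interface
!
! 2) Static NAT: one-to-one mapping for a server; an xlate entry is built.
static (inside,outside) 209.165.201.10 10.1.1.10 netmask 255.255.255.255
!
!    Static identity NAT: real and mapped address are identical. It still
!    occupies an xlate entry, which is the cost John refers to.
static (inside,dmz1) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
!
! 3) Policy NAT: the same inside host is given a different mapped address
!    depending on the destination it talks to.
access-list POLICY_A extended permit ip host 10.1.1.20 host 192.168.2.10
access-list POLICY_B extended permit ip host 10.1.1.20 host 192.168.3.10
static (inside,outside) 209.165.201.20 access-list POLICY_A
static (inside,outside) 209.165.201.21 access-list POLICY_B
!
! 4) NAT exemption: flows matching the ACL are not translated at all, so
!    (as the thread notes) nothing is added to the xlate table.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Check: exempted flows do not appear in the xlate table, identity-NAT
! flows appear with matching real and mapped addresses.
show running-config nat
show running-config static
show xlate
```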
