Several fields in the IP header, TCP or UDP headers, and even layer 7 data, from the original packet have to be changed in order to do NAT.
For example, the source IP address has to be changed as part of the NAT process (for changing an internal address like 192.168.x.x to a valid global IP address). If doing PAT instead of NAT, then TCP or UDP source ports need to be changed as well. If the packet carries a payload that has IP addresses or ports for a specific layer 7 protocol (like SIP, for example), and the ASA/PIX is doing deep packet inspection of that protocol ("inspect sip", for example), then the layer 7 payload needs to be modified as well.
Once you change something, checksums (like the IP, TCP and UDP checksums) need to be recalculated.
It's basically a new packet, but built based on the original packet. Fields that don't need to be changed as part of the NAT process are not touched. The IP ID is an example of a field that is not touched. This helps when you need to identify a packet among hundreds in packet captures on both the inside (pre-NAT) and outside (post-NAT) interfaces.
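The following is an added example, not code from the original post or from Cisco: it builds a constructed IPv4/UDP packet, applies source PAT to it the way the answer describes (rewrite source address and source port, recompute the IP and UDP checksums, leave everything else alone), and then correlates the pre-NAT and post-NAT copies by IP ID, destination and protocol, which is the capture-matching trick the answer mentions. It handles UDP only; the addresses, ports and IP ID are constructed sample values.

```python
import socket
import struct


def ip_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071), as used by IPv4, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes, ip_id: int) -> bytes:
    """Constructed IPv4/UDP packet with valid checksums (no options, DF set, TTL 64)."""
    udp_len = 8 + len(payload)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 17, udp_len)
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    udp_csum = ip_checksum(pseudo + udp_hdr + payload) or 0xFFFF  # 0 is reserved for "no checksum"
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, udp_csum)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, ip_id, 0x4000, 64, 17, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + udp_hdr + payload


def parse(packet: bytes) -> dict:
    """Pull out the fields NAT touches (src, sport) and the ones it leaves alone (ip_id, dst, dport)."""
    ihl = (packet[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return {
        "ip_id": struct.unpack("!H", packet[4:6])[0],
        "proto": packet[9],
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "sport": sport,
        "dport": dport,
    }


def apply_pat(packet: bytes, new_src: str, new_sport: int) -> bytes:
    """Source PAT: rewrite src address and src port, recompute both checksums, touch nothing else."""
    pkt = bytearray(packet)
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17:
        raise ValueError("this example only translates UDP")
    pkt[12:16] = socket.inet_aton(new_src)
    pkt[ihl:ihl + 2] = struct.pack("!H", new_sport)
    # IP header checksum covers only the header; zero the field before summing.
    pkt[10:12] = b"\x00\x00"
    pkt[10:12] = struct.pack("!H", ip_checksum(bytes(pkt[:ihl])))
    # UDP checksum covers a pseudo header that includes the (new) source address.
    udp = bytearray(pkt[ihl:])
    udp[6:8] = b"\x00\x00"
    pseudo = bytes(pkt[12:16]) + bytes(pkt[16:20]) + struct.pack("!BBH", 0, 17, len(udp))
    pkt[ihl + 6:ihl + 8] = struct.pack("!H", ip_checksum(pseudo + bytes(udp)) or 0xFFFF)
    return bytes(pkt)


def checksums_valid(packet: bytes) -> bool:
    """A correct one's-complement checksum sums to zero when the field itself is included."""
    ihl = (packet[0] & 0x0F) * 4
    udp = packet[ihl:]
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, 17, len(udp))
    return ip_checksum(packet[:ihl]) == 0 and ip_checksum(pseudo + udp) == 0


def correlate_by_ip_id(inside: list, outside: list) -> dict:
    """Map each inside (pre-NAT) packet index to the outside (post-NAT) packet with the same
    IP ID, protocol, destination address and destination port, none of which source NAT changes."""
    index = {}
    for j, p in enumerate(outside):
        f = parse(p)
        index[(f["ip_id"], f["proto"], f["dst"], f["dport"])] = j
    matches = {}
    for i, p in enumerate(inside):
        f = parse(p)
        key = (f["ip_id"], f["proto"], f["dst"], f["dport"])
        if key in index:
            matches[i] = index[key]
    return matches


if __name__ == "__main__":
    # Constructed sample: inside host 192.168.1.10 sends a DNS query; PAT maps it to 198.51.100.1:61000.
    pre = build_ipv4_udp("192.168.1.10", "203.0.113.5", 40000, 53, b"\x12\x34\x01\x00", 0x1234)
    post = apply_pat(pre, "198.51.100.1", 61000)
    print("pre-NAT :", parse(pre))
    print("post-NAT:", parse(post))
    print("checksums valid:", checksums_valid(pre), checksums_valid(post))
    print("match by IP ID:", correlate_by_ip_id([pre], [post]))
```

Running it shows the source address and port rewritten, the IP ID, destination and payload unchanged, and both checksums still valid on the translated copy. The correlation key deliberately excludes the source address and port, since those are exactly the fields that differ between the inside and outside captures.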