There are a few things to consider when using PAT:
The IP addresses you specify for PAT cannot be in another global address pool.
PAT does not work with H.323 applications and caching nameservers. PAT works with Domain Name Service (DNS), FTP and passive FTP, HTTP, mail, remote-procedure call (RPC), rshell, Telnet, URL filtering, and outbound traceroute.
Do not use PAT when multimedia applications need to be run through the firewall. Multimedia applications can conflict with port mappings provided by PAT.
In PIX software release 4.2(2), the PAT feature did not work with IP data packets that arrived in reverse order. This problem is corrected in release 4.2(3).
IP addresses in the pool of global addresses specified with the global command require reverse DNS entries to ensure that all external network addresses are accessible through the PIX. To create reverse DNS mappings, use a DNS Pointer (PTR) record in the address-to-name mapping file for each global address. Without the PTR entries, sites can experience slow or intermittent Internet connectivity and FTP requests fail consistently.
For example, if a global IP address is 18.104.22.168 and the domain name for the PIX firewall is pix.caguana.com, the PTR record would be:
22.214.171.124.in-addr.arpa. IN PTR pix3.caguana.com
126.96.36.199.in-addr.arpa. IN PTR pix4.caguana.com
and so on.
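One way to check that every address in a global pool has its PTR entry, as an added example that is not part of the original document or of any Cisco tooling. The pool range, zone lines and host names are constructed sample values using documentation addresses, the function names are hypothetical, and the check assumes fully qualified owner names in the address-to-name mapping file.

```python
import ipaddress

# Constructed sample of an address-to-name mapping file (not from the page).
SAMPLE_ZONE = """\
; reverse entries for the global pool
10.2.0.192.in-addr.arpa. IN PTR pix10.example.com.
11.2.0.192.in-addr.arpa. 3600 IN PTR pix11.example.com.
13.2.0.192.in-addr.arpa. IN PTR pix13.example.com.
"""


def pool_addresses(first, last):
    """Expand the inclusive first/last addresses of a global pool."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if hi < lo:
        raise ValueError("pool range is reversed")
    return [ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)]


def parse_ptr_owners(zone_text):
    """Return the owner names (lowercase, no trailing dot) that carry a PTR record."""
    owners = set()
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments, then tokenize
        upper = [f.upper() for f in fields]
        # Layout is: owner [ttl] [class] PTR target, so PTR is never the first
        # field and must be followed by a target name.
        if "PTR" in upper[1:] and upper.index("PTR", 1) < len(fields) - 1:
            owners.add(fields[0].rstrip(".").lower())
    return owners


def missing_ptr(first, last, zone_text):
    """List the pool addresses that have no PTR entry in the zone text."""
    owners = parse_ptr_owners(zone_text)
    return [str(a) for a in pool_addresses(first, last)
            if a.reverse_pointer not in owners]


if __name__ == "__main__":
    for addr in missing_ptr("192.0.2.10", "192.0.2.13", SAMPLE_ZONE):
        name = ipaddress.IPv4Address(addr).reverse_pointer
        print(f"missing: {name}. IN PTR <hostname>")
```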