Suppose there is an architecture like this: a firewall (connected to the internet) and a web/app server in the DMZ.
Any outgoing request (initialized from an inside LAN computer) will be processed by the firewall('s internal table):
from: 192.168.32.10 port 400
firewall outside: 126.96.36.199 port 1
which will be used to convert back to the 192.168.32.10 port 400 once the response comes back from the outside;
Now, if a request is initialized from an outside remote user's computer such as 188.8.131.52, which requests the web server (in the DMZ) via http to gain access to the web site, does the firewall create a table similar to the above-mentioned one, to record/convert the IP address and port back and forth, too?
(I mean, is the (firewall) conversion table used for outbound only, or for inbound, too?)
NAT is a 1:1 translation. So, if you set up a NAT, then yes, the "conversion" is bidirectional.
PAT is a Many:1 translation. So Cisco can't tell where an inbound connection needs to go unless there's a table entry already set up for that connection (either via an outbound connection starting the connection, or via a static mapping of a specific outbound port to a specific inbound server/port).
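To make the answer's point concrete, here is an added example (not from the poster and not any vendor's implementation): a toy Python model of a many:1 PAT table. It uses the question's inside host and firewall outside address; the DMZ web server address 10.0.0.5, the remote web server 203.0.113.5 and the remote source ports are constructed values.

```python
from dataclasses import dataclass, field

OUTSIDE_IP = "126.96.36.199"  # firewall outside address from the question


@dataclass
class PatFirewall:
    """Toy many:1 PAT table (hypothetical model, for illustration only)."""
    next_port: int = 1
    # outside_port -> (inside_ip, inside_port, remote_ip, remote_port)
    dynamic: dict = field(default_factory=dict)
    # outside_port -> (dmz_ip, dmz_port): static mapping for inbound services
    static: dict = field(default_factory=dict)

    def add_static(self, outside_port, dmz_ip, dmz_port):
        """Publish a DMZ server on a fixed outside port (static PAT)."""
        self.static[outside_port] = (dmz_ip, dmz_port)

    def outbound(self, in_ip, in_port, remote_ip, remote_port):
        """Inside host opens a connection: reuse or create a table entry.
        Returns the translated source (outside_ip, outside_port)."""
        flow = (in_ip, in_port, remote_ip, remote_port)
        for oport, entry in self.dynamic.items():
            if entry == flow:
                return (OUTSIDE_IP, oport)
        oport = self.next_port
        while oport in self.static or oport in self.dynamic:
            oport += 1  # never hand out a port reserved by a static mapping
        self.next_port = oport + 1
        self.dynamic[oport] = flow
        return (OUTSIDE_IP, oport)

    def inbound(self, remote_ip, remote_port, dst_port):
        """Packet from the internet to OUTSIDE_IP:dst_port.
        Returns the inside destination, or None when no entry exists
        (unsolicited inbound traffic to a PAT address is dropped)."""
        if dst_port in self.static:
            return self.static[dst_port]
        entry = self.dynamic.get(dst_port)
        if entry and entry[2:] == (remote_ip, remote_port):
            return entry[:2]  # reply to an existing outbound flow
        return None
```

Without the static mapping, the remote user's request to port 80 has no table entry and is dropped; only the reply to the LAN host's own outbound flow is translated back.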