Translation of Internal Addresses
The Network Address Translation (NAT) feature works by substituting, or translating, host addresses on an internal interface with a "global address" associated with an outside interface. This protects internal host addresses from being exposed on other network interfaces. To decide whether you want to use NAT, determine whether you want to expose internal addresses on the other network interfaces connected to the PIX Firewall. If you choose to protect internal host addresses using NAT, you identify the pool of addresses you want to use for translation.
If the addresses that you want to protect access only other networks within your organization, you can use any set of "private" addresses for the pool of translation addresses. For example, if you want to protect the host addresses on the finance department's network (connected to the inside interface on the PIX Firewall) from exposure when connecting to the sales department network (connected to the perimeter interface on the PIX Firewall), you can set up translation using any available set of addresses on the sales network. The effect is that hosts on the finance network appear as local addresses on the sales network.
If the addresses that you want to protect require Internet access, you use only NIC-registered addresses (official Internet addresses registered with the Network Information Center for your organization) for the pool of translation addresses. For example, if you want to protect host addresses on the sales network (connected to a perimeter interface of the PIX Firewall) from exposure when making connections to the Internet (accessible through the outside interface of the PIX Firewall), you can set up translation using a pool of registered addresses on the outside interface. The effect is that hosts on the Internet see only the Internet addresses for the sales network, not the addresses on the perimeter interface. If you are installing the PIX Firewall in an established network that has host- or network-registered addresses, you might not want to do translation for those hosts or networks, because that would require using another registered address for the translation.
When considering NAT, it is also important to consider whether you have as many translation addresses as internal hosts. If not, some internal hosts might not get network access when making a connection, because the pool is exhausted. In this case you can either apply for additional NIC-registered addresses or use Port Address Translation (PAT). PAT uses a single external address to manage up to 64,000 concurrent connections.
For inside systems, NAT translates the source IP address of outgoing packets (defined in RFC 1631). It supports both dynamic and static translation. NAT allows inside systems to be assigned private addresses (defined in RFC 1918), or to retain existing invalid addresses. NAT also provides additional security by hiding the real network identity of internal systems from the outside network.
PAT uses port remapping, which allows a single valid IP address to support source IP address translation for up to 64,000 active xlate objects. PAT minimizes the number of globally valid IP addresses required to support private or invalid internal addressing schemes. PAT does not work with multimedia applications that have an inbound data stream different from the outgoing control path. PAT provides additional security by hiding the real network identity of internal systems from the outside network.
Another class of address translation on the PIX Firewall is static translation. Static translation allows you to substitute a fixed external IP address for an internal address. This is useful for servers that require fixed IP addresses for access from the public Internet.
The PIX Firewall identity feature allows address translation to be disabled. If existing internal systems have valid, globally unique addresses, the identity feature allows NAT and PAT to be selectively disabled for these systems. This feature makes those internal network addresses visible to the outside network.
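The four behaviours above (dynamic NAT from a pool, PAT port remapping on a single address once the pool runs out, static translation for servers, and identity pass-through) are easiest to see side by side in a small model of the xlate table. The following Python is an added illustration written for this page; it is not PIX code and does not reproduce the PIX configuration syntax. The class name `Translator`, the lookup order (identity, then static, then dynamic NAT, then PAT), the inside addresses from 10.0.0.0/8 and the global addresses from 203.0.113.0/24 are all constructed for the example; the port range defaults to 1024-65535 to mirror the roughly 64,000 connections a single PAT address can carry.

```python
"""Toy model of PIX-style address translation: dynamic NAT, PAT, static, identity.
Constructed example for illustration; not PIX code or configuration."""


class Translator:
    def __init__(self, nat_pool, pat_addr=None, statics=None, identity=(),
                 pat_ports=range(1024, 65536)):
        self.nat_free = list(nat_pool)        # unused global addresses in the dynamic pool
        self.nat_map = {}                     # inside addr -> global addr (one per host)
        self.pat_addr = pat_addr              # single global address shared by PAT, if any
        self.pat_map = {}                     # (inside addr, inside port) -> remapped port
        self._pat_ports = iter(pat_ports)     # ports still available for PAT remapping
        self.statics = dict(statics or {})    # inside addr -> fixed global addr (servers)
        self.identity = set(identity)         # inside addrs passed through untranslated

    def translate(self, inside_addr, inside_port):
        """Return the (global_addr, global_port) a packet leaves with, or None if
        no translation slot is available and the connection cannot be made."""
        # Identity: the host already has a valid global address, so translation is off.
        if inside_addr in self.identity:
            return (inside_addr, inside_port)
        # Static: a fixed external address, so outside clients can always reach it.
        if inside_addr in self.statics:
            return (self.statics[inside_addr], inside_port)
        # Dynamic NAT: one pool address per inside host, reused for all its connections.
        if inside_addr in self.nat_map:
            return (self.nat_map[inside_addr], inside_port)
        if self.nat_free:
            global_addr = self.nat_free.pop(0)
            self.nat_map[inside_addr] = global_addr
            return (global_addr, inside_port)
        # Pool exhausted: fall back to PAT, which remaps the source port on one address.
        if self.pat_addr is not None:
            key = (inside_addr, inside_port)
            if key not in self.pat_map:
                port = next(self._pat_ports, None)
                if port is None:              # all ~64,000 PAT slots in use
                    return None
                self.pat_map[key] = port
            return (self.pat_addr, self.pat_map[key])
        # No PAT configured and no free pool address: the host gets no network access.
        return None


def demo():
    """Walk through the cases in the text; returns results so they can be checked."""
    t = Translator(nat_pool=["203.0.113.1", "203.0.113.2"],   # constructed pool
                   pat_addr="203.0.113.3",
                   statics={"10.0.0.10": "203.0.113.10"},
                   identity={"198.51.100.5"})
    return {
        "nat_host1_conn1": t.translate("10.0.0.1", 5000),   # gets first pool address
        "nat_host1_conn2": t.translate("10.0.0.1", 5001),   # same host, same global addr
        "nat_host2":       t.translate("10.0.0.2", 5000),   # gets second pool address
        "pat_host3":       t.translate("10.0.0.3", 5000),   # pool empty -> PAT, port 1024
        "pat_host4":       t.translate("10.0.0.4", 5000),   # PAT, port 1025
        "pat_host3_again": t.translate("10.0.0.3", 5000),   # existing xlate reused
        "static_server":   t.translate("10.0.0.10", 80),    # fixed address, port kept
        "identity_host":   t.translate("198.51.100.5", 80), # untranslated
    }


def pool_exhausted_without_pat():
    """With one pool address and no PAT, the second host is denied (None)."""
    t = Translator(nat_pool=["203.0.113.1"])
    return [t.translate("10.0.0.1", 5000), t.translate("10.0.0.2", 5000)]


def pat_exhausted():
    """A deliberately tiny PAT port range shows the hard limit on concurrent xlates."""
    t = Translator(nat_pool=[], pat_addr="203.0.113.3", pat_ports=range(1024, 1026))
    return [t.translate("10.0.0.1", p) for p in (5000, 5001, 5002)]


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} -> {result}")
    print("no PAT, pool of one:", pool_exhausted_without_pat())
    print("PAT with two ports:  ", pat_exhausted())
```

The order of the checks is the point to take away: identity and static entries are decided before the dynamic pool is consulted, and PAT only comes into play once the pool has nothing left to hand out. Running `pool_exhausted_without_pat()` shows the failure mode the text warns about (a host simply gets `None`, no connection), and `pat_exhausted()` shows that PAT only moves that limit to the size of its port range rather than removing it.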