
Dynamic Destination NAT

Dynamic destination NAT dynamically translates the destination IP address of the packet, and there is no fixed mapping between the pre-NAT and post-NAT addresses.

Static destination NAT can meet the requirements of most destination address translation scenarios. In some cases, however, the post-NAT address is not expected to be fixed. The scenario where mobile devices access wireless networks through destination address translation is a case in point.

Figure 1 shows the mechanism of dynamic destination NAT based on the NAT policy.

Figure 1 Mechanism of dynamic destination NAT based on the NAT policy

The FW performs destination NAT as follows when Host A accesses the server:

  1. After receiving the packet from Host A, the FW translates the destination address of the packet that matches the NAT policy, randomly selects an address from the address pool as the translated address, and translates the destination IP address of the packet from 172.16.16.2 to 192.168.1.2.
  2. After checking the interzone security policy, the FW establishes a session table and sends the packet to the server.
  3. Upon receiving the reply packet from the server to Host A, the FW searches the session table and matches the entry created in step 2. Accordingly, the FW changes the source address of the packet to 172.16.16.2 and then forwards the packet to Host A.
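The three steps above as an added Python sketch (not Huawei code or device configuration). It also shows that a reply with no matching session entry is not translated. Host A's address, the second pool address, the ports and the permit rule are constructed for illustration; only 172.16.16.2 and 192.168.1.2 come from the page.

```python
import ipaddress
import random

VIP = "172.16.16.2"                    # pre-NAT destination, from the page
POOL = ["192.168.1.2", "192.168.1.3"]  # constructed pool; the page shows 192.168.1.2
HOST_A = "10.1.1.10"                   # constructed address for Host A


class Firewall:
    def __init__(self, nat_match, pool, permit, rng=None):
        self.nat_match = ipaddress.ip_network(nat_match)  # NAT policy condition
        self.pool = pool
        self.permit = permit            # security policy: f(src, dst, dport) -> bool
        self.rng = rng or random.Random()
        self.forward_tbl = {}           # original 4-tuple -> translated destination
        self.reverse_tbl = {}           # reply 4-tuple -> original destination

    def inbound(self, src, sport, dst, dport):
        """Steps 1 and 2: translate, check security policy, create the session."""
        key = (src, sport, dst, dport)
        if key in self.forward_tbl:     # an existing flow keeps its pool address
            return (src, sport, self.forward_tbl[key], dport)
        new_dst = dst
        if ipaddress.ip_address(dst) in self.nat_match:
            new_dst = self.rng.choice(self.pool)   # random pick, no fixed mapping
        # Following the page's step order, the policy sees the translated address.
        if not self.permit(src, new_dst, dport):
            return None                 # dropped, no session entry created
        self.forward_tbl[key] = new_dst
        self.reverse_tbl[(new_dst, dport, src, sport)] = dst
        return (src, sport, new_dst, dport)

    def reply(self, src, sport, dst, dport):
        """Step 3: restore the source address only if a session entry matches."""
        orig_dst = self.reverse_tbl.get((src, sport, dst, dport))
        if orig_dst is None:
            return None                 # no session entry: dropped in this sketch
        return (orig_dst, sport, dst, dport)


def demo():
    def permit(src, dst, dport):        # constructed rule: HTTP to the pool subnet
        return dst.startswith("192.168.1.") and dport == 80
    fw = Firewall(VIP + "/32", POOL, permit, random.Random(1))
    out = fw.inbound(HOST_A, 40000, VIP, 80)             # Host A -> 172.16.16.2
    back = fw.reply(out[2], 80, HOST_A, 40000)           # server reply, session hit
    stray = fw.reply("192.168.1.9", 80, HOST_A, 40000)   # no session for this source
    return out, back, stray
```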

ACL-based destination NAT translates the destination addresses and ports of packets matching specific conditions into the specified addresses and ports. The conditions include security zones and ACLs. That is, the device performs destination NAT only for packets that match a specific ACL and originate from a specific security zone. The mechanisms of ACL-based destination NAT and NAT policy-based dynamic destination NAT are similar and differ only in the conditions for matching packets that require address translation. ACL-based destination NAT matches packets based on specific conditions, whereas NAT policy-based dynamic destination NAT matches packets based on NAT policies.

Copyright © Huawei Technologies Co., Ltd.