SunScreen 3.2 Administrator's Overview

Dynamic NAT

Use dynamic NAT to translate a set of unregistered IP addresses to a smaller set of registered addresses. Dynamic NAT enables you to connect a large number of hosts to the public Internet using a limited number of registered addresses.

Unlike static NAT, which sets up a one-to-one translation between internal unregistered addresses and external registered addresses, dynamic NAT creates a many-to-one translation where several internal addresses use the same public address. Dynamic NAT avoids IP address conflicts by maintaining a state table that records five values (source address, source port, destination address, destination port, and protocol) for each TCP or UDP connection. A Screen can multiplex thousands of translations over a single registered address.

Dynamic NAT is unidirectional, meaning that communication can be initiated only from the unregistered private network. Dynamic NAT works only when a user originates a connection from inside the firewall; packets from outside that do not match an established connection in the address lookup table cannot be mapped to a host on the private network and are discarded. Dynamic NAT therefore applies only to connections initiated from the Source address systems, which generally are machines with unregistered addresses that you want to translate to registered addresses.

For example, assume you have workstations with unregistered addresses defined by the address group my_private that you want to allow access to the Internet using a set of public addresses defined by the address group my_public. The address Internet represents all addresses on the Internet.

To do this, you define a dynamic NAT rule, as shown in the table below, that specifies that the Source address group my_private becomes the translated source address group my_public. Destination and Translated Destination are both the address Internet, which limits the translation to packets going to or from the Internet.

Table 7-2 A Dynamic NAT Rule

Type     Source      Destination  Translated Source  Translated Destination  Comment
-------  ----------  -----------  -----------------  ----------------------  -------
DYNAMIC  my_private  Internet     my_public          Internet
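As an added illustration, not code from the SunScreen documentation, the following Python models the behaviour described above: outbound connections from my_private are rewritten to a single my_public address with distinct source ports, replies are matched against the stored five values, and unsolicited inbound packets are discarded. The address ranges and the class and function names are constructed for this example.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the address groups in the rule (not SunScreen objects).
MY_PRIVATE = ip_network("10.0.0.0/24")  # unregistered source addresses
MY_PUBLIC = "192.0.2.10"                # one registered address (RFC 5737 range)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


class DynamicNat:
    """Many-to-one translation keyed on the five values the page lists."""

    def __init__(self, public=MY_PUBLIC, first_port=1024):
        self.public = public
        self.next_port = first_port
        self.out_table = {}  # (src, sport, dst, dport, proto) -> translated port
        self.in_table = {}   # reply five-tuple as seen from outside -> (src, sport)

    def outbound(self, pkt):
        """Packet leaving the private side: translate source, record state."""
        if ip_address(pkt.src) not in MY_PRIVATE:
            return pkt  # rule does not match; pass unchanged
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if key not in self.out_table:
            port, self.next_port = self.next_port, self.next_port + 1
            self.out_table[key] = port
            self.in_table[(pkt.dst, pkt.dport, self.public, port, pkt.proto)] = (
                pkt.src, pkt.sport)
        return replace(pkt, src=self.public, sport=self.out_table[key])

    def inbound(self, pkt):
        """Packet arriving from the Internet: only established flows pass."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        orig = self.in_table.get(key)
        if orig is None:
            return None  # no state entry: no private host can be identified, discard
        return replace(pkt, dst=orig[0], dport=orig[1])
```

Two private hosts using the same source port towards the same server get different translated ports, which is how the state table avoids the conflict the text mentions.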