IOS vs. IPTABLES (when using NAT)
polm
Member Posts: 34
in CCNA & CCENT
As I review for my CCNA I come to the portion concerning NAT and PAT on Cisco IOS.
I run an IPTABLES based firewall @home, and I use the Masquerade feature to allow my @home LAN nodes to access the internet using my 1 dynamically assigned global IP address.
The impression I get from IOS running NAT is that only one node can be translated to one IP at a given time. Therefore the number of available IPs to be placed in a dynamic pool must accommodate the number of translated connections that must be running at one time.
At home, I can execute multiple outbound sessions to different global IP's from different @home LAN nodes without any problem. This is all using that same 1 global IP assigned from my ISP.
So, my question is: how does IPTABLES Masquerading differ from the Cisco IOS NAT/PAT service in terms of multiple simultaneous connections from many Inside local hosts to many Outside global hosts?
Comments
tunerX
Member Posts: 447
It is the same way. You can specify static address translations where one inside address is translated to one outside address. You can specify a pool where you have a group of inside addresses that are translated to a group of outside addresses. You have the overload feature which translates multiple inside addresses to a single outside address. You can do match statements that will keep the same host portion of the address on both the inside and outside; only the network numbers will change. In the case of overload, PAT is used to keep track of the multiple inside addresses that are translated to a single outside address.
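To make the difference concrete, here is an added example (not from this thread or from any IOS or iptables code): a small Python model of the two modes tunerX describes, a dynamic one-to-one pool that runs out after N hosts, and overload/PAT (what iptables MASQUERADE does) that multiplexes many inside hosts onto one outside address by tracking source ports. The inside hosts, outside addresses and ports are constructed sample values.

```python
from itertools import count


class NatPool:
    """Dynamic one-to-one NAT: each active inside host consumes one pool address."""

    def __init__(self, pool):
        self.free = list(pool)
        self.table = {}            # inside_ip -> outside_ip

    def translate(self, inside_ip):
        if inside_ip in self.table:
            return self.table[inside_ip]
        if not self.free:
            return None            # pool exhausted: the packet cannot be translated
        self.table[inside_ip] = self.free.pop(0)
        return self.table[inside_ip]


class NatOverload:
    """PAT / MASQUERADE: one outside address, flows told apart by translated port."""

    def __init__(self, outside_ip, first_port=1024):
        self.outside_ip = outside_ip
        self.table = {}            # (inside_ip, inside_port, proto) -> outside_port
        self.used = set()          # (proto, outside_port) already handed out
        self.spare = count(first_port)

    def translate(self, inside_ip, inside_port, proto="tcp"):
        key = (inside_ip, inside_port, proto)
        if key not in self.table:
            # Keep the original source port when free; on a collision with
            # another inside host, pick the next unused port instead.
            port = inside_port
            if (proto, port) in self.used:
                port = next(p for p in self.spare if (proto, p) not in self.used)
            self.used.add((proto, port))
            self.table[key] = port
        return (self.outside_ip, self.table[key])


def demo():
    """Four inside hosts, each opening one flow from source port 40000 (constructed)."""
    hosts = ["10.0.0.%d" % i for i in range(1, 5)]
    pool = NatPool(["203.0.113.10", "203.0.113.11"])   # only two outside addresses
    pool_results = [pool.translate(h) for h in hosts]   # hosts 3 and 4 get None
    pat = NatOverload("203.0.113.1")                    # one outside address
    pat_results = [pat.translate(h, 40000) for h in hosts]
    return pool_results, pat_results
```

The same `(inside_ip, inside_port, proto)` key is what lets the translator map return traffic back to the right inside host, which is why one global address is enough for many simultaneous sessions.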
tunerX
Member Posts: 447
You can also do static PAT. This function allows you to specify outside ports and an outside address to translate to a specific inside address and/or port.