Managing Cisco Network Security, Second Edition

In today's world of enterprise networks, one of the major problems facing IT professionals is the rapidly depleting supply of globally unique Internet network addresses. Measures have been taken to slow the rate at which IP addresses are being allocated including strategies such as Classless Inter-Domain Routing (CIDR), Network Address Translation (NAT), and Port Address Translation (PAT). This chapter will discuss NAT and PAT and how they can contribute to a security policy, the implications of NAT, and considerations when implementing NAT.
Network Address Translation is designed for IP address simplification and conservation. It enables private IP networks that use non-registered RFC1918 IP addresses to connect to the Internet. NAT operates on a device, usually connecting two networks together, that allows them to communicate. Typically, one network uses RFC1918 IP addresses, which are translated into globally unique IP addresses. Other scenarios in which NAT can be utilized will be discussed later in this chapter.
NAT by itself is not a security measure and should not be implemented in such a fashion. A common misconception is that NAT will allow a company to "hide" its internal network. This can be an added security benefit, but should not be relied upon as the only security measure. Although typical private networks use addresses that are never intended to be publicly issued, a company's ISP may have knowledge of that particular network. If routing between the company and the ISP is not done properly, a route to the company may be leaked throughout the...