NAT in Transparent Mode or Within a Bridge Group

Using NAT in transparent mode eliminates the need for the upstream or downstream routers to perform NAT for their networks. NAT can perform a similar function within a bridge group in routed mode.

NAT in transparent mode, or in routed mode between members of the same bridge group, has the following requirements and limitations:

  • You cannot configure interface PAT when the mapped address is a bridge group member interface, because there is no IP address attached to the interface.

  • ARP inspection is not supported. Moreover, if for some reason a host on one side of the threat defense sends an ARP request to a host on the other side of the threat defense, and the initiating host's real address is mapped to a different address on the same subnet, then the real address remains visible in the ARP request.

  • Translating between IPv4 and IPv6 networks is not supported. Translating between two IPv6 networks, or between two IPv4 networks, is supported.

The following figure shows a typical NAT scenario in transparent mode, with the same network on the inside and outside interfaces. The transparent firewall in this scenario is performing the NAT service so that the upstream router does not have to perform NAT.

Figure: NAT Example: Transparent Mode (NAT in Threat Defense transparent mode)

  1. When the inside host at 10.1.1.75 sends a packet to a web server, the real source address of the packet, 10.1.1.75, is changed to a mapped address, 209.165.201.15.

  2. When the server responds, it sends the response to the mapped address, 209.165.201.15, and the threat defense receives the packet because the upstream router includes this mapped network in a static route directed to the threat defense management IP address.

  3. The threat defense then undoes the translation of the mapped address, 209.165.201.15, back to the real address, 10.1.1.75. Because the real address is directly connected, the threat defense sends it directly to the host.

  4. For host 192.168.1.2, the same process occurs, except that for returning traffic, the threat defense looks up the route in its routing table and sends the packet to the downstream router at 10.1.1.3 based on the threat defense static route for 192.168.1.0/24.
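The four steps above, as an added model that is not part of the original documentation: a static NAT table, the bridge group's directly connected network, and the static route decide how return traffic is untranslated and forwarded. The mapped address for 192.168.1.2 (209.165.201.16) is an assumed value, since the page does not give one; the IPv4/IPv6 rule check reflects the limitation listed earlier.

```python
import ipaddress

# Constructed model of the transparent-mode NAT scenario on this page.
# Static NAT table: real host -> mapped address. The 10.1.1.75 entry is from
# the page; the mapping for 192.168.1.2 is an assumed value for illustration.
NAT_TABLE = {
    ipaddress.ip_address("10.1.1.75"): ipaddress.ip_address("209.165.201.15"),
    ipaddress.ip_address("192.168.1.2"): ipaddress.ip_address("209.165.201.16"),
}

# Directly connected network of the bridge group, and the static route from step 4.
CONNECTED = ipaddress.ip_network("10.1.1.0/24")
STATIC_ROUTES = {
    ipaddress.ip_network("192.168.1.0/24"): ipaddress.ip_address("10.1.1.3"),
}

def rule_is_supported(real, mapped):
    """IPv4<->IPv6 translation is not supported in this mode; both sides of a
    rule must belong to the same address family."""
    return ipaddress.ip_address(real).version == ipaddress.ip_address(mapped).version

def translate_outbound(src):
    """Step 1: rewrite the real source address to its mapped address."""
    src = ipaddress.ip_address(src)
    mapped = NAT_TABLE.get(src)
    if mapped is None:
        raise LookupError(f"no NAT rule for {src}")
    return str(mapped)

def untranslate_inbound(dst):
    """Step 3: rewrite the mapped destination back to the real address."""
    dst = ipaddress.ip_address(dst)
    for real, mapped in NAT_TABLE.items():
        if mapped == dst:
            return str(real)
    raise LookupError(f"no NAT rule for mapped address {dst}")

def next_hop(real_dst):
    """Steps 3-4: a directly connected host is reached directly; any other
    destination is looked up in the static routes. Returns (kind, address)."""
    real_dst = ipaddress.ip_address(real_dst)
    if real_dst in CONNECTED:
        return ("direct", str(real_dst))
    for network, gateway in STATIC_ROUTES.items():
        if real_dst in network:
            return ("route", str(gateway))
    raise LookupError(f"no route to {real_dst}")

def return_path(mapped_dst):
    """Return-traffic handling: untranslate, then choose the next hop."""
    real = untranslate_inbound(mapped_dst)
    return (real,) + next_hop(real)
```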