NAT
NAT translates packet addresses at forwarding time. netverdict covers common inside/outside NAT and PAT scenarios plus an ASA-style twice-NAT runtime for selected firewall cases.
Support level
| Area | Level | Notes |
|---|---|---|
| Static NAT | Supported | One-to-one inside/outside translation. |
| Dynamic PAT | Supported | Overload translation using interface or pool address. |
| Inside/outside roles | Supported | Interface roles control translation direction. |
| ASA twice NAT | Behaviour model | Parser and runtime for modelled ASA-style translations. |
| ALG behaviour | Not modelled | Protocol helpers are out of scope. |
Standards coverage
| Standard | Coverage | Notes |
|---|---|---|
| RFC 3022 | Behaviour model | Traditional NAT and NAPT semantics. |
| Cisco IOS NAT | Behaviour model | Supported CLI forms and translation order. |
| Cisco ASA NAT | Partial | Twice NAT model for selected cases. |
Feature matrix
| Feature | Status | Notes |
|---|---|---|
| `ip nat inside` / `outside` | Supported | Interface direction. |
| Static inside source | Supported | Fixed local/global mapping. |
| Dynamic overload | Supported | PAT with ACL-selected source traffic. |
| NAT pools | Partial | Supported where parsed by the current CLI surface. |
| Translation table | Supported | Runtime translations can be inspected. |
| ASA object/twice NAT | Behaviour model | Selected object and twice-NAT forms. |
| Hairpin NAT | Not modelled | Not a current support claim. |
Vendor command matrix
| Command | IOS-style | ASA-style | VyOS-style | Notes |
|---|---|---|---|---|
| `ip nat inside source static 10.0.0.10 203.0.113.10` | Supported | n/a | Partial | Static NAT. |
| `ip nat inside source list 1 interface GigabitEthernet0/0 overload` | Supported | n/a | Partial | PAT overload. |
| `ip nat inside` | Supported | n/a | n/a | Interface role. |
| `nat (inside,outside) source static ...` | n/a | Partial | n/a | ASA twice NAT subset. |
| `show ip nat translations` | Supported | Partial | Partial | Translation table. |
Behaviour notes
NAT is applied as part of forwarding. ACLs select candidate flows, interface roles decide direction, and the translation result feeds the next route lookup or packet decision.
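
A minimal model of that sequence for dynamic PAT overload, added here as an illustration and not netverdict's own code. The outside address `203.0.113.1`, the inside routing table, the starting port and all function and class names are assumptions; the route-then-translate and untranslate-then-route ordering follows the classic IOS order of operations.

```python
import ipaddress

# Constructed values mirroring the page's canonical example; OUTSIDE_IP,
# INSIDE_NETS, the port range and every name below are assumptions.
ROLES = {"Gi0/1": "inside", "Gi0/0": "outside"}
OUTSIDE_IP = "203.0.113.1"
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/16")]  # routed via Gi0/1
ACL1 = ("10.0.0.0", "0.0.0.255")  # access-list 1 permit 10.0.0.0 0.0.0.255


def acl_permits(src, acl=ACL1):
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    base, wild = (int(ipaddress.ip_address(a)) for a in acl)
    care = ~wild & 0xFFFFFFFF
    return int(ipaddress.ip_address(src)) & care == base & care


def route(dst):
    inside = any(ipaddress.ip_address(dst) in n for n in INSIDE_NETS)
    return "Gi0/1" if inside else "Gi0/0"


class PatRouter:
    def __init__(self, first_port=1024):
        self.next_port = first_port
        self.table = {}    # (proto, inside_ip, inside_port) -> global_port
        self.reverse = {}  # (proto, global_port) -> (inside_ip, inside_port)

    def forward(self, in_if, pkt):
        """pkt = (proto, src, sport, dst, dport); returns (out_if, pkt) or None."""
        proto, src, sport, dst, dport = pkt
        if ROLES[in_if] == "outside" and dst == OUTSIDE_IP:
            # Outside to inside: untranslate first, then route on the local address.
            hit = self.reverse.get((proto, dport))
            if hit is None:
                return None  # no translation entry, nothing to forward inside
            dst, dport = hit
            return route(dst), (proto, src, sport, dst, dport)
        out_if = route(dst)  # inside to outside: route first, then translate
        if (ROLES[in_if], ROLES[out_if]) == ("inside", "outside") and acl_permits(src):
            key = (proto, src, sport)
            if key not in self.table:  # first packet of the flow allocates a port
                self.table[key] = self.next_port
                self.reverse[(proto, self.next_port)] = (src, sport)
                self.next_port += 1
            src, sport = OUTSIDE_IP, self.table[key]
        return out_if, (proto, src, sport, dst, dport)
```

In this model a source that misses the ACL (for example `10.0.1.5`) is still routed out of the outside interface, only untranslated, which is the case to check when reviewing a PAT configuration.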
Examples
Canonical example

```
configure terminal
access-list 1 permit 10.0.0.0 0.0.0.255
interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/1
 ip nat inside
ip nat inside source list 1 interface GigabitEthernet0/0 overload
end
show ip nat translations
```

Vendor styles

IOS-style

```
access-list 1 permit 10.0.0.0 0.0.0.255
interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/1
 ip nat inside
ip nat inside source list 1 interface GigabitEthernet0/0 overload
```

ASA-style

```
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
```

VyOS-style

```
set nat source rule 100 outbound-interface eth0
set nat source rule 100 source address 10.0.0.0/24
set nat source rule 100 translation address masquerade
```

Known limits
The following are not complete: ALG rewriting, deterministic port-block allocation, NAT64/NPTv6, complex ASA section ordering, and coverage of every overlapping-object corner case.