Network address translation (NAT) is a method of transmitting and receiving network traffic through a router that involves reassigning the source or destination IP address. The most common use for NAT is to allow private networks to communicate with the internet. Static NAT performs a 1:1 translation, which does not pose a problem for Firepower Management Center communication with devices, but port address translation (PAT) is more common. PAT lets you use a single public IP address and unique ports to access the public network; these ports are dynamically assigned as needed, so you cannot initiate a connection to a device behind a PAT router.
Normally, you need both IP addresses (along with a registration key) for both routing purposes and for authentication: the Firepower Management Center specifies the device IP address, and the device specifies the Firepower Management Center IP address. However, if you only know one of the IP addresses, which is the minimum requirement for routing purposes, then you must also specify a unique NAT ID on both sides of the connection to establish trust for the initial communication and to look up the correct registration key. The Firepower Management Center and device use the registration key and NAT ID (instead of IP addresses) to authenticate and authorize for initial registration.
For example, you add a device to the Firepower Management Center, and you do not know the device IP address (for example, the device is behind a PAT router), so you specify only the NAT ID and the registration key. On the device, you specify the Firepower Management Center IP address, the same NAT ID, and the same registration key. The device registers to the Firepower Management Center's IP address. At this point, the Firepower Management Center uses the NAT ID instead of the IP address to authenticate the device.
Although the use of a NAT ID is most common for NAT environments, you might choose to use the NAT ID to simplify adding many devices to the Firepower Management Center. On the Firepower Management Center, specify a unique NAT ID for each device you want to add, and then on each device, specify both the Firepower Management Center IP address and the NAT ID.

Note: The NAT ID must be unique per device.
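The following Python model is an added illustration of the registration logic described in the PAT example and in the many-devices procedure above; it is not Cisco code, and the class and function names, the 198.51.100.7 PAT address and the registration keys are all constructed for the example. It shows why the management side needs either the device IP or a NAT ID, why the NAT ID is the only thing that distinguishes two devices arriving from the same PAT address, and why a duplicate NAT ID must be rejected at configuration time.

```python
"""Constructed model of management-center device registration using a NAT ID.

Illustrative simulation only (not Cisco code): the classes, method names and
sample values are assumptions made for this example.
"""
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class PendingDevice:
    name: str
    reg_key: str
    ip: Optional[str] = None      # None when the device sits behind a PAT router
    nat_id: Optional[str] = None  # None when the device IP is known and no NAT ID is used


class ManagementCenter:
    """Holds the device registrations an administrator has pre-configured."""

    def __init__(self) -> None:
        self._by_ip: dict[str, PendingDevice] = {}
        self._by_nat_id: dict[str, PendingDevice] = {}
        self.registered: dict[str, str] = {}  # device name -> source IP seen on registration

    def add_device(self, name: str, reg_key: str,
                   ip: Optional[str] = None, nat_id: Optional[str] = None) -> None:
        """Administrator adds a device; at least one of ip / nat_id is required."""
        if ip is None and nat_id is None:
            raise ValueError("either the device IP address or a NAT ID is required")
        if nat_id is not None and nat_id in self._by_nat_id:
            # Behind PAT the NAT ID is the only thing that tells devices apart,
            # so a duplicate is a configuration error, not something to resolve later.
            raise ValueError(f"NAT ID {nat_id!r} is already in use; it must be unique per device")
        entry = PendingDevice(name, reg_key, ip, nat_id)
        if ip is not None:
            self._by_ip[ip] = entry
        if nat_id is not None:
            self._by_nat_id[nat_id] = entry

    def handle_registration(self, source_ip: str, reg_key: str,
                            nat_id: Optional[str] = None) -> tuple[bool, str]:
        """Device-initiated registration as seen by the management center.

        Returns (accepted, reason).
        """
        entry = self._by_ip.get(source_ip)
        if entry is None and nat_id is not None:
            # Source IP unknown or rewritten by NAT: fall back to the NAT ID lookup
            entry = self._by_nat_id.get(nat_id)
        if entry is None:
            return False, "no pending registration matches this IP or NAT ID"
        if entry.nat_id is not None and entry.nat_id != nat_id:
            return False, "NAT ID does not match the pending registration"
        # Constant-time comparison so the key check leaks nothing through timing
        if not hmac.compare_digest(entry.reg_key.encode(), reg_key.encode()):
            return False, "registration key mismatch"
        # One-shot: consume the pending entry so the same key/NAT ID cannot be replayed
        if entry.ip is not None:
            self._by_ip.pop(entry.ip, None)
        if entry.nat_id is not None:
            self._by_nat_id.pop(entry.nat_id, None)
        self.registered[entry.name] = source_ip
        return True, f"{entry.name} registered from {source_ip}"


def demo() -> tuple[ManagementCenter, list[tuple[bool, str]]]:
    """Two devices behind one PAT router, distinguished only by their NAT IDs."""
    fmc = ManagementCenter()
    # Device IPs are unknown (PAT), so only NAT ID + registration key are configured
    fmc.add_device("branch-ftd-1", "constructed-key-1", nat_id="branch1")
    fmc.add_device("branch-ftd-2", "constructed-key-2", nat_id="branch2")
    pat_ip = "198.51.100.7"  # constructed: the PAT router's single public address
    outcomes = [
        fmc.handle_registration(pat_ip, "constructed-key-1", "branch1"),  # accepted
        fmc.handle_registration(pat_ip, "wrong-key", "branch2"),          # key mismatch
        fmc.handle_registration(pat_ip, "constructed-key-2", "branch2"),  # accepted
        fmc.handle_registration(pat_ip, "constructed-key-1", None),       # no NAT ID, IP unknown
    ]
    return fmc, outcomes


if __name__ == "__main__":
    _, results = demo()
    for accepted, reason in results:
        print("ACCEPT" if accepted else "REJECT", "-", reason)
```

Both devices arrive from the same source address, so the IP table can never identify them; the NAT ID lookup does, and the registration key is still required before the entry is accepted. The fourth attempt fails because neither an IP nor a NAT ID identifies a pending entry, which is the "minimum requirement" the text describes.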