NAT provides little control over what internal-network users can access on the Internet. In addition, Network Address Translation (NAT) is a way to map an entire network (or networks) to a single IP address. NAT is necessary when the number of IP addresses assigned to you by your Internet Service Provider is less than the total number of computers that you wish to provide Internet access for.
It does not control what Web sites users can access, and cannot selectively allow or deny access to particular Internet services, such as newsgroups or FTP. If your situation requires this level of control, you must implement a proxy server to examine packets at the application layer. If, however, you need to block a particular network service on a wholesale level (such as AOL), you can use the packet filtering mechanism available with the Routing and Remote Access Service (RRAS).

Address translation substitutes the real address in a packet with a mapped address that is routable on the destination network. NAT is comprised of two steps:

1. the process in which a real address is translated into a mapped address, and then
2. the process to undo translation for returning traffic.

The security appliance translates an address when a NAT rule matches the traffic. If no NAT rule matches, processing for the packet continues. The exception is when you enable NAT control. NAT control requires that packets traversing from a higher security interface (inside) to a lower security interface (outside) match a NAT rule, or else processing for the packet stops.