While reading about CISCO NetFlow Analysis I came up with a term named NAT Stitching
.
I understand Flow Stitching
which join same type of inbound and outbound connection.
But can't find anything discrete about NAT Stitching
except the following,
NAT stitching: Unify the NAT information from inside the firewall with information from outside the firewall to pinpoint which IPs and users inside the network are responsible for a particular action
So how it work in detail? Is it a process/protocol or a specific type of NAT?
Best Answer
You must remember that a flow using NAT will look like two different flows: a flow pre-NAT, and a flow post-NAT. This is because NAT is changing one or more of the addresses in the packets. This can present a distorted view of your flows.
As Cisco explains it, NAT stitching will stitch the (apparently) separate flows to give you the single flow view:
The Cisco Press book NetFlow for Cybersecurity goes into more detail: