NAT and PAT

Phil3021 Member Posts: 17
Hi everyone,
I have a little confusion on NAT and PAT. I know what they do (translate private addressing to public), but I just want to verify a few things. Is it true that NAT will translate each private address to a public address and PAT will transfer many private addresses to one public address? Can someone verify this for me or correct me if I am on the wrong track? If my statement is right, then what is the benefit of running NAT if every device would need a public address anyway, apart from security? I can see how PAT would save a lot of IP addresses, as a public address would share a private address. I'm not sure if this is a good comment, but I'm sure someone will correct me if I am wrong: you can have all your servers (e.g. DNS and routers) using NAT, because they would need a fixed address, and have all your hosts using PAT, as they could share the same public addresses. So that would mean you would have NAT and PAT implemented on a router. Can you do this?

Comments

  • 2Tall Member Posts: 9
    Phil3021 wrote:
    Is it true that NAT will translate each private address to a public address and PAT will transfer many private addresses to one public address? ... So that would mean you would have NAT and PAT implemented on a router. Can you do this?

    I can answer part of your question: you have the concept of NAT and PAT correct. A great example of PAT is a proxy server or a Windows ICS box. I wish I could go more in depth with my answer, but I need to do some brushing up myself. There is a great site {www.firewall.cx} that covers NAT/PAT in depth. Here is a direct link to get you started (or you can go to the main page and, under the Firewalls drop-down menu, select Network Address Translation): http://www.firewall.cx/nat-intro.php. It's 9 pages long, so grab your bucket of popcorn.
  • Webmaster Admin Posts: 10,292
    I seem to have missed this post...

    Perhaps this clears it up: PAT is Port Address Translation

    It is a 'subset' of NAT. For example, you can use NAT to translate a private IP address of an internal web server to a public one (and vice versa); with PAT added, you can configure the internal web server to use port 1808, for example, instead of 80 and let NAT (PAT actually) translate the port address.
  • 2Tall Member Posts: 9
    Here's what I was taught: there are three different types of "Network Address Translation".

    You have static NAT, where you have one external (real) IP address for every private internal address that's going to access the internet, and your NAT table holds all the mappings.

    Then there is dynamic NAT, where you have reserved a range of external IP addresses that are available for use when a node/nodes on the internal network requests internet access. The router/box performing NAT strips the source IP and inserts an available internet-friendly IP address in place of it (67.2.240.107). Let's say this same machine requesting internet access has an inactivity period of 5 minutes and then requests internet access again: the outgoing packet could be assigned a different address from the pool this time (67.2.240.108), since its previous internal-to-external IP mapping expired from the NAT table.

    Then you have "NAT Overload", AKA NAPT (Network Address Port Translation), NAT with PAT (Port Address Translation), or just simply PAT, also known as IP Masquerade in the Linux/Unix world. With "NAT Overload" [aka PAT] you have ONE external address for all your internet connections, and the device running PAT keeps track of the transmissions via the source and destination port numbers. If two outgoing requests happen to have the same source and destination ports (and the first outgoing request's response has not been received), the device running PAT will actually translate the 2nd outgoing port address into a different one (in the range of 1025 to 65500) and file that away in the NAT table. I specifically remember my ex-FBI commando-style drill sergeant teacher explaining to the class that the process I described above is PAT.

    Johan, it seems to me that what you described above is NAT with port forwarding implemented for a specific IP address.

    That link I posted above explains the different types of address translation very well and is a great read. Here is a direct link to the NAT overload/PAT section if you'd like to just check that out: http://www.firewall.cx/nat-overload-part1.php

    ...that's just what I was taught; there's definitely a chance I could be wrong.
  • Webmaster Admin Posts: 10,292
    there's definitely a chance I could be wrong
    Same here;)

    Nice doc, but when it comes to topics like this, especially from a Cisco certification perspective you need only one site: www.cisco.com ;)

    www.cisco.com/en/US/tech/tk648/tk361/tech_tech_notes_list.html

    www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0080091cb9.shtml

    www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml
    Johan, it seems to me that what you described above is NAT with port forwarding implemented for a specific IP address.
    It seems I did...

    I guess you are saying that PAT is like dynamic NAT, but instead of using different IP addresses it uses different port numbers to distinguish the internal hosts...
    Phil3021 wrote:
    and PAT will transfer many private addresses to one public address?
    2Tall wrote:
    you have ONE external address for all your internet connections
    Cisco wrote:
    private addresses to one or more outside
    Cisco wrote:
    Several internal addresses can be NATed to only one or a few external addresses by using a feature called Port Address Translation (PAT) which is also referred to as "overload", a subset of NAT functionality

    Sorry if I caused any confusion, thanks for educating me :D I'll remember this thread when I'll write the NAT TechNotes ;)
  • 2Tall Member Posts: 9
    Nice doc, but when it comes to topics like this, especially from a Cisco certification perspective you need only one site: www.cisco.com

    I agree. I just happened to be browsing the sections of this great site and noticed the topic, and figured I'd drop down what I learned and see if that correlated with the Cisco curriculum. I am in the Cisco Academy and I'm beginning module 2 tomorrow, so I will start getting into router configuration etc. I'm sure there will be plenty of times where you will be taking me to school in this forum as I go through the modules and prepare for the CCNA myself ... so Cisco doesn't differentiate

    ... I found it odd that Cisco described PAT as using one OR MORE "real world" IP addresses... until I read this and the lightbulb came on:
    Several internal addresses can be NATed to only one or a few external addresses by using a feature called Port Address Translation (PAT) which is also referred to as "overload", a subset of NAT functionality.

    PAT uses unique source port numbers on the Inside Global IP address to distinguish between translations. Because the port number is encoded in 16 bits, the total number could theoretically be as high as 65,536 per IP address. PAT will attempt to preserve the original source port; if this source port is already allocated, PAT will attempt to find the first available port number starting from the beginning of the appropriate port group 0-511, 512-1023 or 1024-65535. If there is still no port available from the appropriate group and more than one IP address is configured, PAT will move to the next IP address and try to allocate the original source port again. This continues until it runs out of available ports and IP addresses.
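As an added example that is not code from this thread, from firewall.cx or from Cisco, the following Python simulator implements the PAT translation table that 2Tall describes earlier (one inside-global address, collisions resolved by rewriting the source port) using the exact allocation rule quoted from Cisco above: keep the original source port if it is free on the inside-global address, otherwise take the first free port from the beginning of the same port group (0-511, 512-1023, 1024-65535), and when that group is exhausted move to the next configured inside-global address. The addresses and hosts are constructed (203.0.113.0/24 is a documentation range), and keeping separate TCP and UDP port namespaces is an assumption about the device rather than part of the quote.

```python
"""PAT (NAT overload) translation-table simulator.

Added example for this thread; not code from the forum, from firewall.cx
or from Cisco. Port allocation follows the Cisco rule quoted above:
preserve the original source port when free, else scan the same port
group (0-511, 512-1023, 1024-65535) from its beginning, else move to the
next inside-global address. Separate TCP/UDP namespaces and all
addresses below are assumptions/constructed sample data.
"""
from dataclasses import dataclass, field
from itertools import chain

PORT_GROUPS = ((0, 511), (512, 1023), (1024, 65535))


def port_group(port):
    """Return the (low, high) bounds of the Cisco port group containing `port`."""
    for lo, hi in PORT_GROUPS:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"port out of range: {port}")


@dataclass
class PatTable:
    """One overloaded NAT device with one or more inside-global addresses."""
    global_addrs: list
    # outbound key:   (inside_local_ip, inside_local_port, proto)
    # outbound value: (inside_global_ip, inside_global_port)
    outbound: dict = field(default_factory=dict)
    # inbound is the reverse map; replies are delivered through it
    inbound: dict = field(default_factory=dict)

    def translate_out(self, src_ip, src_port, proto="tcp"):
        """Translate an outgoing packet's source, allocating a mapping if needed."""
        key = (src_ip, src_port, proto)
        if key in self.outbound:  # an existing translation is simply reused
            return self.outbound[key]
        lo, hi = port_group(src_port)
        for gaddr in self.global_addrs:
            # Try to preserve the original port first, then scan the group from
            # its beginning (so the second host reusing a busy high port lands
            # on 1024, not on the port right after the one in use). Note the
            # quoted rule includes port 0 in the first group; this follows it.
            for gport in chain((src_port,), range(lo, hi + 1)):
                if (gaddr, gport, proto) not in self.inbound:
                    self.outbound[key] = (gaddr, gport)
                    self.inbound[(gaddr, gport, proto)] = (src_ip, src_port)
                    return gaddr, gport
        # Every port of this group on every configured address is in use
        raise RuntimeError("PAT: no free port on any inside-global address")

    def translate_in(self, dst_ip, dst_port, proto="tcp"):
        """Map a reply's destination back to the inside host, or None if unknown.

        An unsolicited inbound packet with no table entry gets None, i.e. it is
        dropped: that is the security side effect the original post alludes to.
        """
        return self.inbound.get((dst_ip, dst_port, proto))


def demo():
    """Three inside hosts behind one inside-global address, same source port."""
    pat = PatTable(["203.0.113.10"])
    a = pat.translate_out("192.168.1.10", 40000)    # ('203.0.113.10', 40000)
    b = pat.translate_out("192.168.1.11", 40000)    # ('203.0.113.10', 1024)
    c = pat.translate_out("192.168.1.12", 40000)    # ('203.0.113.10', 1025)
    reply = pat.translate_in("203.0.113.10", 1024)  # ('192.168.1.11', 40000)
    return a, b, c, reply


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Two things the simulator leaves out on purpose: real devices also key entries on the destination address and port, and they age mappings out after an idle period (the same timeout behaviour 2Tall describes for dynamic NAT), so a reply arriving after the entry expired is dropped just like any other unsolicited packet.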
  • Webmaster Admin Posts: 10,292
    I see what you mean:

    "In the end there can be only one" ;)
  • techman-aka-Format Inactive Imported Users Posts: 59
    May it be Duncan MacLeod the Highlander! Just kidding guys, a little bit of humor! Great stuff on NAT and PAT!
    information belongs to the public! hack the planet!
  • 2Tall Member Posts: 9
    Re-upping this post because it is a really good read! [I revisited specifically to find the link to http://www.firewall.cx/ that I lost when the HD went out ... I was asking for it by not backing up though ;)]

    I just read through this post, and reading what I typed was like reading someone else's post; I've been away from doing networking like this for too long!