Nat/pat

I'm reading odoms icnd1.

He describes NAT as using port numbers in order to differentiate between internal hosts for the purpose of packets coming in from the internet.

My problem is that port numbers are common to programs, what if two hosts on the internal net are getting replies on the same port? How do we know where to route them?

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

mikem2te

daveccna wrote: »

I'm reading odoms icnd1.

He describes NAT as using port numbers in order to differentiate between internal hosts for the purpose of packets coming in from the internet.

My problem is that port numbers are common to programs, what if two hosts on the internal net are getting replies on the same port? How do we know where to route them?

When a program on your computer such as Internet Explorer sends a request to the internet it sends a packet to the HTTP server with a destination port of port 80 but the source port is a random generated port. The HTTP server sends its reply to the source port specified.

PAT basically replaces or translates the source port of the outbound packet with it's own randomly generated source port. The destination port is still port 80.

The router tracks the source ports translations, when the HTTP server replies it transposes the source and detination ports, the reply is sent with the source port or 80 and the destination port is the port generated by the router. The router looks this port up in it's NAT table then redirects the packet to the original internal host.

notgoing2fail

daveccna wrote: »

I'm reading odoms icnd1.

He describes NAT as using port numbers in order to differentiate between internal hosts for the purpose of packets coming in from the internet.

My problem is that port numbers are common to programs, what if two hosts on the internal net are getting replies on the same port? How do we know where to route them?

You can't do that with NAT.

With NAT, it's a one to one relationship with the internal host and some outside public IP.

So if you ONLY have ONE public IP address, you can either do a one to one IP mapping or port forwarding to your program internally.

For example, you have 2 internal webservers listening on port 80.

Since you only have one public IP, then you can only forward outside traffic to one web server. The NAT router won't get confused. It won't allow you to create entries for 2 internal programs listening on the same port and not knowing where to direct the incoming traffic?

Make sense?

(of course I'm assuming you only have one public IP, if you have more, then the scenario changes....)

mikem2te

daveccna wrote: »

I'm reading odoms icnd1.

He describes NAT as using port numbers in order to differentiate between internal hosts for the purpose of packets coming in from the internet.

My problem is that port numbers are common to programs, what if two hosts on the internal net are getting replies on the same port? How do we know where to route them?

If you are talking about running multiple servers inside your own network, whether email, web, SSH for remote router access, you can't. There needs to be something to make the incoming traffic unique, eg have multiple IP addresses on your wan/internet link or use a different port for each internal host.

What is possible is to configure NAT to translate / port forward incoming connections.

It is possible to have two internal HTTP servers using port 80, the router can be configured to forward incoming traffic on port 80 to server 1 and forward incoming traffic on port 81 to server 2 but translate incoming port 81 to port 80 as used by the server.

EDIT : Looks like "notgoing2fail" beat me to my reply.

daveccna

Thanks guys, I didn't realise that the outgoing source ports from the internal LAN were randomised.

I knew about the services ports but a reminder is always good.

Dilbert65

Keep in mind that Nat does nothing with swapping ports around. Nat just takes a non-routable ip to a routable ip address on the outside link for outgoing traffic and then reverses the process with incomming traffic.

Now PAT on the other hand is what changes the ports around.

Make sure you keep those 2 seperate cause you never know what the test may ask

CiskHo

Sounds like you need "PAT overloading". Here is a NAT FAQ from Cisco:
Network Address Translation (NAT) FAQ - Cisco Systems

PAT with One IP Address
Condition Description
1) NAT/PAT inspects traffic and matches it to a translation rule.

2) Rule matches to a PAT configuration.

3) If PAT knows about the traffic type and if that traffic type has "a set of specific ports or ports it negotiates" that it will use, PAT sets them aside and does not allocate them as unique identifiers.

4) If a session with no special port requirements attempts to connect out, PAT translates the IP source address and checks availability of the originated source port (433, for example). Note: For Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), the ranges are: 1-511, 512-1023, 1024-65535. For Internet Control Message Protocol (ICMP), the first group starts at 0.

5) If the requested source port is available, PAT assigns the source port, and the session continues.

6) If the requested source port is not available, PAT starts searching from the beginning of the relevant group (starting at 1 for TCP or UDP applications, and from 0 for ICMP).

7) If a port is available it is assigned, and the session continues. If no ports are available, the packet is dropped.