PAT, NAT, DNAT...how to tell which one?
I've gone through some practice test questions that talk about network translation - PAT, NAT, DNAT. I'm still not sure which one applies to which situation. Can anyone help me understand how these are used correctly?
Comments
f0rgiv3n (Member, Posts: 598)
Without examples I would say that it would be best for you to understand what the acronyms mean:
PAT - PORT address translation
NAT - Network address translation
DNAT - Destination NAT
PAT basically means that you're translating one port to another. A common use for this is if you only have one public IP address but need to have multiple services published out to the Internet. Say your public IP is 2.2.2.2:
Customer -> port 3389 -> [2.2.2.2] -> 3389 -> 192.168.1.10 (RDP server)
Customer -> port 80 -> [2.2.2.2] -> 80 -> 192.168.1.11 (HTTP server)
You don't have to keep the ports the same; I just did it for simplicity's sake.
NAT:
Insider [192.168.1.11] --> [2.2.2.2] --> google.com
What happens is google.com never sees that the real request is coming from 192.168.1.11, it sees 2.2.2.2 because the [source] address was translated to the public IP address of the router/firewall.
DNAT:
Insider [192.168.1.22] --- going to 192.168.1.24 --> [firewall/router] --> destination changed to 192.168.1.20 --> [192.168.1.20]
instant000 (Member, Posts: 1,745)
NAT - network address translation
DNAT - dynamic network address translation
PAT - port address translation (also called NAT overload)
static NAT - static network address translation
NAT - is network address translation.
NAT is basically a translation from one network address, to another one.
static NAT - means that the address ALWAYS translates to the same address, every single time
dynamic NAT - means that the address may translate to one of several addresses; it doesn't necessarily have a one-to-one correspondence like static NAT. Dynamic NAT is used with a pool of addresses that addresses can be translated to.
PAT - means that the translation is to an address/port combination, such that one address can "overload" the NAT.
that is, one address can translate to 10.10.10.1:50000 and another address can translate to 10.10.10.1:40000, for example.
The form of NAT most familiar to you would probably be PAT, as your home internet connection uses a PAT so that multiple devices inside your home network connect out through a single global address. Each of your internal devices translates to a different address/port combination.
About the only way this can make more sense is if you configure it.
Hope this helps!
EDIT: I may have made an example of this before somewhere. If I can find it, I'll try to post it here. (No need to reinvent the wheel.)
Currently Working: CCIE R&S
LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
David_P (Member, Posts: 18)
If I'm understanding you guys correctly, NAT just changes a private IP to a public IP to get out onto the internet, a one-to-one relationship, right? And PAT takes all my devices on my private network and changes them to a single public address to get out onto the internet? A many-to-one relationship?
I just found an example that makes sense to me about DNAT:
Assume for a moment that Joe has an internal network at his home. It has a firewall performing traditional network address translation (NAT) between public IP addresses on the Internet, and private IP addresses on his internal network. Within his internal network, Joe has created a web server with a private IP address of 192.168.1.100. Joe wants to be able to access this web server while he’s away from home.
He can configure port forwarding (or DNAT) on the firewall, mapping port 8080 traffic to 192.168.1.100 port 80. As long as he knows the public IP address of his router, he can connect to his internal web server using port 8080 with a standard web browser. For example, if his router was assigned a public IP address of 70.160.136.150, he could plug this into a web browser while away from home: 70.160.136.150:8080
When the traffic hit the firewall, DNAT would change the destination IP address and port to 192.168.1.100 and port 80, and the packet would be rerouted to the web server.
Hopefully I'm understanding the difference between the 3 now.
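As an added example (not code from anyone in this thread), here is a small Python model of a NAT device that behaves the way f0rgiv3n's and instant000's definitions above and David_P's port-forwarding example describe: a static one-to-one mapping, a dynamic pool that is one-to-one while a lease is held, PAT/overload that shares one outside address by handing out distinct ports, and destination NAT that rewrites the destination of inbound traffic. All addresses are constructed sample values, and the precedence order (static first, then the pool, then overload onto the outside address once the pool is exhausted) is an assumption of the model, not a claim about any vendor's implementation. The interesting part for a defender is the inbound path: a PAT reply only gets back in because a session entry exists, a DNAT rule lets unsolicited traffic in, and anything else has no translation and is dropped.

```python
"""Toy NAT / PAT / DNAT translation table (added example, not from the thread).

Modes modelled, using the thread's terms:
  static NAT   : one inside address always maps to the same outside address
  dynamic NAT  : inside addresses lease an address from a pool (one-to-one while leased)
  PAT/overload : many inside addresses share one outside address, told apart by port
  DNAT         : destination IP:port rewritten on the way in (port forwarding)
Addresses and precedence order below are constructed assumptions, not a vendor's behaviour.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint


@dataclass
class NatDevice:
    outside_ip: str
    static_map: Dict[str, str] = field(default_factory=dict)          # inside ip -> outside ip
    pool: List[str] = field(default_factory=list)                     # dynamic NAT pool
    dnat_map: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # outside ip:port -> inside ip:port
    _pool_leases: Dict[str, str] = field(default_factory=dict)        # inside ip -> leased pool ip
    _pat_table: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # outside ip:port -> inside ip:port
    _next_port: int = 40000                                           # next free overload port

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Source translation for traffic leaving the inside network."""
        ip, port = pkt.src
        # 1. static NAT: always the same outside address, port untouched
        if ip in self.static_map:
            return Packet((self.static_map[ip], port), pkt.dst)
        # 2. dynamic NAT: reuse an existing lease or take a free pool address
        if ip in self._pool_leases:
            return Packet((self._pool_leases[ip], port), pkt.dst)
        free = [p for p in self.pool if p not in self._pool_leases.values()]
        if free:
            self._pool_leases[ip] = free[0]
            return Packet((free[0], port), pkt.dst)
        # 3. PAT / overload: pool exhausted, share outside_ip and pick a unique port
        for outside, inside in self._pat_table.items():
            if inside == pkt.src:
                return Packet(outside, pkt.dst)
        outside = (self.outside_ip, self._next_port)
        self._next_port += 1
        self._pat_table[outside] = pkt.src
        return Packet(outside, pkt.dst)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Destination translation for traffic arriving from outside; None means drop."""
        # reply to a PAT session: the outside port identifies the inside host
        if pkt.dst in self._pat_table:
            return Packet(pkt.src, self._pat_table[pkt.dst])
        # reply to a static or dynamic one-to-one mapping
        for inside, outside in {**self.static_map, **self._pool_leases}.items():
            if pkt.dst[0] == outside:
                return Packet(pkt.src, (inside, pkt.dst[1]))
        # DNAT / port forwarding: unsolicited inbound allowed by an explicit rule
        if pkt.dst in self.dnat_map:
            return Packet(pkt.src, self.dnat_map[pkt.dst])
        return None  # no translation exists, so a real firewall would drop it


def demo() -> dict:
    """Run each mode once and return the observed translations."""
    fw = NatDevice(outside_ip="2.2.2.2",
                   static_map={"192.168.1.10": "2.2.2.10"},
                   pool=["2.2.2.20"],
                   dnat_map={("2.2.2.2", 8080): ("192.168.1.100", 80)})
    results = {}
    # static NAT: the server always appears as 2.2.2.10
    results["static"] = fw.translate_outbound(Packet(("192.168.1.10", 51000), ("198.51.100.5", 53))).src
    # dynamic NAT: first ordinary host gets the one pool address
    results["dynamic"] = fw.translate_outbound(Packet(("192.168.1.11", 51001), ("198.51.100.5", 80))).src
    # PAT: pool is now empty, so the next two hosts share 2.2.2.2 on different ports
    a = fw.translate_outbound(Packet(("192.168.1.12", 51002), ("198.51.100.5", 80)))
    b = fw.translate_outbound(Packet(("192.168.1.13", 51002), ("198.51.100.5", 80)))
    results["pat"] = (a.src, b.src)
    # the reply to host b is steered back by its outside port alone
    results["pat_reply"] = fw.translate_inbound(Packet(("198.51.100.5", 80), b.src)).dst
    # DNAT: an outsider hitting 2.2.2.2:8080 is rewritten to the web server on port 80
    results["dnat"] = fw.translate_inbound(Packet(("203.0.113.5", 60000), ("2.2.2.2", 8080))).dst
    # unsolicited inbound with no session and no DNAT rule is not translated
    results["unmapped"] = fw.translate_inbound(Packet(("203.0.113.5", 60001), ("2.2.2.2", 22)))
    return results


if __name__ == "__main__":
    for mode, value in demo().items():
        print(f"{mode:10s} {value}")
```

Running it shows the practice-question answer in action: hosts 192.168.1.12 and 192.168.1.13 both leave as 2.2.2.2, distinguished only by the port the device assigned, which is exactly the many-to-one behaviour the thread calls PAT or NAT overload.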
f0rgiv3n (Member, Posts: 598)
Check which DNAT you're referring to. DNAT as I described is "Destination NAT", which is different from what instant000 described, which is "Dynamic NAT".
f0rgiv3n (Member, Posts: 598)
> David_P wrote: »
> If I'm understanding you guys correctly, NAT just changes a private IP to a public IP to get out onto the internet, a one-to-one relationship, right? And PAT takes all my devices on my private network and changes them to a single public address to get out onto the internet? A many-to-one relationship?
> I just found an example that makes sense to me about DNAT:
> When the traffic hit the firewall, DNAT would change the destination IP address and port to 192.168.1.100 and port 80, and the packet would be rerouted to the web server.
While this is technically correct, it's a bit of a weird way to think about it IMHO. Don't relate port forwarding to DNAT. Port forwarding is something that is more related to PAT. The NAT portion is always an IP -> different IP; it doesn't matter if it's changing destination or source, it's always NAT, from a pool of addresses (dynamic) or a single IP (static).
Destination NAT literally changes the destination IP to a different one; it's redirecting the request elsewhere.
David_P (Member, Posts: 18)
> f0rgiv3n wrote: »
> Check which DNAT you're referring to. DNAT as I described is "Destination NAT", which is different from what instant000 described, which is "Dynamic NAT".
Destination Network Address Translation
instant000 (Member, Posts: 1,745)
Thanks for clarifying destination NAT versus dynamic NAT. I was way off.
I found an example, but it was from a school assignment, and it doesn't say much more than what's here, other than including a few screenshots from a router.
Not sure that helps, though, at this point.
One of the best ways to learn this would be if you configured this yourself and saw what happened.
David_P (Member, Posts: 18)
I couldn't find the practice test question yesterday, but I just found it.
Sara, the security administrator, must configure the corporate firewall to allow all public IP addresses on the internal interface of the firewall to be translated to one public IP address on the external interface of the same firewall. Which of the following would Sara configure?
A PAT
B NAP
C DNAT
D NAC
Book says A. But to me, from the descriptions mentioned above, it would be C. I guess I'm still confused.
instant000 (Member, Posts: 1,745)
The book is correct.
Port address translation is probably what they're looking for.
This attachment should explain the "port address translation" a little better. It was an assignment I did about SOHO routers configuration.
TASK.pdf
It covers it within the first 10 pages, I believe.
EDIT: From looking at the paper, I used the term "NAT overload"; that's the same thing your book calls port address translation (PAT).
EDIT2: My paper also used the term dynamic NAT, and not destination NAT.
Hope this helps.
ralbertos21 (Member, Posts: 27)
> instant000 wrote: »
> NAT - network address translation
> DNAT - dynamic network address translation
> PAT - port address translation (also called NAT overload)
> static NAT - static network address translation
> NAT - is network address translation.
> NAT is basically a translation from one network address, to another one.
> static NAT - means that the address ALWAYS translates to the same address, every single time
> dynamic NAT - means that the address may translate to one of several addresses; it doesn't necessarily have a one-to-one correspondence like static NAT. Dynamic NAT is used with a pool of addresses that addresses can be translated to.
> PAT - means that the translation is to an address/port combination, such that one address can "overload" the NAT.
> that is, one address can translate to 10.10.10.1:50000 and another address can translate to 10.10.10.1:40000, for example.
> The form of NAT most familiar to you would probably be PAT, as your home internet connection uses a PAT so that multiple devices inside your home network connect out through a single global address. Each of your internal devices translates to a different address/port combination.
> About the only way this can make more sense is if you configure it.
> Hope this helps!
> EDIT: I may have made an example of this before somewhere. If I can find it, I'll try to post it here. (No need to reinvent the wheel.)
Now I get it, lol.