PAT, NAT, DNAT...how to tell which one?

I've gone through some practice test questions that talk about network translation - PAT, NAT, DNAT. I'm still not sure which one applies to which situation. Can anyone help me understand how these are used correctly?

Find more posts tagged with

Comments

SecurityThroughObscurity

make some examples.

f0rgiv3n

Without examples I would say that it would be best for you to understand what the acronyms mean:
PAT - PORT address translation
NAT - Network address translation
DNAT - Destination NAT

PAT basically means that you're translating one port to another. A common use for this is if you only have one public IP address but need to have multiple services published out to the Internet. Say your public IP is 2.2.2.2:

Customer

> Port 3389 -> [2.2.2.2] -> 3389 -> 192.168.1.10(RDP server)
Customer

> Port 80 -> [2.2.2.2] -> 80 -> 192.168.1.11 (HTTP server)

You don't have to keep the ports the same, i just did it for simplicity sake.

NAT:

Insider[192.168.1.11] --> [2.2.2.2]

> google.com

What happens is google.com never sees that the real request is coming from 192.168.1.11, it sees 2.2.2.2 because the [source] address was translated to the public IP address of the router/firewall.

DNAT:

Insider[192.168.1.22]---going to 192.168.1.24--> [firewall/router] -> destination changed to going to 192.168.20->>> [192.168.1.20]

instant000

NAT - network address translation
DNAT - dynamic network address translation
PAT - port address translation (also called NAT overload)
static NAT - static network address translation

NAT - is network address translation.
NAT is basically a translation from one network address, to another one.
static NAT - means that the address ALWAYS translates to the same address, every single time
dynamic NAT - means that the address may translate to one of several addresses, it doesn't necessarily have a one-to-one correspondence, like the static NAT. dynamic NAT is used with a pool of addresses that addresses could be translated to
PAT - means that the translation is to a address/port combination, such that one address can "overload" the NAT.
that is, one address can translate to 10.10.10.1:50000 and another address can translate to 10.10.10.1:40000, for example.

The form of NAT most familiar to you would probably be PAT, as your home internet connection uses a PAT so that multiple devices inside your home network connect out through a single global address. Each of your internal devices translates to a different address/port combination.

About the only way this can make more sense, is if you configure it

Hope this helps!

EDIT: I may have made an example of this before somewhere. If I can find it, I'll try to post it here. (No need to reinvent the wheel.)

David_P

If I understanding you guys correctly, NAT just changes a private IP to a public IP to get out onto the internet, a one-one relationship, right? And PAT takes all my devices on my private network and changes it to a single public address to get out onto the internet? A many to one relationship?

I just found an example that makes sense to me about DNAT:

Assume for a moment that Joe has an internal network at his home. It has a firewall performing traditional network address translation (NAT) between public IP addresses on the Internet, and private IP addresses on his internal network. Within his internal network, Joe has created a web server with a private IP address of 192.168.1.100. Joe wants to be able to access this web server while he’s away from home.

He can configure port forwarding (or DNAT) on the firewall mapping port 8080 traffic to 192.168.1.100 port 80 As long as he knows the public IP address of his router, he can connect to his internal web server using port 8080 with a standard web browser. For example, if his router was assigned a public IP address of 70.160.136.150, he could plug this into a web browser while away from home: 70.160.136.150:8080

When the traffic hit the firewall, DNAT would change the destination IP address and port to 192.168.1.100 and port 80, and the packet would be rerouted to the web server.

Hopefully I'm understanding the difference between the 3 now.

f0rgiv3n

Check which DNAT you're referring to. DNAT as I described is "Destination NAT" which is different than what instant000 described which is "Dynamic NAT".

f0rgiv3n

David_P wrote: »

If I understanding you guys correctly, NAT just changes a private IP to a public IP to get out onto the internet, a one-one relationship, right? And PAT takes all my devices on my private network and changes it to a single public address to get out onto the internet? A many to one relationship?

No, NAT is the fundamental process of translating one IP to another. You can do a one-to-one NAT or a many-to-one NAT. PAT is almost always involved when it's a many-to-one NAT. No PAT necessary for a one-to-one NAT. Why is PAT necessary or not? If all of your PCs are sharing a single IP address and say two PCs just sent a request to a web server (destination port 80, source port 2343). The firewall would translate the source IP to the public IP of the firewall. Without PAT the source port would still be 2343. Can you see the problem there? You now have two requests from two different PCs with the same exact source IP and Port. This is where PAT comes into play (also why it's called NAT overload). PAT dynamically assigns a source port when it does the NAT. So the source IP will still be the public IP address but the source port will be different... Hopefully I'm making sense

David_P wrote: »

I just found an example that makes sense to me about DNAT:
When the traffic hit the firewall, DNAT would change the destination IP address and port to 192.168.1.100 and port 80, and the packet would be rerouted to the web server.

While this is technically correct it's a bit of a weird way to think about it IMHO. Don't relate port forwarding to DNAT. Port forwarding is something that is more related to PAT. the NAT portion is always an IP->different IP it doesn't matter if it's changing destination or source, it's always NAT. From a pool of addresses (dynamic) or a single IP (static).

Destination NAT literally changes the destination IP to a different one, it's redirecting the request elsewhere.

David_P

f0rgiv3n wrote: »

Check which DNAT you're referring to. DNAT as I described is "Destination NAT" which is different than what instant000 described which is "Dynamic NAT".

Destination Network Address Translation

instant000

Thanks for clarifying destination NAT versus dynamic NAT. I was way off.

I found an example, but it was from a school assignment, and it doesn't say much more than whats here, other than including a few screenshots from a router.

Not sure that helps, though, at this point.

One of the best ways to learn this would be if you configured this yourself and saw what happened.

David_P

Is there a link or attachment for your example Instant?

David_P

I couldn't find the practice test question yesterday, and I just found it.

Sara, the security administrator, must configure the corporate firewll to allow all public IP addresses on the internal interface of the firewall to be translated to one public IP address on the external interface of the same firewall. Which of the following would Sara configure?

A PAT
B NAP
C DNAT
D NAC

Book says, A. But to me from the descriptions mentioned above, it would be C. I guess I'm still confused.

m4uri

which book ?

instant000

The book is correct.

Port address translation is probably what they're looking for.

This attachment should explain the "port address translation" a little better. It was an assignment I did about SOHO routers configuration.

Attachment not found.

It covers it within the first 10 pages, I believe.

EDIT: From looking at the paper, I used the term "NAT overload" that's the same one as what your book calls port address translation (PAT).

EDIT2: My paper also used the term dynamic NAT, and not destination NAT.

Hope this helps.

TASK.pdf

David_P

Thank you. Your paper did help clear it up.

ralbertos21

instant000 wrote: »

NAT - network address translation
DNAT - dynamic network address translation
PAT - port address translation (also called NAT overload)
static NAT - static network address translation

NAT - is network address translation.
NAT is basically a translation from one network address, to another one.
static NAT - means that the address ALWAYS translates to the same address, every single time
dynamic NAT - means that the address may translate to one of several addresses, it doesn't necessarily have a one-to-one correspondence, like the static NAT. dynamic NAT is used with a pool of addresses that addresses could be translated to
PAT - means that the translation is to a address/port combination, such that one address can "overload" the NAT.
that is, one address can translate to 10.10.10.1:50000 and another address can translate to 10.10.10.1:40000, for example.

The form of NAT most familiar to you would probably be PAT, as your home internet connection uses a PAT so that multiple devices inside your home network connect out through a single global address. Each of your internal devices translates to a different address/port combination.

About the only way this can make more sense, is if you configure it

Hope this helps!

EDIT: I may have made an example of this before somewhere. If I can find it, I'll try to post it here. (No need to reinvent the wheel.)

now I get it Lol