12-11-2013 12:07 PM - edited 03-11-2019 08:16 PM
Could anyone explain or point me to a document available somewhere that explains Flat and Extended PAT in a little more detail?
Thanks in advance
12-11-2013 01:20 PM
Not sure of any document, but perhaps if I try to explain it might help. In the example we will use
H1 with an IP 192.168.5.1
S1 with an IP 10.10.10.1. S1 is a web server (port 80) and also an SSH server (port 22)
H1 src IP is PAT to 172.16.10.1
Flat PAT
=======
H1 makes an HTTP connection to S1. Now let's say for argument's sake the source port is 501 (it normally wouldn't be, it would be much higher, but for this example we will use 501). Without Flat PAT this is what happens -
1) the ASA receives the packet from H1 and does a PAT on the src IP and port. The IP will change to 172.16.10.1. If the src port number has not already been used in another PAT then it will leave it unchanged. But if it is in use then it needs to find a new unused port number.
2) the ASA will use ranges to find an unused port to use. These ranges are -
1 - 511
512 - 1023
1024 - 65535
The source port is 501 so the ASA needs to find an unused port within the 1 - 511 range. It cannot use any of the other ranges. If there are no unused ports available in that range because they have already been used up for other translations then it cannot do the translation.
3) Enabling Flat PAT means that restriction is lifted so the ASA can use any unused port in the 1024 - 65535 range for translation, i.e. it does not have to use a port from the same range. If you want ports below 1024 to be included in the available range then use the "include-reserve" keyword.
As I say, HTTP is not in the real world a practical example because the client does not use low ports as the src port, but there are applications that do and you could in theory run out.
Extended PAT
===========
H1 connects to S1 on port 22 and port 80
Without extended PAT you would need two ports for the translation, i.e.
192.168.5.1 src port 1151 -> PAT 172.16.5.1 1224 -> S1 (port 22)
192.168.5.1 src port 1152 -> PAT 172.16.5.1 1225 -> S1 (port 80)
Note I have assumed in the above that ports 1151 and 1152 were already in use in other PATs so the port needs to be changed.
Now what happens if there are more than 65535 PAT connections using 172.16.5.1? The ASA has run out of ports to use for address translations. This could happen because, remember, in the real world PAT is used primarily on public IPs and a lot of companies do not have many public IPs. So they have many private IPs and they use PAT to change all the private IPs to 172.16.5.1.
With extended PAT, instead of only allowing 65535 address translations per IP address as above, you can have 65535 address translations per service, i.e. per application. So the above translations could be redone as -
192.168.5.1 src port 1151 -> PAT 172.16.5.1 1224 -> S1 (port 22)
192.168.5.1 src port 1152 -> PAT 172.16.5.1 1224 -> S1 (port 80)
Notice that the translated port is now the same for both connections, i.e. 1224. This can be done because the ASA can now keep track of the service in use as well. It does this by using the destination IP and destination port as part of the PAT.
So instead of using up 2 ports for PAT you have used up one. Obviously if 192.168.5.1 connected to S1 on 100 different ports, without extended PAT you would use up 100 ports, but with extended PAT still only one.
Does the above make any sense or have I just confused the issue for you?
Jon
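To make the port-allocation rules in Jon's answer concrete, here is a small simulation added to this thread; it is not Cisco's code or anything from the ASA, just a simplified model of the behaviour he describes (the three port ranges, flat PAT with and without include-reserve, and extended PAT keyed on destination IP and port). The `PatTable` class, the rule of keeping the original source port only when it is free and inside the allowed range, and all host addresses and port numbers are constructed for the example.

```python
"""Toy model of PAT port allocation on a Cisco ASA, written as an added
example to illustrate the behaviours described in the answer above. This is
not Cisco code: the allocation policy is a simplified reading of that
explanation, not the ASA's actual implementation, and all addresses and
ports are constructed."""

from dataclasses import dataclass, field

# Port ranges used when flat PAT is off: a replacement port must come from
# the same range as the original source port.
RANGES = [(1, 511), (512, 1023), (1024, 65535)]


class PatExhausted(Exception):
    """No translated port is available for the new flow."""


@dataclass
class PatTable:
    pat_ip: str
    flat: bool = False             # flat PAT: any free port in 1024-65535
    include_reserve: bool = False  # with flat: also allow 1-1023
    extended: bool = False         # extended PAT: per (dst ip, dst port) scope
    # Translated ports in use, grouped by scope. Without extended PAT every
    # flow on the PAT IP shares one scope; with it, each destination IP/port
    # pair gets its own 1-65535 space.
    used: dict = field(default_factory=dict)

    def _scope(self, dst_ip, dst_port):
        return (self.pat_ip, dst_ip, dst_port) if self.extended else (self.pat_ip,)

    def _candidates(self, src_port):
        if self.flat:
            return range(1 if self.include_reserve else 1024, 65536)
        for lo, hi in RANGES:
            if lo <= src_port <= hi:
                return range(lo, hi + 1)
        raise ValueError(f"invalid port {src_port}")

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Allocate a translated port for a new flow; return (pat_ip, port)."""
        taken = self.used.setdefault(self._scope(dst_ip, dst_port), set())
        candidates = self._candidates(src_port)
        # Assumption: keep the source port when it is free and inside the
        # allowed range (step 1 of the answer); otherwise scan for a free one.
        if src_port not in taken and src_port in candidates:
            chosen = src_port
        else:
            chosen = next((p for p in candidates if p not in taken), None)
            if chosen is None:
                raise PatExhausted(f"{self.pat_ip}: no free port for {src_ip}:{src_port}")
        taken.add(chosen)
        return self.pat_ip, chosen


def flat_pat_demo(src_port=501):
    """Fill the 1-511 range with other hosts' flows, then translate one more
    flow from H1 with a low source port. Returns the translated port per mode,
    or None where the ASA would have to drop the connection."""
    modes = {"standard": {}, "flat": {"flat": True},
             "flat+include-reserve": {"flat": True, "include_reserve": True}}
    results = {}
    for name, opts in modes.items():
        pat = PatTable("172.16.10.1", **opts)
        for p in range(1, 512):  # 511 constructed filler flows using ports 1..511
            pat.translate(f"192.168.6.{p % 250 + 1}", p, "10.10.10.1", 80)
        try:
            results[name] = pat.translate("192.168.5.1", src_port, "10.10.10.1", 80)[1]
        except PatExhausted:
            results[name] = None
    return results


def extended_pat_demo(extended):
    """Another host already holds ports 1151 (to S1:22) and 1152 (to S1:80).
    H1 then opens the same two flows. Returns H1's two translated ports."""
    pat = PatTable("172.16.5.1", extended=extended)
    pat.translate("192.168.5.2", 1151, "10.10.10.1", 22)
    pat.translate("192.168.5.2", 1152, "10.10.10.1", 80)
    ssh = pat.translate("192.168.5.1", 1151, "10.10.10.1", 22)[1]
    http = pat.translate("192.168.5.1", 1152, "10.10.10.1", 80)[1]
    return ssh, http


if __name__ == "__main__":
    print(flat_pat_demo())           # {'standard': None, 'flat': 1535, 'flat+include-reserve': 512}
    print(extended_pat_demo(False))  # (1024, 1025): two ports consumed on the PAT IP
    print(extended_pat_demo(True))   # (1024, 1024): same port number, one per service scope
```

Running it shows the two points of the answer: once the 1-511 range is full, a standard PAT cannot translate a new flow with source port 501 at all, while flat PAT hands out a port above 1023 and include-reserve lets it fall back to the low range; and with extended PAT the SSH and HTTP flows from H1 both receive the same translated port because each destination service has its own port space.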
12-12-2013 09:56 AM
Jon,
Thanks! That hit the nail on the head!
02-25-2017 06:14 AM
Great explanation. I had always thought that if the destination (outside) IP / Port was kept as part of the PAT translation rule then we shouldn't be limited to 65,535 total translations per public IP, but I hadn't thought it through fully.
Your explanation really helped me understand, thanks.
04-18-2018 03:25 PM
The explanation is crystal clear!