05-26-2015 08:24 AM - edited 03-05-2019 01:32 AM
hi all,
My ISP is providing internet via a coaxial cable and an internet modem. It has one public IP address assigned. Now I was reading about the various types of NAT. My question is: if I have one public IP and a few internal hosts (with private IPs), how is the NAT functionality achieved?
I mean, which of these:
• Static NAT—A consistent mapping between a real and mapped IP address. Allows bidirectional traffic initiation.
• Dynamic NAT—A group of real IP addresses are mapped to a (usually smaller) group of mapped IP addresses, on a first come, first served basis. Only the real host can initiate traffic.
• Dynamic Port Address Translation (PAT)—A group of real IP addresses are mapped to a single IP address using a unique source port of that IP address.
thank you
05-26-2015 08:28 AM
Depends on what you want to do.
If you just want to provide internet access to internal hosts with private IPs then PAT is the solution.
If you want to also give access to an internal server or servers from the internet for specific applications then you can use a combination of static PAT and dynamic PAT.
Jon
05-26-2015 08:45 AM
Can I run both (PAT and static PAT/dynamic PAT) at the same time?
I'm also confused about static NAT and static PAT.
Static NAT:
"Static NAT creates a fixed translation of a real address to a mapped address." So no ports are used? What about the transport layer?
Static NAT with Port Address Translation:
"When you specify the port with static NAT, you can choose to map the port to the same value or to a different value. Using the same value lets you translate ipA/port1 to ipX/port1 while translating ipA/port2 to ipY/port2."
05-26-2015 08:55 AM
You can use static and dynamic PAT at the same time using the same IP address if needed.
With static NAT it maps all ports ie. it is a mapping between IPs only so all ports are mapped.
Jon
05-27-2015 01:31 AM
thank you.
So with static NAT, ports will be assigned dynamically; even though the private-to-public IP mapping will be the same all the time, each connection can/will have random ports assigned.
And with static NAT with Port Address Translation it's a persistent mapping between IPs and port numbers, so for each connection they will be the same all the time.
Is this correct?
05-27-2015 07:21 AM
With static NAT the ports don't change ie. it is simply a mapping between IPs so the ports are not modified.
With static PAT yes you map a specific port so it will not change.
That may not be what you were asking ie. bear in mind that with any connection the client port is usually random and the server port is usually a well known port.
If the above hasn't answered your question please clarify.
Jon
05-28-2015 12:26 AM
"With static NAT the ports don't change ie. it is simply a mapping between IPs so the ports are not modified. "
Yes, this is clear to me.
"bear in mind that with any connection the client port is usually random and the server port is usually a well known port."
This is also clear. But if static NAT is an IP-to-IP mapping (without port mapping), and if I place a web server, for example, in my DMZ: the router's external IP is, let's say, 201.190.2.1 and the web server's IP is 10.0.0.2. External clients (on the internet) will "talk" to the web server via the router's public IP (201.190.2.1). So when the internet client initiates a connection it will pick a random port, and that with its IP will create a socket (10.0.0.2:234). I'm having a hard time understanding which port will be selected for the router's public IP if there is no port mapping used, or, because it is an HTTP request, will it by default connect to the router's public IP on port 80? If yes, after the packet arrives on the router's public interface the destination IP will be changed from the router's public IP to the web server's private IP, but again, what will be the port (random, or 80?), or is this then up to the web server's settings (for example, in IIS bindings)?
05-28-2015 07:16 AM
"or because it is an HTTP request it will per default connect to the routers Public IP on port 80 ?"
Yes to the above ie. the client makes a connection to the public IP with a destination port of 80.
"If yes, after the packet arrives on the routers Public Interface, the destination IP will be changed from the routers Public IP to the Web Servers Private IP), but again what will be the port (random? or 80 ? )"
Because it is a one to one mapping between IPs the port is not changed, only the IP is translated so it arrives at the web server with the same destination port number ie. port 80.
If you wanted the web server to use a different port number but still wanted clients on the internet to use port 80 then that is when you would use a static PAT ie. so you can change the port number when it is translated.
Jon
05-28-2015 08:02 AM
Got it.
So static NAT combined with PAT allows me to map not only IP to IP (like static NAT) but also ports.
It looks to me that NAT with PAT adds a bit more security, yes?
And to close this topic: what could be real-world scenarios for using either static NAT or static NAT with PAT?
thank you
Adam
05-28-2015 08:14 AM
Adam
Obviously there are a number of different ways of doing this, but here are a few examples specifically based on internet access, because internal NAT can be different in terms of what you use -
1) you have one public IP address which is assigned to your router/firewall's external interface -
you would use dynamic PAT for your internal clients to have internet access
if you also had a server or servers that you want to give access to from the internet you would have to use static PAT because you only have one public IP
2) you have multiple public IPs.
Again you would use dynamic PAT for your internal clients.
This time you could use static NAT for your servers ie. each server gets its own public IP address.
3) you have servers you want to give access to from the internet but need to change the ports.
Whether you have one public IP or multiple here you would need to use static PAT.
So put simply for internal clients to access the internet it is usually dynamic PAT ie. you rarely see dynamic NAT (one to one mappings dynamically allocated) because that is a waste of public IPs and most companies can't afford to do that.
For servers you host and want to give access to from the internet it depends on the number of public IPs you have and what you want to do with the ports (if anything).
Dynamic PAT is quite secure in that you cannot make connections from the internet to internal clients. Only return traffic is allowed back for connections already made.
Static PAT is arguably a little more secure than static NAT because you are only allowing the specific ports through, but bear in mind that you usually have a firewall between you and the internet, so your primary form of control is using ACLs rather than relying purely on which ports you allow with NAT and which you don't.
Jon
05-29-2015 01:19 AM
Hello Jon,
thank you very much for your time and professional help, I appreciate it. Now everything is clear to me!
Have a great day!
@William Benson thank you for your comment as well!
Adam
05-26-2015 08:30 AM
I go for:
• Dynamic Port Address Translation (PAT)—A group of real IP addresses are mapped to a single IP address using a unique source port of that IP address.
05-27-2015 11:15 AM
The connection from your internal hosts to the internet is achieved via PAT translation. As each sends traffic outside of your local network, its internal IP address is NAT'd to the external IP address of your cable modem. When the host outside your network that received traffic from your client tries to send data back, it sends it to the public IP address your client was NAT'd to. Your router receives the data back from the internet, and inside that packet is information that allows it to map it back to the client that originally sent the traffic. This is the magic of NAT, allowing your internal clients to all share one publicly reachable IP address. The hosts outside of your network send the requested information back, and the NAT table handles getting the right traffic back to the right client.
Now, if you want to set up a NAT to allow, say, a "Web Server" to be reachable on that private IP address, you can set up a static NAT by specific port so that your web server is reachable on your internal network via the same public IP address your clients are using.
i.e.
Public IP address: 100.100.100.100
Internal Web Server: 192.168.1.100
You can set up a static NAT so that traffic coming in on IP address 100.100.100.100 on either port 80 or 443 is then NAT'd to 192.168.1.100.
This is often also referred to as "Port Forwarding" or "Port Redirection".
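As an added example (my own Python model, not Cisco code and not posted by anyone in this thread), the following translation engine walks through the three cases Jon's accepted answer lays out and the return-traffic table lookup William describes: dynamic PAT for clients behind the single public IP 201.190.2.1, a static PAT entry forwarding port 80 to a DMZ web server on 10.0.0.2:8080, and a static NAT on a second public IP. The NatRouter class, the port pool, the second public IP 201.190.2.2 and the inside host addresses are all constructed for the example; the remote addresses come from the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass(frozen=True)
class Packet:
    """Just the addressing fields a NAT device looks at (constructed model)."""
    src: Endpoint
    dst: Endpoint


class NatRouter:
    """Toy translation engine: one outside IP for dynamic PAT, plus static entries."""

    def __init__(self, outside_ip: str, pat_ports: Tuple[int, int] = (1024, 65535)):
        self.outside_ip = outside_ip
        self.static_nat: Dict[str, str] = {}             # inside IP -> outside IP (one-to-one)
        self.static_pat: Dict[Endpoint, Endpoint] = {}   # outside (ip, port) -> inside (ip, port)
        # dynamic PAT table: (inside src, remote dst) -> outside port allocated for that flow
        self.dyn_table: Dict[Tuple[Endpoint, Endpoint], int] = {}
        self._next_port, self._max_port = pat_ports

    def add_static_nat(self, inside_ip: str, outside_ip: str) -> None:
        """Scenario 2: the server gets its own public IP; ports pass through unchanged."""
        self.static_nat[inside_ip] = outside_ip

    def add_static_pat(self, outside_port: int, inside: Endpoint,
                       outside_ip: Optional[str] = None) -> None:
        """Scenarios 1 and 3 (port forwarding): one public port maps to an inside IP and port."""
        self.static_pat[(outside_ip or self.outside_ip, outside_port)] = inside

    def _allocate_port(self) -> int:
        # Skip ports reserved by static PAT on the shared outside IP (static and dynamic
        # PAT can share one address, as Jon notes), and fail loudly when the pool is empty.
        while self._next_port <= self._max_port:
            port = self._next_port
            self._next_port += 1
            if (self.outside_ip, port) not in self.static_pat:
                return port
        raise RuntimeError("PAT port pool exhausted")

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> internet: rewrite the source endpoint."""
        inside_ip, inside_port = pkt.src
        if inside_ip in self.static_nat:                 # static NAT: only the IP changes
            return Packet((self.static_nat[inside_ip], inside_port), pkt.dst)
        for outside_ep, inside_ep in self.static_pat.items():
            if pkt.src == inside_ep:                     # server reply: undo the static PAT
                return Packet(outside_ep, pkt.dst)
        key = (pkt.src, pkt.dst)                         # dynamic PAT: one outside port per flow
        if key not in self.dyn_table:
            self.dyn_table[key] = self._allocate_port()
        return Packet((self.outside_ip, self.dyn_table[key]), pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> inside: rewrite the destination, or return None to drop."""
        if pkt.dst in self.static_pat:                   # static PAT: IP and port both rewritten
            return Packet(pkt.src, self.static_pat[pkt.dst])
        for inside_ip, outside_ip in self.static_nat.items():
            if pkt.dst[0] == outside_ip:                 # static NAT: bidirectional, any port
                return Packet(pkt.src, (inside_ip, pkt.dst[1]))
        for (inside_src, remote), port in self.dyn_table.items():
            if pkt.dst == (self.outside_ip, port) and pkt.src == remote:
                return Packet(pkt.src, inside_src)       # return traffic for a known flow
        return None                                      # unsolicited: no table entry, dropped


def demo() -> dict:
    """Run the thread's scenarios and return the translated packets."""
    r = NatRouter("201.190.2.1")                         # the single public IP from the thread
    r.add_static_pat(80, ("10.0.0.2", 8080))             # internet :80 -> DMZ web server :8080
    r.add_static_nat("10.0.0.3", "201.190.2.2")          # constructed second public IP, one-to-one

    # Dynamic PAT: two clients share 201.190.2.1 and are told apart by the outside port.
    out1 = r.outbound(Packet(("10.0.0.10", 50000), ("192.0.2.10", 443)))
    out2 = r.outbound(Packet(("10.0.0.11", 50000), ("192.0.2.10", 443)))
    ret1 = r.inbound(Packet(("192.0.2.10", 443), out1.src))            # reply finds client 1
    unsolicited = r.inbound(Packet(("198.51.100.7", 12345), ("201.190.2.1", 3389)))
    # Static PAT: client connects to :80, the server sees :8080, the reply leaves as :80.
    fwd = r.inbound(Packet(("198.51.100.7", 40000), ("201.190.2.1", 80)))
    reply = r.outbound(Packet(("10.0.0.2", 8080), ("198.51.100.7", 40000)))
    # Static NAT: only the IP is translated; port 22 arrives as port 22 in both directions.
    snat_in = r.inbound(Packet(("198.51.100.7", 40001), ("201.190.2.2", 22)))
    snat_out = r.outbound(Packet(("10.0.0.3", 22), ("198.51.100.7", 40001)))
    return {"out1": out1, "out2": out2, "ret1": ret1, "unsolicited": unsolicited,
            "fwd": fwd, "reply": reply, "snat_in": snat_in, "snat_out": snat_out}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:11s} {pkt}")
```

Running it prints each translated packet; `unsolicited` comes back as `None`, which is the property Jon calls "quite secure": with no table entry for 201.190.2.1:3389 there is nowhere to deliver the packet, so it is dropped. One design choice to be aware of: this toy keys dynamic entries on both the inside and the remote endpoint, so a reply is only accepted from the host the flow was opened to; real devices vary in how strictly they filter, which is why Jon's point that the firewall ACL, not the NAT table, is the primary control still stands.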