NAT

Sagar4 (Level 1)

What are the differences between static PAT and destination NAT?

Accepted Solution

Hello


@Sagar4 wrote:

If I have to allow NAT translation only via a particular destination port for any local host to access the outside network, can it be performed via PAT?

Yes, it is possible by defining an extended access-list for your internal LAN hosts to a specific public IP address and destination port, using dynamic PAT.

Example 1:

ip access-list extended LAN-HOSTS
 permit tcp 10.1.123.0 0.0.0.255 host 1.1.1.1 eq www
!
! one-address pool; "overload" makes this PAT, so every LAN host shares
! 100.100.100.10 and is told apart by a unique translated source port
ip nat pool Public-IP 100.100.100.10 100.100.100.10 prefix-length 30
! the list name must match the access-list defined above
ip nat inside source list LAN-HOSTS pool Public-IP overload


@Sagar4 wrote:

also configured NAT IP pool to make sure both destination ip address and port number don't match for multiple hosts?

Similar to example 1, however you specify a NAT pool with a range of public IP addresses for your LAN hosts to match upon.

Example 2:

ip access-list extended LAN-HOST
 permit tcp host 10.1.123.10 host 1.1.1.1 eq 80
 permit tcp host 10.1.123.11 host 1.1.1.1 eq 80
 permit tcp host 10.1.123.12 host 1.1.1.1 eq 80
 permit tcp host 10.1.123.13 host 1.1.1.1 eq 80
 permit tcp host 10.1.123.14 host 1.1.1.1 eq 80
 ! etc.
!
! match-host keeps the host part of the inside address (10.1.123.12 -> 100.100.100.12),
! so the pool must contain those host numbers; a /30 cannot hold .10 through .20,
! hence prefix-length 24
ip nat pool Public-IP 100.100.100.10 100.100.100.20 prefix-length 24 type match-host
ip nat inside source list LAN-HOST pool Public-IP


Using destination NAT:
Could be used when you wish for a specific public IP address to be reachable for your LAN hosts via an internal IP address.

Example 3:

! host 1.1.1.1 will be reachable at 10.1.123.100 internally
! add-route installs a host route for 10.1.123.100 toward the outside; inside-to-outside
! traffic is routed before it is translated, so without it the router would look for
! 10.1.123.100 on the directly connected inside LAN (10.1.123.0/24) instead of translating it
ip nat outside source static 1.1.1.1 10.1.123.100 add-route

 

Or for quick load balancing of an internal server:

Example 4:

10.1.123.10/24 (svr1)
10.1.123.11/24 (svr2)
10.1.123.12/24 (svr3)

! access-list 1 matches the public (destination) address the clients connect to
access-list 1 permit 100.100.100.10
!
! type rotary hands each new connection to 100.100.100.10 to the next real server in turn
ip nat pool inside-server 10.1.123.10 10.1.123.12 prefix-length 24 type rotary
ip nat inside destination list 1 pool inside-server


 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

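As an added illustration that is not part of the post above, a small Python model of the translation behaviours the examples rely on: dynamic NAT from a one-address pool with and without overload (example 1), match-host (example 2) and rotary destination NAT (example 4). The function names, the sequential port allocation and the simple round robin are assumptions of this model, not IOS internals.

```python
import ipaddress
from itertools import cycle

def dynamic_nat(inside_ips, pool):
    """Dynamic NAT without 'overload': one pool address per inside host.
    Returns (translations, hosts_left_untranslated); a one-address pool
    such as 100.100.100.10-100.100.100.10 is used up by the first host."""
    free, table, dropped = list(pool), {}, []
    for ip in inside_ips:
        if free:
            table[ip] = free.pop(0)
        else:
            dropped.append(ip)
    return table, dropped

def pat_overload(flows, public_ip, first_port=1024):
    """Dynamic PAT ('overload'): every inside (ip, src_port) flow shares the single
    public IP and gets a unique translated source port (assumed sequential here)."""
    return {flow: (public_ip, port) for port, flow in enumerate(flows, start=first_port)}

def untranslate(table, public_ip, public_port):
    """The reverse lookup the router does on a reply arriving at the outside
    interface; the unique port is what makes the inside flow recoverable."""
    for inside_flow, public_flow in table.items():
        if public_flow == (public_ip, public_port):
            return inside_flow
    return None

def match_host(inside_ips, pool_start, pool_end):
    """'type match-host': the host octet of the inside address is kept, so
    10.1.123.12 -> 100.100.100.12. A host whose octet falls outside the pool
    range gets no translation entry."""
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    table = {}
    for ip in inside_ips:
        host_octet = int(ipaddress.ip_address(ip)) & 0xFF
        public = ipaddress.ip_address((int(start) & ~0xFF) | host_octet)
        if start <= public <= end:
            table[ip] = str(public)
    return table

def rotary(servers):
    """'type rotary' destination NAT: each new connection to the public
    address is handed to the next real server, round robin."""
    ring = cycle(servers)
    return lambda: next(ring)
```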

10 Replies

check

If I have to allow NAT translation only via a particular destination port for any local host to access the outside network, can it be performed via PAT, provided I have also configured a NAT IP pool to make sure both destination IP address and port number don't match for multiple hosts?

Can I see the config?

I don't have a configuration. My doubt was: if PAT can allow a single public IP address to be used by multiple devices for NAT translation, can the router also perform NAT translation only via a specific destination port number for all local hosts to access the outside network?

Check 

Sagar4 (Level 1)

Can I get the mapping command for both static PAT and destination NAT so as to differentiate between the two?

check 


Thanks Paul. And one more thing: destination NAT just means mapping is done for outside hosts and source NAT means mapping is done for local hosts. Correct me if I'm wrong.

Hello


@Sagar4 wrote:

Thanks Paul. And one more thing: destination NAT just means mapping is done for outside hosts and source NAT means mapping is done for local hosts. Correct me if I'm wrong.

It's based on the destination traffic.

DNAT - destination address translation
SNAT - source address translation

The NAT order of operations differs by domain (inside/outside):
Outside to inside: NAT occurs first, then routing is performed.
Inside to outside: routing occurs first, then NAT.



In the first DNAT example, when traffic sourced from 1.1.1.1 enters on the outside interface, the router will first translate it to an internal address, in this case 10.1.123.100, then a route lookup is performed and the traffic is forwarded. As such, any return traffic for that NAT'd address will be forwarded to the outside interface and then translated back to its original address.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
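To make the order-of-operations point concrete, here is an added Python model (not from the thread) that applies it to example 3: inside-to-outside packets are routed on their untranslated destination and translated afterwards, while outside-to-inside packets are translated first and then routed. The routing tables are constructed for the illustration; the /32 toward the outside stands for the host route that add-route or a manual static route provides.

```python
import ipaddress

# ip nat outside source static 1.1.1.1 10.1.123.100 (example 3): global -> local
OUTSIDE_STATIC = {"1.1.1.1": "10.1.123.100"}

def lookup_route(routes, dst):
    """Longest-prefix match over a list of (network, egress_interface) pairs."""
    addr, best = ipaddress.ip_address(dst), None
    for net, iface in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface)
    return best[1] if best else None

def forward(packet, routes, ingress):
    """Returns (egress_interface, packet_as_sent). Outside-to-inside: NAT, then
    route. Inside-to-outside: route on the untranslated destination, then NAT."""
    pkt = dict(packet)
    if ingress == "outside":
        pkt["src"] = OUTSIDE_STATIC.get(pkt["src"], pkt["src"])
        return lookup_route(routes, pkt["dst"]), pkt
    egress = lookup_route(routes, pkt["dst"])
    if egress == "outside":
        # leaving via the outside interface: map the local address back to the real one
        local_to_global = {local: glob for glob, local in OUTSIDE_STATIC.items()}
        pkt["dst"] = local_to_global.get(pkt["dst"], pkt["dst"])
    return egress, pkt

# constructed routing tables: the connected inside LAN plus a default toward the outside;
# without the host route, 10.1.123.100 matches the connected /24 and is never translated
ROUTES = [("10.1.123.0/24", "inside"), ("0.0.0.0/0", "outside")]
ROUTES_WITH_ADD_ROUTE = ROUTES + [("10.1.123.100/32", "outside")]
```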