Description:
Port Address Translation (PAT) {also known as Network Address Port Translator (NAPT)}.
Port Address Translation (PAT), is an extension to network address translation (NAT) that permits multiple devices on a local area network (LAN) to be mapped to a single public IP address. The goal of PAT is to conserve IP addresses.
Port Address Tranlation is also called porting, port overloading, port-level multiplexed NAT and single address NAT.
Complete Definition:
Port Address Translation (PAT) is a feature of a network device that translates TCP or UDP communications made between hosts on a private network and hosts on a public network. It allows a single public IP address to be used by many hosts on the private network, which is usually called a Local Area Network or LAN.
A PAT device transparently modifies IP packets as they pass through it. The modifications make all the packets which it sends to the public network from the multiple hosts on the private network appear to originate from a single host - the PAT device - on the public network.
Translation method that allows the user to conserve addresses in the global address pool by allowing source ports in TCP connections or UDP conversations to be translated. Different local addresses then map to the same global address, with port translation providing the necessary uniqueness. When translation is required, the new port number is picked out of the same range as the original following the convention of Berkeley Standard Distribution (SD).
This prevents end stations from seeing connection requests with source ports apparently corresponding to the Telnet, HTTP, or FTP daemon, for example. As a result, Cisco IOS PAT supports about 4000 local addresses that can be mapped to the same global address.
Configuring PAT:
To configure PAT/NAT correctly the first time, you need to understand the Cisco NAT terminology and how your IP networks/addresses map to each of the entities listed below:
Inside Local—This is the local IP address of a private host on your network (e.g., a workstation's IP address).
Inside Global—This is the public IP address that the outside network sees as the IP address of your local host.
Outside Local—This is the local IP address from the private network, which your local host sees as the IP address of the remote host.
Outside Global—This is the public IP address of the remote host (e.g., the IP address of the remote Web server that a workstation is connecting to).
You'll configure your Cisco router using seven commands. Let's assume that your Internet service provider gave you a 30-bit network containing two public IP addresses. This configuration would allow one address for your router and one address for your internal clients and devices.
The first command you'll execute will tell the router which public IP address you want to use for PAT:
ip nat pool mypool 63.63.63.2 63.63.63.2 prefix 30
This command configures a pool (range) of IP addresses to use for your translation. In this case, we want only one address in our pool, which we will overload. We do this by assigning the same IP address (63.63.63.2) for the start and end of the pool.
The next command will tell your router which IP addresses it is allowed to translate:
access-list 1 permit 10.10.10.0 0.0.0.255
It's not a good idea to put “permit any” in the access list, even though you will occasionally see that as a recommendation in some sample configurations.
The next command is:
ip nat inside source list 1 pool mypool overload
This command puts the pool definition and the access list together. In other words, it tells the router what will be translated to what. The overload keyword turns this into a PAT configuration. If you left out overload, you would be able to translate only one IP address at a time, so only one client could use the Internet at a time.
Next, you need to tell PAT/NAT what interfaces are the inside network and what interfaces are the outside network. Here's an example:
interface <interface_name>
ip nat inside
interface <interface_name>
ip nat outside
With these commands, your PAT configuration is finished.
Finally, verify that NAT works. This can be as simple as doing a ping command from your inside local host to an outside global host. If the ping succeeds, chances are you have everything configured correctly. You can also use the following Cisco IOS commands to confirm and troubleshoot:
show ip nat translations [verbose]
show ip nat statistics
With the translations command, you should see the translation that was created from your ping test. But watch out: The translations will disappear after their time-out expires. If you have configured overload, these time-outs are configurable by traffic type.
RFCs
- RFC 5135 IP Multicast Requirements for a Network Address Translator (NAT) and a Network Address Port Translator (NAPT)
- RFC 1918 - Address Allocation for Private Internets
Also See
