05-14-2015 04:01 AM - edited 03-08-2019 12:00 AM
Hi all,
I understand NAT takes 1 internal IP and translates it into a routable public IP to the internet when going out of the router's public-facing interface.
While port forwarding is more for incoming traffic, whereby access to a public IP's port is forwarded to an internal IP's port.
However, what I do not understand is, if I already have a 1:1 mapping of internal to NAT IP, do I still need port forwarding?
Since whatever request to the NAT IP:port just maps to the internal IP:port.
Please advise.
Regards,
Noob
05-20-2015 05:39 AM
Your table is correct.
Jon
05-20-2015 05:43 AM
Hey Jon,
Good to see you around! Thanks for the confirmation!
Regards,
Noob
05-20-2015 05:45 AM
Noob
I believe that the column in your chart is correct. I would also observe that you are identifying PAT in the dynamic implementation. What we frequently refer to as port forwarding is actually a static PAT.
HTH
Rick
05-20-2015 06:02 AM
Hi Rick,
Sorry, but can you elaborate further on the portion "identifying PAT in the dynamic implementation"? I thought PAT is NAT overloading.
Over in my chart, I have assumed that port forwarding is not set up. Incoming traffic is allowed because outgoing traffic is triggered first.
Regards,
Noob
05-20-2015 06:12 AM
Noob
I do not know what it is that you do not understand.
Yes it is true that PAT is NAT overload.
If you are making the assumption that port forwarding is not configured then your chart is fine.
I thought that since your chart did identify NAT in both its static and dynamic forms but PAT only in its dynamic form, that it was worth mentioning that PAT could be static as well as dynamic.
HTH
Rick
05-20-2015 06:37 AM
Hi Rick,
"I thought that since your chart did identify NAT in both its static and dynamic forms but PAT only in its dynamic form, that it was worth mentioning that PAT could be static as well as dynamic."
Can you list a scenario with PAT in dynamic form vs PAT in static form?
Actually I do not understand what you mean by PAT in dynamic form. How is it dynamic in my example, since all internal IPs will always be using 1 static IP to go out?
Regards,
Noob
05-20-2015 06:46 AM
Noob
There is a simple explanation for this. In your example PAT is dynamic because when a host on the inside initiates a connection to outside IOS will dynamically create an entry in the translation table (and will dynamically remove the entry when the connection terminates or when it times out).
The question about dynamic and static really has to do with whether there are entries in the translation table that are always there (static) or whether entries in the table are created as needed and removed when not needed (dynamic).
So when you configure NAT overload on the outbound interface it will be creating dynamic entries as they are needed. If you configure port forwarding on the outbound interface so that any packet addressed to the outside interface on TCP port 80 is forwarded to your web server at 192.168.5.6 then this entry in the translation table is static.
HTH
Rick
05-20-2015 07:11 AM
Hi Rick,
Ahh.. I got you.
But I have always thought that port forwarding and NAT are separate features, although they complement each other functionally.
With port forwarding, are they also sharing the same translation table?
-----------------------------------------------------------------------------------------------------
It is said that with overloading, the router itself will use its own "source port" instead of the original source port, to prevent having mappings with the same source port.
Consider the scenario below, with port forwarding set up.
Will the response in transaction 2 use another port to reply to the request in transaction 1?
If no, why?
Regards,
Noob
05-20-2015 07:25 AM
PAT is not separate from NAT; it is just one option.
Dynamic PAT is generally used inside to outside for clients and can use the outside interface IP of the router or a separate IP.
Your example in the table is static PAT, and no, the return traffic does not use a different port. It cannot; it has to be port 80.
Jon
05-20-2015 11:20 AM
Hi Jon, Rick,
Seems to me now that there are only 2 kinds of NAT actually:
1) NAT (Static, Dynamic)
With static having a 1 to 1 mapping, pre-created.
With dynamic, still a 1 to 1 mapping, but being created on the fly, triggered from within.
2) PAT (Static, Dynamic)
With dynamic, a many to 1 mapping (each with a different src port though), but being created on the fly, triggered from within.
With static, a many to 1 mapping as well, but pre-created (each mapping must have a different src port also) -- and this is also called port forwarding.
=====================================================
I remember Rick mentioned this:
"But with dynamic NAT and with PAT it does not enable the Internet to initiate traffic to an inside host. So if you are doing dynamic NAT or PAT and you have a server which should be accessible from the Internet then you would need to do port forwarding."
So I am confused about the difference between
Dynamic NAT + Port forwarding vs PAT static.
I seem to be able to grasp the idea, but again I don't seem to understand it. I am going to read up more and test further though.
Regards,
Noob
05-20-2015 12:02 PM
Noob
You are on the right track. I like the way that you started your most recent post with the idea that when you simplify things there are 2 kinds of address translation. One kind creates a one-to-one relationship between the private and the public address. The other kind creates a many-to-one relationship between the private and the public addresses. And both of these can be dynamic or static.
You seem to have become confused when I attempted to explain that doing dynamic address translation (either NAT or PAT) will not enable a host on the outside to initiate traffic to hosts on the inside. To enable traffic initiated from outside you need the static translation. And there are at least two good reasons for that. 1) The outside host needs a consistent address to use to get to the inside host. 2) The entry needs to be in the translation table all the time. The way to achieve these is with static translation.
HTH
Rick
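As an added example (not code from this thread, and not Cisco IOS's own implementation), the toy model below keeps a translation table the way Rick and Jon describe it: static rows are always present, dynamic rows appear when an inside host sends first and disappear on teardown or timeout, and a packet arriving from outside can only match a row that is already there. It covers all four cells of the 2x2 (static and dynamic NAT, static and dynamic PAT, the latter being port forwarding) and also shows Jon's point that the web server's reply through a port-forward leaves on port 80 rather than a new router-chosen port. All addresses and ports are constructed sample values (203.0.113.0/24 is a documentation range), and the IOS commands in the comments are the corresponding configuration forms with placeholder names, not commands taken from the thread.

```python
from dataclasses import dataclass
from itertools import count
from typing import List, Optional, Tuple

Xlat = Optional[Tuple[str, int]]  # (ip, port) after translation, or None if dropped


@dataclass(frozen=True)
class Entry:
    """One row of the translation table. A port of None means the whole
    address is translated (NAT); a concrete port means one socket is (PAT)."""
    inside_ip: str
    inside_port: Optional[int]
    global_ip: str
    global_port: Optional[int]
    static: bool  # static rows are always present; dynamic rows come and go


class NatRouter:
    """Constructed toy model of a router's translation table (not IOS code)."""

    def __init__(self, outside_ip: str):
        self.outside_ip = outside_ip
        self.table: List[Entry] = []
        self.pool: List[str] = []   # free addresses for dynamic NAT
        self.overload = False       # dynamic PAT on the outside interface
        self._ports = count(1024)   # router-chosen source ports for PAT

    # --- configuration; each comment gives the equivalent IOS command form ---
    def static_nat(self, inside_ip: str, global_ip: str) -> None:
        # ip nat inside source static <inside_ip> <global_ip>
        self.table.append(Entry(inside_ip, None, global_ip, None, static=True))

    def port_forward(self, inside_ip: str, inside_port: int, global_port: int) -> None:
        # ip nat inside source static tcp <inside_ip> <inside_port> interface <outside-if> <global_port>
        self.table.append(Entry(inside_ip, inside_port, self.outside_ip, global_port, static=True))

    def dynamic_pool(self, addresses: List[str]) -> None:
        # ip nat pool <name> <first> <last> netmask <mask>
        # ip nat inside source list <acl> pool <name>
        self.pool = list(addresses)

    def enable_overload(self) -> None:
        # ip nat inside source list <acl> interface <outside-if> overload
        self.overload = True

    # --- translation ---
    def _lookup(self, pred) -> Optional[Entry]:
        return next((row for row in self.table if pred(row)), None)

    def outbound(self, src_ip: str, src_port: int) -> Xlat:
        """Inside -> outside: reuse an existing row, else create a dynamic one."""
        e = self._lookup(lambda row: row.inside_ip == src_ip and row.inside_port in (None, src_port))
        if e is None:
            if self.pool:           # dynamic NAT: take a free pool address, 1:1
                e = Entry(src_ip, None, self.pool.pop(0), None, static=False)
            elif self.overload:     # dynamic PAT: share the outside IP, unique port
                e = Entry(src_ip, src_port, self.outside_ip, next(self._ports), static=False)
            else:
                return None         # nothing to translate with: packet dropped
            self.table.append(e)
        return (e.global_ip, src_port if e.global_port is None else e.global_port)

    def inbound(self, dst_ip: str, dst_port: int) -> Xlat:
        """Outside -> inside: only a row that already exists can match."""
        e = self._lookup(lambda row: row.global_ip == dst_ip and row.global_port in (None, dst_port))
        if e is None:
            return None             # no translation: packet dropped at the edge
        return (e.inside_ip, dst_port if e.inside_port is None else e.inside_port)

    def clear_dynamic(self) -> None:
        """Connection teardown / timeout: dynamic rows vanish, static rows stay."""
        for e in self.table:
            if not e.static and e.inside_port is None:
                self.pool.append(e.global_ip)   # give the pool address back
        self.table = [e for e in self.table if e.static]


def demo() -> dict:
    r = NatRouter(outside_ip="203.0.113.1")
    r.static_nat("192.168.5.10", "203.0.113.10")      # static NAT: 1:1, pre-created
    r.port_forward("192.168.5.6", 80, 80)             # static PAT: port forwarding
    r.dynamic_pool(["203.0.113.20", "203.0.113.21"])  # dynamic NAT: 1:1 on demand
    r.enable_overload()                               # dynamic PAT once the pool is empty
    out = {}
    # Outside-initiated packets: only the static rows are there to be matched
    out["static_nat_in"] = r.inbound("203.0.113.10", 22)
    out["port_forward_in"] = r.inbound("203.0.113.1", 80)
    out["pool_ip_in_before"] = r.inbound("203.0.113.20", 80)
    # Inside-initiated connections create dynamic rows as they are needed
    out["client_a_out"] = r.outbound("192.168.5.50", 40000)
    out["client_b_out"] = r.outbound("192.168.5.51", 40000)
    out["client_c_out"] = r.outbound("192.168.5.52", 40000)   # pool empty -> PAT
    out["client_c_reply"] = r.inbound("203.0.113.1", 1024)
    out["pool_ip_in_during"] = r.inbound("203.0.113.20", 80)
    # The web server's reply matches the port-forward row and leaves on port 80
    out["web_reply_out"] = r.outbound("192.168.5.6", 80)
    r.clear_dynamic()
    out["pool_ip_in_after"] = r.inbound("203.0.113.20", 80)
    out["port_forward_after"] = r.inbound("203.0.113.1", 80)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} {result}")
```

Running the block prints the translation each packet gets. The pool address 203.0.113.20 is reachable from outside only while client A's dynamic row exists and is unreachable again after `clear_dynamic()`, while the port-forward row for 203.0.113.1:80 answers before, during and after, which is exactly the "entry always in the table" property Rick gives as the reason static translation is needed for inbound-initiated traffic.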
05-20-2015 01:15 PM
Hi Rick,
Thanks for the compliment, really appreciate the kind words. I am actually losing confidence and morale, but you gave me an uplift ;)
Can I say that there are 2 kinds of static commands available?
Method 1) mapping IP to IP directly (202.202.202.1 to 192.168.202.1)
Method 2) mapping IP:Port to IP:port (202.202.202.1:80 to 192.168.202.1:80)
Is port forwarding method 2 then?
Hence, in order for the outside world to be able to communicate inside when using
1) Dynamic NAT - we will need static translation
- but it seems to contradict why we use dynamic in the first place?
Does it mean that we have a limited number of public IPs to be shared among our internal clients/servers, hence we would only like to assign a public IP on the fly when the internal devices need to access the internet, but at the same time we will also need certain devices to be accessible from the internet as well?
- hence, can a NAT IP be used in both a dynamic and a static translation at the same time?
- can Dynamic NAT be used with method 2 above?
Assuming I have assigned IPs 202.200.200.10 to 202.200.200.20 in a dynamic pool
I have also created a static mapping for 202.200.200.20:80 to 192.168.7.20:80 (web server)
Will there be any issue if a client (192.168.7.5) is assigned 202.202.202.20 from the pool using Dynamic NAT and at the same time an internet user accesses the web server via 202.202.202.20:80?
Wouldn't there be a contradiction, as dynamic IPs are 1:1, meaning if I talk to 202.202.202.20, I am actually finding 192.168.7.5, but in the above scenario the external internet user actually wants to talk to the web server at 192.168.7.20?
=~~ my brain juice is running dry. I shall try some simulation too..
Regards,
Noob
07-12-2019 09:18 PM
Hi, I have a question. Suppose I have a specific external IP which wants to access an internal server on a particular port. Can we do static routing on the firewall, which is an ASA?
What I did is simply create an access list for a particular IP on the ASA and then just opened the particular port on the server. Then I did simple NATing (internal IP to external public IP address).
Could I just skip all this and do static (one to one) NATing on the firewall (ASA)? Was it going to affect any other server's connection to the internet?