NAT stands for Network Address Translation.
PAT stands for Port Address Translation.
Two common problems are tackled here:
- Internet Security - this has become the most important goal of network administrators. The first step of any security plan is to make users anonymous.
- Internet Addresses - these are limited, and have become a very valuable commodity.
NAT enhances security by changing the IP address and port of each user, so that the outside world (the Internet) sees them as someone else (much like the Government's witness protection program). Their identities are changed, and they become anonymous. PAT allows groups of users to share one common IP address, which is a Godsend to corporations, small businesses, and the Internet itself, which is running out of available IP addresses. NAT and PAT are very simple, yet extremely powerful concepts.
NAT vs PAT
NAT translates IP addresses only. PAT translates ports only, but is always used with NAT - never alone. This means you can configure a router for pure NAT, or NAT with PAT. Sounds like a movie, eh . . . The "Adventures of Nat and Pat".
NAT (1 to 1 translation) – utilizes Source IP addresses and maps them to outside Internet IP addresses. This is also called Static NAT. As shown in the following NAT example, it takes a network address 10.0.0.1, and “translates” it to another network address 126.96.36.199. It is a simple lookup table, where each row is created by a router command with the two addresses. The user address is behind the router on the LAN interface, and the Internet address is sent out across the serial interface.
NAT with PAT (Many to 1 translation - overload) - utilizes source IP addresses and source ports to uniquely identify user workstations by their socket. A socket is simply an IP address and a port number. This allows mapping of up to 65,536 inside "socket" addresses to 1 outside address (hence the term 'overload'). This is also called Dynamic NAT.
In the following PAT example, suppose local private hosts 10.6.1.2 and 10.6.1.6 both send packets to www.google.com. A PAT device might translate these to a single public IP address 188.8.131.52 but two different source ports, say 2031 and 1506. Response traffic received for port 2031 is routed to 10.6.1.2 while port 1506 traffic is routed to 10.6.1.6.
NAT with PAT is also given yet another name - NAPT (Network Address Port Translation) and may be used to allow many hosts to share a single IP address by multiplexing streams differentiated by TCP/UDP port numbers as well as IP addresses.
In this example, we mentioned the terms "Inside Local IPv4 Address" and "Inside Global IPv4 Address".
Cisco defines these terms as:
- Inside local address—The IP address assigned to a host on the inside network. This is the address configured as a parameter of the computer OS or received via dynamic address allocation protocols such as DHCP. The address is likely not a legitimate IP address assigned by the Network Information Center (NIC) or service provider.
- Inside global address—A legitimate IP address assigned by the NIC or service provider that represents one or more inside local IP addresses to the outside world.
- Outside local address—The IP address of an outside host as it appears to the inside network. Not necessarily a legitimate address, it is allocated from an address space routable on the inside.
- Outside global address—The IP address assigned to a host on the outside network by the host owner. The address is allocated from a globally routable address or network space.
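The many-to-one (overload) translation and the inside local / inside global terms above, sketched as a small translation table. This is an added example, not code from the original article or from Cisco; the `PatTable` class, its port-selection policy (keep the source port if it is free, otherwise take the lowest free one) and the public address 203.0.113.5 are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from itertools import chain


@dataclass
class PatTable:
    """Toy NAPT table: many inside local sockets share one inside global IP."""
    global_ip: str
    first_port: int = 1024
    last_port: int = 65535
    # (proto, inside local ip, inside local port) -> inside global port
    out_map: dict = field(default_factory=dict)
    # (proto, inside global port) -> (inside local ip, inside local port)
    in_map: dict = field(default_factory=dict)

    def translate_outbound(self, proto, local_ip, local_port):
        """Return the inside global socket for an inside local socket."""
        key = (proto, local_ip, local_port)
        if key not in self.out_map:
            port = self._allocate(proto, local_port)
            self.out_map[key] = port
            self.in_map[(proto, port)] = (local_ip, local_port)
        return (self.global_ip, self.out_map[key])

    def translate_inbound(self, proto, global_port):
        """Return the inside local socket for a reply, or None (no entry: drop)."""
        return self.in_map.get((proto, global_port))

    def _allocate(self, proto, preferred):
        # Keep the original source port when it is free, else the lowest free one.
        for port in chain([preferred], range(self.first_port, self.last_port + 1)):
            in_pool = self.first_port <= port <= self.last_port
            if in_pool and (proto, port) not in self.in_map:
                return port
        raise RuntimeError("PAT port pool exhausted")


def demo():
    pat = PatTable(global_ip="203.0.113.5")  # constructed documentation address
    # The article's two inside hosts, here choosing the same source port.
    a = pat.translate_outbound("tcp", "10.6.1.2", 40000)
    b = pat.translate_outbound("tcp", "10.6.1.6", 40000)
    reply_a = pat.translate_inbound("tcp", a[1])
    reply_b = pat.translate_inbound("tcp", b[1])
    unsolicited = pat.translate_inbound("tcp", 3389)  # no table entry exists
    return a, b, reply_a, reply_b, unsolicited
```

The same table, kept with timestamps, is what lets an investigator map an inside global address and port seen by an outside server back to one inside host.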
NAT (Network Address Translation)
Network Address Translation (NAT) is simply that – it takes a network address, and “translates” it to another network address. It is a simple lookup table, where each row is created by a router command with the two addresses. The user address is behind the router on the LAN interface, and the Internet address is sent out across the serial interface.
The NAT table (lookup table) in the router can be configured in two ways. So, for "n" users:
Static NAT - for security - requires n Internet IP addresses - assign unique, unregistered local IP addresses to all users, and use unique Internet addresses as well. Users can all use the same port!!!
Static NAT offers enhanced security - the actual IP address of the user is hidden. A router running NAT (RFC 1631) allows the users to maintain anonymity, because their addresses are not sent out to the world. Users will typically use addresses from one of three reserved address spaces, the most famous being the “10” Class A address range. For example, hosts A, B and C have different IP addresses and different NAT IP addresses, so they can use the same port or different ports for TCP/UDP communication.
Dynamic NAT (NAT & PAT) - for overloading - requires 1 outside Internet IP address - assign unique, unregistered local IP addresses to all users. Must use unique ports for each user!!!
Dynamic NAT allows overloading - multiple users access the Internet via one IP address. This is used by Microsoft ICS (Internet Connection Sharing) and by DSL routers that have several home user PCs connected. In fact, every Cable/DSL Broadband Router on the market accomplishes its job with NAT. For example, hosts A, B and C have different IP addresses but the same NAT IP address, so they have to use different ports for TCP/UDP communication.
Unregistered IP Ranges
IANA has set aside specific ranges of IP addresses for use as non-routable internal network addresses. These addresses are considered unregistered (for more information, see Address Allocation for Private Internets, which defines these address ranges), which means that no company or agency can claim ownership of them and use them on public computers. Routers are designed to not forward unregistered addresses. What this means is that a packet from a computer with an unregistered address could reach a registered destination computer, but the reply would be discarded by the first router it came to.
There is a range for each of the three classes of IP addresses used for networking.
- Range 1 is for Class A: 10.0.0.0 through 10.255.255.255
- Range 2 is Class B: 172.16.0.0 through 172.31.255.255
- Range 3 is Class C: 192.168.0.0 through 192.168.255.255
The following image shows how 3 users can all communicate on the Internet with just one IP address. The router shown must be capable of performing NAT:
In the next post, we will take a close look at a NAT overloading example, and understand exactly how routers handle NAT overloading.
On Cisco routers, the NAT and PAT translation table can be viewed with the command “show ip nat translations”. The command “clear ip nat translation” clears all dynamic address translation entries from the NAT translation table.