NAT and PAT, Part 3
Dynamic NAT, which could allow several hosts to use the same public IP address at different times of the day, still translates on a “one-to-one” address basis. That is, each inside local address (usually private) being actively translated requires one global address (usually public).
In PAT (Port Address Translation, also known as “overloading”), many inside local addresses are simultaneously mapped to one inside global address (that is, the global address is “overloaded”). Thus, PAT is a “many-to-one” translation scheme. To configure PAT, the syntax is:
- Router(config)#ip nat inside source list 1 interface serial 0/0 overload
The translation tells the router that if a packet with source address matching a permit in ACL 1 hits the inside interface, and it is bound for the outside interface, translate the source address to the address of the Serial0/0 interface. Thus, all translated traffic has the same source address (note the keyword “overload”), and no pool is required.
What happens, then, when the return traffic hits the router? If it’s all destined for the same address, how does the router know to which local address the destination address of the returning packet should be translated? The key to PAT is that, unlike with dynamic NAT, the port numbers are also tracked, and, if necessary, manipulated.
Remember that when an application using TCP or UDP starts, it is assigned a port number by the IP stack. Specifically, server-side apps are assigned “well-known” ports below 1024. Examples are TCP 23 for Telnet, TCP 80 for HTTP (web service), and UDP 69 for TFTP. Client-side apps are assigned random port numbers in the range 1024 and above.
For example, let’s say that host 10.0.0.1 (the client) initiates a Telnet session with a host at address 126.96.36.199 (the server). The client process on host 10.0.0.1 will be assigned a TCP port by host 10.0.0.1’s IP stack, which we’ll assume is 2000 (and, of course, the Telnet server at 188.8.131.52 is using TCP port 23). When the traffic from 10.0.0.1 hits the inside interface and is bound for the outside interface, it’s checked against the ACL. Let’s assume that 10.0.0.1 is permitted by the ACL, so the translation occurs.
Since no corresponding entry yet exists in the translation table, the inside local address and port number will be entered (10.0.0.1:2000). For the corresponding inside global address, that of Serial 0/0 will be used (let’s assume that it’s 184.108.40.206), and the port number will be unchanged (220.127.116.11:2000), unless that port number already appears in the inside global list. If the port number is already in use by another host, the port will be changed to a value that is not already in use (the algorithm for this is implementation-specific).
As with dynamic NAT, timeouts are used to free up unused translation entries for ICMP and UDP. The defaults are 300 seconds for UDP and 60 seconds for ICMP, but they can be configured. TCP also has a fail-safe timeout of 24 hours.
Finally, what if you want to use a pool (dynamic NAT), but switch to PAT if the addresses in the available pool addresses are exhausted? In this case, you combine the “pool” and “overload” options, like this:
- Router(config)#ip nat inside source list 1 pool test overload
The effect of this is implementation-specific, but in my experience a Cisco router will allocate the pool addresses in ascending order, and then overload on the last address if necessary.
Author: Al Friebe
Related articles by Zemanta
- Phoenix Labs ” PeerGuardian OS X (menson.wordpress.com)
NAT and PAT Series