Configure Port Address Translation

Port Address Translation (PAT) is an extension of Network Address Translation (NAT). PAT adds a unique identifier to the outside translation entry of each inside host. Using PAT allows many inside IP addresses to use a single outside IP address because the outside address has a unique port number mapped to each inside host. NAT allows IP addresses to be changed as they pass through a router in order to be properly routed on another network. For NAT to work properly, some additional information and planning is necessary. Inside and outside interfaces must be defined.

Inside interfaces are those that exist on the internal, private network. In this case, inside interfaces are those with IP addresses on the subscriber's home network. This is typically a nonroutable address as defined by RFC 1918:

■ Inside local—Configured IP address assigned to a host on the inside network

■ Inside global—The IP address of an inside host as it appears to the outside network

Outside interfaces are those that exist on the external provider network and/or public Internet. Depending on the implementation, this may be a nonroutable RFC 1918 address or a public routable address:

■ Outside local—The IP address of an outside host as it appears to the inside network

■ Outside global—The configured IP address assigned to a host in the outside network

Figure 5-2 illustrates the concepts of NAT with PAT. Figure 5-2 NAT with PAT

Physical Int: Eth0/1 or ATM0/0 Logical Int: Dialer0 ip address negotiated ip nat outside


Eth0/0 IP NAT Inside

DSL Aggregation Router


Eth0/0 IP NAT Inside


Figure 5-2 shows the subscriber host (inside local address) sending a web request to A DNS lookup resolves the host name in the URL to its public IP address. The resolved address is then placed in the Destination IP Address field (inside global address). In this example, NAT is performed in only one direction. Additional subscriber hosts would have a unique inside local address but be assigned the same inside global address and a unique port number. The coupling of an IP address with a port number is known as a socket.

NOTE The process can be performed bidirectionally to translate addresses inbound and outbound. This is one method for dealing with overlapping address space in merged, acquired, or mismanaged networks by effectively concealing outside addresses from inside hosts. For bidirectional NAT to work, DNS must be configured internally to map outside hosts to the proper inside addresses (that is, outside local addresses). The NAT process will translate the outside local address to its actual address (that is, the outside global address).

With NAT alone, each subscriber host inside local address would be translated to an individual, unique inside global address (one-to-one). With PAT, each subscriber inside local address is translated to a single inside global address (many-to-one) to conserve IP address space utilization. To keep the individual hosts organized and pass the proper traffic flows to and from each host, the source port number is attached to the IP address. In theory, up to 65,535 inside addresses can be translated to a single outside address. However, in practice, this might not be the best theory to test on a router not designed for very high user density.

PAT uses unique source port numbers on the inside global IP address to distinguish between translations. PAT attempts to preserve the original source port. If the source port is already in use, PAT attempts to use the first available port from the appropriate port group 0-5111, 5112-1023, or 1024-65535. If there is still no port available from the appropriate group and more than one IP address is configured, PAT moves to the next IP address and tries to allocate the original source port again. This continues until PAT runs out of available ports and IP addresses.

Example 5-4 shows the NAT/PAT portion of the configuration. Note that there is no configuration on the Interface Ethernet0/1 (or ATM0/0 as the case may be). This is intentional, because the logical dialer0 interface represents the physical Ethernet0/1 or ATM0/0 interface configuration.

Example 5-4 NAT/PAT Configuration

interface Ethernet0/0

ip nat inside

interface Dialer0

ip nat outside

ip nat inside source list 100


dialer0 overload

access-list 100 permit ip 172 !

16.0.0 0.«

5.255.255 any

This configuration is added to the examples presented to this point, so the IP addresses and so on are not shown. In the example, the Ethernet interface is defined as inside while the dialer interface is outside. The access list defines hosts that are eligible for translation, in this case all 172.16.X.X source addresses. The NAT definition uses access-list 100 as the "inside source" list and maps it to dialer0. The overload parameter enables PAT on the interface. The configuration then uses the provider-assigned address of dialer0 as the outside address for traffic flow. For this reason, no NAT pool is necessary. Without the overload parameter, a NAT pool would be defined for one-to-one translations.

Was this article helpful?

0 0

Post a comment