
Introduction to NAT and PAT

Posted on February 18, 2013


by Rene Molenaar
in CCNA R&S, Cisco, Network Services
Without network address translation (NAT) or port address translation (PAT) you probably wouldn't be able to access the Internet from your computer, or at least you'd be the only one in the house with Internet access. In this article I want to explain why and how we use NAT/PAT for Internet access. Let's start with a topology:

On the left side we have a computer on our LAN with the IP address 192.168.1.1 connected to a router. From our ISP we got the IP address 4.4.4.4, and there's a server on the Internet using IP address 1.2.3.4. If our computer sends something to the server, what will be the source and destination IP address of the IP packet it sends?

The source IP address will be our computer and the destination IP address will be the server as you can see in the IP packet in the picture above.

Once the server responds it will create an IP packet with the computer's IP address as the destination and its own IP address as the source.

Is there anything wrong with this example? No, it's perfectly fine except for one detail: the IP address of the computer and the IP address on the router are private IP addresses. Private IP addresses are meant for our LANs and public IP addresses are for the Internet.

This time we are going to configure NAT (Network Address Translation) and see what the difference is.

Same story: our computer is going to send something to the server, but now our router has been configured for NAT. The NAT router has been configured so that IP address 192.168.1.1 is translated to IP address 4.4.4.4. Here's what happens: our NAT router rewrites the source IP address from 192.168.1.1 to 4.4.4.4, as you can see in the IP packet above.

The server thinks it's talking to IP address 4.4.4.4, which is why you see this IP address as the destination in the IP packet it sends back.

Once this IP packet reaches the router, the router looks at its NAT table again, translates the destination IP address 4.4.4.4 back into 192.168.1.1 and sends the packet towards the computer.

The example I just showed you is called static NAT. There is a 1:1 relationship between the IP address of our computer on the LAN and the IP address we got from our ISP. So what are we going to do if we have more computers on our LAN? We can use something called dynamic NAT.
Dynamic NAT is different compared to static NAT because:
You can use a pool of IP addresses to translate into.
You can use an access-list to match the hosts on your LAN which should be translated.
To give you an example: in our static NAT picture we used the 4.4.4.4 IP address from the ISP to translate to. Our ISP is very generous and instead of giving us a single IP address we get a range of IP addresses; in fact we got the whole 4.4.4.0/24 subnet.

Besides our computer 192.168.1.1 there are 10 other computers that need Internet access. What's going to happen now? We now have a pool of IP addresses from the ISP that we can translate into.
Let's discuss an example:

1. The computer with 192.168.1.1 is visiting a server on the Internet; our NAT router will translate this IP address to the first IP address from the pool, 4.4.4.1.
2. The next computer with 192.168.1.2 is now visiting a server on the Internet; our NAT router will translate this IP address to the second IP address from the pool, 4.4.4.2.
3. The third computer with 192.168.1.3 is also visiting something on the Internet; the NAT router will translate this IP address to the third IP address from the pool, 4.4.4.3.
4. Etc.

This is what we call dynamic NAT.
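The static and dynamic NAT behaviour described above, as an added example that is not part of the original article and is not Cisco IOS code: a small Python simulator of a 1:1 translation table. Static NAT is modelled as a pool containing a single public address; dynamic NAT uses a pool of ten addresses (an assumption chosen so that the eleventh computer shows what happens when the pool runs out, which the article does not cover). The inside prefix check stands in for the access-list that selects which LAN hosts are translated.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Only the two fields NAT looks at: source and destination IP."""
    src: str
    dst: str


class PoolExhausted(Exception):
    """Raised when every public address in the dynamic pool is already in use."""


class DynamicNat:
    """1:1 NAT with a pool of public addresses (static NAT is a pool of one)."""

    def __init__(self, pool, inside_prefix="192.168.1."):
        self.free = list(pool)              # public addresses not yet handed out
        self.inside_prefix = inside_prefix  # stands in for the access-list
        self.table = {}                     # inside IP  -> public IP
        self.reverse = {}                   # public IP  -> inside IP

    def matches_acl(self, ip):
        return ip.startswith(self.inside_prefix)

    def outbound(self, pkt):
        """Rewrite the source of a packet leaving the LAN towards the Internet."""
        if not self.matches_acl(pkt.src):
            return pkt  # not selected by the access-list: forwarded untouched
        if pkt.src not in self.table:
            if not self.free:
                raise PoolExhausted(pkt.src)
            public = self.free.pop(0)       # first free address from the pool
            self.table[pkt.src] = public
            self.reverse[public] = pkt.src
        return Packet(src=self.table[pkt.src], dst=pkt.dst)

    def inbound(self, pkt):
        """Rewrite the destination of a reply from the Internet.

        Returns None when no translation exists for the public address, i.e.
        the router has nothing to map the packet back to."""
        inside = self.reverse.get(pkt.dst)
        if inside is None:
            return None
        return Packet(src=pkt.src, dst=inside)


def static_nat_demo():
    """Static NAT from the article: 192.168.1.1 <-> 4.4.4.4, server 1.2.3.4."""
    nat = DynamicNat(pool=["4.4.4.4"])
    out = nat.outbound(Packet("192.168.1.1", "1.2.3.4"))   # src becomes 4.4.4.4
    back = nat.inbound(Packet("1.2.3.4", out.src))          # dst back to 192.168.1.1
    return out, back


def dynamic_nat_demo(hosts):
    """Dynamic NAT with a constructed pool of 4.4.4.1 .. 4.4.4.10.

    Returns {inside IP: public IP}, with None for hosts that found the pool empty."""
    nat = DynamicNat(pool=[f"4.4.4.{i}" for i in range(1, 11)])
    results = {}
    for h in hosts:
        try:
            results[h] = nat.outbound(Packet(h, "1.2.3.4")).src
        except PoolExhausted:
            results[h] = None
    return results


if __name__ == "__main__":
    print(static_nat_demo())
    print(dynamic_nat_demo([f"192.168.1.{i}" for i in range(1, 12)]))
```

A host that already has an entry keeps reusing it, and a host outside the access-list is forwarded without translation; in real routers dynamic entries also time out, which the simulator omits.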
Now maybe I've got you puzzled: you probably have more than one device on your LAN accessing the Internet, but you only got a single IP address from your ISP. How can this work?

This is where we introduce PAT, or Port Address Translation. NAT only gives us a 1:1 relationship between two IP addresses. If we have multiple computers on our LAN and only a single IP address from our ISP, we need to translate port numbers as well. This way we can have multiple computers behind a single public IP address from the ISP. Let's take a look at an example:

Look at the network above: we have two computers on our LAN with IP addresses 192.168.1.1 and 192.168.1.2. Our router is configured for NAT, and the following situation is happening:
1. Computer with IP address 192.168.1.1 is going to connect to the server.
2. Our NAT router will translate 192.168.1.1 to 4.4.4.4.
3. Our other computer with IP address 192.168.1.2 is also connecting to the server.
4. Our NAT router now has a problem, since 192.168.1.1 is already translated to 4.4.4.4. You can't translate two inside IP addresses to the same public IP address.
This is where PAT kicks in, with PAT this is what will happen:
1. Computer with IP address 192.168.1.1 is going to connect to the server.
2. Our NAT router will translate 192.168.1.1 to 4.4.4.4 but will also keep track of the source and destination port!
3. Our other computer with IP address 192.168.1.2 is also connecting to the server.
4. Since our NAT router also does PAT it will translate 192.168.1.2 to 4.4.4.4 as well and use another source port number.
And that's how you can have multiple computers on your LAN and let all of them access the Internet behind a single public IP address from your ISP.
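The two numbered lists above, as an added example that is not part of the original article and is not Cisco IOS code: a Python simulator that first shows a plain 1:1 NAT router refusing to translate a second inside host to the same public address, then shows PAT keeping the (inside IP, inside port, destination) tuple in its table so that both hosts can share 4.4.4.4 and replies can be sent back to the right computer. Port numbers 50000 and 80 are constructed sample values; the rule that PAT keeps the original source port when it is free and otherwise picks the next free one is a simplification of what real routers do.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The fields NAT/PAT looks at: addresses plus transport-layer ports."""
    src: str
    sport: int
    dst: str
    dport: int


class TranslationConflict(Exception):
    """Raised when a second inside host would be mapped to an address already in use."""


class NatOnly:
    """Plain 1:1 NAT with a single public address: addresses only, no ports."""

    def __init__(self, public):
        self.public = public
        self.inside = None          # the one inside host the address is bound to

    def outbound(self, pkt):
        if self.inside is None:
            self.inside = pkt.src
        if pkt.src != self.inside:
            raise TranslationConflict(f"{self.public} already used by {self.inside}")
        return Packet(self.public, pkt.sport, pkt.dst, pkt.dport)


class Pat:
    """Port Address Translation: many inside hosts behind one public address."""

    def __init__(self, public):
        self.public = public
        self.table = {}    # (inside IP, inside port, dst IP, dst port) -> public port
        self.reverse = {}  # public port -> (inside IP, inside port)

    def _free_port(self, wanted):
        # Keep the original source port when nobody else holds it; otherwise
        # walk upwards to the next unused port (simplified allocation).
        port = wanted
        while port in self.reverse:
            port += 1
            if port > 65535:
                raise TranslationConflict("no free public port")
        return port

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.table:
            port = self._free_port(pkt.sport)
            self.table[key] = port
            self.reverse[port] = (pkt.src, pkt.sport)
        return Packet(self.public, self.table[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Map a reply back using the public port; None when no entry exists."""
        entry = self.reverse.get(pkt.dport)
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port)


def pat_demo():
    """Run both scenarios from the article and return the observed packets."""
    results = {}

    # Scenario 1: address-only NAT, second host collides with the first.
    nat = NatOnly("4.4.4.4")
    nat.outbound(Packet("192.168.1.1", 50000, "1.2.3.4", 80))
    try:
        nat.outbound(Packet("192.168.1.2", 50000, "1.2.3.4", 80))
        results["nat_only_conflict"] = False
    except TranslationConflict:
        results["nat_only_conflict"] = True

    # Scenario 2: PAT, both hosts share 4.4.4.4 and differ by source port.
    pat = Pat("4.4.4.4")
    results["host1_out"] = pat.outbound(Packet("192.168.1.1", 50000, "1.2.3.4", 80))
    results["host2_out"] = pat.outbound(Packet("192.168.1.2", 50000, "1.2.3.4", 80))
    reply = Packet("1.2.3.4", 80, "4.4.4.4", results["host2_out"].sport)
    results["reply_to_host2"] = pat.inbound(reply)
    # A packet to a public port with no table entry has nowhere to go.
    results["unmatched"] = pat.inbound(Packet("1.2.3.4", 80, "4.4.4.4", 60000))
    return results


if __name__ == "__main__":
    for name, value in pat_demo().items():
        print(f"{name}: {value}")
```

The reply from the server carries only 4.4.4.4 and the public port, so the port is the sole piece of information the router has to pick the right inside computer; that is why the table must be keyed on ports and not just addresses.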
The server thinks it's only talking to 4.4.4.4, so it has no idea there is a computer with IP address 192.168.1.1 or 192.168.1.2. Does this mean NAT or PAT is a security protocol? This is a big debate, but in my opinion it's no security mechanism. Not seeing the true hosts on your LAN doesn't mean you are unable to connect to them. As soon as your router is doing network and/or port address translation, those hosts are reachable. Security is something you implement by using access-lists, firewalls, intrusion prevention systems and security policies.
Since NAT and/or PAT change the IP packet, there are some applications that don't work too well with this translation of IP addresses and ports; IPsec is an example. FTP is also troublesome behind a NAT router.
That's everything I wanted to share about NAT/PAT for now. I hope this is useful to you! In another article we'll take a look at the configuration of NAT/PAT on some Cisco IOS routers.
