How to Configure Port Address Translation (PAT)

Port Address Translation (PAT) is also known as NAT overload. PAT conserves addresses in the inside global address pool: it allows the router to use one inside global address for several inside local addresses at the same time.

We can use a single public IPv4 address for hundreds, even thousands, of internal private IPv4 addresses. A router configured with PAT keeps information from higher-level protocols, such as TCP or UDP port numbers, so that it can translate the inside global address back to the correct inside local address even though many inside local addresses map to one inside global address. This works because each inside host's connection is identified by its own TCP or UDP port number.

There are 65,536 port numbers that we can bind to inside local addresses, so theoretically we can translate 65,536 inside local addresses per global IP address.

In practice this is too demanding for the router and not achievable; a single IP address can serve around 4,000 internal addresses. We can configure PAT in two ways: with a single public IPv4 address or with a pool of public IPv4 addresses.

Configuring Port Address Translation for a Pool of Public IP Addresses

To configure Port Address Translation (PAT) on a Cisco router, first create a NAT pool with a range of public IP addresses allotted by the internet service provider.

After pool configuration, you must create a standard access list to identify and permit the group of private inside IP addresses allowed for NAT translation.

After creating the pool of global IP addresses and the access list that identifies the traffic, you must configure NAT using the "ip nat" command.

Finally, you must specify which interface is inside and which is outside. The only difference between configuring dynamic NAT and PAT is the keyword "overload" at the end of the ip nat inside source command.

Example Configuration

The example configuration shown in the figure below establishes overload translation for the NAT pool named Global_pool. The pool contains the same addresses used in the previous lesson, from 202.128.54.3 to 202.128.54.14. Hosts in the 192.168.10.0/24 and 192.168.11.0/24 networks are to be translated.

The sub-interface S0/0/0.101 is the outside interface, and g0/0 and g0/1 are the inside interfaces. Router R2 is the PAT router. We are using the same topology as in the previous lesson, "Dynamic NAT Configuration."

[Figure: Port Address Translation (PAT) topology]

Now look at the commands executed on R2 for the NAT overload configuration.

R2(config)#ip nat pool Global_pool 202.128.54.3 202.128.54.14 netmask 255.255.255.240
R2(config)#access-list 1 permit 192.168.10.0 0.0.0.255
R2(config)#ip nat inside source list 1 pool Global_pool overload
R2(config)#interface gigabitEthernet 0/0
R2(config-if)#ip nat inside
R2(config-if)#exit
R2(config)#interface serial 0/0/0.101
R2(config-subif)#ip nat outside

After the above configuration, the network 192.168.10.0/24 can access the internet, but the network 192.168.11.0/24 still cannot. The network 192.168.11.0/24 still requires the following configuration:

R2(config)#access-list 1 permit 192.168.11.0 0.0.0.255
! g0/1 is the inside interface that connects 192.168.11.0/24 (see the topology above)
R2(config)#interface gigabitEthernet 0/1
R2(config-if)#ip nat inside

Now the network 192.168.11.0/24 can access the internet. The outside NAT interface was already configured for 192.168.10.0/24 and is shared by both networks, so only the ACL permit entry and the "ip nat inside" interface had to be added.

Configuring Port Address Translation for a Single Public IPv4 Address

If only one public IPv4 address is available, the overload configuration typically assigns that public address to the outside interface connecting to the ISP. When leaving the outside interface, all inside addresses are translated to this single IPv4 address. The steps to configure PAT with a single IPv4 address are as follows:

Define an ACL to permit the traffic to be translated.

Configure source translation using the interface and overload keywords. The interface keyword defines which interface IP address to use when translating inside addresses. The overload keyword instructs the router to track port numbers with each NAT entry.

Identify which interfaces are inside and which are outside in relation to NAT. The inside interface is any interface that connects to the inside network, and the outside interface is an interface connected to the outside network.

The configuration is similar to dynamic NAT, except that the interface keyword identifies the outside IPv4 address instead of a pool of addresses; therefore, no NAT pool is defined. Now look at the configuration below on R2 for a single IPv4 address on the same topology. The commands for the PAT single-IP configuration are the following:

R2(config)#access-list 1 permit 192.168.10.0 0.0.0.255
R2(config)#ip nat inside source list 1 interface serial 0/0/0.101 overload
R2(config)#interface gigabitEthernet 0/0
R2(config-if)#ip nat inside
R2(config-if)#exit
R2(config)#interface serial 0/0/0.101
R2(config-subif)#ip nat outside

The configuration for network 192.168.11.0/24 is as follows:

R2(config)#access-list 1 permit 192.168.11.0 0.0.0.255
! g0/1 is the inside interface that connects 192.168.11.0/24 (see the topology above)
R2(config)#interface gigabitEthernet 0/1
R2(config-if)#ip nat inside

Analyzing Port Address Translation

The process of NAT overload is the same as the NAT process, except that there is only one address available for translation. In the single-public-address example configured above, PC1 wants to communicate with the web server, and so does Laptop0. Both PC1 and Laptop0 are configured with private IPv4 addresses, and R2 is enabled for PAT.

PC to Server Process

The figure below illustrates PC1 and Laptop0 sending packets to the web server simultaneously. PC1 has the source IPv4 address 192.168.11.100 and uses TCP source port 1025. Laptop0 has the source IPv4 address 192.168.10.101 and is also assigned the source port 1025.

The packet from PC1 reaches R2 first. Using PAT, R2 translates the source IPv4 address to the inside global address 202.128.54.1. Since no other entry in the NAT table uses port 1025, PAT keeps the same port number. The packet is then forwarded to the web server at 201.128.35.2.

PAT is configured to use a single inside global IPv4 address for all translations, so when the packet from Laptop0 arrives at R2, PAT translates Laptop0's source IPv4 address to the same inside global address, 202.128.54.1.

However, Laptop0's source port number is the same as that of an existing PAT entry, the translation for PC1. PAT increases the source port number until it is unique in its table; in this example, the source port entry in the NAT table becomes 1026.

Both hosts use the same translated address, the inside global address 202.128.54.1, and the same original source port 1025; R2 changes the port number for Laptop0 to 1026. This becomes evident in the packets sent from the server back to the clients.

Server-to-PC Process

The server uses the source port of the received packet as the destination port and the source address as the destination address for the return traffic. The server appears to be communicating with a single host at 202.128.54.1, but this is not the case.

When R2 receives a return packet on interface serial 0/0/0.101, it looks up its NAT table for the unique entry matching the packet's destination address and port.

Multiple entries exist for the destination IPv4 address 202.128.54.1, but only one has the destination port 1025. R2 matches that entry and changes the packet's destination IPv4 address to 192.168.11.100; the destination port needs no change. The packet is then forwarded to PC1.

When a packet with destination port 1026 arrives at R2, R2 performs a similar translation. The destination IPv4 address 202.128.54.1 again matches multiple entries, but R2 uses the destination port 1026 to uniquely identify the translation entry. The destination IPv4 address is translated to 192.168.10.101, and the packet is forwarded to Laptop0.
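The behaviour described in this section, together with the port limit discussed at the start of the page and the ACL/pool/interface choices in the two configurations, can be modelled in a few lines. The following is an added example written for this page, not code from the original tutorial or from Cisco IOS: a small PAT (NAT overload) router model that applies a standard ACL with wildcard masks, maps every permitted flow to one inside global address (the interface address, or the first pool address with a free port), keeps the original source port when it is unused and otherwise increases it until unique, and matches return traffic on destination address plus port. The addresses, ports and host names are the tutorial's; the class, function names and the `max_port` knob (used only to make port exhaustion visible quickly) are this example's own.

```python
import ipaddress
from dataclasses import dataclass, field


def acl_permits(acl, address):
    """Standard ACL check. Each entry is (network, wildcard); a wildcard bit of 0
    means the address bit must match, 1 means it is ignored (the inverse of a
    subnet mask, e.g. 0.0.0.255 matches a /24). An unmatched address hits the
    implicit deny at the end of every Cisco ACL."""
    addr = int(ipaddress.IPv4Address(address))
    for network, wildcard in acl:
        net = int(ipaddress.IPv4Address(network))
        mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
        if addr & mask == net & mask:
            return True
    return False


@dataclass
class PatRouter:
    """Model of 'ip nat inside source list <acl> {pool <name> | interface <if>} overload'.
    global_addrs holds the pool addresses, or a single-element list for the
    interface form. max_port is an example-only setting (IOS uses up to 65535)."""
    acl: list
    global_addrs: list
    table: dict = field(default_factory=dict)    # (global_ip, global_port) -> (local_ip, local_port)
    reverse: dict = field(default_factory=dict)  # (local_ip, local_port) -> (global_ip, global_port)
    max_port: int = 65535

    def outbound(self, src_ip, src_port):
        """Inside -> outside. Returns (global_ip, global_port), or None when the
        ACL denies the host or every global address has run out of ports."""
        if not acl_permits(self.acl, src_ip):
            return None
        key = (src_ip, src_port)
        if key in self.reverse:            # existing flow: reuse its entry
            return self.reverse[key]
        for gaddr in self.global_addrs:
            port = src_port                # keep the original port if it is free...
            while port <= self.max_port and (gaddr, port) in self.table:
                port += 1                  # ...otherwise increase until unique
            if port > self.max_port:
                continue                   # this global address is exhausted, try the next
            self.table[(gaddr, port)] = key
            self.reverse[key] = (gaddr, port)
            return gaddr, port
        return None

    def inbound(self, dst_ip, dst_port):
        """Outside -> inside: the destination address + port select the unique entry."""
        return self.table.get((dst_ip, dst_port))


def walkthrough():
    """Replay the single-address example: PC1 (192.168.11.100) and Laptop0
    (192.168.10.101) both use source port 1025 towards the web server."""
    r2 = PatRouter(acl=[("192.168.10.0", "0.0.0.255"), ("192.168.11.0", "0.0.0.255")],
                   global_addrs=["202.128.54.1"])        # interface serial 0/0/0.101
    pc1 = r2.outbound("192.168.11.100", 1025)           # port 1025 is free: kept
    laptop0 = r2.outbound("192.168.10.101", 1025)       # 1025 taken: becomes 1026
    back_pc1 = r2.inbound("202.128.54.1", 1025)         # return traffic for PC1
    back_laptop0 = r2.inbound("202.128.54.1", 1026)     # return traffic for Laptop0
    denied = r2.outbound("192.168.12.5", 1025)          # not permitted by ACL 1
    return pc1, laptop0, back_pc1, back_laptop0, denied


def exhaustion_demo():
    """Pool form with two addresses and an artificially tiny port range so the
    rollover to the next pool address, and the final failure, are visible.
    Hosts 192.168.10.1-5 are constructed sample clients."""
    r2 = PatRouter(acl=[("192.168.10.0", "0.0.0.255")],
                   global_addrs=["202.128.54.3", "202.128.54.4"], max_port=1026)
    return [r2.outbound("192.168.10.%d" % h, 1025) for h in range(1, 6)]


if __name__ == "__main__":
    for label, result in zip(("PC1", "Laptop0", "back PC1", "back Laptop0", "denied"), walkthrough()):
        print(label, result)
    print("pool exhaustion:", exhaustion_demo())
```

The model deliberately has no idle timeout, so entries never age out; a real router reclaims unused translations after the NAT timeout, which is why the practical per-address limit mentioned earlier is reached only under sustained load.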

Verifying Port Address Translation

We can use the commands discussed in the "Static NAT Configuration" and "Dynamic NAT Configuration" lessons to verify PAT. The figure below illustrates the output of the show ip nat translations command, which displays the translations from two different hosts to a single web server.

We can also use the show ip nat statistics command to see the number of active translations and which addresses the NAT pool (or the outside interface) has allocated. The show running-config command is another way to check the PAT configuration.