Port Address Translation (PAT) Configuration

Port Address Translation (PAT) is also known as NAT overload. Port Address Translation preserve addresses in the inside global address pool. Port Address Translation (PAT) allows the router to use one inside global address for many inside local addresses simultaneously.

We can use a single public IPv4 address for hundreds, even thousands of internal private IPv4 addresses. Router with PAT configuration maintains information from higher-level protocols, such as TCP or UDP port numbers, for example, translate of the inside global address back into the accurate inside local address while multiple inside local addresses maps to one inside global address. This possible due to correct TCP or UDP port numbers of each inside host

There are a total of 65536 port numbers that we can bind with inside local addresses. So, theoretically, we can translate 65,536 inside local addresses per one global IP address. But practically this is too difficult for the router and is not possible. Practically, the number of internal addresses that can be assigned a single IP address is around 4,000. We can configure the PAT using two ways: for single public IPv4 address and multiple IPv4 addresses.

Configuring PAT for a Pool of Public IP Addresses

To configure Port Address Translation (PAT) on a Cisco router first create a NAT pool, with a range of public IP addresses allotted from the internet service provider.

After pool configuration, you need to create a standard access list to identify and permit the group of private inside IP addresses, which are allowed for NAT translation.

After creating a pool of global IP addresses and an IP access list to identify the traffic, you must configure NAT using “ip nat” command.

Finally, you must specify which is inside the interface and which is the outside interface. The main difference between configuring Dynamic NAT and Port Address Translation (PAT) is the use of keyword “overload”.

Example Configuration

The example configuration displays in the figure below establish overload translation for the NAT pool named Global_pool. The pool contains the same addresses used in the previous lesson from 202.128.54.3 to 202.128.54.14. Hosts in the 192.168.10.0/24 and 192.168.11.0/24 network are needed to translate. The sub-interface S0/0/0.101 is outside interface and g0/0 and g0/1 as an inside interface. The router R2 is the PAT router. We are using the same topology used in the previous lesson “Dynamic NAT Configuration”.

Port Address Translation (PAT) Configuration 4

Now lookit, the commands executed on R2 for NAT overload configuration on router R2.

R2(config)#ip nat pool Global_pool 202.128.54.3 202.128.54.14 netmask 255.255.255.240

R2(config)#access-list 1 permit 192.168.10.0 0.0.0.255

R2(config)#ip nat inside source list 1 pool Global_pool overload

R2(config)#interface gigabitEthernet 0/0

R2(config-if)#ip nat inside

R2(config-if)#exit

R2(config)#interface serial 0/0/0.101

R2(config-subif)#ip nat outside

After the above configuration, the network 192.168.10.0/24 can access the internet but network 192.168.11.0/24 is still can’t access the internet. The network 192.168.11.0 is still required configuration:

R2(config)#access-list 1 permit 192.168.11.0 0.0.0.255

R2(config)#interface gigabitEthernet 0/0

R2(config-if)#ip nat inside

Now the network 192.168.11.0 can access the internet. The outside NAT interface is already configured for network 192.168.10.0/24, it will use the same interface for outside. We have just configured the “ACL permission” and “ip nat inside” interface.

Configuring PAT for a Single Public IPv4 Address

If only a single public IPv4 address is available, the overload configuration typically assigns the public address to the outside interface that connects to the ISP. All inside addresses are translated to the single IPv4 address when leaving the outside interface. The steps to follow to configure PAT with a single IPv4 address are following

Define an ACL to permit the traffic to be translated.

Configure source translation using the interface and overload keywords. The interface keyword defines which interface IP address to use when translating inside addresses. The overload keyword instructs the router to track port numbers with each NAT entry.

Identify which interfaces are inside and which interface is outside in relation to NAT. The inside interface is any interface that connects to the inside network and the outside interface is an interface connected to the outside network.

The configuration is alike to dynamic NAT, except that instead of a pool of addresses, the interface keyword is used to identify the outside IPv4 address. Therefore, no NAT pool is defined. Now lookit, the below configuration on R2 for single IPv4 address on the same topology. The commands for PAT-single IP configuration is following:

R2(config)#access-list 1 permit 192.168.10.0 0.0.0.255

R2(config)#ip nat inside source list 1 interface serial 0/0/0.101 overload

R2(config)#interface gigabitEthernet 0/0

R2(config-if)#ip nat inside

R2(config-if)#exit

R2(config)#interface serial 0/0/0.101

R2(config-subif)#ip nat outside

Configuration for network 192.168.11.0 is as under:

R2(config)#access-list 1 permit 192.168.10.0 0.0.0.255

R2(config)#interface gigabitEthernet 0/0

R2(config-if)#ip nat inside

Port Address Translation (PAT) Configuration 4

Analyzing PAT

The process of NAT overload is similar to the process of NAT except there is the only single address for translation. Analyzing the above-configured example using a single public IPv4 address, PC1 wants to communicate with the webserver, meanwhile, the Laptop0 also want to communicate with the webserver. Both PC1 and PC2 are configured with private IPv4 addresses, with R2 enabled for PAT.

PC to Server Process

The figure below illustrates both PC1 and Laptop0 sending packets to the web server simultaneously. PC1 has the source IPv4 address 192.168.11.100 and is using TCP source port 1025. Laptop0 has the source IPv4 address 192.168.10.101 and is also assigned the source port of 1025.

The packet from PC1 reaches R2 first. Using PAT, R2 translate the source IPv4 address to 202.128.54.1 inside global address. There are no other devices in the NAT table using port 1025, so PAT maintains the same port number. The packet is then forwarded towards webserver at 201.128.35.2.

PAT is configured to use a single inside global IPv4 address for all translations, so when a packet from Laptop0 arrives on R2. Similar to PC1, PAT translates Laptop0 source IPv4 address to the inside global address 202.128.54.1.

But the Laptop has the same source port number as a current PAT entry, the translation for PC1. PAT increases the source port number until it becomes unique in its table. In this example, the source port entry in the NAT table is increased to 1025.

Both hosts use the same translated address, the inside global address of 202.128.54.1, and also use the same source port number of 1024; but the R2 process modifies the port number for Laptop0 to 1025. This will turn into evident with the packets sent from the servers back to the clients.

Server to PC Process

The servers use the source port from the received packet as the destination port and the source address as the destination address for the return traffic. The servers give the impression as if they are communicating with the same host at 202.128.35.1 but, this is not actual.

When the router receives the packet at the interface serial 0/0/0.101 on R2, the router lookup its NAT table for unique entry using the destination address including the destination port of each packet. There are multiple entries received from the server with the destination IPv4 address 202.128.54.1 but only one with the destination port 1025. R2 match the entry with NAT table and changes the destination IPv4 address of the packet to 192.168.11.101. There is no change required for the destination port. The packet is then forwarded to PC1.

When packet received with destination port 1026 to R2, R2 performs a similar translation. The destination IPv4 address of 202.128.54.1 is found, again with multiple entries. But, R2 use the destination port of 1026, to uniquely identify the translation entry. The destination IPv4 address is translated to 192.168.10.101.

Verifying PAT

We can use the same commands already discussed in “Static NAT Configuration and Dynamic NAT Configuration” for verification of Port Address Translation (PAT). The figure below illustrates the output of the show ip nat translations command. The figure displays the translations from two different hosts to a single web server.

Port Address Translation (PAT) Configuration 6

We can also use the show ip nat statistics command verifies that NAT-POOL2 has allocated a single address. Another command we can use the PAT configuration is show running-config command.