NAT vs PAT

NAT vs PAT

March 5, 2013 3 By Eric Shanks

I often hear Port Address Translation (PAT)referred to as Network Address Translation (NAT).  Its a pretty common to hear this and is really not a big deal because the two are similar and I know what is meant.  But to clear things up I decided to put together a quick post.

Network Address Translation

NAT is the process of “translating” an IP Address in a router or firewall.  This is most commonly done to present a private IP Address into a Public IP Address that is accessible on the Internet.  For instance, you may want to have your E-mail server have a public address so that it can route mail.

How does it work?

The router will have a mapping of the internal and external IP Address Mappings.  When any traffic from the inside interface travels over the outside interface, the router changes the source IP Address.  When the return traffic gets back to the router the destination address will be the outside IP Address and will then be “translated” back to the internal IP Address.

NAT1

 

One of the obvious limitations to this is that you have to have a  static IP Address on your servers, and you must have a NAT address for each one of them.  This doesn’t do you a whole lot of good if you’re trying to save on Public IP Addresses that you need to register.  In comes Port Address Translation.

 

Port Address Translation

PAT works in a very similar manner to the description of NAT above.  The difference being that all of the internal machines can share a single translation address.

When an inside machine sends traffic to the router, the router builds a table with the inside IP Address, the source port and then uses a translated address and a new port ID.  This way it can track where the traffic came from, so when the destination machine returns the traffic, the router knows where to send it.

PAT1

 

Dynamic NAT

Dynamic NAT uses a pool of Public IP Addresses for translation.  This allows you to “overcommit” your IP Addresses because you aren’t using all of them at the exact same time.  An very simplistic example might be having 5 PCs inside your network, and having only 3 Public Addresses available.

Here, each time one of the inside machines wanted to traverse the router, the router would look to see what Public IP Addresses are available and assign an unused one.

In the below example there are 2 machines on the inside of the network.  When they traverse the firewall, a translation is done and the firewall marks the 209.252.1.1 address as in use.  If the 192.1.1.2 machine needed to traverse the firewall as well during this time, only the other two IP Addresses in the NAT Pool could be used.

Obviously this could create an issue if have more traffic than your NAT Pool can handle, as well as causing issues because your servers keep changing their outside IP Addresses.  This might not be a good technique to use for a mail server.

DynamicNAT2

 

Some of the translation methods mentioned in this article may be used simultaneously.  It’s not uncommon for a company to use NAT for specific servers such as Email, Terminal Services Gateways etc, and PAT for their desktops.

Also, each of these methods has it’s own little purpose…until we’re on IPv6 that is.