NAT vs PAT
March 5, 2013
I often hear Port Address Translation (PAT) referred to as Network Address Translation (NAT). It's pretty common to hear this, and it is really not a big deal because the two are similar and I know what is meant. But to clear things up I decided to put together a quick post.
Network Address Translation
NAT is the process of “translating” an IP Address in a router or firewall. This is most commonly done to present a private IP Address as a Public IP Address that is reachable on the Internet. For instance, you may want your E-mail server to have a public address so that it can route mail.
How does it work?
The router keeps a mapping of internal to external IP Addresses. When traffic from the inside interface leaves over the outside interface, the router rewrites the source IP Address. When the return traffic arrives at the router, its destination address is the outside IP Address, which is then “translated” back to the internal IP Address.
One of the obvious limitations is that your servers must have static IP Addresses, and you must have a NAT address for each one of them. This doesn’t do you a whole lot of good if you’re trying to save on the Public IP Addresses you need to register. In comes Port Address Translation.
Port Address Translation
PAT works in a very similar manner to the description of NAT above. The difference being that all of the internal machines can share a single translation address.
When an inside machine sends traffic to the router, the router builds a table with the inside IP Address, the source port and then uses a translated address and a new port ID. This way it can track where the traffic came from, so when the destination machine returns the traffic, the router knows where to send it.
Dynamic NAT
Dynamic NAT uses a pool of Public IP Addresses for translation. This allows you to “overcommit” your IP Addresses because you aren’t using all of them at the exact same time. A very simple example might be having 5 PCs inside your network and only 3 Public Addresses available.
Here, each time one of the inside machines wanted to traverse the router, the router would look to see what Public IP Addresses are available and assign an unused one.
In the example below there are 2 machines on the inside of the network. When they traverse the firewall, a translation is done and the firewall marks the 209.252.1.1 address as in use. If the 192.1.1.2 machine also needed to traverse the firewall during this time, only the other two IP Addresses in the NAT Pool could be used.
Obviously this could create an issue if you have more traffic than your NAT Pool can handle, and it also causes issues because your servers keep changing their outside IP Addresses. This might not be a good technique to use for a mail server.
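As an added illustration (not code from the original post), here is a small Python model of the two tables described above: a PAT table that maps (inside IP, source port) to a fresh outside port so replies can be matched, and a dynamic NAT pool that hands out one public address per host and runs dry. Apart from 209.252.1.1 and 192.1.1.2, the addresses are made up for the example.

```python
from itertools import count

class PatTable:
    """PAT: all inside hosts share one translated address; the router keeps a
    table of (inside IP, source port) -> new outside port to match return traffic."""
    def __init__(self, outside_ip, first_port=1024):
        self.outside_ip = outside_ip
        self.forward = {}          # (inside_ip, inside_port) -> outside_port
        self.reverse = {}          # outside_port -> (inside_ip, inside_port)
        self.ports = count(first_port)

    def outbound(self, inside_ip, inside_port):
        """Translate an outgoing packet; allocate a new outside port on first sight."""
        key = (inside_ip, inside_port)
        if key not in self.forward:
            port = next(self.ports)
            self.forward[key] = port
            self.reverse[port] = key
        return self.outside_ip, self.forward[key]

    def inbound(self, outside_port):
        """Match a reply against the table; None means no translation exists, so drop it."""
        return self.reverse.get(outside_port)

class DynamicNat:
    """Dynamic NAT: a pool of public addresses, one handed to each active inside host."""
    def __init__(self, pool):
        self.free = list(pool)
        self.active = {}           # inside_ip -> public address currently assigned

    def outbound(self, inside_ip):
        """Return this host's public address, or None when the pool is exhausted."""
        if inside_ip not in self.active:
            if not self.free:
                return None
            self.active[inside_ip] = self.free.pop(0)
        return self.active[inside_ip]

    def release(self, inside_ip):
        """Translation timed out: the public address goes back into the pool."""
        self.free.append(self.active.pop(inside_ip))

def demo():
    pat = PatTable("209.252.1.1")
    a = pat.outbound("192.1.1.1", 40000)   # two hosts happen to pick the same source port
    b = pat.outbound("192.1.1.2", 40000)
    nat = DynamicNat(["209.252.1.1", "209.252.1.2", "209.252.1.3"])  # constructed pool
    assigned = [nat.outbound(f"192.1.1.{i}") for i in range(1, 6)]  # 5 PCs, 3 addresses
    return a, b, pat.inbound(b[1]), assigned
```

In `demo()` the two hosts using the same source port get distinct outside ports, and the fourth and fifth PCs get no translation at all until an earlier one is released.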
Some of the translation methods mentioned in this article may be used simultaneously. It’s not uncommon for a company to use NAT for specific servers such as Email, Terminal Services Gateways etc, and PAT for their desktops.
Also, each of these methods has its own little purpose…until we’re on IPv6, that is.
[…] The Edge appliance keeps track of all of the requests made and adds the source, destination and port information to a table. When return traffic comes back, it can match the response to the table and know how to send the traffic back. See the following post for more information: NAT vs. PAT […]
Thank you. Your diagram and explanation were very helpful.
Very helpful, thank you.