
Introduction To NAT and PAT


9/8/2020 Introduction to NAT and PAT


Without network address translation (NAT) or port address translation (PAT) you
probably wouldn’t be able to access the Internet from your computer, or at least you’d be
the only one in the house having Internet access. In this lesson I want to give you an
explanation of why and how we use NAT/PAT for Internet access.

Let’s start with a topology:

On the left side we have a computer on our LAN with the IP address 192.168.1.1
connected to a router. From our ISP we got the IP address 4.4.4.4 and there’s a server on
the Internet using IP address 1.2.3.4. If our computer sends something to the server, what
would be the source and destination IP address of the IP packet it will send?

The source IP address will be our computer and the destination IP address will be the
server as you can see in the IP packet in the picture above.

https://networklessons.com/cisco/ccnp-encor-350-401/introduction-to-nat-and-pat 1/5

Once our server responds it will create an IP packet specifying the computer’s IP address
as the destination and the source IP address will be its own IP address.

Is there anything wrong with this example? No, it’s perfectly fine except for one detail…
the IP address of the computer and the IP address on the router are private IP
addresses. Private IP addresses are meant for our LANs and public IP addresses are for
the Internet.

This time we are going to configure NAT (Network Address Translation) and see what the
difference is…

Same story, our computer is going to send something to the server but now our router
has been configured for NAT. The NAT router has been configured so IP address
192.168.1.1 has to be translated to IP address 4.4.4.4. Here’s what happens. Our NAT
router will rewrite the source IP address from 192.168.1.1 to 4.4.4.4 as you can see in the
IP packet above.

The server thinks it’s talking to IP address 4.4.4.4 which is why you see this IP address as
the destination in the IP packet it’s sending.

Once this IP packet reaches the router it will look again at its NAT table and translate the
IP address 4.4.4.4 back into 192.168.1.1 and send it towards the computer.

The example I just showed you is called static NAT. There is a 1:1 relationship between
the IP address of our computer on the LAN and the IP address we got from our ISP. So
what are we going to do if we have more computers on our LAN? We can use something
called dynamic NAT.

Dynamic NAT is different compared to static NAT because:

- You can use a pool of IP addresses to translate into.
- You can use an access-list to match the hosts on your LAN which should be
  translated.


To give you an example, in our static NAT picture we used the 4.4.4.4 IP address from the
ISP to translate. Our ISP is very generous and instead of giving us a single IP address we
get a range of IP addresses, in fact we got the whole 4.4.4.0/24 subnet.

Besides our computer 192.168.1.1 there are 10 other computers that need Internet
access. What’s going to happen now? We now have a pool of IP addresses from the ISP
we can use to translate into.

Let’s discuss an example:

1. The computer with 192.168.1.1 is visiting a server on the Internet, our NAT router
will translate this IP address to the first IP address from the pool, 4.4.4.1.
2. The next computer with 192.168.1.2 is now visiting a server on the Internet, our
NAT router will translate this IP address to the second IP address from the pool,
4.4.4.2.
3. The third computer with 192.168.1.3 is also visiting something on the Internet, the
NAT router will translate this IP address to the third IP address from the pool,
4.4.4.3.
4. Etc.

This is what we call dynamic NAT.

Now maybe I got you puzzled…you probably have more than one device on your LAN
accessing the Internet but you only got a single IP address from your ISP. How can this
work?

This is where we introduce PAT or Port Address Translation. NAT only gives us a 1:1
relationship between two IP addresses. If we have multiple computers on our LAN and
only a single IP address from our ISP we need to translate port numbers as well. This
way we can have multiple computers behind a single public IP address from the ISP. Let’s
take a look at an example:

Look at the network above, we have two computers on our LAN with IP address
192.168.1.1 and 192.168.1.2. Our router is configured for NAT.

The following situation is happening:

1. Computer with IP address 192.168.1.1 is going to connect to the server.
2. Our NAT router will translate 192.168.1.1 to 4.4.4.4.
3. Our other computer with IP address 192.168.1.2 is also connecting to the server.
4. Our NAT router now has a problem since 192.168.1.1 is already translated to
4.4.4.4. You can’t have two IP addresses translated to the same IP address.

This is where PAT kicks in, with PAT this is what will happen:

1. Computer with IP address 192.168.1.1 is going to connect to the server.
2. Our NAT router will translate 192.168.1.1 to 4.4.4.4 but will also keep track of the
source and destination port!
3. Our other computer with IP address 192.168.1.2 is also connecting to the server.
4. Since our NAT router also does PAT it will translate 192.168.1.2 to 4.4.4.4 as well
and use another source port number.

And that’s how you can have multiple computers on your LAN and make all of them
access the Internet behind a single public IP address from your ISP.
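
The PAT behaviour described above, as an added example in Python (not code from the lesson or from Cisco IOS): a small translation table that maps each inside address and port to a port on 4.4.4.4, keeps the host's own source port when it is free (as a forum reply further down this page notes), and picks another only on a collision. The class and function names, the fallback range starting at 1024, and the omission of protocol and entry timeouts are assumptions made for illustration.

```python
from typing import NamedTuple, Optional

PUBLIC_IP = "4.4.4.4"  # the single address from the ISP, as in the lesson


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """Hypothetical model of a PAT table; real routers also key on protocol
    and age entries out after a timeout."""

    def __init__(self, public_ip: str = PUBLIC_IP, first_free_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_free_port  # assumed start of the fallback range
        self.out = {}   # (inside ip, inside port) -> public port
        self.back = {}  # public port -> (inside ip, inside port)

    def _allocate(self, wanted: int) -> int:
        # Keep the host's own source port when it is free on the public side.
        if wanted not in self.back:
            return wanted
        while self.next_port in self.back:
            self.next_port += 1
        return self.next_port

    def outbound(self, pkt: Flow) -> Flow:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out:
            port = self._allocate(pkt.src_port)
            self.out[key] = port
            self.back[port] = key
        return pkt._replace(src_ip=self.public_ip, src_port=self.out[key])

    def inbound(self, pkt: Flow) -> Optional[Flow]:
        # Replies arrive for the public IP; the destination port picks the host.
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.back:
            return None  # no translation entry, so there is no host to forward to
        ip, port = self.back[pkt.dst_port]
        return pkt._replace(dst_ip=ip, dst_port=port)


def demo():
    r = PatRouter()
    a = r.outbound(Flow("192.168.1.1", 50000, "1.2.3.4", 80))
    b = r.outbound(Flow("192.168.1.2", 50000, "1.2.3.4", 80))  # same source port
    reply_b = r.inbound(Flow("1.2.3.4", 80, b.src_ip, b.src_port))
    return a, b, reply_b
```

Both hosts leave as 4.4.4.4, and only the second host's port is rewritten because its chosen port was already taken on the public side.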

The server thinks it’s only talking to 4.4.4.4 so it has no idea there is a computer with IP
address 192.168.1.1 or 192.168.1.2. Does this mean NAT or PAT is a security protocol?
This is a big debate but in my opinion it’s no security mechanism. Not seeing the true
hosts at your LAN doesn’t mean you are unable to connect. As soon as your router is
doing network and/or port address translation those hosts are reachable. Security is
something you implement by using access-lists, firewalls, intrusion prevention systems
and security policies.

Since NAT and/or PAT are changing the IP packet, there are some applications that don’t
work too well with this translation of IP addresses and ports. IPsec is an example. FTP is
also troublesome behind a NAT router.

That’s everything I wanted to share about NAT/PAT for now. I hope this is useful to you!
In another lesson we’ll take a look at the configuration of NAT/PAT on some Cisco IOS
routers.


Forum Replies

ReneMolenaar

Hi William,

You can’t simulate NAT traffic on the local router. If you want to see some NAT translations, you’ll have to send some traffic through your router. When I
have to test something like this I like to use another router or switch as the “host” device. Some quick pings are enough to test NAT.

Rene

ReneMolenaar

Hi Rakesh,

PAT means port address translation, this doesn’t mean that the source port is always changed though. Take a look at this example:

How to configure PAT on Cisco IOS Router

Look for the show ip nat translations command in that lesson. You can see the source ports remain the same, the router will only change these if two
hosts happen to pick the same source port number.

CGNAT stands for Carrier Grade NAT. Some ISPs don’t give their customers public IP addresses anymore but private IP addresses. The ISP will use
NAT/PAT to put many customers behind a single public IP address.

Rene


ReneMolenaar

Hi Pavan,

In most NAT/PAT examples, we only translate the source IP address.

With bi-directional NAT, you can translate both the source and destination IP address at the same time.

Rene

lagapides

Hello Juan

The rule is that RFC1918 IP addresses are not reachable or routable on the internet. That is a rule that ISPs are responsible for adhering to and
implementing. There is no technological inability to route these addresses, but by definition, everyone is required to adhere to it and that is why you
cannot do it. But even if an ISP does accept them, when they try to hand them off to other networks, the routers on the Internet at large are configured to
drop any such traffic.

Cisco’s OCGs mention this because it is expected that all Internet network

... Continue reading in our forum

castrojuanj

Yes, it was as I suspected, that is a rule but not a technological inability.

Thanks for your reply.


© 2013 - 2020 NetworkLessons.com