Log In

Join TechRepublic

FAQ

Go Pro!

ZDNet

SmartPlanet

TechRepublic

TechRepublic

IT Management Development IT Support Data Center Networks Security

Home

Blogs Downloads

Newsletters Q&A Discussions

Training Research Library

Search

All of TechRepublic

Publications

Library

3Comments

more +

Set up Port Address Translation (PAT) in the Cisco IOS

By David "Davis CCIE, MCSE+I, SCSA" May 14, 2002, 7:00am PDT Port Address Translation (PAT) is a special kind of Network Address Translation (NAT). It can provide an excellent solution for a company that has multiple systems that need to access the Internet but that has only a few public IP addresses. Let's take a look at the distinctions between NAT and PAT and see how they are typically used. Then, I'll show you how to configure PAT on a Cisco router. Understanding PAT and NAT Before discussing PAT, it will help to describe what NAT does in general. NAT was designed to be a solution to the lack of public IP addresses available on the Internet. The basic concept of NAT is that it allows inside/internal hosts to use the private address spaces (10/8, 172.16/12, and 192.168/16 networkssee RFC1918), go through the internal interface of a router running NAT, and then have the internal addresses translated to the router's public IP address on the external interface that connects to the Internet. If you dig into NAT a little deeper, you will discover that there are really three ways to configure it. From these configurations, you can perform a variety of functions. The three configurations are: PAT PAT is commonly known as NAT overload (or sometimes just overload). In this configuration, you have multiple clients on your inside network wanting to access an outside network (usually the Internet). You have few public IP addresses, many more than the number of clients, so you have to overload that real Internet IP address. In other words, you are mapping many inside clients to a single Internet IP address (many to one). For an illustration of PAT, see Figure A. Figure A

Pooled NAT Pooled NAT is similar to PAT except you have the luxury of having a one-to-one mapping of addresses. In other words, you have just as many inside network clients as you do outside network IP

addresses. You tell the NAT router the pool of IP addresses that are available, and each client receives its own IP addresses when it requests a NAT translation. The client does not get the same address each time it requests a translation; it merely gets the next available address from the pool. In my article "Set up NAT using the Cisco IOS," I explain how to configure Pooled NAT. For an illustration of Pooled NAT, see Figure B. Figure B

Static NAT Static NAT is the simplest form of NAT. The most likely example is a mail server on the inside of a private network. The private network connects to the public Internet. In between the two networks, a router performs NAT. For a dedicated server, like a mail server, you would want a static (not changing) IP address. This way, every time someone on the Internet sends e-mail to the mail server, that server has the same public IP address. For an illustration of Static NAT, see Figure C. Figure C

As I said, you can perform a variety of functions with these three configurations. For the purpose of this article, we will focus on configuring PAT. Configuring PAT To configure PAT/NAT correctly the first time, you need to understand the Cisco NAT terminology and how your IP networks/addresses map to each of the entities listed below:

Inside LocalThis is the local IP address of a private host on your network (e.g., a workstation's IP address). Inside GlobalThis is the public IP address that the outside network sees as the IP address of your local host. Outside LocalThis is the local IP address from the private network, which your local host sees as the IP address of the remote host. Outside GlobalThis is the public IP address of the remote host (e.g., the IP address of the remote Web server that a workstation is connecting to).

You'll configure your Cisco router using seven commands. Let's assume that your Internet service provider gave you a 30-bit network containing two public IP addresses. This configuration would allow one address for your router and one address for your internal clients and devices. The first command you'll execute will tell the router which public IP address you want to use for PAT: ip nat pool mypool 63.63.63.2 63.63.63.2 prefix 30 This command configures a pool (range) of IP addresses to use for your translation. In this case, we want only one address in our pool, which we will overload. We do this by assigning the same IP address (63.63.63.2) for the start and end of the pool. The next command will tell your router which IP addresses it is allowed to translate: access-list 1 permit 10.10.10.0 0.0.0.255 It's not a good idea to put permit any in the access list, even though you will occasionally see that as a recommendation in some sample configurations. The next command is: ip nat inside source list 1 pool mypool overload This command puts the pool definition and the access list together. In other words, it tells the router what will be translated to what. The overload keyword turns this into a PAT configuration. If you left out overload, you would be able to translate only one IP address at a time, so only one client could use the Internet at a time. Next, you need to tell PAT/NAT what interfaces are the inside network and what interfaces are the outside network. Here's an example: interface ethernet 0 ip nat inside interface serial 0 ip nat outside With these commands, your PAT configuration is finished. You have told the Cisco IOS you are translating your network A into a single IP address from network B, that network A is on the ethernet 0 interface and network B is on the serial 0 interface, and that you want to allow the inside network to overload the single IP address on the outside network. Finally, verify that NAT works. This can be as simple as doing a ping command from your inside local host to an outside global host. If the ping succeeds, chances are you have everything configured correctly. You can also use the following Cisco IOS commands to confirm and troubleshoot: show ip nat translations [verbose] show ip nat statistics With the translations command, you should see the translation that was created from your ping test. But watch out: The translations will disappear after their time-out expires. If you have configured overload, these time-outs are configurable by traffic type. Summary You should now understand the differences between PAT, Pooled NAT, and Static NAT, and you should be able to do a basic PAT configuration with the Cisco IOS. For more information, check out the links below. Additional resources TechRepublic: "Learn why NAT can cause VPN connection problems" TechRepublic: "Set up NAT using the Cisco IOS" TechRepublic: "Use NAT to connect your network to the Internet" Cisco: NAT Technical Tips Index Cisco: How NAT Works Cisco: Configuring Network Address Translation: Getting Started Cisco: Frequently Asked Questions about Cisco IOS NAT Cisco: IOS 12.2 Configuring Network Address Translation Cisco: IOS 12.2 Overloading an Inside Global Address (PAT) Cisco: IOS 12.2 IP Addressing Command Reference (including NAT commands) PCWebopedia: NAT Definition RFC1631: The IP Network Address Translator (NAT) RFC1918: Address Allocation for Private Internets Network Computing: Network Address Translation: Hiding in Plain Sight Verizon: How Network Address Translation Works Da Lan Tech: Network Address Translation for Beginners

3
Comments

Add Your Opinion

Join the conversation!

Follow via: RSS

Email Alert
Go to comment

Just In

Pooled Nat with PAT

jatin.kapoor@... 24th Apr 2008

i firmly believe that u should go with both pooled nat{dynamic nat} with PAT.Assign a pool of 14 public addresses for dynamic translation and keep the last one for PAT.So that if more than 14... Read Whole Comment +

Community Preferences

View: Expanded

Show: 50

0Votes +-

NAT
Ore' 4th May 2005

If I have 30 private IP addresses, and 15 public IP addresses, what is the best NAT configuration to deploy - would it be dynamic or PAT.

Reply

Favorite

PreviousNext PreviousNext 0Votes +-

Pooled Nat with PAT

jatin.kapoor@... 24th Apr 2008

i firmly believe that u should go with both pooled nat{dynamic nat} with PAT.Assign a pool of 14 public addresses for dynamic translation and keep the last one for PAT. So that if more than 14 concurrent users are logged in simultaneously , they can connect using Port mapping i.e PAT. hope this will be helpful for u.

Reply

Favorite

0Votes +-

RE: Set up Port Address Translation (PAT) in the Cisco IOS

meshack_baloyi@... 2nd Sep 2007

the information has helped me to grasp the basics of nat and basic configuration. thank you.

Reply

Favorite

Join the TechRepublic Community and join the conversation! Signing-up is free and quick, Do it now, we want to hear your opinion. JoinLogin Loading Talkback...

Keep Up with TechRepublic

Five Apps

Google in the Enterprise Subscribe Today Follow us however you choose!

Facebook Twitter

Linkedin Digg RSS Android iPhone

View All

Hot Discussions

Why Android tablets failed: A postmortem

238

Here's my ridiculous looking ahead to 2012 list

30

FOSS is the end of the world as we know it

120

The first 25 geek movies of 2012

24

Start a Discussion
View All

Hot Questions

That there should be no restrictions what can be posted on internet?

setting up of an entire IT department from scratch!

How do create 2 bootable partitions running win 7 on the same hard drive?

How to remove Conficker from Network?

Ask a Question

A CNET PROFESSIONAL BRAND On TechRepublic DIY: How to replace the UI on your Android smartphone

TechRepublic

Search

Trending Topics

operating system apple windows xp tips newsletter

Unified Communications imap and pop3

SOFTWARE

Strategy

Compliance mobile development

CAREER Operating systems sm bus controller driver

IT OPERATIONS HARDWARE

Featured TechRepublic Pro Downloads

Windows 7: An IT Pro's Overview

Quick Reference: Linux Commands

500 Things You Need To Know To Succeed In Your IT career

Windows Server 2008 Reference Pack

Explore

Blogs Downloads Members Q&A DIscussions Training Store Research Library Photos Videos

Services

About Us Membership Newsletters RSS Feeds Site Map Site Help & Feedback FAQ Advertise Reprint Policy
Popular on CBS sites: US Open | PGA Championship | iPad | Video Game Reviews | Cell Phones

2011 CBS Interactive. All rights reserved. Privacy Policy | Ad Choice | Terms of Use | Advertise | Jobs

A ZDNet Web Site | Visit other CBS Interactive Sites: