PAT configuration

With Port Address Translation (PAT), one public IP address is used for all internal devices, but a different port is assigned to each private IP address. This type of NAT is also known as NAT Overload. This is the typical form of NAT used in today’s networks and is supported by most consumer-grade routers.

PAT allows you to support many hosts with only a few public IP addresses. It works by creating a dynamic NAT mapping, in which a global (public) IP address and a unique port number are selected. The router keeps a NAT table entry for every unique combination of private IP address and port, with translation to the global address and a unique port number.

The following example will help you understand the concept behind PAT:

[Figure: PAT explanation]

As you can see in the picture above, PAT uses unique source port numbers on the inside global IP address to distinguish between translations. For example, if the host with the IP address of 10.0.0.101 wants to access S1 on the Internet, the host’s private IP address will be translated by R1 as 155.4.12.1:1056 and the request will be sent to S1. S1 will respond to 155.4.12.1:1056. R1 will receive that response, look up the matching entry in its NAT translation table, and forward the response to the host.
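The table lookup described above, modelled in Python as an added example (it is not part of the original tutorial and is not router code). The class and function names are hypothetical, and two simplifications are assumed: the router keeps the host's source port when it is free and otherwise takes the next unused one, and replies are matched on protocol and port only.

```python
class PatTable:
    """Minimal model of a PAT (NAT overload) translation table."""

    def __init__(self, global_ip, first_port=1024):
        self.global_ip = global_ip      # inside global address shared by all hosts
        self.first_port = first_port    # start of the fallback port range (assumed)
        self.out = {}    # (proto, inside_ip, inside_port) -> global port
        self.back = {}   # (proto, global_port) -> (inside_ip, inside_port)

    def _free_port(self, proto, preferred):
        # Assumed policy: reuse the original source port if nobody holds it,
        # otherwise scan for the first unused port on the global address.
        if (proto, preferred) not in self.back:
            return preferred
        for port in range(self.first_port, 65536):
            if (proto, port) not in self.back:
                return port
        raise RuntimeError("no free ports left on " + self.global_ip)

    def outbound(self, proto, src_ip, src_port):
        """Translate an inside source; returns the inside global (ip, port)."""
        key = (proto, src_ip, src_port)
        if key not in self.out:         # first packet of the flow creates the entry
            port = self._free_port(proto, src_port)
            self.out[key] = port
            self.back[(proto, port)] = (src_ip, src_port)
        return self.global_ip, self.out[key]

    def inbound(self, proto, dst_port):
        """Map a packet arriving on the global address back to an inside host.
        Returns None when the table holds no entry for that port."""
        return self.back.get((proto, dst_port))


def demo():
    # Constructed sample flows using the addresses from the tutorial's figure.
    r1 = PatTable("155.4.12.1")
    a = r1.outbound("tcp", "10.0.0.101", 1056)
    b = r1.outbound("tcp", "10.0.0.100", 1056)   # same source port, other host
    return {
        "host_101": a,
        "host_100": b,
        "reply_to_a": r1.inbound("tcp", a[1]),
        "reply_to_b": r1.inbound("tcp", b[1]),
        "no_entry": r1.inbound("tcp", 4444),     # nothing inside opened this port
    }
```

Both hosts share 155.4.12.1, but the second flow gets a different global port because 1056 is already taken, which is how the router tells the two replies apart.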

To configure PAT, the following commands are required:

1. Configure the router’s inside interface using the ip nat inside command.
2. Configure the router’s outside interface using the ip nat outside command.
3. Configure an access list that has a list of the inside source addresses that should be translated.
4. Enable PAT with the ip nat inside source list ACL_NUMBER interface TYPE overload global configuration command.

Here is how we would configure PAT for the network pictured above.

First, we will define the outside and inside interfaces:

[Figure: PAT interfaces]

Next, we will define an access list that will include all private IP addresses we would like to translate:

[Figure: PAT define ACL]

Note that the access list defined above includes all IP addresses from the 10.0.0.0 – 10.0.0.255 range.

Now we need to enable NAT and refer to the ACL created in the previous step and to the interface whose IP address will be used for translations:

[Figure: enable PAT]

To verify the NAT translations, we can use the show ip nat translations command:

[Figure: show ip nat translations output for PAT]

Notice how the same IP address (155.4.12.1) has been used to translate two private IP addresses (10.0.0.100 and 10.0.0.101).

Geek University 2022