Configuring Port Address Translation (PAT)

18 Mar

Because of the rapid depletion of public IP version 4 address space and the limited number of public IP addresses that can be used on the Internet, an enterprise may not be able to obtain a block of public addresses large enough to cover every private address on its inside network when performing Network Address Translation. A solution to working with the limited number of addresses allocated to enterprises is Port Address Translation (PAT). PAT allows multiple hosts on the inside local network to access hosts located on outside networks using a single inside global address. PAT uses a NAT feature known as overloading. When overloading is configured on the router, the router maintains enough information from the higher-layer protocols, namely the TCP or UDP port numbers, to translate the global address back to the originating local address. More than one inside local address can be mapped to one inside global address, and when multiple inside local addresses map to a single global address, the TCP or UDP port numbers of each inside host distinguish between the local addresses.
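The following model of the overloading mechanism is an added example written for this page, not Cisco IOS code. It keeps a translation table for a single inside global address and shows the two points the paragraph makes: the translated source port is what lets the router map a reply back to the right inside local host, and an outside packet that matches no entry has nowhere to go and is dropped. The port-reuse policy (keep the host's own source port while it is free, otherwise pick another) and the 1024 starting port are assumptions of the model; real IOS extended entries also record the outside address and port, which this simplified table keys only on protocol and global port.

```python
"""Model of the PAT (NAT overload) translation table described above.
Added example for this page, not Cisco IOS code."""

from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatTable:
    """Translation state for one inside global address shared by many inside hosts."""

    def __init__(self, inside_global: str, first_free_port: int = 1024):
        self.inside_global = inside_global
        self.next_port = first_free_port          # assumed allocator start, not IOS behaviour
        # (proto, inside global port) -> (inside local ip, inside local port)
        self.by_global: dict[tuple[str, int], tuple[str, int]] = {}
        # (proto, inside local ip, inside local port) -> inside global port
        self.by_local: dict[tuple[str, str, int], int] = {}

    def _pick_global_port(self, proto: str, wanted: int) -> int:
        """Keep the host's own source port when it is free (as in the table in the
        text, where 1036 maps to 1036); otherwise allocate a different one so that
        two inside hosts never share the same (proto, global port) pair."""
        if (proto, wanted) not in self.by_global:
            return wanted
        while (proto, self.next_port) in self.by_global:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source, creating an entry on first use."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.by_local:
            gport = self._pick_global_port(pkt.proto, pkt.src_port)
            self.by_local[key] = gport
            self.by_global[(pkt.proto, gport)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.inside_global, self.by_local[key],
                      pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: the destination port selects the inside host.
        None means no entry exists, so the router has no host to deliver to and
        drops the packet. (IOS extended entries are keyed on the outside address
        and port as well; this model keys only on protocol and global port.)"""
        if pkt.dst_ip != self.inside_global:
            return None
        entry = self.by_global.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None
        local_ip, local_port = entry
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, local_ip, local_port)

    def show(self) -> list[str]:
        """Rows in the spirit of 'show ip nat translations' (constructed format)."""
        return [f"{proto} {self.inside_global}:{gport} {lip}:{lport}"
                for (proto, gport), (lip, lport) in sorted(self.by_global.items())]


if __name__ == "__main__":
    table = PatTable("192.168.10.254")
    # Two inside hosts that happen to choose the same source port 1036.
    table.outbound(Packet("TCP", "10.10.10.3", 1036, "20.20.20.184", 23))
    table.outbound(Packet("TCP", "10.10.10.162", 1036, "20.20.20.184", 23))
    print("\n".join(table.show()))
```

Running the script prints two rows for the shared global address; the second host's flow is translated to a different global port so the router can still tell the two replies apart.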

To configure PAT, perform the following steps (these steps are similar to the steps for configuring dynamic NAT translations):

1. Use the following global configuration command to define a pool of inside global addresses to be allocated as needed:

ip nat pool <name> <start-ip-address> <end-ip-address> {netmask <netmask> | prefix-length <prefix-length>}

The start IP address is the address with which NAT begins when creating a dynamic translation entry. Because PAT shares a single address, the end IP address is the same address as the start IP address.

2. Use this command to define an extended access list and its parameters:

access-list <access-list-number> {deny|permit} <protocol> <source> <source-wildcard> <destination> <destination-wildcard>

The access list should specify which traffic arriving at the inside interface and destined to the outside interface is eligible to create a translation entry.

3. Use this command to establish an association between the local inside addresses and the pool of global addresses (notice the use of the overload keyword):

ip nat inside source list <access-list-number> pool <name> overload

4. Use the following command to move into interface configuration mode for the inside interface:

interface <interface type> <interface number>

5. Use the ip nat inside interface configuration command to apply NAT to the interface that is connected to the networks with the local addresses.

6. Use the same command to move into interface configuration mode for the outside interface:

interface <interface type> <interface number>

7. Use the ip nat outside interface configuration command to apply NAT to the interface that is connected to the networks with the inside global addresses.

Using Figure 3.7 as a reference, you can see that Router 1 must now be configured to support PAT. The figure displays a network that must use PAT to communicate with outside networks. The networks that are behind Router 1 are all allocated from RFC 1918 nonroutable address space. The clients located behind Router 1 have inside local addresses allocated from the 10.10.10.0 subnet; however, the enterprise has been allocated only one public IP address. Listing 3.17 shows the configuration needed to configure Router 1 for PAT.

Listing 3.17: PAT configuration example.

ip subnet-zero
!
ip nat pool INTERNET 192.168.10.254 192.168.10.254 netmask 255.255.255.128
!
ip nat inside source list 1 pool INTERNET overload
!
interface Serial0/0
ip address 192.168.10.1 255.255.255.128
ip nat outside
!
int FastEthernet0/0
ip address 10.10.10.1 255.255.255.0
ip nat inside
!
access-list 1 permit 10.10.10.0 0.0.0.255
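A PAT setup like Listing 3.17 fails quietly when one of its pieces does not line up with the others: a pool that no mapping uses, a single-address pool mapped without the overload keyword (only one inside host is translated at a time), an access list that the mapping references but that is not defined, or one that does not match the inside networks at all. The checker below is an added example written for this page, not code from the book or from Cisco. It parses the subset of IOS syntax used in the listing (the netmask form of ip nat pool, standard access lists, interface stanzas ended by a bare "!") and reports those problems; the sample configuration is constructed from the listing and the finding texts are this example's own.

```python
"""Consistency check for a PAT configuration in Cisco IOS syntax.
Added example for this page, not code from the book or from Cisco."""

from __future__ import annotations

import ipaddress
import re
from typing import Optional

# Constructed sample modelled on Listing 3.17.
SAMPLE_CONFIG = """\
ip subnet-zero
!
ip nat pool INTERNET 192.168.10.254 192.168.10.254 netmask 255.255.255.128
!
ip nat inside source list 1 pool INTERNET overload
!
interface Serial0/0
 ip address 192.168.10.1 255.255.255.128
 ip nat outside
!
int FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
access-list 1 permit 10.10.10.0 0.0.0.255
"""


def parse_config(text: str) -> dict:
    """Extract the pools, mappings, access lists and interfaces that PAT depends on."""
    cfg = {"pools": {}, "mappings": [], "acls": {}, "interfaces": {}}
    current = None  # name of the interface stanza being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip nat pool (\S+) (\S+) (\S+) netmask (\S+)$", line):
            name, start, end, mask = m.groups()
            cfg["pools"][name] = (start, end, mask)
        elif m := re.match(r"ip nat inside source list (\S+) pool (\S+)( overload)?$", line):
            acl, pool, overload = m.groups()
            cfg["mappings"].append((acl, pool, overload is not None))
        elif m := re.match(r"access-list (\S+) (permit|deny) (\S+)(?: (\S+))?$", line):
            num, action, src, wildcard = m.groups()
            cfg["acls"].setdefault(num, []).append((action, src, wildcard))
        elif m := re.match(r"int(?:erface)? (\S+)$", line):
            current = m.group(1)
            cfg["interfaces"][current] = {"network": None, "nat": None}
        elif current and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            cfg["interfaces"][current]["network"] = ipaddress.ip_network(
                f"{m.group(1)}/{m.group(2)}", strict=False)
        elif current and (m := re.match(r"ip nat (inside|outside)$", line)):
            cfg["interfaces"][current]["nat"] = m.group(1)
        elif line == "!":
            current = None
    return cfg


def acl_entry_network(src: str, wildcard: Optional[str]):
    """Turn a standard ACL source/wildcard pair into a network (None for 'any')."""
    if src == "any":
        return None
    if src == "host":                                # 'permit host 10.10.10.5'
        return ipaddress.ip_network(f"{wildcard}/32")
    if wildcard is None or wildcard == "0.0.0.0":    # bare address means one host
        return ipaddress.ip_network(f"{src}/32")
    # ipaddress accepts a contiguous Cisco wildcard as a host mask (10.10.10.0/0.0.0.255).
    return ipaddress.ip_network(f"{src}/{wildcard}", strict=False)


def check_pat(cfg: dict) -> list[str]:
    """Return findings; an empty list means the PAT pieces fit together."""
    findings = []
    inside = [i["network"] for i in cfg["interfaces"].values() if i["nat"] == "inside"]
    if not inside:
        findings.append("no interface has 'ip nat inside'")
    if not any(i["nat"] == "outside" for i in cfg["interfaces"].values()):
        findings.append("no interface has 'ip nat outside'")
    used = {pool for _, pool, _ in cfg["mappings"]}
    for name in cfg["pools"]:
        if name not in used:
            findings.append(f"pool {name} is defined but no 'ip nat inside source' statement uses it")
    for acl, pool, overload in cfg["mappings"]:
        if pool not in cfg["pools"]:
            findings.append(f"mapping references undefined pool {pool}")
        else:
            start, end, _ = cfg["pools"][pool]
            if start == end and not overload:
                findings.append(f"pool {pool} holds one address but the mapping lacks 'overload'; "
                                "only one inside host could be translated at a time")
        if acl not in cfg["acls"]:
            findings.append(f"mapping references access-list {acl}, which is not defined")
            continue
        for action, src, wildcard in cfg["acls"][acl]:
            if action != "permit":
                continue
            net = acl_entry_network(src, wildcard)
            if net is None:
                findings.append(f"access-list {acl} permits any source; restrict it to the inside local networks")
            elif not any(n is not None and n.overlaps(net) for n in inside):
                findings.append(f"access-list {acl} entry {net} matches no 'ip nat inside' interface network")
    return findings


if __name__ == "__main__":
    for finding in check_pat(parse_config(SAMPLE_CONFIG)) or ["PAT configuration is consistent"]:
        print(finding)
```

Feed it the running configuration (show running-config output pasted into a file) rather than the intended one; the mismatches this catches are usually between what was typed and what is actually on the box.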

Here is the NAT table of Router 1; notice that PAT creates an extended entry and all fields of the output are populated:

Router-1#show ip nat translations
Pro Inside global          Inside local          Outside local        Outside global
TCP 192.168.10.254:1036    10.10.10.3:1036       20.20.20.184:23      20.20.20.184:23
TCP 192.168.10.254:1037    10.10.10.162:1037     20.20.20.200:23      20.20.20.20:23
TCP 192.168.10.254:1056    10.10.10.15:1056      20.20.20.21:23       20.20.20.21:23
