Introduction to NAT and PAT

When you use dynamic NAT, you require a pool with public IP addresses. Each host that gets translated requires a public IP address from the pool.

PAT allows us to translate multiple private IP addresses to a single public IP address.

Rene, is it possible when configuring NAT on a router in GNS3 to provide a simulation which will enable or facilitate actual translations in the NAT table without generating actual live production network traffic from a host (or hosts) on your lab GNS3 router? Hope this makes sense.

Hi William,

You can’t simulate NAT traffic on the local router. If you want to see some NAT translations, you’ll have to send some traffic through your router. When I have to test something like this I like to use another router or switch as the “host” device. Some quick pings are enough to test NAT.

Rene

Hi Rene,
I have two questions.

  1. What is the difference between PAT and CGNAT?

  2. When using PAT, will the NAT router change the source port, no matter what source port is used by the LAN device? If yes, it should have a mapping table between the host’s source port and the new source port assigned by the NAT router. Isn’t it?

Hi Rakesh,

PAT means port address translation, this doesn’t mean that the source port is always changed though. Take a look at this example:

How to configure PAT on Cisco IOS Router

Look for the show ip nat translations command in that lesson. You can see the source ports remain the same, the router will only change these if two hosts happen to pick the same source port number.

CGNAT stands for Carrier Grade NAT. Some ISPs don’t give their customers public IP addresses anymore but private IP addresses. The ISP will use NAT/PAT to put many customers behind a single public IP address.

Rene

Hi Rene,

  1. If we have multiple hosts in a LAN behind a router and want to connect to a server on the Internet, NAT alone doesn’t work here. Both NAT and PAT should be used together. Please confirm. (Assume we have only one public IP.)

  2. How to find the PAT mapping? Any command?

Thanks

Hi Ashok,

If you have multiple hosts behind a single public IP address then you will need PAT yes. Right above your reply is the link to my PAT tutorial, which explains everything.

Rene

Hi Rene,

I have a question that’s been bothering me for a while. If your ISP routes you a public /24, how do you put all those 255 addresses on a single router? The router would need to have these configured to be able to use them as source addresses, right?

Thanks in advance,
Shawn

Hi Shawn,

If you are using PAT, you don’t need to assign all those public IPs that you are getting from your ISP to your router. As explained by Rene in the lesson, the one public IP which is assigned to the outside interface can be used to PAT your source address to the internet. Even so, you can add more than one public IP to the interface as a secondary IP.

I recommend you to check this lab:

How to configure PAT on Cisco IOS Router

Hi, and thank you for the reply. I was talking about dynamic NAT, or static NAT, where you would have a pool of public IP addresses and a pool of private addresses. In order to use one of the public IP addresses as your new source address, it has to be configured on the router, right? Or can you just have your ISP route you the subnet and they will see the source IP as it gets NAT’d and know what to do with it?

I hope this makes more sense, I am not talking about PAT (layer 4) at all.

Thanks

Hi Shawn,

If I understand your question correctly, you have a /24 subnet of public IPs from your ISP and you want to use it in dynamic NAT, by which your private internal IPs can go to the internet. If this is the case, you don’t need to have a pool of private IPs as you mentioned. What you need is to configure a pool of your public IPs in the dynamic NAT, by which each internal host will reserve one public IP to go to the internet.

For example: if you have configured in your router a pool of 5 public IPs, then only 5 internal private IPs at a time can go to the internet. In other words, every private IP will reserve an available public IP from the pool.

I can refer you to this lesson for more information:
Configure Dynamic NAT
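As an added example (this is not code from the thread or from the lessons it links), the following small Python model of a Cisco-style NAT table illustrates both Rene's point about PAT above (the source port is kept unless another inside host already holds it on the shared public address) and the dynamic NAT pool behaviour in the reply just above (one public address reserved per inside host until the pool is exhausted). The port-reassignment rule is a simplification of what IOS does; the addresses used in the test are constructed.

```python
# Added example, not from the thread: a minimal model of dynamic NAT with and
# without "overload" (PAT). Port selection on collision is simplified.

class NatRouter:
    def __init__(self, pool, overload):
        self.pool = list(pool)        # inside-global (public) addresses
        self.overload = overload      # True = PAT: every host shares pool[0]
        self.table = {}               # (inside local ip, port) -> (inside global ip, port)
        self._host_map = {}           # dynamic NAT only: inside local ip -> inside global ip
        self._used_ports = set()      # PAT only: ports already taken on pool[0]

    def _next_free_port(self, wanted):
        # Port preservation: keep the host's own port if it is free; otherwise walk
        # upwards to the next free one (simplified; IOS picks from defined ranges).
        port = wanted
        while port in self._used_ports:
            port = 1024 if port >= 65535 else port + 1
        return port

    def translate(self, src_ip, src_port):
        """Return (inside global ip, port) for an outbound packet, or None if untranslatable."""
        key = (src_ip, src_port)
        if key in self.table:              # existing entry: reuse it
            return self.table[key]
        if self.overload:
            new_port = self._next_free_port(src_port)
            self._used_ports.add(new_port)
            self.table[key] = (self.pool[0], new_port)
            return self.table[key]
        # Dynamic NAT without overload: one pool address reserved per inside host.
        global_ip = self._host_map.get(src_ip)
        if global_ip is None:
            in_use = set(self._host_map.values())
            free = [ip for ip in self.pool if ip not in in_use]
            if not free:
                return None                # pool exhausted: packet is dropped
            global_ip = free[0]
            self._host_map[src_ip] = global_ip
        self.table[key] = (global_ip, src_port)   # port untouched without overload
        return self.table[key]

    def port_changed(self, src_ip, src_port):
        """True if the router had to rewrite this flow's source port."""
        return self.table[(src_ip, src_port)][1] != src_port
```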

Please explain what is a bidirectional NAT

Hi Pavan,

In most NAT/PAT examples, we only translate the source IP address.

With bi-directional NAT, you can translate both the source and destination IP address at the same time.

Rene

I have a doubt about private address and public address

I perfectly understand which IP addresses are public and private. But in the real world I’ve seen an ISP accepting RFC 1918 IP addresses in its inbound BGP filter (yes, it’s so unprofessional).

So, in the real world, we can announce any subnet, regardless of whether it’s public or private, despite all Cisco OCGs mentioning “RFC 1918 IP addresses are not reachable or routable on the internet”.

I’d like to read your thoughts about it.

Hello Juan

The rule is that RFC 1918 IP addresses are not reachable or routable on the internet. That is a rule that ISPs are responsible for adhering to and implementing. There is no technological inability to route these addresses, but by definition, everyone is required to adhere to it and that is why you cannot do it. But even if an ISP does accept them, when they try to hand them off to other networks, the routers on the Internet at large are configured to drop any such traffic.

Cisco’s OCGs mention this because it is expected that all Internet networks are configured to adhere to this rule.

I hope this has been helpful!

Laz


Yes, it was as I suspected: it is a rule but not a technological inability.

Thanks for your reply.


Dear sir,

How do I verify in the router that the NAT translations are working correctly?

Thank you

Regards,
Mani

Hello Mani

There are two fundamental ways that you can check your NATting. The first is to use the show ip nat translations command which shows you how a NAT router is translating specific addresses. An example of the output can be found here:

NAT#show ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.23.10:4   192.168.123.1:4    192.168.23.3:4     192.168.23.3:4
--- 192.168.23.10      192.168.123.1      ---                ---
icmp 192.168.23.11:2   192.168.123.2:2    192.168.23.3:2     192.168.23.3:2
--- 192.168.23.11      192.168.123.2      ---                ---

Secondly, you can use the debug ip packet command, which will show you the source and destination of packets that arrive and that are sent on particular interfaces. This helps in verifying that IPs have actually been translated, and you’re not just seeing regular routing taking place. An example of the output in such a situation can be seen below:

R1#
IP: s=192.168.12.1 (FastEthernet0/0), d=192.168.23.3, len 100, rcvd 1

You can see both of these techniques in action in the following lessons:


I hope this has been helpful!

Laz
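As an added example (not code from the thread), here is a small parser for the show ip nat translations output quoted above, with two checks a practitioner would run over it: that the translations an inside host should have are really present, and that no row uses an inside-global address the router is not supposed to use. The sample text is the output quoted in the reply above; the expected pairs in the test are constructed.

```python
# Added example, not from the thread: parse "show ip nat translations" text and
# check it against what the NAT configuration should produce.

SAMPLE_OUTPUT = """\
NAT#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.23.10:4   192.168.123.1:4    192.168.23.3:4     192.168.23.3:4
--- 192.168.23.10      192.168.123.1      ---                ---
icmp 192.168.23.11:2   192.168.123.2:2    192.168.23.3:2     192.168.23.3:2
--- 192.168.23.11      192.168.123.2      ---                ---
"""

def split_addr(token):
    """'192.168.23.10:4' -> ('192.168.23.10', 4); bare IP -> (ip, None); '---' -> None."""
    if token == "---":
        return None
    ip, _, port = token.partition(":")
    return (ip, int(port) if port else None)

def parse_translations(text):
    """Return one dict per translation row; the prompt and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:           # translation rows always have five columns
            continue
        pro, ig, il, ol, og = fields
        entries.append({
            "proto": None if pro == "---" else pro,
            "inside_global": split_addr(ig),
            "inside_local": split_addr(il),
            "outside_local": split_addr(ol),
            "outside_global": split_addr(og),
        })
    return entries

def missing_translations(text, expected):
    """expected: (inside local ip, inside global ip) pairs that must be in the table."""
    seen = {(e["inside_local"][0], e["inside_global"][0]) for e in parse_translations(text)}
    return [pair for pair in expected if pair not in seen]

def unexpected_globals(text, allowed_globals):
    """Rows whose inside-global address is not one the router should be using."""
    allowed = set(allowed_globals)
    return [e for e in parse_translations(text) if e["inside_global"][0] not in allowed]
```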

Dear sir,
Our public web server has a static PAT entry in our router. The router forwards the traffic after NAT to our firewall. Then the firewall forwards the traffic to our internal server.
Suddenly the connection dropped from the public side. Internal users can see the page. After 3 to 4 hours the connection is up again. Why does such behaviour happen? How to check the traffic during the downtime, whether the router NATs the traffic correctly and forwards it to the next hop? How to capture the logs to show the customer if it is not a network issue?

Public IP 137.132.22.163 443 Private IP 172.25.182.43 443

During the issue I can see the request coming to the firewall, and the response also leaving it. But the customer can’t access it from the internet.

Does the syslog include NAT translations also? How to store the translations in the syslog? Please advise.

Please help.

Thanks
Regards,
Mani

Hello Mani

The above statement seems to indicate that traffic from the public Internet did indeed reach the web server, and the web server sent a response. This also tells us that the NAT router is working correctly since incoming requests reached the firewall. How do you prove that this took place? There are several ways in which you can use logs to show such traffic. One is syslog, about which you can learn more here for both IOS devices as well as ASA firewalls:


If you had your devices configured to collect logs locally, you may be able to show these logs using the appropriate commands as mentioned in the lessons above. In general, however, it’s a good idea to set up a syslog server that will collect and store these messages.

NAT translations can indeed be recorded using syslog. You can find out more information about how to monitor NAT translations and connections at this Cisco documentation:

You should be able to monitor all sessions as well by installing some monitoring software/system on the web server, the router, as well as the firewall, using tools such as SNMP, NetFlow or Cisco Performance Monitor.

I hope this has been helpful!

Laz