Networks Training

You are here: Home / General Networking / Comparison of NAT vs PAT in TCP/IP Networks for IP Translation

Comparison of NAT vs PAT in TCP/IP Networks for IP Translation

Written By

Network Address Translation (NAT) is a feature that enables the translation of IPv4 addresses.  It is most often used to translate private IPv4 addresses to public routable IPv4 addresses. 

This feature has almost singlehandedly vastly increased the longevity of the IPv4 protocol as the primary Network Layer protocol running on the Internet, since it resolves to a large degree, the exhaustion of the IPv4 address space.

Let’s take a closer look at what NAT is by examining the various mechanisms involved in the implementation of this feature. 

Through our journey, we’ll also compare NAT with Port Address Translation (PAT), and we’ll examine the vital functionality of each.

First let’s start with a high-level overview and comparison Table between the two technologies:

NAT vs PAT Comparison Table

The following table summarizes the differences between NAT and PAT:

Characteristic NAT PAT
Description Translates IPv4 addresses on a one-to-one basis Translates IPv4 addresses on a one-to-many basis by leveraging Transport Layer port numbers
Translates IPv4 addresses IPv4 addresses and port numbers
Types Static NAT

Dynamic NAT

 Static PAT

Dynamic or Overloaded PAT
Traffic Flow Used for both inbound and outbound traffic Used mainly for outbound traffic (internal network to external)
Main Use Case To allow access from Internet to a corporate server (e.g Web Server) which is behind a router or firewall (using static NAT) To allow access of a whole LAN subnet to the Internet using a single public IP.
Scope/

Relationship

 Superset of PAT. Subset of the general NAT technology.

A bit about terminology

Depending upon the context, the term NAT can refer to several things.  First and foremost, it is an umbrella term that encompasses all NAT functionalities.  NAT can be broken down into two primary components:

  • Basic NAT which performs a one-to-one translation of IP addresses. This may also be called “one-to-one NAT” or is simply referred to as NAT.
  • Port Address Translation (PAT) performs one-to-many translation of IP addresses. Other names for this include IP masquerading and NAT overload.  It is this particular feature that has extended the lifetime of the IPv4 address space.

Both of these are defined in RFC 2663. Both can be applied either statically or dynamically from a pool of predefined addresses.

Where does NAT take place?

NAT is a Layer 3 mechanism and is implemented within a router (or firewall device).  Typically, it is performed at the edge of the network where the local enterprise LAN meets the Internet. 

NAT can translate any IPv4 address to any other IPv4 address, however, as mentioned before, the most common scenario of the implementation of NAT is to translate private non-routable IPv4 addresses, as defined in RFC 1918 to routable public IPv4 addresses. 

The private IPv4 address ranges should be familiar to most of us, and as follows:

  • 10.0.0.0 – 10.255.255.255  (10.0.0.0/8)
  • 172.16.0.0 – 172.31.255.255  (172.16.0.0/12)
  • 192.168.0.0 – 192.168.255.255 (192.168.0.0/16)

Let’s now examine NAT and PAT and see how they operate and compare.  For the remainder of this article, unless otherwise stated, when we use the term NAT, we are referring to basic NAT.

Basic NAT (Network Address Translation)

When a packet traverses a NAT-enabled router, the IPv4 addresses found within the source and destination fields can be replaced or translated to a different set of IPv4 addresses.  For example, take a look at the following diagram:

NAT example diagram

Image Source from Wendell Odom (2013) (in English) Cisco CCENT/CCNA ICND1 100-101 Official Cert Guide (Academic ed.), Pearson Education, Inc., p. 582

When traffic goes from the Host to the Server, it uses a source private IP address of 10.0.0.1.  When the packet traverses the NAT router, that source IP address is replaced with, or translated to the public address of 150.150.0.1. 

Return traffic from the Server to the Host also gets translated, but this time, it is the destination address that is translated, from 150.150.0.1 back to 10.0.0.1.

These addresses have specific names:

  • Inside local address—The IP address assigned to a host on the inside network. This is the address configured as a parameter of the computer OS or received via dynamic address allocation protocols such as DHCP.
  • Inside global address—A public IP address assigned by the NIC or service provider that represents one or more inside local IP addresses to the outside world.
  • Outside local address—The IP address of an outside host as it appears to the inside network.
  • Outside global address—The IP address assigned to a host on the outside network by the host owner. The address is allocated from a globally routable address or network space.

On the above diagram, the following addresses correspond to each type:

  • Inside local address: 0.0.1
  • Inside global address: 150.0.1
  • Outside local address: 100.10.1
  • Outside global address: 100.10.1

PAT (Port Address Translation)

PAT can be used to map multiple inside local addresses to a single inside global address, thus allowing dozens or even hundreds of internal hosts to share a single routable IPv4 address. 

This is achieved by leveraging the use of the TCP or UDP ports in the Transport Layer to ensure the uniqueness of each communication that takes place. 

Even though the same inside global address is used for multiple hosts, a different Transport Layer port is used to distinguish between data flows.  For example, take a look at the following diagram:

port address translation diagram

Image Source  from Wendell Odom (2013) (in English) Cisco CCENT/CCNA ICND1 100-101 Official Cert Guide (Academic ed.), Pearson Education, Inc., p. 586

Here you can see three hosts on the inside with three different IP addresses.  These are translated using PAT to the same outside IP address of 200.100.10.1 but using different port numbers. 

The IP address/port number combination is the unique identifier of each flow.  The NAT router is smart enough to perform the appropriate translation so that each flow corresponds correctly with the appropriate host, and communications can take place successfully. 

Note that in the above diagram, the acronym NAPT is used to refer to the Network Address and Port Translation.  This is equivalent to a router performing PAT, but just goes to show how the understanding of terms in context is of utmost importance.

Limitations and other concerns of all types of NAT

The following are some limitations and concerns of both NAT and PAT that you should keep in mind whenever implementing these features:

  • Since TCP and UDP port numbers are used to map one-to-many IPv4 addresses, only TCP and UDP traffic can be translated using PAT. However, the vast majority of network traffic is either TCP or UDP, so this limitation is not of great concern.
  • NAT of all types can cause problems in the communication of some network services that use multiple streams of data, such as Voice over IP (VoIP) and FTP sessions.
  • The number of translations that a router can perform depends upon its CPU and memory resources.
  • Even if the router has enough CPU and memory resources, PAT has a hard limit of 65536 maximum PAT entries in its table at a time for each inside global address (since it uses port numbers which have a range of 0 to 65535).
  • NAT supports IPv6 in what is known as NAT66, however, it is not generally implemented since it is not needed since address space exhaustion is not an issue with IPv6.

Related Posts

Filed Under: General Networking

Download Free Cisco Commands Cheat Sheets

Enter your Email below to Download our Free Cisco Commands Cheat Sheets for Routers, Switches and ASA Firewalls.

We use Elastic Email as our marketing automation service. By submitting this form, you agree that the information you provide will be transferred to Elastic Email for processing in accordance with their Terms of Use and Privacy Policy. Also, you allow me to send you informational and marketing emails from time-to-time.

About Lazaros Agapidis

Lazaros Agapidis is a Telecommunications and Networking Specialist with over twenty years of experience.
He works primarily with IP networks, VoIP, Wi-Fi, and 5G, has extensive experience in training professionals for Cisco certifications, and his expertise extends into telecommunications services and infrastructure from both an enterprise and a service provider perspective.
In addition to his numerous vendor certifications, Lazaros has a solid online presence as an expert in his field, having worked in both public and private sectors within North America and in Europe.
He has enjoyed sharing his practical experiences in writing as well as through engaging online training.
LinkedIn: Lazaros Agapides

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About Networks Training

We Provide Technical Tutorials and Configuration Examples about TCP/IP Networks with focus on Cisco Products and Technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.

Amazon Disclosure

As an Amazon Associate I earn from qualifying purchases.
Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.

BLOGROLL

Tech21Century
Firewall.cx