Port Address Translation (PAT) is a type of Network address translation (NAT) used when there is a shortage of public IP addresses .One of the public IP address of the same subnet or the interface address is used for translation.
Port Address Translation (PAT):
This is also known as NAT overload. In this, many local (private) IP addresses get translated to single public IP address .Sometimes, the private addresses are translated into the interface address (single). In this, Port numbers are used to distinguish the traffic i.e which traffic belongs to which IP address.
The procedure is almost same as done in Dynamic NAT but remember in PAT, more than one Private IP address is translated into a single public IP address.
- Step-1: Configure the access-list
Build the access-list stating the permit condition i.e who should be permit and what protocol should be permit.
- Step-2: Apply the access-list to an interface
The access-group command will be used to state the direction (out or in) in which the action (specified above) should be taken place.
- Step-3: Create network group or network object
Network group will state the subnet or different subnets on which PAT will be applied. While the network object states a single subnet which can be further used in the PAT process for translation. It can be said that network group contains more than one network object.
- Step-4: PAT statement
This step will specify the direction in which PAT should takes place and on what IP address (Public IP address) the private IP address should be translated.
Three routers namely Router1 (IP address – 10.1.1.1/24), Router2 (IP address – 184.108.40.206/24) and Router3 (IP address – 220.127.116.11) are connected to ASA (IP address- 10.1.1.2/24, name – INSIDE and security level – 100 on Gi0/0, IP address – 18.104.22.168/24, name – DMZ and security level – 50 on Gi0/1, IP address – 22.214.171.124/24, name-OUTSIDE and security level – 0 on Gi0/2) as shown in the above figure.
In this task, we will enable PAT for the traffic generating from INSIDE to OUTSIDE and for the traffic going from DMZ to OUTSIDE.
Configuring IP addresses on all routers and ASA.
Configure IP address on Router1:
Router1(config)#int fa0/0 Router1(config-if)#ip address 10.1.1.1 255.255.255.0 Router1(config-if)#no shut
Configuring IP address on Router2:
Router2(config)#int fa0/0 Router2(config-if)#ip address 126.96.36.199 255.255.255.0 Router2(config-if)#no shut
Configuring IP address on Router3:
Router3(config)#int fa0/0 Router3(config-if)#ip address 188.8.131.52 255.255.255.0 Router3(config-if)#no shut
Configuring IP address, name and security level on the interface of ASA:
asa(config)#int Gi0/0 asa(config-if)#no shut asa(config-if)#ip address 10.1.1.2 255.255.255.0 asa(config-if)#nameif INSIDE asa(config-if)#security level 100 asa(config-if)#exit asa(config)#int Gi0/1 asa(config-if)#no shut asa(config-if)#ip address 184.108.40.206 255.255.255.0 asa(config-if)#nameif DMZ asa(config-if)#security level 50 asa(config-if)#exit asa(config)#int Gi0/2 asa(config-if)#no shut asa(config-if)#ip address 220.127.116.11 255.255.255.0 asa(config-if)#nameif OUTSIDE asa(config-if)#security level 0
Now giving static routes to the routers. Configuring static route to Router1:
Router1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2
Configuring static route to Router2:
Router2(config)#ip route 0.0.0.0 0.0.0.0 18.104.22.168
Configuring static route to Router3:
Router3(config)#ip route 0.0.0.0 0.0.0.0 22.214.171.124
At last configuring static route to ASA:
asa(config)#route INSIDE 10.1.1.0 255.255.255.0 10.1.1.1 asa(config)#route OUTSIDE 126.96.36.199 255.255.255.0 188.8.131.52 asa(config)#route DMZ 184.108.40.206 255.255.255.0 10.1.1.1
For ICMP, either inspect or use ACL to allow the ICMP echo reply from the lower security level to higher security level (This is to be done because by default, no traffic is allowed from lower security level to higher security level).
asa(config)#access-list traffic_out permit icmp any any asa(config)#access-list traffic_dmz permit icmp any any
Here, two access-list has been made.
First access-list name is traffic_out which will allow ICMP traffic from OUTSIDE to INSIDE (having any IP address any mask).
Second access-list has been made named as traffic_dmz which will allow ICMP traffic from OUTSIDE to DMZ (having any IP address any mask) .
Apply these access-list to the ASA interfaces:
asa(config)#access-group traffic_out in interface OUTSIDE asa(config)#access-group traffic_dmz in interface DMZ
First statement states that the access-list traffic_out is applied in the inwards direction to the OUTSIDE interface
Second statement states that the access-list traffic_dmz is applied in the inwards direction to the DMZ interface.
INSIDE devices will be able to ping OUTSIDE and DMZ devices.
The task is to enable PAT on ASA whenever the whole subnet (10.1.1.0/24) traffic goes out from INSIDE to OUTSIDE and traffic of network (220.127.116.11/24) from DMZ to OUTSIDE, it should get translated into OUTSIDE interface address.
asa(config)#object network inside_nat asa(config-network-object)#subnet 10.1.1.0 255.255.255.0 asa(config-network-object)#exit
First, specify that which subnet should get translated.
Direction of NAT translation will be specified:
asa(config)#nat (INSIDE, OUTSIDE) source dynamic INSIDE interface
Applying NAT for traffic going out from DMZ to OUTSIDE:
asa(config)#object network dmz_nat asa(config-network-object)#subnet 18.104.22.168 255.255.255.0 asa(config-network-object)#exit
Creating NAT pool for this traffic:
asa(config)#object network dmz_nat_pool asa(config-network-object)#range 22.214.171.124 126.96.36.199 asa(config-network-object)#exit
Tirection for nat translation is specified.
asa(config)#nat (DMZ, OUTSIDE) source dynamic DMZ interface
The above command specifies that the subnet in dmz_nat should get translated into the IP address of the DMZ interface using PAT. By this, the process of configuring PAT is almost similar to dynamic NAT. The main difference is that to configure the outside interface IP address instead of a NAT pool from which one of the IP address will get translated.
This is most frequently used as it is cost effective as thousands of users can be connected to the Internet by using only one real global (public) IP address.
- Java program to find IP address of your computer
- How DHCP server dynamically assigns IP address to a host?
- Program to determine class, Network and Host ID of an IPv4 address
- Explicitly assigning port number to client in Socket
- What is Information Security?
- Types of Network Address Translation (NAT)
- C Program to find IP Address, Subnet Mask & Default Gateway
- How Address Resolution Protocol (ARP) works?
- Introduction of MAC Address in Computer Network
- C Program to display hostname and IP address
- Python | Remove leading zeros from an IP address
- Hash Functions in System Security
- Extracting MAC address using Python
- Active and Passive attacks in Information Security
- Port Security in Computer Network
If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to firstname.lastname@example.org. See your article appearing on the GeeksforGeeks main page and help other Geeks.
Please Improve this article if you find anything incorrect by clicking on the "Improve Article" button below.