Port Address Translation
Port Address Translation (PAT) is a feature of a network device that translates TCP or UDP communications made between hosts on a private network and hosts on a public network. It allows a single public IP address to be used by many hosts on the private network, which is usually called a Local Area Network or LAN. A PAT device transparently modifies IP packets as they pass through it. The modifications make all the packets it sends to the public network from the multiple hosts on the private network appear to originate from a single host on the public network: the PAT device itself.

Note: ''Different vendors call PAT by different names: Hidden NAT (Check Point), PAT (Cisco Systems), NAPT, SNAT/MASQUERADE (Linux iptables), Internet Connection Sharing (Microsoft), but PAT is the most common term. Since Cisco are the largest supplier of internet infrastructure, particularly at the high end/backbone areas of the market, PAT as a term will probably come to dominate.''

RELATIONSHIP BETWEEN NAT AND PAT

PAT is closely related to the concept of Network Address Translation, often called NAT. In NAT, generally only the IP addresses are modified, and there is generally a 1:1 correspondence between publicly exposed IP addresses and privately held IP addresses. In PAT, both the sender's private IP and port number are modified; the PAT device chooses the port numbers which will be seen by hosts on the public network. In NAT, incoming packets are routed to their destination IP address on the private network by reference to the destination IP address given by the host on the public network. In PAT there is generally only one publicly exposed IP address, and incoming packets from the public network are routed to their destinations on the private network by reference to a table held within the PAT device which keeps track of public and private port pairs. This is often called connection tracking.
DETAILS OF PAT

IP Packet Background

Every TCP packet contains both a source IP and source port number as well as a destination IP and destination port number. For publicly accessible services such as web servers and mail servers the port number is important. For example, port 80 connects to the web server software and port 25 to a mail server's SMTP daemon. The IP address of a public server is also important: similar in global uniqueness to a postal address or telephone number, it must be correctly known by all who wish to communicate with it. Thus server (public) IP addresses have worldwide significance, and ports have a significance that depends on the particular type of communication desired (e.g. web, email, FTP). The significance of the IP address of an internal host, however, need only extend to the organisational entity where it resides, so private addresses as given in RFC 1918 may be used. Additionally, the port number of a client application on a client host is significant only to that particular host. Consequently, within an organisation any communicating client application can be uniquely identified by the combination of its host IP (organisational significance) and host port (host-only significance).

An Analogy of PAT

A PAT device is like a post office; incoming envelopes addressed to a valid post office box are changed to have the real street address of the box holder.

Translation of the Endpoint IP Address

With PAT, all communication sent to or from external hosts actually contains the IP address and port information of the PAT device instead of internal host IPs or port numbers. This is achieved as outlined below:
Example: a host at IP address 192.168.0.2 on the private network may ask for a connection to a remote host on the public network, giving the source address and port as 192.168.0.2:15345. The PAT device (which we assume has a public IP of 1.2.3.4) might for example translate this source address:port pair to 1.2.3.4:16529 and make an entry in its internal table that port 16529 is now in use by 192.168.0.2 on the private network. When a packet is received from the public network by the PAT device for address 1.2.3.4:16529, the packet is forwarded to the host at 192.168.0.2 with the destination port changed to 15345.

PAT can only translate/replace IP addresses and ports for its internal hosts. As a consequence of its function it effectively hides the true endpoint IP address and port of the internal hosts. PAT must of course leave the public IP address and port information of the external host unmodified.

Visibility of Operation

The PAT operation is typically transparent to both the internal and external hosts. Typically the internal host is aware of the true IP address and TCP or UDP port of the external host, and the PAT device may function as the default gateway for the internal host. The external host, however, is only aware of the public IP address of the PAT device and the particular port being used to communicate on behalf of a specific internal host.

Location in Network

The PAT device usually sits at the network perimeter, where one side connects to the external network, usually the public Internet, and the other side connects to the internal network, usually with private IP addressing.

USES OF PAT

Firewall systems and multi-port broadband network access devices (e.g. ADSL routers, cable modems) tend to use PAT. In the configuration of those devices, the outside network is the Internet and the inside network is the LAN.
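The translation just described, as an added illustration that is not part of the original article: a small Python simulation of a PAT device with a connection-tracking table, using the article's own addresses (192.168.0.2:15345 behind public IP 1.2.3.4, allocated public port 16529). It also covers a static inbound forward like the port 80 to port 6008 rule in the example section, and shows what the device does when its ephemeral port pool is exhausted (the failure mode noted under disadvantages). The external address 203.0.113.10, the two-port pool and the class and method names are constructed for this demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Addressing 4-tuple of one TCP/UDP packet (payload omitted)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PATDevice:
    """Rewrites outbound sources to public_ip:<allocated port> and reverses
    the mapping for inbound packets via its connection-tracking table."""

    def __init__(self, public_ip, port_pool):
        self.public_ip = public_ip
        self.free_ports = list(port_pool)  # constructed pool, handed out in order
        self.table = {}     # public_port -> (private_ip, private_port)
        self.reverse = {}   # (private_ip, private_port) -> public_port
        self.forwards = {}  # static forwards: public_port -> (private_ip, private_port)

    def add_forward(self, public_port, private_ip, private_port):
        """Static rule exposing one internal service on a fixed public port."""
        self.forwards[public_port] = (private_ip, private_port)
        self.free_ports = [p for p in self.free_ports if p != public_port]

    def outbound(self, pkt):
        """Private -> public: allocate (or reuse) a public port for the source."""
        key = (pkt.src_ip, pkt.src_port)
        port = self.reverse.get(key)
        if port is None:
            if not self.free_ports:
                return None  # pool exhausted: one more endpoint cannot be tracked
            port = self.free_ports.pop(0)
            self.table[port] = key
            self.reverse[key] = port
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Public -> private: tracked connection first, then static forwards;
        anything else has no conduit to the inside and is dropped (None)."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.table.get(pkt.dst_port) or self.forwards.get(pkt.dst_port)
        if target is None:
            return None
        private_ip, private_port = target
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)
```

The inbound lookup keys only on the public port, as the article's table description does; real devices usually also match the external endpoint so that a third party cannot reuse a mapped port.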
AN EXAMPLE OF PAT

For example, an SMB or SME network perimeter device such as an ADSL router may use PAT to translate connections to TCP port 80 to a user-configured port 6008 on an internal network host. This allows the user to run a web server on an internal host on port 6008, whereas the actual HTTP port 80 of that internal host may be used by other internal hosts to access an intranet web server to which an external host has no conduit (because no specific configuration for it exists on the PAT device).

ADVANTAGES OF PAT
DISADVANTAGES OF PAT

Only a single public service, e.g. port 80 HTTP, can be exposed per public IP address. Thus an organisation using PAT and a single IP cannot easily run more than one of the same type of public service behind a PAT device, e.g. two public web servers using the default port 80. Obviously, if many hosts on the private network make many connections to the public network, the PAT device may not have sufficient room in its internal table to keep track of the connections, or it may simply run out of unused ports.

SEE ALSO

EXTERNAL LINKS