Port address translation

From Wikipedia, the free encyclopedia

Port Address Translation (PAT) is a feature of a network device that translates TCP or UDP communications made between a host and port on an outside network, and a host and port on an inside network. It allows a single IP address to be used for many internal hosts.

A PAT device can transparently and automatically modify the IP packets' destination or source host IP and port fields belonging to its internal hosts.

Note: Different vendors call PAT by different names: Hidden NAT (Check Point), PAT (Cisco Systems), NAPT, SNAT/MASQUERADE (Linux iptables), Internet Connection Sharing (Microsoft), but I believe that PAT is the most correct term.


Why Use PAT?

PAT may allow one public IP address to handle communication for 65 535 inside hosts. In practice, the actual number of hosts permitted may vary due to manufacturer limits.

Relationship between NAT and PAT

PAT is closely related to the concept of Network Address Translation, often called NAT. Like NAT, port translation changes the sender's address or recipient's address on data packets. However, any IP address change involves the PAT device's single outside IP address rather than a pool of addresses as in NAT.

PAT translates both the IP and port fields, wherever those values belong to an internal host. On packets arriving from the external network, it is the destination port number, rather than the destination IP address, that is used to identify which computer on the inside network the traffic is for.

Details of PAT

IP Packet Background

Every TCP or UDP packet contains a source IP address and source port number as well as a destination IP address and destination port number.

For publicly accessible services such as web servers and mail servers the port number is important: for example, port 80 connects to the web server software and port 25 to a mail server's SMTP daemon. The IP address of a public server is also important; like a postal address or telephone number it is globally unique, and it must be correctly known by all who wish to communicate with the server.

Thus server (public) IP addresses have worldwide significance, and ports have a significance that depends on the particular type of communication desired (e.g. web, email, FTP).

The significance of the IP address of an internal host, however, need only extend to the organisational entity where it resides; thus private addresses as given in RFC 1918 may be used. Additionally, the port number of a client application on a client host is significant only to that particular host. Consequently, within an organisation any communicating client application can be uniquely identified by the combination of its host IP address (organisational significance) and host port (host-only significance).

An Analogy of PAT

A PAT device is like a post office that delivers box mail: outgoing envelopes are changed to appear to come from a post office box; incoming envelopes addressed to a valid post office box are changed to have the real street address of the box holder.

Translation of the Endpoint IP Address

With PAT, all communication sent to or from external hosts actually contains the IP address and port information of the PAT device instead of the internal host's IP address or port number. This is achieved as outlined below:

  • When a computer on the inside network sends a packet to the outside network, the PAT device replaces the inside IP address in the packet header's source field (sender's address) with the PAT device's outside IP address. It then assigns the connection a port number from a pool of available ports, inserts this port number in the packet header's source port field (much like the post office box number), and places the packet on the outside network. The PAT device then makes an entry in its translation table containing the inside IP address, inside source port, and outside port. Subsequent packets from the same connection on the inside IP address are translated to the same outside port number.
  • The computer receiving a data packet will use the source IP address and source port as the corresponding destination fields in any response it sends back. So, for packets arriving from the outside, the process operates on the packet header's destination port (similar to the recipient's post office box number). First, if the destination port number of the incoming packet is not found as an outside port in the translation table, the packet is simply dropped because the PAT device doesn't know where to send it. Otherwise, the corresponding inside IP address and inside port number from the translation table replace the destination IP address and destination port number in the incoming packet header (similar to the translation from post office box number to street address). The packet is then placed on the inside network.

PAT can only translate IP addresses and ports belonging to its internal hosts. As a consequence of its function, it effectively hides the true endpoint IP address and port of the internal hosts. PAT must, of course, leave the public IP address and port information of the external host unmodified.

Port translation allows many computers to share a single IP address. The PAT device periodically deletes translations from its table when they no longer appear to be in use. Because the port number field is a 16-bit unsigned number (0-65535), the likelihood of an inside computer being unable to send outside traffic is greatly reduced.

Visibility of Operation

The PAT operation is typically invisible to both the internal and external hosts.

Typically the internal host is aware of the true IP address and TCP or UDP port of the external host, and the PAT device may function as the default gateway for the internal host. The external host, however, is only aware of the public IP address of the PAT device and the particular port being used to communicate on behalf of a specific internal host.

Location in Network

The PAT device usually sits at the network perimeter: one side connects to the external network, usually the public Internet, and the other side to the internal network, usually with private IP addressing.

Uses of PAT

Firewall systems and multi-port broadband network access devices (e.g. ADSL routers, cable modems) tend to use PAT. In the configuration of those devices, the outside network is the Internet and the inside network is the LAN.

An Example of PAT

For example, an SMB or SME network perimeter device such as an ADSL router may use PAT to translate connections to TCP port 80 to a user-configured port 6008 on an internal network host. This allows the user to run a web server on an internal host on port 6008, while the actual HTTP port 80 of that internal host may be used by other internal hosts to access an intranet web server to which an external host has no conduit (due to the absence of a specific configuration for it on the PAT device).
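The outbound and inbound translation steps described under "Translation of the Endpoint IP Address", the removal of idle table entries, and the port 80 to 6008 forward in the example above, as an added Python model that is not part of this article; the outside IP, inside addresses, port pool and timeout are constructed values:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PatDevice:
    """Toy PAT device: one outside IP, a pool of outside ports, a translation
    table keyed by outside port, and static forwards for inbound services."""
    def __init__(self, outside_ip, port_pool, idle_timeout):
        self.outside_ip = outside_ip
        self.free_ports = list(port_pool)   # constructed pool of outside ports
        self.timeout = idle_timeout         # idle seconds before an entry is dropped
        self.table = {}      # outside_port -> (inside_ip, inside_port, last_seen)
        self.by_inside = {}  # (inside_ip, inside_port) -> outside_port
        self.static = {}     # outside_port -> (inside_ip, inside_port); never expires
    def add_forward(self, outside_port, inside_ip, inside_port):
        self.static[outside_port] = (inside_ip, inside_port)  # e.g. 80 -> host:6008
    def outbound(self, pkt, now):
        """Inside -> outside: rewrite the source IP/port and record the mapping."""
        key = (pkt.src_ip, pkt.src_port)
        port = self.by_inside.get(key)
        if port is None:                    # new connection: allocate a free port
            if not self.free_ports:
                return None                 # pool exhausted: packet is dropped
            port = self.free_ports.pop(0)
            self.by_inside[key] = port
        self.table[port] = (pkt.src_ip, pkt.src_port, now)
        return Packet(self.outside_ip, port, pkt.dst_ip, pkt.dst_port)
    def inbound(self, pkt, now):
        """Outside -> inside: look up the destination port, rewrite the destination."""
        if pkt.dst_port in self.static:
            ip, port = self.static[pkt.dst_port]
        elif pkt.dst_port in self.table:
            ip, port, _ = self.table[pkt.dst_port]
            self.table[pkt.dst_port] = (ip, port, now)   # refresh last_seen
        else:
            return None                     # no translation entry: packet is dropped
        return Packet(pkt.src_ip, pkt.src_port, ip, port)
    def expire(self, now):
        """Remove idle translations and return their outside ports to the pool."""
        for oport, (ip, iport, seen) in list(self.table.items()):
            if now - seen > self.timeout:
                del self.table[oport]
                del self.by_inside[(ip, iport)]
                self.free_ports.append(oport)
```

A two-port pool is used deliberately so that pool exhaustion and the effect of expiry can be observed.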

Advantages of PAT

PAT's main advantage is that multiple internal hosts can share a single IP address for communication.

Disadvantages of PAT

Only a single public service, e.g. HTTP on port 80, can be exposed per public IP address. Thus an organisation using PAT and a single IP address cannot easily run more than one instance of the same type of public service behind the PAT device, e.g. two public web servers both using the default port 80.

Note: The above problem may be overcome in some cases by having another internal device demultiplex access to multiple internal hosts based on some other protocol characteristic, e.g. HTTP virtual hosts.
