NAT Overloading or Port Address Translation (PAT) is a modified form of dynamic NAT where the number of inside local addresses is greater than the number of inside global addresses. Mostly, there is just a single inside global IP address providing Internet access to all inside hosts. NAT Overloading is the only flavor of NAT that actually conserves IP addresses and it is also the most popular form of NAT as well.
Figure 10-4 Port Address Translation (PAT)
PAT allows overloading or the mapping of more than on inside local address to the same inside global address. But this also means that return packets would all have the same destination address as they reach the NAT router. How would the router know which inside local address each return packet belongs to? In order to deal with this scenario, the NAT entries in the translation table are extended entries; the entries not only track the relevant IP addresses, but also the protocol types and ports. By translating both the IP address and the port number of a packet, up to 65535 inside local addresses could theoretically be mapped to a single inisde global address (based on the 16-bit port number).
But keep in mind that a single NAT entry uses approximately 160 bytes of router memory, so 65535 entries would take more than 10 MB of memory and also large amounts of CPU power. In practical PAT configurations, nowhere near this number of addresses are mapped, but it is definitely a theoretical limit.
Here is a sample configuration for NAT overloading or PAT according to Figure 10-4.
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip nat pool MyPool 22.214.171.124 126.96.36.199 ?
netmask Specify the network mask
prefix-length Specify the prefix length
R1(config)#ip nat pool MyPool 188.8.131.52 184.108.40.206 netmask 255.255.255.0
R1(config)#access-list 1 permit 192.168.1.0 0.0.0.255
R1(config)#ip nat inside source list 1 pool MyPool overload
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#ip nat inside
R1(config-if)#ip address 220.127.116.11 255.255.255.0
R1(config-if)#ip nat outside
The above configuration may appear very similar to the configuration for dynamic NAT, however there are important differences. First, the pool of IP addresses has been shrunk to a single IP address assigned to the outside interface of router R1.
Second, access list 1 matches the entire class C network 192.168.1.0/24 which means any inside local address from this network will be translated. If you want a specific host from this network not to be translated, you have to explicitly specify by adding a deny statement to the access list. Let’s assume we want to deny translation to a single host 192.168.1.2 while allowing all other hosts:
R1(config)#access-list 1 permit 192.168.1.0 0.0.0.255
Also there is an addition of overload keyword with the ip nat inside source list 1 pool MyPool command.
Let’s start our usual verification by issuing the show ip nat translations command:
R1#show ip nat translations
There are no static mappings and hence the blank output above. Let’s generate some traffic from inside hosts to the server and issue the show ip nat translations command again:
Pro Inside global Inside local Outside local Outside global
icmp 18.104.22.168:18 192.168.1.2:18 22.214.171.124:18 126.96.36.199:18
icmp 188.8.131.52:19 192.168.1.3:19 184.108.40.206:19 220.127.116.11:19
icmp 18.104.22.168:20 192.168.1.4:20 22.214.171.124:20 126.96.36.199:20
As you can see in the output above, all inside local addresses are translated into the same inside global address, which is the essence of NAT overload or PAT. You may have noticed that the router has preserved the source port numbers as inside local addresses were translated to inside global addresses. This is the usual behavior but when the router creates a new translation entry such that the source port number is already in use, the port number also gets translated to a different number. The occurrence of two inside hosts choosing the same source port number is not very common, but it still may happen especially when the number of connections from inside to outside is significant.
Let’s also issue the show ip nat statistics command:
Total active translations: 3 (0 static, 3 dynamic; 3 extended)
Hits: 135 Misses: 15
CEF Translated packets: 150, CEF Punted packets: 0
Expired translations: 12
— Inside Source
[Id: 2] access-list 1 pool MyPool refcount 3
pool MyPool: netmask 255.255.255.0
start 188.8.131.52 end 184.108.40.206
type generic, total addresses 1, allocated 1 (100%), misses 0
Queued Packets: 0
You should keep two things in mind. First, NAT overload is useful in any situation when the number of inside hosts is larger than public addresses you have. In many situations you only have a single public IP address that is assigned to the outside interface of your Internet facing router. In this case your pool would consist of a single IP address as the configuration above shows. However, you may have more than one public IP addresses available, one of which may be assigned to the Internet facing interface of your router. In such case, your NAT pool may consist of more than one IP addresses still using NAT overload to accommodate a larger number of inside hosts wanting to connect to the Internet. In short, you may have a single overloaded public address or you may have more than one overloaded public addresses.
NAT Overload or PAT is the most prevalent NAT configuration for the obvious reason that it is the flavor of NAT that actually preserves global IP addresses, the primary reason for NAT usage.