Peter,
I am sure there are those who could do a much better job of explaining
this, but here's a little bit of info that I had lying around that might
help.
If this is not accurate, I apologize, but in looking through it briefly it
seemed about right.
Hope it helps...
Best Regards,
Randy
----------------------------------
Randall Gale
Regional Director - New England
Information Security
Predictive Systems
vox: 781-751-9629
fax: 781-329-9343
mailto:randall(_dot_)gale(_at_)predictive(_dot_)com
http://www.predictive.com
----------------------------------
With the depletion of IP address space, the Internet Assigned Numbers
Authority (IANA) proposed to conserve the unique addressing space by
blocking out (reserving) a large addressing space (private space) that may
be replicated in multiple private local area networks (LANs). This pool of
set-aside addresses would also be non-routable on the Internet. These
address blocks, set up in 1993, are:
Class "A" 10.0.0.0 -> 10.255.255.255
Class "B" 172.16.0.0 -> 172.31.255.255
Class "C" 192.168.0.0 -> 192.168.255.255
The solution was called private addressing and was defined in RFC (Request
For Comments) 1918.
The process was further enhanced with a solution called Network Address
Translation (NAT) RFC 1631. NAT would be a process whereby these private
addresses could be masked with an authorized or registered (real) assigned
IP address. NAT is a "many-to-one" scheme that is based on the premise
that not all users on a private LAN will need to access the Internet at
the same time. A small pool of registered real IP addresses is registered
and assigned to the user's group. The registered IP addresses can then be
dynamically assigned and reassigned, as appropriate, by the NAT device to
users accessing the Internet.
A second NAT technique called port address translation (PAT) is a common
solution for small to mid-size companies. The PAT technique is similar to
NAT but only uses one registered IP address instead of a pool of
addresses. PAT is a true many-to-one solution in that it manipulates a
field in the public data packet which is then related back to the private
address packet. (PAT is explained in detail below.)
How NAT Works:
The network address translation (NAT) process will be active on a router,
or firewall security system, that typically connects to the Internet. This
process on a router, or firewall, is called an application proxy. The
generic use of the term "application proxy" is when the router/firewall
receives a data packet, checks its payload, manipulates it and then
redirects it; in short, it acts as a middleman. NAT performs a
one-to-one IP address mapping from a private to a registered "real" IP
address. In each data packet that is bound for the Internet, the NAT
process looks at the destination and source IP addresses. The process
strips off any private addressing and replaces it with one of the "real"
registered IP addresses from the pool. The NAT process will keep track,
through an internal mapping process, of the assigned registered IP
addresses to private addresses. When the remote Internet server replies,
the NAT router receives an inbound Internet packet and re-addresses the
packet to the original private address. To review and clarify the NAT
process, an example network topology
is provided (Figure 1 attached). When host 10.1.1.2 wishes to contact an
Internet server 168.2.2.2, it will need to use the globally unique IP
address. The host 10.1.1.2 sends this data packet to its local Internet
router. The NAT process located in the Internet router replaces the
10.1.1.2 address with 196.20.20.2 from its source address pool. This
registered source address pool is allocated to the private users/company
from its contracted Internet Service Provider (ISP). The NAT router tracks
the one-to-one IP address mapping translations between the private and
registered addresses and waits for the reply from the destination Internet
server 168.2.2.2. The address 196.20.20.2 is a legal IP address, which
allows the 168.2.2.2 host to reply back through the Internet. Once the NAT
router receives the reply, it strips the registered IP address 196.20.20.2
and replaces it with the original private address 10.1.1.2 before routing
it on to the user's LAN.
How PAT works:
The Port Address Translation (PAT) process is similar to the NAT process: a
registered IP address merely replaces the private address in an outgoing
Internet session. Referring to Figure 1 (instead of a pool of IP
addresses), there is only one assigned registered IP address,
"196.20.21.1," located in the PAT router. The local hosts 10.2.2.2 and
10.2.2.3 need to communicate with two Internet servers, 168.2.2.2,
168.2.2.3, and both local hosts send a data packet. As both Internet-bound
data packets traverse the PAT router, the private source IP addresses (on
both packets) are replaced with the singular registered IP address
"196.20.21.1." Additionally, the PAT router alters a specific field in the
outgoing data packet, the port acknowledgment field. The PAT router tracks
the new unique port assignment issued to each of the packets. Both
Internet hosts receive their respective packets, reply to the 196.20.21.1
address and then specify the different unique acknowledgment ports. The
PAT router receives these packets, relates them, and then converts the
acknowledgment ports to the original private IP address and original port
assignment.
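Added example, not code from the thread or from any vendor: a toy model of the pool-based NAT and the single-address PAT described in the two sections above, using the addresses from the text. Figure 1 is not available, so the host ports and the sequential hand-out of public ports are assumptions.

```python
from dataclasses import dataclass, replace
from itertools import count

@dataclass(frozen=True)
class Packet:                  # only the header fields the translation touches
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatPool:
    """One-to-one NAT: a private host borrows a registered address from the pool."""
    def __init__(self, pool):
        self.free = list(pool)  # registered addresses leased from the ISP
        self.out = {}           # private ip -> registered ip
        self.back = {}          # registered ip -> private ip
    def outbound(self, pkt):
        if pkt.src_ip not in self.out:
            if not self.free:   # more hosts online than pool entries
                raise RuntimeError("NAT pool exhausted")
            pub = self.free.pop(0)
            self.out[pkt.src_ip], self.back[pub] = pub, pkt.src_ip
        return replace(pkt, src_ip=self.out[pkt.src_ip])
    def inbound(self, pkt):
        priv = self.back.get(pkt.dst_ip)
        return None if priv is None else replace(pkt, dst_ip=priv)

class Pat:
    """PAT: one registered address; the source port is rewritten to a unique value."""
    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.ports = count(first_port)  # assumed: ports handed out sequentially
        self.table = {}                 # (private ip, port) -> public port
        self.back = {}                  # public port -> (private ip, port)
    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:
            pub_port = next(self.ports)
            self.table[key], self.back[pub_port] = pub_port, key
        return replace(pkt, src_ip=self.public_ip, src_port=self.table[key])
    def inbound(self, pkt):
        key = self.back.get(pkt.dst_port)
        if key is None:                 # no session opened this port: drop it
            return None
        return replace(pkt, dst_ip=key[0], dst_port=key[1])

def reply(pkt):
    """Constructed server reply: addresses and ports swapped."""
    return Packet(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
```

Both hosts in the PAT case deliberately use the same private source port, which is why the router must hand out distinct public ports to tell the replies apart; an inbound packet for a port no session opened is dropped rather than forwarded.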
Peter Burggasser <p(_dot_)burggasser(_at_)uta1002(_dot_)at>
08/15/00 02:34 PM
To: Mailinglist <ietf(_at_)ietf(_dot_)org>
cc:
Subject: PAT
Hi,
Could anyone tell me what PAT on a Cisco router is? It's in conjunction
with ip domain-lookup on the router, but I didn't find anything about it.
Thanks for the help.
cu Peter