PAT vs NAT
Can someone tell me any benefits to using NAT instead of PAT? I know with PAT, you can translate up to 64,000 addresses, but with NAT it is one to one.

Thanks,
Nathan Richie

FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: PAT vs NAT
NAT like you said is a one to one translation between the external IP and the internal one (at its purest form).

When you use NAT overloading you are also using PAT, hence you really cannot compare the two. They work in conjunction.

I personally like to think of PAT as what most people refer to as NAT.
I like to think of NAT as just a fancy term for IP Spoofing.

"Richie, Nathan" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> Can someone tell me any benefits to using NAT instead of PAT? I know with PAT, you can translate up to 64,000 addresses, but with NAT it is one to one.
>
> Thanks,
> Nathan Richie
Re: PAT vs NAT
As you all have mentioned PAT is a many to one scenario vs. NAT a one-to-one. Be careful with these terms, some people don't use the word PAT and NAT means different things to different people (masking, spoofing). PAT is generally a Cisco used phrase.

But why use NAT vs. PAT? Well though it is very attractive to use PAT (many-to-one) it is limited in its use. Things like H.323 and IPsec have issues with PAT. Though there have been some fixes for items like H.323 and others there are still issues with IPsec clients accessing end-points from behind PAT.

So in the perfect world, use NAT. That is if you have enough address space and the time to put in static mappings for each node. In the real world use PAT and make NAT available for nodes that require it i.e. externally accessible boxes and nodes needing to run unsupported apps.

Also it is only a claim and a mathematical possibility that PAT can support 64k connections. In reality the ports are broken down into ranges (for example, all port 80 traffic will be assigned to ports 1-200, again just an example and a guess.) Look through Cisco NAT/PAT docs for the actual REAL limitations.

Moe Tavakoli.

--- Santosh Koshy [EMAIL PROTECTED] wrote:
> NAT like you said is a one to one translation between the external IP and the internal one (at its purest form).
>
> When you use NAT overloading you are also using PAT, hence you really cannot compare the two. They work in conjunction.
>
> I personally like to think of PAT as what most people refer to as NAT.
> I like to think of NAT as just a fancy term for IP Spoofing.
>
> "Richie, Nathan" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> > Can someone tell me any benefits to using NAT instead of PAT? I know with PAT, you can translate up to 64,000 addresses, but with NAT it is one to one.
> >
> > Thanks,
> > Nathan Richie
Re: PAT vs NAT
With the number of hosts you mentioned, you should be able to easily use a single IP address as your outside global IP and not require a one-to-one mapping of inside to outside addresses. In other words, all traffic from your site to the Internet would appear on the outside as 1 IP address. (this is PAT) This works by allocating a separate port for each translation:

    original src ip/port    translated src ip/port
    --------------------    ----------------------
    10.1.1.1/1024           175.1.1.1/1025
    10.1.1.2/1024           175.1.1.1/1026
    etc.                    etc.

This is normally done dynamically, however a cisco router allows you to create static mappings that include port numbers, so if you only had a single IP address, you could still provide access to internal servers. For example, if you had a web server using address 10.1.1.3:

    ip nat inside source static tcp 10.1.1.3 80 175.1.1.1 80

would send all incoming traffic to IP address 175.1.1.1 on port 80 to internal address 10.1.1.3 on port 80.

The limitation is that you can't have multiple servers using the same outside port. For example, you couldn't create a second static mapping to tell the router to send traffic inbound on port 80 to a second server. You could, however, have multiple mappings for different ports:

    ip nat inside source static tcp 10.1.1.4 25 175.1.1.1 25
    ip nat inside source static tcp 10.1.1.5 110 175.1.1.1 110
    etc etc

As I said, this feature is useful if you only have a single or very few registered IP addresses. This feature is available on cisco routers, but not on the PIX.

I would recommend you take a look at the cisco nat information:
http://www.cisco.com/warp/public/732/nat/

Several examples of NAT are also included in "Cisco Access Lists Field Guide", of which I am co-author.

HTH,
Kent

[EMAIL PROTECTED] wrote:
> I am confused, I generally set up the NAT pool separate from my IPs that I will statically map to my inside hosts. Are you saying that I can use an IP address from my NAT range for this?
>
> And, please elaborate on mapping hosts using the PATed address on a cisco router. How could you statically map more than one internal host using a PAT address?
>
> -Original Message-
> From: Kent Hundley
> To: Duncan Maccubbin; [EMAIL PROTECTED]
> Sent: 6/6/00 2:04 PM
> Subject: Re: PAT vs NAT
>
> The PAT implementation on the PIX does not currently support the ability to include port information in its static mappings. You need an additional IP address for every host you want to be globally accessible. For example, you couldn't reserve port 80 for an internal web server to be reachable via the PATed address. (you can do this on a cisco router)
>
> If you have a requirement for globally accessible servers, this would be a situation where you would need NAT instead of PAT on the PIX.
>
> HTH,
> Kent
>
> Duncan Maccubbin wrote:
> > I'm wondering what NAT gives me over PAT. On my PIX I believe it can do 65,000 translations on PAT. If I have 100 users behind it what is the advantage of using NAT?
> >
> > Duncan

UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
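Added example, not part of the thread: a short Python check for the limitation Kent describes, that two static port mappings cannot share one outside address and port. It parses `ip nat inside source static` lines in the form quoted in his message, flags collisions, and lists which inside services are exposed; the fourth mapping and host 10.1.1.6 in the sample are constructed.

```python
import re
from collections import defaultdict

# Matches the static port-mapping form quoted in the message above:
#   ip nat inside source static {tcp|udp} <inside-ip> <inside-port> <outside-ip> <outside-port>
STATIC_RE = re.compile(
    r"^\s*ip nat inside source static (tcp|udp) "
    r"(\d+\.\d+\.\d+\.\d+) (\d+) (\d+\.\d+\.\d+\.\d+) (\d+)\s*$"
)

def parse_static_mappings(config_text):
    """Return a list of (proto, inside_ip, inside_port, outside_ip, outside_port)."""
    mappings = []
    for line in config_text.splitlines():
        m = STATIC_RE.match(line)
        if m:
            proto, in_ip, in_port, out_ip, out_port = m.groups()
            mappings.append((proto, in_ip, int(in_port), out_ip, int(out_port)))
    return mappings

def find_conflicts(mappings):
    """Group by outside (proto, ip, port); more than one inside target is a conflict."""
    by_outside = defaultdict(list)
    for proto, in_ip, in_port, out_ip, out_port in mappings:
        by_outside[(proto, out_ip, out_port)].append((in_ip, in_port))
    return {k: v for k, v in by_outside.items() if len(set(v)) > 1}

def exposed_services(mappings):
    """Inventory of inside services reachable from outside, for review against policy."""
    return sorted({(out_port, proto, in_ip, in_port)
                   for proto, in_ip, in_port, _out_ip, out_port in mappings})

# Constructed sample: the three mappings from the message plus a second
# port-80 mapping (10.1.1.6 is a made-up host) that cannot coexist with the first.
SAMPLE_CONFIG = """\
ip nat inside source static tcp 10.1.1.3 80 175.1.1.1 80
ip nat inside source static tcp 10.1.1.4 25 175.1.1.1 25
ip nat inside source static tcp 10.1.1.5 110 175.1.1.1 110
ip nat inside source static tcp 10.1.1.6 80 175.1.1.1 80
"""

if __name__ == "__main__":
    maps = parse_static_mappings(SAMPLE_CONFIG)
    for key, targets in find_conflicts(maps).items():
        print("conflict on", key, "->", targets)
    for svc in exposed_services(maps):
        print("exposed:", svc)
```

Every entry in the exposed-services list is an inbound path through the translator, so the same inventory is a reasonable starting point for checking the inbound access lists.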
PAT vs NAT
I'm wondering what NAT gives me over PAT. On my PIX I believe it can do 65,000 translations on PAT. If I have 100 users behind it what is the advantage of using NAT?

Duncan

===
Duncan Maccubbin | [EMAIL PROTECTED]
Senior Network Engineer
MCP+I,MCSE,CCNA,CCDA,CCNP
CapuNet, LLC - Corporate Internet Solutions
(301) 881-4900 x8039
===
Re: PAT vs NAT
Hi Duncan,

With NAT you will need 100 IP addresses to allow 100 connections or you can limit the amount of web connectivity by only allowing say 10 connections. However with PAT you only need one outside address because you are using the port addresses.

Regards
Robert

Duncan Maccubbin wrote:
> I'm wondering what NAT gives me over PAT. On my PIX I believe it can do 65,000 translations on PAT. If I have 100 users behind it what is the advantage of using NAT?
>
> Duncan

--
Robert LAKE MSc - Customer Support Engineer
E-Mail: [EMAIL PROTECTED]
Phone : +32 2 704 5434
Fax   : +32 2 704 5804
Parc Pegasus
De Kleetlaan, 6
B-1831 - Diegem - Belgium
Cisco Systems
Euro TAC - Brussels
Cisco Systems - Empowering the Internet Generation
Re: PAT vs NAT
The PAT implementation on the PIX does not currently support the ability to include port information in its static mappings. You need an additional IP address for every host you want to be globally accessible. For example, you couldn't reserve port 80 for an internal web server to be reachable via the PATed address. (you can do this on a cisco router)

If you have a requirement for globally accessible servers, this would be a situation where you would need NAT instead of PAT on the PIX.

HTH,
Kent

Duncan Maccubbin wrote:
> I'm wondering what NAT gives me over PAT. On my PIX I believe it can do 65,000 translations on PAT. If I have 100 users behind it what is the advantage of using NAT?
>
> Duncan

--
Kent Hundley
Lucent Networkcare
CISSP, CCSE
Sr. Network Consultant
Re: PAT vs NAT
> I'm wondering what NAT gives me over PAT. On my PIX I believe it can do 65,000 translations on PAT. If I have 100 users behind it what is the advantage of using NAT?
>
> Duncan

First, you are slightly high on the architectural limit of the number of port translations that are possible on one IP address. The basic limit is the 16-bit port number field, with a maximum of 65535. 2K of that space, however, is reserved for well-known and registered ports.

Second, for any NAT-family mechanism, you may have higher-layer protocol confusions with reverse DNS, etc., if multiple application services are associated with the same address. I'm no HTTP expert, but I understand that HTTP 1.0 has definite problems here. Might be less of an issue if you only have outgoing clients.

Third, especially if you have UDP-based applications, some ports may not be available periodically because the protocol driver holds them inactive until a timer expires. For UDP, this imposes pseudo-sessions to avoid multiple processes using the same address/port. If you dig into TCP, however, you will find the TCP-WAIT timer also affects availability of ports.
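Added example, not part of the thread: a toy Python model of dynamic PAT on one outside address. It reproduces the 10.1.1.x/1024 to 175.1.1.1/1025, 1026 allocations from Kent's table earlier on the page and shows the point made above, that a released port stays unavailable until a timer expires. The three-port range and 60-second hold are constructed values, not Cisco defaults.

```python
class PatPool:
    """Toy model of one outside address doing PAT (not any vendor's implementation)."""

    def __init__(self, outside_ip, low_port, high_port, hold_seconds):
        self.outside_ip = outside_ip
        self.free = list(range(low_port, high_port + 1))
        self.hold_seconds = hold_seconds
        self.active = {}    # (inside_ip, inside_port) -> outside_port
        self.held = {}      # outside_port -> time at which it becomes reusable

    def _reclaim(self, now):
        # Return ports whose hold timer has expired to the free list.
        for port in [p for p, t in self.held.items() if t <= now]:
            del self.held[port]
            self.free.append(port)

    def allocate(self, inside_ip, inside_port, now):
        """Return (outside_ip, outside_port), or None when no port is usable."""
        key = (inside_ip, inside_port)
        if key in self.active:
            return (self.outside_ip, self.active[key])
        self._reclaim(now)
        if not self.free:
            return None
        port = self.free.pop(0)
        self.active[key] = port
        return (self.outside_ip, port)

    def release(self, inside_ip, inside_port, now):
        """Close a translation; its outside port stays unusable until the hold expires."""
        port = self.active.pop((inside_ip, inside_port))
        self.held[port] = now + self.hold_seconds

def demo():
    # Constructed numbers: 3 usable ports and a 60 s hold, chosen to keep the trace short.
    pool = PatPool("175.1.1.1", 1025, 1027, hold_seconds=60)
    results = [pool.allocate("10.1.1.%d" % h, 1024, now=0) for h in (1, 2, 3)]
    pool.release("10.1.1.1", 1024, now=10)                   # port 1025 held until t=70
    results.append(pool.allocate("10.1.1.4", 1024, now=30))  # no free port: all active or held
    results.append(pool.allocate("10.1.1.4", 1024, now=70))  # 1025 is reusable again
    return results

if __name__ == "__main__":
    for r in demo():
        print(r)
```

A failed allocation in this model corresponds to a dropped new connection, which is why usable capacity under connection churn sits below the raw size of the port range.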
RE: PAT vs NAT
I am confused, I generally set up the NAT pool separate from my IPs that I will statically map to my inside hosts. Are you saying that I can use an IP address from my NAT range for this?

And, please elaborate on mapping hosts using the PATed address on a cisco router. How could you statically map more than one internal host using a PAT address?

-Original Message-
From: Kent Hundley
To: Duncan Maccubbin; [EMAIL PROTECTED]
Sent: 6/6/00 2:04 PM
Subject: Re: PAT vs NAT

> The PAT implementation on the PIX does not currently support the ability to include port information in its static mappings. You need an additional IP address for every host you want to be globally accessible. For example, you couldn't reserve port 80 for an internal web server to be reachable via the PATed address. (you can do this on a cisco router)
>
> If you have a requirement for globally accessible servers, this would be a situation where you would need NAT instead of PAT on the PIX.
>
> HTH,
> Kent
>
> Duncan Maccubbin wrote:
> > I'm wondering what NAT gives me over PAT. On my PIX I believe it can do 65,000 translations on PAT. If I have 100 users behind it what is the advantage of using NAT?
> >
> > Duncan