Solved

1-to-1 NAT vs PAT

Posted on 2011-03-17
3
859 Views
Last Modified: 2012-06-22
Hi all,

I am sure this question has been answerd but I either can'd find the answer or I need a "For Dummy" answer.

I like to know the advanvantages and disadvantages of using 1-to-1 NAS vs PAT.  I will be hosting a webserver and TS (TS will be access via VPN). I have a block of 5 IPs.

I have read a number of docs on the difference but can't find anythin on the advantages of one or the other. Any "for dommy" andswer is GREATLY apresiated. I have
0
Comment
Question by:rudym88
3 Comments
 
LVL 45

Expert Comment

by:Craig Beck
ID: 35156380
1-1 NAT will allow access on all ports from public IP address to private IP address.  If I connect to 1.1.1.1 on port 54827 it will be forwarded to 10.0.0.1 on port 54827.  This can be very dangerous if you don't adequately firewall the device.

PAT is port translation, so you only forward access to the ports you need.  If you connect to 1.1.1.1 on port 80 you can forward it to any port you like on 10.0.0.1 (for example).  This is more secure as you only open the ports you need.
0
 
LVL 3

Expert Comment

by:CombatGold1
ID: 35156450
^ wht craigbeck said. How you describe your question it looks as though by 1-1 NAT you are referring to a firewall feature called DMZ (demilitarized zone), which essentially hands over all inbound traffic to the DMZ target without any protection.

If you have a /29 subnet (assuming your 5 IP's from a block is from a block of 8 minus netid, router, and broadcast) you won't need NAT (or PAT) at all. You should be using a proper routed topology instead and not bother using private IP addresses -- use your public IP addresses internally too. I do this with my /28 subnet (16 addresses).

A routed configuration means you don't need NAT (or PAT) at all, and can just punch holes in your firewall as you please -- even to multiple addresses within your network. If you do decide to do this ensure you configure a default rule that blocks all unspecified inbound connections, or you're just going to end up with a big DMZ.
0
 
LVL 6

Accepted Solution

by:
602650528 earned 500 total points
ID: 35158289
first of all both were created to solve the depletion pf public ip addresses. A second reason that came along was security because your are able to hide your servers (on private addresses) behind the public ip addresses but this can only deter a poor hacker. This isn't a problem for a real hacker.

To go back to the issue of depletion  of public IP addresses;
 1. With NAT, you are able to translate one private IP to one public IP . For example if you are using NAT with your 5 public IPs,you can have IP translation for as many as 5 servers and no more.

2. With PAT, the translation is 65535 private IPs to one public IP. Now that is theoretical. In realiity it depends on how many session your NAT device can handle which is dependent on the CPU, memory and OS running on your routing device.

So to answer your question , ti depends on how many servers/services you want to run . With my explanation, is 5 addresses adequate for your requirement, if yes go with NAT, if no go for PAT . And you could mix the two. You could use NAT with a couple of addreses and PAT on others.

cheers
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now