• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 879
  • Last Modified:

1-to-1 NAT vs PAT

Hi all,

I am sure this question has been answerd but I either can'd find the answer or I need a "For Dummy" answer.

I like to know the advanvantages and disadvantages of using 1-to-1 NAS vs PAT.  I will be hosting a webserver and TS (TS will be access via VPN). I have a block of 5 IPs.

I have read a number of docs on the difference but can't find anythin on the advantages of one or the other. Any "for dommy" andswer is GREATLY apresiated. I have
1 Solution
Craig BeckCommented:
1-1 NAT will allow access on all ports from public IP address to private IP address.  If I connect to on port 54827 it will be forwarded to on port 54827.  This can be very dangerous if you don't adequately firewall the device.

PAT is port translation, so you only forward access to the ports you need.  If you connect to on port 80 you can forward it to any port you like on (for example).  This is more secure as you only open the ports you need.
^ wht craigbeck said. How you describe your question it looks as though by 1-1 NAT you are referring to a firewall feature called DMZ (demilitarized zone), which essentially hands over all inbound traffic to the DMZ target without any protection.

If you have a /29 subnet (assuming your 5 IP's from a block is from a block of 8 minus netid, router, and broadcast) you won't need NAT (or PAT) at all. You should be using a proper routed topology instead and not bother using private IP addresses -- use your public IP addresses internally too. I do this with my /28 subnet (16 addresses).

A routed configuration means you don't need NAT (or PAT) at all, and can just punch holes in your firewall as you please -- even to multiple addresses within your network. If you do decide to do this ensure you configure a default rule that blocks all unspecified inbound connections, or you're just going to end up with a big DMZ.
first of all both were created to solve the depletion pf public ip addresses. A second reason that came along was security because your are able to hide your servers (on private addresses) behind the public ip addresses but this can only deter a poor hacker. This isn't a problem for a real hacker.

To go back to the issue of depletion  of public IP addresses;
 1. With NAT, you are able to translate one private IP to one public IP . For example if you are using NAT with your 5 public IPs,you can have IP translation for as many as 5 servers and no more.

2. With PAT, the translation is 65535 private IPs to one public IP. Now that is theoretical. In realiity it depends on how many session your NAT device can handle which is dependent on the CPU, memory and OS running on your routing device.

So to answer your question , ti depends on how many servers/services you want to run . With my explanation, is 5 addresses adequate for your requirement, if yes go with NAT, if no go for PAT . And you could mix the two. You could use NAT with a couple of addreses and PAT on others.


Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now