Improve company productivity with a Business Account.Sign Up

x
?
Solved

1-to-1 NAT vs PAT

Posted on 2011-03-17
3
Medium Priority
?
883 Views
Last Modified: 2012-06-22
Hi all,

I am sure this question has been answerd but I either can'd find the answer or I need a "For Dummy" answer.

I like to know the advanvantages and disadvantages of using 1-to-1 NAS vs PAT.  I will be hosting a webserver and TS (TS will be access via VPN). I have a block of 5 IPs.

I have read a number of docs on the difference but can't find anythin on the advantages of one or the other. Any "for dommy" andswer is GREATLY apresiated. I have
0
Comment
Question by:rudym88
3 Comments
 
LVL 47

Expert Comment

by:Craig Beck
ID: 35156380
1-1 NAT will allow access on all ports from public IP address to private IP address.  If I connect to 1.1.1.1 on port 54827 it will be forwarded to 10.0.0.1 on port 54827.  This can be very dangerous if you don't adequately firewall the device.

PAT is port translation, so you only forward access to the ports you need.  If you connect to 1.1.1.1 on port 80 you can forward it to any port you like on 10.0.0.1 (for example).  This is more secure as you only open the ports you need.
0
 
LVL 3

Expert Comment

by:CombatGold1
ID: 35156450
^ wht craigbeck said. How you describe your question it looks as though by 1-1 NAT you are referring to a firewall feature called DMZ (demilitarized zone), which essentially hands over all inbound traffic to the DMZ target without any protection.

If you have a /29 subnet (assuming your 5 IP's from a block is from a block of 8 minus netid, router, and broadcast) you won't need NAT (or PAT) at all. You should be using a proper routed topology instead and not bother using private IP addresses -- use your public IP addresses internally too. I do this with my /28 subnet (16 addresses).

A routed configuration means you don't need NAT (or PAT) at all, and can just punch holes in your firewall as you please -- even to multiple addresses within your network. If you do decide to do this ensure you configure a default rule that blocks all unspecified inbound connections, or you're just going to end up with a big DMZ.
0
 
LVL 6

Accepted Solution

by:
602650528 earned 2000 total points
ID: 35158289
first of all both were created to solve the depletion pf public ip addresses. A second reason that came along was security because your are able to hide your servers (on private addresses) behind the public ip addresses but this can only deter a poor hacker. This isn't a problem for a real hacker.

To go back to the issue of depletion  of public IP addresses;
 1. With NAT, you are able to translate one private IP to one public IP . For example if you are using NAT with your 5 public IPs,you can have IP translation for as many as 5 servers and no more.

2. With PAT, the translation is 65535 private IPs to one public IP. Now that is theoretical. In realiity it depends on how many session your NAT device can handle which is dependent on the CPU, memory and OS running on your routing device.

So to answer your question , ti depends on how many servers/services you want to run . With my explanation, is 5 addresses adequate for your requirement, if yes go with NAT, if no go for PAT . And you could mix the two. You could use NAT with a couple of addreses and PAT on others.

cheers
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

If you are thinking of adopting cloud services, or just curious as to what ‘the cloud’ can offer then the leader according to Gartner for Infrastructure as a Service (IaaS) is Amazon Web Services (AWS).  When I started using AWS I was completely new…
Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

595 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question