

1-to-1 NAT vs PAT

Posted on 2011-03-17
Medium Priority
Last Modified: 2012-06-22
Hi all,

I am sure this question has been answered but I either can't find the answer or I need a "For Dummy" answer.

I'd like to know the advantages and disadvantages of using 1-to-1 NAT vs PAT. I will be hosting a webserver and TS (TS will be accessed via VPN). I have a block of 5 IPs.

I have read a number of docs on the difference but can't find anything on the advantages of one or the other. Any "for dummy" answer is GREATLY appreciated. I have
Question by:rudym88

Expert Comment

by:Craig Beck
ID: 35156380
1-1 NAT will allow access on all ports from public IP address to private IP address.  If I connect to on port 54827 it will be forwarded to on port 54827.  This can be very dangerous if you don't adequately firewall the device.

PAT is port translation, so you only forward access to the ports you need.  If you connect to on port 80 you can forward it to any port you like on (for example).  This is more secure as you only open the ports you need.
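The difference described in the comment above, written out as an nftables ruleset for a Linux router. This is an added example, not part of the original thread; the interface names `wan0`/`lan0`, the public block 203.0.113.0/29 and the private LAN 192.168.10.0/24 are assumptions chosen for illustration.

```nft
# Added example. All names and addresses below are assumptions (documentation ranges).
define wan = "wan0"
define lan = "lan0"

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # 1-to-1 NAT: no port match, so every port on 203.0.113.2
        # is translated to the same port on the TS host.
        iifname $wan ip daddr 203.0.113.2 dnat to 192.168.10.20

        # PAT / port forward: only the listed port is translated,
        # and it may land on a different port (public 80 -> private 8080).
        iifname $wan ip daddr 203.0.113.3 tcp dport 80 dnat to 192.168.10.30:8080
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Outbound half of the 1-to-1 mapping.
        oifname $wan ip saddr 192.168.10.20 snat to 203.0.113.2
        # Many-to-one PAT for the rest of the LAN.
        oifname $wan ip saddr 192.168.10.0/24 snat to 203.0.113.3
    }
}

table ip filter {
    chain forward {
        # Default deny: anything not explicitly accepted is dropped.
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        iifname $lan oifname $wan accept

        # This chain runs after DNAT, so rules match the private
        # address and the translated port.
        iifname $wan ip daddr 192.168.10.30 tcp dport 8080 accept

        # No accept rule for 192.168.10.20: the 1-to-1 mapping exists,
        # but unsolicited inbound traffic to it is dropped by policy.
    }
}
```

With the `forward` policy set to `accept` instead of `drop`, the 1-to-1 rule alone would expose every listening port on 192.168.10.20, while the port forward would still expose only the web service.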

Expert Comment

ID: 35156450
^ What craigbeck said. How you describe your question it looks as though by 1-1 NAT you are referring to a firewall feature called DMZ (demilitarized zone), which essentially hands over all inbound traffic to the DMZ target without any protection.

If you have a /29 subnet (assuming your block of 5 IPs is from a block of 8 minus netid, router, and broadcast) you won't need NAT (or PAT) at all. You should be using a proper routed topology instead and not bother using private IP addresses -- use your public IP addresses internally too. I do this with my /28 subnet (16 addresses).

A routed configuration means you don't need NAT (or PAT) at all, and can just punch holes in your firewall as you please -- even to multiple addresses within your network. If you do decide to do this ensure you configure a default rule that blocks all unspecified inbound connections, or you're just going to end up with a big DMZ.

Accepted Solution

602650528 earned 2000 total points
ID: 35158289
First of all, both were created to solve the depletion of public IP addresses. A second reason that came along was security, because you are able to hide your servers (on private addresses) behind the public IP addresses, but this can only deter a poor hacker. This isn't a problem for a real hacker.

To go back to the issue of depletion of public IP addresses:

1. With NAT, you are able to translate one private IP to one public IP. For example, if you are using NAT with your 5 public IPs, you can have IP translation for as many as 5 servers and no more.

2. With PAT, the translation is 65535 private IPs to one public IP. Now that is theoretical. In reality it depends on how many sessions your NAT device can handle, which is dependent on the CPU, memory and OS running on your routing device.

So to answer your question, it depends on how many servers/services you want to run. With my explanation, is 5 addresses adequate for your requirement? If yes, go with NAT; if no, go for PAT. And you could mix the two. You could use NAT with a couple of addresses and PAT on others.

