1-to-1 NAT vs PAT (Solved)

Posted on 2011-03-17
Last Modified: 2012-06-22
Hi all,

I am sure this question has been answered but I either can't find the answer or I need a "For Dummies" answer.

I would like to know the advantages and disadvantages of using 1-to-1 NAT vs PAT. I will be hosting a webserver and TS (TS will be accessed via VPN). I have a block of 5 IPs.

I have read a number of docs on the difference but can't find anything on the advantages of one or the other. Any "for dummies" answer is GREATLY appreciated. I have
Question by: rudym88
3 Comments
Expert Comment by: Craig Beck (LVL 45), ID: 35156380
1-1 NAT will allow access on all ports from public IP address to private IP address.  If I connect to 1.1.1.1 on port 54827 it will be forwarded to 10.0.0.1 on port 54827.  This can be very dangerous if you don't adequately firewall the device.

PAT is port translation, so you only forward access to the ports you need.  If you connect to 1.1.1.1 on port 80 you can forward it to any port you like on 10.0.0.1 (for example).  This is more secure as you only open the ports you need.
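The difference Craig Beck describes, as an added example that is not part of the original thread: a small Python model of the two inbound translation styles, showing that static 1:1 NAT carries every port through to the inside host unless a firewall in front of it drops the rest, while PAT forwards only what is explicitly mapped. The addresses 1.1.1.1 and 10.0.0.1 and port 54827 come from the comment above; the inside port 8080, the rule tables and the `allowed_ports` firewall stand-in are assumptions made for the demonstration.

```python
# Added example (not from the original thread): a toy model of inbound
# 1:1 NAT versus PAT. Real devices do this in a firewall/NAT rule table;
# 1.1.1.1 / 10.0.0.1 and port 54827 come from the comment above, the
# inside port 8080 and the rule contents are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# 1:1 (static) NAT: one public address <-> one private address, all ports.
ONE_TO_ONE: Dict[str, str] = {"1.1.1.1": "10.0.0.1"}

# PAT / port forwarding: only listed (public ip, proto, port) tuples are
# translated, and the inside port may differ from the outside port.
PORT_FORWARDS: Dict[Tuple[str, str, int], Tuple[str, int]] = {
    ("1.1.1.1", "tcp", 80): ("10.0.0.1", 8080),
}


def translate_one_to_one(pkt: Packet,
                         allowed_ports: Optional[Set[int]] = None
                         ) -> Optional[Tuple[str, int]]:
    """Static NAT: same port in, same port out.

    With no firewall ACL in front (allowed_ports is None) every port
    reaches the inside host, which is the danger the comment warns about.
    """
    inner = ONE_TO_ONE.get(pkt.dst_ip)
    if inner is None:
        return None                      # not one of our public addresses
    if allowed_ports is not None and pkt.dst_port not in allowed_ports:
        return None                      # firewall in front of the NAT drops it
    return (inner, pkt.dst_port)


def translate_pat(pkt: Packet) -> Optional[Tuple[str, int]]:
    """Port forwarding: translate only what is explicitly mapped, else drop."""
    return PORT_FORWARDS.get((pkt.dst_ip, pkt.proto, pkt.dst_port))


def exposed_ports(translate, public_ip: str, proto: str = "tcp") -> List[int]:
    """Ports on public_ip that reach an inside host, i.e. the attack surface."""
    return [p for p in range(1, 65536)
            if translate(Packet(public_ip, p, proto)) is not None]


if __name__ == "__main__":
    print(len(exposed_ports(translate_one_to_one, "1.1.1.1")))   # 65535
    print(exposed_ports(translate_pat, "1.1.1.1"))                # [80]
    # 1:1 NAT with a firewall ACL in front narrows it back down
    print(exposed_ports(lambda p: translate_one_to_one(p, {80, 443}),
                        "1.1.1.1"))                               # [80, 443]
```

The `exposed_ports` scan is the check worth running against any real 1:1 mapping: if you cannot list the ports you expect to see open from the outside, the mapping is effectively a DMZ host.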
Expert Comment by: CombatGold1 (LVL 3), ID: 35156450
^ What craigbeck said. From how you describe your question, it looks as though by 1-1 NAT you are referring to a firewall feature called DMZ (demilitarized zone), which essentially hands over all inbound traffic to the DMZ target without any protection.

If you have a /29 subnet (assuming your 5 IPs from a block is from a block of 8 minus net ID, router, and broadcast) you won't need NAT (or PAT) at all. You should be using a proper routed topology instead and not bother using private IP addresses -- use your public IP addresses internally too. I do this with my /28 subnet (16 addresses).

A routed configuration means you don't need NAT (or PAT) at all, and can just punch holes in your firewall as you please -- even to multiple addresses within your network. If you do decide to do this, ensure you configure a default rule that blocks all unspecified inbound connections, or you're just going to end up with a big DMZ.
Accepted Solution by: 602650528 (LVL 6, earned 500 total points), ID: 35158289
First of all, both were created to solve the depletion of public IP addresses. A second reason that came along was security, because you are able to hide your servers (on private addresses) behind the public IP addresses, but this can only deter a poor hacker. This isn't a problem for a real hacker.

To go back to the issue of depletion of public IP addresses:
1. With NAT, you are able to translate one private IP to one public IP. For example, if you are using NAT with your 5 public IPs, you can have IP translation for as many as 5 servers and no more.

2. With PAT, the translation is 65535 private IPs to one public IP. Now that is theoretical. In reality it depends on how many sessions your NAT device can handle, which is dependent on the CPU, memory and OS running on your routing device.

So to answer your question, it depends on how many servers/services you want to run. With my explanation, is 5 addresses adequate for your requirement? If yes, go with NAT; if no, go for PAT. And you could mix the two. You could use NAT with a couple of addresses and PAT on others.

cheers
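The capacity argument in the accepted solution, as an added example that is not from the original thread: a toy outbound PAT table that multiplexes many inside hosts onto one public address by handing out one public source port per session, and refuses new sessions once the pool is empty. The public address 1.1.1.2, the inside hosts and the tiny port range used in the test are constructed for the demonstration; on a real device the binding limit is the session table (CPU and memory), as the answer says, and the port pool modelled here is only the theoretical ceiling.

```python
# Added example (not from the original thread): outbound PAT modelled as a
# session table. Many inside hosts share one public address; each flow gets
# its own public source port. Addresses and port ranges are constructed.
from typing import Dict, List, Optional, Tuple

Session = Tuple[str, int, str, int]      # inside ip, inside port, dst ip, dst port


class OutboundPat:
    def __init__(self, public_ip: str, port_range: Tuple[int, int] = (1024, 65535)):
        self.public_ip = public_ip
        self.free_ports: List[int] = list(range(port_range[0], port_range[1] + 1))
        self.table: Dict[Session, int] = {}          # session -> public source port

    def open_session(self, inside_ip: str, inside_port: int,
                     dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Return the (public ip, public port) the packet leaves with,
        or None when the port pool is exhausted (new flows fail)."""
        key: Session = (inside_ip, inside_port, dst_ip, dst_port)
        if key in self.table:                        # existing flow keeps its port
            return (self.public_ip, self.table[key])
        if not self.free_ports:
            return None
        port = self.free_ports.pop(0)                # lowest free port first
        self.table[key] = port
        return (self.public_ip, port)

    def close_session(self, inside_ip: str, inside_port: int,
                      dst_ip: str, dst_port: int) -> None:
        """Tear down a flow and return its public port to the pool."""
        port = self.table.pop((inside_ip, inside_port, dst_ip, dst_port), None)
        if port is not None:
            self.free_ports.append(port)

    def active_sessions(self) -> int:
        return len(self.table)

    def hosts_behind(self) -> int:
        """Distinct inside hosts currently sharing this one public address."""
        return len({key[0] for key in self.table})


if __name__ == "__main__":
    pat = OutboundPat("1.1.1.2")
    for host in range(2, 200):                       # constructed inside hosts
        pat.open_session("10.0.0.%d" % host, 50000, "8.8.8.8", 53)
    print(pat.hosts_behind(), "inside hosts behind one public address")
    print(len(pat.free_ports), "public ports still free")
```

With 1:1 NAT the same bookkeeping is one inside host per public address, so a /29 gives at most five translated servers; the answer's suggestion to mix the two is simply a few static mappings for the servers plus one PAT address like this for everything else.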