Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Port address translation

Posted on 2011-10-31
Medium Priority
Last Modified: 2012-05-12
How does PAT work?

Can you only use less the 65,000 hosts per one real ip address?

My understanding is this.

One external address for example and two internal addresses of and

Both internal clients want to go to yahoo.com on port 80

So one client sends packet destination source and the other client sends packet destination source

Router performing PAT keeps the destinations but changes the source to and

When yahoo replies the destination is and but the source is and

Our external router sees destination ports of 1500 and 1501 and knows which internal hosts to send to?

Where is the port translation? It seems that the ports remain the same but only the source ip address changes?

Would a better name be SAT? Source address translation?

The 65,000 limit comes from the fact that there are less than 65,000 unique source ports.

Or maybe I don't understand what is actually happening in PAT?
Question by:Dragon0x40
LVL 18

Accepted Solution

Don S. earned 400 total points
ID: 37060506
You are basically correct.  A normal conversation would occur all over port 80 - both source and destination.  However, with PAT, the firewall/router translates a private address:port 80 into a single public address with some other source port.  The reply comes back to that address and port and gets translated into the real private address and real source port.

Assisted Solution

Mike_Bickford earned 800 total points
ID: 37060526
What you are describing is NAT... network address translation.  The translations are dynamic.  The "conversation" always starts from the inside (private address) address.  The router creates and tracks the translation without user intervention.

Port Forwarding is a slightly different thing that is usually done in combination with NAT.   In port forwarding, you manually pre-assign a translation so that any host who knows the translation can reach the host with a private address.  The conversation can start from outside the local net

In the most common example you want to assign a well known port like 80 (HTTP) to a machine with a private address inside your network.   So on the router, you pre-assign the translation that says traffic that arrives addressed to port 80 on the public interface of the router is translated instead to port 80 of the internal host that runs your web server.   I

n most small routers, turning on one automatically enables the other... so you usually see them together, but they are seperate serviced.
LVL 17

Assisted Solution

by:Marius Gunnerud
Marius Gunnerud earned 400 total points
ID: 37061001
You have correctly described PAT (NAT-overload aka. many to one).

The reason it is called NAT is that when you have a network of that all want to use the IP address of the router needs some way of identifying what IP certain traffic originated from. The only way a router knows how to do that is by associating ports to the traffic.  this is why it is called PAT and not SAT.

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.


Author Comment

ID: 37063582
Does the only time Port Address Translation happen is when two internal hosts both try to use the same source port at the same time?

If one host client source is and the other host client source is then one source port will have to be "translated" to 1506 or some other port?

This is because if both hosts use source port of 1505 then yahoo will respond back to both requests streams with the destination address of and the external translating router would not be able to determine which packets should be sent to or

Assisted Solution

Mike_Bickford earned 800 total points
ID: 37065247
No, if the inside hosts are on a private network like 10.x.x.x  it happens every time.  They must use translation in order to connect to any host on the public internet.   Routers reject the private ranges ( 10.x.x.x and 192.168.x.x)  by default.   Without translation they can't participate in the public internet.

 Some routers support dyamic port assignment, where an inside host that transmits on a port automatically gets assigned that port inbound... but only until some other inside host claims the port.

This is all theoretical anyway if you are talking about the maximum number of translations available.  In practical fact this is controlled by the size of the translation table supported by the router.   It will be way less than 65,000 translations.

LVL 17

Assisted Solution

rochey2009 earned 400 total points
ID: 37072895

Say for example that both clients use the same source port. source and the other client sends packet destination source

If both clients are using the same source port then PAT keeps the first 1500 but changes the second 1500 source port to 1501.
Sources from the outside are (translates to and (translates to


Featured Post

Restore individual SQL databases with ease

Veeam Explorer for Microsoft SQL Server delivers an easy-to-use, wizard-driven interface for restoring your databases from a backup. No expert SQL background required. Web interface provides a complete view of all available SQL databases to simplify the recovery of lost database

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Network ports are the threads that hold network communication together. They are an essential part of networking that can be easily ignore or misunderstood, my goals is to show those who don't have a strong network foundation how network ports opera…
Configuring network clients can be a chore, especially if there are a large number of them or a lot of itinerant users.  DHCP dynamically manages this process, much to the relief of users and administrators alike!
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

577 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question