Peter, I am sure there are those who could do a much better job of explaining this, but here's a little bit of info that I had lying around that might help. If this is not accurate, I apologize, but in looking through it briefly it seemed about right. Hope it helps...

Best Regards,
Randy

----------------------------------
Randall Gale
Regional Director - New England
Information Security
Predictive Systems
vox: 781-751-9629
fax: 781-329-9343
mailto:[EMAIL PROTECTED]
http://www.predictive.com
----------------------------------

With the depletion of IP address space, the Internet Assigned Numbers Authority (IANA) proposed to conserve the unique addressing space by blocking out (reserving) a large addressing space (private space) that may be replicated in multiple private local area networks (LANs). This pool of set-aside addresses would also be non-routable on the Internet. These address blocks, set up in 1993, are:

Class "A"  10.0.0.0    -> 10.255.255.255
Class "B"  172.16.0.0  -> 172.31.255.255
Class "C"  192.168.0.0 -> 192.168.255.255

The solution was called private addressing and was defined in RFC (Request For Comments) 1918. The process was further enhanced with a solution called Network Address Translation (NAT), RFC 1631. NAT would be a process whereby these private addresses could be masked with an authorized or registered (real) assigned IP address.

NAT is a "many-to-one" scheme that is based on the premise that not all users on a private LAN will need to access the Internet at the same time. A small pool of registered real IP addresses is registered and assigned to the user's group. The registered IP addresses can then be dynamically assigned and reassigned, as appropriate, by the NAT device to users accessing the Internet.

A second NAT technique called port address translation (PAT) is a common solution for small to mid-size companies. The PAT technique is similar to NAT but only uses one registered IP address instead of a pool of addresses. PAT is a true many-to-one solution in that it manipulates a field in the public data packet which is then related back to the private address packet. (PAT is explained in detail below.)

How NAT Works:

The network address translation (NAT) process will be active on a router, or firewall security system, that typically connects to the Internet. This process on a router, or firewall, is called an application proxy. The generic use of the term "application proxy" is when the router/firewall receives a data packet, checks its payload, manipulates it and then redirects it; in short, it acts as a middleman.

NAT performs a one-to-one IP address mapping from a private to a registered "real" IP address. In each data packet that is bound for the Internet, the NAT process looks at the destination and source IP addresses. The process strips off any private addressing and replaces it with one of the "real" registered IP addresses from the pool. The NAT process will keep track, through an internal mapping process, of the assigned registered IP addresses to private addresses. When the remote Internet server replies, the NAT router receives an inbound Internet packet and re-addresses the packet to the original private address.

To review and clarify the NAT process, an example network topology is provided (Figure 1 attached). When host 10.1.1.2 wishes to contact an Internet server 168.2.2.2, it will need to use the globally unique IP address. The host 10.1.1.2 sends this data packet to its local Internet router. The NAT process located in the Internet router replaces the 10.1.1.2 address with 196.20.20.2 from its source address pool. This registered source address pool is allocated to the private users/company from its contracted Internet Service Provider (ISP). The NAT router tracks the one-to-one IP address mapping translations between the private and registered addresses and waits for the reply from the destination Internet server 168.2.2.2. The address 196.20.20.2 is a legal IP address, which allows the 168.2.2.2 host to reply back through the Internet. Once the NAT router receives the reply, it strips the registered IP address 196.20.20.2 and replaces it with the original private address 10.1.1.2 before routing it on to the user's LAN.

How PAT Works:

The Port Address Translation (PAT) process is similar to the NAT process: a registered IP address merely replaces the private address in an outgoing Internet session. Referring to Figure 1 (instead of a pool of IP addresses), there is only one assigned registered IP address, "196.20.21.1," located in the PAT router. The local hosts 10.2.2.2 and 10.2.2.3 need to communicate with two Internet servers, 168.2.2.2 and 168.2.2.3, and both local hosts send a data packet. As both Internet-bound data packets traverse the PAT router, the private source IP addresses (on both packets) are replaced with the singular registered IP address "196.20.21.1." Additionally, the PAT router alters a specific field in the outgoing data packet, the port acknowledgment field. The PAT router tracks the new unique port assignment issued to each of the packets. Both Internet hosts receive their respective packets, reply to the 196.20.21.1 address and then specify the different unique acknowledgment ports. The PAT router receives these packets, relates them, and then converts the acknowledgment ports to the original private IP address and original port assignment.

Peter Burggasser <[EMAIL PROTECTED]> 08/15/00 02:34 PM
To: Mailinglist <[EMAIL PROTECTED]>
cc:
Subject: PAT

Hi, could anyone tell me what PAT on a Cisco router is? It's in conjunction with ip domain-lookup on the router, but I didn't find anything about it.

Thanks for help,
cu Peter
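The translation tables described in the two "How ... Works" passages above, as an added example that is not part of either message in this thread and not any vendor's code. It models both schemes on the Figure 1 addresses (10.1.1.2 -> 196.20.20.2 from a pool; 10.2.2.2 and 10.2.2.3 -> 196.20.21.1 with distinct public ports). The private source ports, the pool size, the 1024-based public port counter and the drop-on-exhaustion behaviour are assumptions for illustration; a real router also keys PAT entries on the destination tuple and ages entries out.

```python
# Added example (not from the original message or any vendor's code): a toy
# model of dynamic NAT (address pool) and PAT (one address, port rewrite).
# Ports, pool size and the 1024-based port counter are assumptions.
import itertools


class DynamicNAT:
    """Pool-based NAT: each active inside host borrows one registered address.

    Mappings are one-to-one while they last. A host that cannot get an
    address from the pool has its packet dropped (returned as None).
    """

    def __init__(self, pool):
        self.free = list(pool)
        self.inside_to_global = {}   # private IP -> registered IP
        self.global_to_inside = {}   # registered IP -> private IP

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source address of an Internet-bound packet."""
        if src_ip not in self.inside_to_global:
            if not self.free:
                return None  # pool exhausted: "not everyone at once" failed
            registered = self.free.pop(0)
            self.inside_to_global[src_ip] = registered
            self.global_to_inside[registered] = src_ip
        return (self.inside_to_global[src_ip], src_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the destination of a reply back to the private address."""
        inside = self.global_to_inside.get(dst_ip)
        if inside is None:
            return None  # no mapping: unsolicited inbound traffic is dropped
        return (src_ip, src_port, inside, dst_port)

    def release(self, src_ip):
        """Return a host's registered address to the pool when it is done."""
        registered = self.inside_to_global.pop(src_ip, None)
        if registered is not None:
            del self.global_to_inside[registered]
            self.free.append(registered)


class PAT:
    """Port address translation: one registered IP, sessions told apart by port."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)  # assumed allocation order
        self.out_table = {}  # (private IP, private port) -> public port
        self.in_table = {}   # public port -> (private IP, private port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Replace the private source IP and pick a unique public port."""
        key = (src_ip, src_port)
        if key not in self.out_table:
            public_port = next(self._ports)
            self.out_table[key] = public_port
            self.in_table[public_port] = key
        return (self.public_ip, self.out_table[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Use the public port to find the original private IP and port."""
        if dst_ip != self.public_ip or dst_port not in self.in_table:
            return None
        inside_ip, inside_port = self.in_table[dst_port]
        return (src_ip, src_port, inside_ip, inside_port)


def demo():
    """Run the Figure 1 scenario; returns each translated packet as a tuple."""
    nat = DynamicNAT(["196.20.20.2"])
    out = nat.outbound("10.1.1.2", 40000, "168.2.2.2", 80)
    back = nat.inbound("168.2.2.2", 80, "196.20.20.2", 40000)

    pat = PAT("196.20.21.1")
    a = pat.outbound("10.2.2.2", 5000, "168.2.2.2", 80)
    b = pat.outbound("10.2.2.3", 5000, "168.2.2.3", 80)  # same private port, distinct public port
    reply_b = pat.inbound("168.2.2.3", 80, "196.20.21.1", b[1])
    return {"nat_out": out, "nat_back": back,
            "pat_a": a, "pat_b": b, "pat_reply_b": reply_b}


if __name__ == "__main__":
    for name, packet in demo().items():
        print(name, packet)
```

The two `inbound` methods returning None for an unknown mapping is the property worth noticing: a reply (or a probe) to a registered address or port that no inside host is currently using has nowhere to go, which is why a NAT/PAT device incidentally blocks unsolicited inbound connections, and why the pool-exhaustion case in `DynamicNAT.outbound` is an availability problem rather than a security one.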
