PAT Overview
PAT is a special type of NAT that allows multiple devices on a private network to share a single public IP address. These many-to-one translations are possible because not just the IP addresses are translated but also the source ports.
When a device on the private network sends a packet to the internet, besides replacing the private IP, the router also assigns a port number to the packet. By default, the same port number is used during the NAT translation unless it is already occupied, in which case the next available one is assigned for the NAT session.
Keep in mind that the key part of PAT is the translation of the ports. Since each internal device uses the same public IP address, the ports differentiate between the translations (NAT sessions) inside the NAT table. Therefore, when a response is received from the internet, the router uses the port number to determine which private IP address to forward the reply packet to.
Although dynamic NAT conserves the limited supply of public IP addresses, it can also make it more difficult to identify and track individual devices on the private network since many internal hosts use the same public IP address.
Best Use Case for PAT
PAT is the most suitable form of NAT for providing internet access in networks with many users. Such situations would be an enterprise network, where the number of employees is in the hundreds if not in the thousands, or a home network where you need internet access for several computers, smartphones, or tablets, or internet cafes, kiosks, and similar places.
Because just a single public IPv4 address is enough when using PAT, this solution is also the cheapest. However, if one IP address is not enough for the total number of devices in the network, you can also use a second one.
PAT Configuration Example
Let’s use the same example topology from the image above as a use case to configure PAT. The goal is to provide access to the internet for each device in the network by using just a single public IP address. Usually, this is the IP address on the exit interface, either statically configured or dynamically assigned by DHCP.
Just like with dynamic NAT, the configuration process consists of an ACL that specifies which private IP addresses are allowed for translation and defines an interface whose configured IP address will be used to translate the private IPs.
To map the ACL to the interface, you need to use the ip nat inside source list ACL-name interface interface-type overload in global configuration mode. The commands required for the example are as follows:
Note: PAT is also known as NAT overloading, as you may have noticed by using the “overload” attribute in the configuration command. The reason for that term is that one global IPv4 address gets overloaded until all available ports are exhausted. Theoretically, you can translate as many as 65535 IP addresses into one.
To verify the PAT configuration, you need to use the same show ip nat translation command.