Configuring Port Address Translation
Port Address Translation (PAT) can be configured using the same command as NAT. PAT
maps a single global IP address to many local addresses. PAT extends the range of available
outside addresses at your site by dynamically assigning unique port numbers to the outside
address as a connection is requested. A single IP address has up to 65,535 ports available for
making connections. For PAT, the port number uniquely identifies each connection.
PAT translates a group of local addresses to a single global IP address with a unique source
port (above 1024). When a local host accesses the destination network, the Firewall Services
Module assigns it the global IP address and then a unique port number. Each host receives
the same IP address, but because the source port numbers are unique, the responding traffic,
which includes the IP address and port number as the destination, can be assigned to the
correct host. It is highly unlikely that you would run out of addresses in a PAT configuration
because there are more than 64,000 ports available.
PAT enables you to use a single global address, thus conserving routable addresses. You can
even use the IP address of the destination interface itself as the PAT IP address (this type of
configuration is used on, but is not limited to, the outside interface). PAT does not work with
multimedia applications that have an inbound data stream different from the outgoing
control path.
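The following Python sketch is an added illustration, not code from the original text or from any Cisco device. It models the PAT translation table described above, showing how return traffic is matched to the correct host by port number and why an inbound stream on a port that no outbound connection created has no entry to match. The class name, addresses and port numbers are constructed for the example.

```python
# Simplified model of a PAT translation table (illustrative assumption:
# real devices also key on protocol and age entries out).
class PatTable:
    def __init__(self, global_ip, first_port=1025, last_port=65535):
        self.global_ip = global_ip
        self._free = iter(range(first_port, last_port + 1))  # ports above 1024
        self.out = {}    # (local_ip, local_port) -> global_port
        self.back = {}   # global_port -> (local_ip, local_port)

    def outbound(self, local_ip, local_port):
        """Translate an outgoing connection; allocate a port on first use."""
        key = (local_ip, local_port)
        if key not in self.out:
            gport = next(self._free, None)
            if gport is None:
                raise RuntimeError("PAT port pool exhausted")
            self.out[key] = gport
            self.back[gport] = key
        return self.global_ip, self.out[key]

    def inbound(self, dst_ip, dst_port):
        """Map returning traffic to a local host, or None (drop) if no entry."""
        if dst_ip != self.global_ip:
            return None
        return self.back.get(dst_port)


def demo():
    pat = PatTable("192.0.2.10")               # constructed global address
    a = pat.outbound("10.10.30.5", 40000)      # constructed inside hosts
    b = pat.outbound("10.10.30.6", 40000)      # same local port, other host
    replies = pat.inbound(*a), pat.inbound(*b)
    # Inbound data stream on a port that no outbound connection created,
    # as with the multimedia applications mentioned above: no entry, dropped.
    media = pat.inbound("192.0.2.10", 5004)
    return a, b, replies, media


if __name__ == "__main__":
    print(demo())
```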
In large enterprise environments, to use NAT, you must have a large number of routable
addresses in the global pool. If the destination network requires registered addresses, such as
the Internet, you might encounter a shortage of usable addresses. This can be a disadvantage.
PAT does not work with applications that have an inbound data stream on one port and the
outgoing control path on another, such as multimedia applications. For those situations, it is
more advantageous to use NAT. Example 6-5 shows a sample configuration for PAT.
Example 6-4 Sample Configuration for the nat Command
nat (inside) 1 10.10.10.0 255.255.255.0 0 0
nat (inside) 2 172.16.1.0 255.255.255.0 0 0
Example 6-5 Sample Configuration for Configuring PAT on the Inside Interface
nat (inside) 1 10.10.30.0 255.255.255.0