How Does a Layer 3 Router Translate Port Address in PAT?

layer3layer4nat;router

While I was reading about PAT i.e Port Address Translation.The router was configured to translate all the private IP addresses to one single public IP.Since router is a layer-3 device, it can do that translation by changing the source IP in the IP header. But how does it change the port number in the Transport Layer Header.Can a router do such kind of translation and on what basis does it translates those ports.

Kindly help me with this.Please do let me know If am missing something or I am going in wrong direction.

Thanks!

Best Answer

What you are missing is that there is a difference between the functionality of a router as concieved by the people who designed the Internet protocol and the functionality of a modern device that says "router" on the box.

A router as originally invisaged by the creators of the Internet only cared about layer 3 and below. It would strip off the link type specific headers (layers 1/2), perform IP routing (layer 3) and then build a new set of link type specific headers for the next hop.

But modern devices that say "router" on the box often do far more than that. They can and do implement functionality that involves inspecting and modifying the layer 4 headers.

Related Solutions

Router – NAT translation thestery

This doesn't really answer my question why did NAT always use the 80th port as source port for outgoing traffic, but at least I figured out how to fix the problem.

I created an access list to match traffic from the mail server and also created a pool of one public address for it.

ip access-list extended 109
 !!! Restrict NAT for branch office destinations
 deny ip host 192.168.7.7. 192.168.0.0 0.0.255.255
 permit ip host 192.168.7.7 any
ip nat pool MAIL 198.51.100.7 198.51.100.7 prefix-length 27
ip nat inside source list 109 pool MAIL

And...Voilà! It now preserves the source port number as it sends traffic. And our mail is no longer blocked by some external MTA mail servers.

Update:

So now I tried reverting back to:

ip nat source static 192.168.7.7 198.51.100.7 route-map Deny_On_VPN

And it actually started to translate addresses and ports as expected - one to one. I don't really understand what the deal was with it, maybe a bug? Hopefully it will keep running like this from now on. I guess, I'll have a look at IOS release notes

Cisco – ASA 5525-X PAT only for one IP subnet

You are trying to specify a NO-NAT for your 187.87.7.0/27 but I don't know why.

Simply having "nat (inside,outside) source dynamic PRIVATE interface" will dynamically PAT your 191.167.1.0/24 to 198.98.9.1

Then traffic traversing your inside to outside will not hit the NAT statement therefore pass through without NAT?

Isn't this what you want?

Best Answer

Related Solutions

Router – NAT translation thestery

Update:

Cisco – ASA 5525-X PAT only for one IP subnet

Related Topic