Network Address Translation
Port Address Translation
Normally, NAT maps each private address that needs to be routed to the outside network to a unique IP address from the pool. However, it is possible for the global address pool to have fewer addresses than the number of private addresses. In this case, you can configure the HP device to use Port Address Translation. Port Address Translation maps a client’s IP address and TCP or UDP port number to both an IP address and a TCP or UDP port number. In this way, the HP device can map many private addresses to the same public address and use TCP or UDP port numbers to uniquely identify the private hosts.
NOTE: This type of feature is sometimes called Overloading an Inside Global Address.
In the example in Figure 11.1, the pool contains enough addresses to ensure that every host on the private network can be mapped to an Internet address in the pool. However, suppose the enterprise implementing this configuration has only 20 Internet addresses. For example, the pool might be 209.157.1.1/24 – 209.157.1.20/24. In this case, the pool does not contain enough addresses to ensure that all the hosts in the private network can be mapped to Internet addresses.
Without Port Address Translation, it is possible that the device will not be able to provide NAT for some hosts. However, with Port Address Translation, the device can provide NAT for all the hosts by using a unique TCP or UDP port number in addition to the IP address to map to each host. For example, the device can map the following addresses:
Inside address  | Outside address
10.10.10.2:6000 | 209.157.1.2:4000
10.10.10.3:6000 | 209.157.1.2:4001
10.10.10.4:6000 | 209.157.1.2:4002
NAT maps the same global IP address to three different private addresses (together with their TCP or UDP ports), but uses a different TCP or UDP port number for each private address to distinguish them. Notice that the Port Address Translation feature does not attempt to use the same TCP or UDP port number as the one in the client’s packet.
The way NAT deals with the client’s TCP or UDP port number depends on whether Port Address Translation is enabled:
• Port Address Translation enabled – NAT treats the client’s IP address and TCP or UDP port number as a single entity, and uniquely maps that entity to another entity consisting of an IP address and TCP or UDP port number. The NAT entry the device creates in the NAT translation table therefore consists of an IP address plus a TCP or UDP port number. The device maintains the port type in the translation address:
  • If the client’s packet contains a TCP port number, the device uses a TCP port in the translation address.
  • If the client’s packet contains a UDP port, the device uses a UDP port in the translation address.
The device does not try to use the same TCP or UDP port number for the untranslated and translated addresses. Instead, the device maps the client IP address plus the TCP or UDP port number to a unique combination of IP address plus TCP or UDP port number. When the device receives reply traffic to one of these hosts, NAT can properly translate the Internet address back into the private address because the TCP or UDP port number in the translation address uniquely identifies the host.
To enable Port Address Translation, use the overload option when you configure the source list, which associates a private address range with a pool of Internet addresses. See “Configuring Dynamic NAT Parameters” on page
• Port Address Translation disabled – The device translates only the client’s IP address into another IP address and retains the TCP or UDP port number unchanged.
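The following Python model is an added example, not HP device code and not the device's CLI; it simulates the translation table described above so the two behaviours (overload enabled versus disabled) can be compared on the page's own scenario: a 20-address pool 209.157.1.1–209.157.1.20, 25 private hosts that all send from source port 6000, and reply traffic that must be mapped back by the translated port alone. The choices of which pool address gets overloaded first (the first one, where the page's table happens to show 209.157.1.2), the starting translated port 4000, and the per-protocol port spaces are assumptions made for the simulation.

```python
"""Simulated dynamic NAT with and without Port Address Translation (overload).

Constructed example; models the translation-table behaviour described in the
text, not any particular device implementation.
"""
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, TCP or UDP port number)

# Constructed pool matching the page: 20 Internet addresses 209.157.1.1-209.157.1.20.
GLOBAL_POOL: List[str] = [f"209.157.1.{i}" for i in range(1, 21)]


class NatDevice:
    """Minimal model of a NAT translation table with an optional overload mode."""

    def __init__(self, pool: List[str], overload: bool,
                 first_port: int = 4000, last_port: int = 65535) -> None:
        self.pool = list(pool)
        self.overload = overload
        self.first_port, self.last_port = first_port, last_port
        # One table per transport protocol: the device keeps the port type, so a
        # TCP entry and a UDP entry may legitimately carry the same port number.
        self.out_table: Dict[str, Dict[Endpoint, Endpoint]] = {"tcp": {}, "udp": {}}
        self.in_table: Dict[str, Dict[Endpoint, Endpoint]] = {"tcp": {}, "udp": {}}
        # Plain NAT state: each inside address owns one pool address outright.
        self.addr_map: Dict[str, str] = {}
        self.free_addrs = list(pool)
        # PAT state (assumed allocation policy): index of the global address being
        # overloaded and the next unused port on it, tracked per protocol.
        self.pat_cursor: Dict[str, Tuple[int, int]] = {
            "tcp": (0, first_port), "udp": (0, first_port)}

    def _alloc_pat(self, proto: str) -> Optional[Endpoint]:
        idx, port = self.pat_cursor[proto]
        if port > self.last_port:            # this global address is full, move on
            idx, port = idx + 1, self.first_port
        if idx >= len(self.pool):
            return None                       # every address and every port used
        self.pat_cursor[proto] = (idx, port + 1)
        return (self.pool[idx], port)

    def _alloc_plain(self, inside_ip: str) -> Optional[str]:
        if inside_ip not in self.addr_map:
            if not self.free_addrs:
                return None                   # pool has fewer addresses than hosts
            self.addr_map[inside_ip] = self.free_addrs.pop(0)
        return self.addr_map[inside_ip]

    def translate_out(self, proto: str, inside: Endpoint) -> Optional[Endpoint]:
        """Outbound packet: map (inside ip, port) to its Internet-side endpoint."""
        proto = proto.lower()
        table = self.out_table[proto]
        if inside in table:
            return table[inside]
        if self.overload:
            outside = self._alloc_pat(proto)  # fresh port; client's port is not reused
        else:
            gip = self._alloc_plain(inside[0])
            outside = None if gip is None else (gip, inside[1])  # port unchanged
        if outside is None:
            return None                       # device cannot provide NAT for this flow
        table[inside] = outside
        self.in_table[proto][outside] = inside
        return outside

    def translate_in(self, proto: str, outside: Endpoint) -> Optional[Endpoint]:
        """Reply packet: the translated (ip, port) alone identifies the private host."""
        return self.in_table[proto.lower()].get(outside)


def demo() -> dict:
    """Reproduce the page's scenario: 25 hosts, 20 addresses, all using port 6000."""
    hosts = [f"10.10.10.{i}" for i in range(2, 27)]
    plain = NatDevice(GLOBAL_POOL, overload=False)
    pat = NatDevice(GLOBAL_POOL, overload=True)
    plain_results = [plain.translate_out("tcp", (h, 6000)) for h in hosts]
    pat_results = [pat.translate_out("tcp", (h, 6000)) for h in hosts]
    return {
        "plain_failed": sum(r is None for r in plain_results),   # hosts left without NAT
        "pat_failed": sum(r is None for r in pat_results),
        "pat_first_three": pat_results[:3],
        "reply_to_second_host": pat.translate_in("tcp", pat_results[1]),
        "udp_first_entry": pat.translate_out("udp", (hosts[0], 6000)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Without overload, the 21st host and every host after it gets no translation because the pool is exhausted, while with overload all 25 share a single global address and differ only in the translated port. The UDP entry shows the port-type rule: it may reuse port number 4000 on the same global address because TCP and UDP ports are kept in separate tables, so the reply lookup is keyed by protocol as well as by address and port.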