Port Address Translation
Port Address Translation (PAT), also called Network Address Port Translation (NAPT), is a technique used in computer networks. It is a special form of NAT (1-to-n NAT). In contrast to plain NAT, not only the IP addresses but also the port numbers are rewritten. PAT is used when several private IP addresses in a LAN are to be translated to a single public IP address. Without rewriting the source port, a conflict would arise whenever several computers in the local network connect to the same remote socket at the same time using the same source port.
Example
Assume that the public IP address 205.0.0.2 is available for the local network 192.168.0.0/24.
Outgoing packets (LAN → WAN), translated by the router (port translation):

| LAN source IP:port | LAN destination IP:port | WAN source IP:port | WAN destination IP:port |
|---|---|---|---|
| 192.168.0.2:5000 | 170.0.0.1:80 | 205.0.0.2:6000 | 170.0.0.1:80 |
| 192.168.0.3:5000 | 170.0.0.1:80 | 205.0.0.2:6001 | 170.0.0.1:80 |
| 192.168.0.5:5002 | 170.0.0.1:80 | 205.0.0.2:6002 | 170.0.0.1:80 |
The source IP addresses are replaced by the (only) public IP address. The internal port numbers are replaced by unique public port numbers. The router uses a table to record the internal source IP address including its port number together with the public port number of the outgoing packet:
- 192.168.0.2:5000 ⇔ 6000
- 192.168.0.3:5000 ⇔ 6001
- 192.168.0.5:5002 ⇔ 6002
As the example shows, this also works when several devices contact the same IP address on the same port at the same time. The data packets all have the same destination IP and the same destination port, but the replies are sent back to the source IP, each with a different port. The calling device (a router or similar) can send an HTTP request to port 80 while specifying port 6001 as its own port. The HTTP server's response is then sent to the router on port 6001, and the router translates it back to the IP address and port of the device that made the call.
Incoming packets (LAN ← WAN), translated by the router (port translation):

| LAN source IP:port | LAN destination IP:port | WAN source IP:port | WAN destination IP:port |
|---|---|---|---|
| 170.0.0.1:80 | 192.168.0.2:5000 | 170.0.0.1:80 | 205.0.0.2:6000 |
| 170.0.0.1:80 | 192.168.0.3:5000 | 170.0.0.1:80 | 205.0.0.2:6001 |
| 170.0.0.1:80 | 192.168.0.5:5002 | 170.0.0.1:80 | 205.0.0.2:6002 |
For incoming packets, the destination port number together with the table entry (connection tracking) determines which computer requested the packet (here 192.168.0.2, 192.168.0.3 and 192.168.0.5). The router can then replace the destination IP with the original source IP (192.168.0.2, 192.168.0.3 or 192.168.0.5) and the public port number with the original internal port number.
Since several IP addresses are translated into a single IP address, this is called an N:1 translation. If several IP addresses are mapped to a smaller number of IP addresses, it is an N:M translation.
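The outgoing and incoming translations described above, as an added example that is not part of the original article. It simulates a PAT router with the article's addresses: the public IP, the starting public port 6000 and the table keyed on (internal IP, internal port) are assumptions taken from the tables above, and a reply to a public port with no table entry is dropped, since nothing inside the LAN requested it.

```python
"""Minimal PAT (NAPT) simulation of the example in the text (added example)."""
from dataclasses import dataclass

PUBLIC_IP = "205.0.0.2"        # the single public address from the example
FIRST_PUBLIC_PORT = 6000       # assumption: router hands out 6000, 6001, ...


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    def __init__(self, public_ip=PUBLIC_IP, first_port=FIRST_PUBLIC_PORT):
        self.public_ip = public_ip
        self.next_port = first_port
        # Translation table, as in the article: internal IP:port <=> public port.
        # Real NAT implementations usually key on the full connection tuple
        # (including destination IP:port) and expire entries after a timeout.
        self.outbound = {}   # (internal ip, internal port) -> public port
        self.inbound = {}    # public port -> (internal ip, internal port)

    def translate_outgoing(self, pkt: Packet) -> Packet:
        """LAN -> WAN: rewrite source IP and source port, recording the mapping."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:           # first packet of this flow
            port = self.next_port              # unique public port, even when
            self.next_port += 1                # two hosts use the same source port
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_incoming(self, pkt: Packet):
        """WAN -> LAN: look up the public port; drop packets nobody asked for."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.inbound:
            return None                        # unsolicited inbound packet: dropped
        ip, port = self.inbound[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, ip, port)


if __name__ == "__main__":
    router = PatRouter()
    for ip, port in (("192.168.0.2", 5000), ("192.168.0.3", 5000), ("192.168.0.5", 5002)):
        out = router.translate_outgoing(Packet(ip, port, "170.0.0.1", 80))
        print(f"{ip}:{port} -> {out.src_ip}:{out.src_port}")
    print(router.translate_incoming(Packet("170.0.0.1", 80, "205.0.0.2", 6001)))
```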
Web links
- RFC 3022 - Traditional IP Network Address Translator (Traditional NAT)
- Animated example (Flash; 55 kB)