WAN and NAT

Discussion in 'General Cisco Certifications' started by sendalot, Feb 6, 2013.

  1. sendalot

    sendalot Nibble Poster

    Have some questions on WAN concepts.

    1st: So, we have PAT and NAT. As Odom's book states, is PAT simply one of the ways of implementing NAT?

    2nd: And for connecting WANs between locations,

    (1) Leased Line: PSTN
    (2) Packet Switching: ATM, Frame-Relay
    (3) Circuit-Switch: ISDN.
    (4) Cell Switching: ATM

    Now if we have multiple or several virtual circuits, do I still use ISDN or switch to ATM?

    Thanks.
     
    Certifications: Many
  2. BraderzTheDog

    BraderzTheDog Kilobyte Poster

    Hi,

    In response to your 1st question, PAT and NAT are effectively the same thing; however, PAT is just a flavour of what a specific type of NAT can do.

    PAT is effectively source NAT. When a packet from the local area network hits the router interface it will be subject to source NAT. The source IP address from the LAN will come to the router something like this: 192.168.1.50 -> 84.154.22.130. The router will strip away the source IP that it arrived on and use its own public IP address. The communication post-NAT will look something like this: 142.17.25.11 -> 84.154.22.130.

    If you only have 1 public IP address (142.17.25.11) and, let's say, 100 hosts browsing web pages, they will all be using the same public NATed address. This is where PAT comes in: if you have 192.168.1.50 and 192.168.1.51 using the same public IP address, how does the router know which host to send the reply packets to? If one user is browsing Facebook and the other eBay, how does the router know which host to send each HTTP reply back to?

    What PAT does is open a random port per request on your public address, so the request will look like this: 142.17.25.11:4587 -> 84.154.22.130:80. This way, when the destination address sends a reply it includes the port number in the packet header, so when the router in your office receives the packet it knows 4587 translates to 192.168.1.50 locally :)

    Bring up a command prompt and type netstat. You will be able to see this.

    Here's an example of a request from my machine:

    172.16.25.180:53171 141.101.117.31:http ESTABLISHED

    You can see my source IP is being PATed.

    In terms of your second question, I'm not sure; however, I know for ADSL connections you usually use PPP over ATM, so for the leased line PSTN I'm guessing this is an ADSL connection running across the public switched telephone network? You will more than likely use ATM.

    Hope that's clarified things somewhat.
     
    Certifications: CCNA R&S, CCNA-SEC, CCSA, JNCIA FWV, MCITP, MCTS, MTA, A+
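The translation described in the post above, as an added example (not code from the post or from any router vendor): a toy PAT table in which many LAN hosts share one public address and are told apart by a per-connection public source port, which is also what lets the router send the reply back to the right host. The addresses 192.168.1.50/.51, 142.17.25.11 and 84.154.22.130 are the ones used in the post; the class and function names, the seeded port allocator and the 203.0.113.9 "stray" sender are this example's own assumptions.

```python
"""Toy port address translation (PAT) table (added example, not from the post).

Many LAN hosts share one public IP; each outbound connection gets its own
public source port, and inbound replies are mapped back through that port.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One direction of a packet: source and destination socket pair."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PATTable:
    def __init__(self, public_ip, port_range=(1024, 65535), seed=None):
        self.public_ip = public_ip
        self.port_range = port_range
        self.rng = random.Random(seed)  # seeded only so the demo is repeatable
        # LAN 5-tuple -> public source port chosen for it
        self.outbound = {}
        # (public port, remote ip, remote port, proto) -> (LAN ip, LAN port)
        self.inbound = {}

    def _allocate_port(self, remote_ip, remote_port, proto):
        """Pick a public port not already mapped for this remote endpoint."""
        lo, hi = self.port_range
        for _ in range(hi - lo + 1):
            port = self.rng.randint(lo, hi)
            if (port, remote_ip, remote_port, proto) not in self.inbound:
                return port
        raise RuntimeError("public port pool exhausted")

    def translate_out(self, flow):
        """LAN -> Internet: rewrite the source to public ip:port and remember the mapping."""
        key = (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port, flow.proto)
        if key not in self.outbound:
            port = self._allocate_port(flow.dst_ip, flow.dst_port, flow.proto)
            self.outbound[key] = port
            self.inbound[(port, flow.dst_ip, flow.dst_port, flow.proto)] = (
                flow.src_ip, flow.src_port)
        return Flow(self.public_ip, self.outbound[key],
                    flow.dst_ip, flow.dst_port, flow.proto)

    def translate_in(self, reply):
        """Internet -> LAN: look the public port up; no mapping means the packet is dropped.

        The lookup also requires the reply to come from the remote ip:port the LAN
        host contacted, so a third party cannot reach the host just by guessing
        the public port.
        """
        if reply.dst_ip != self.public_ip:
            return None
        key = (reply.dst_port, reply.src_ip, reply.src_port, reply.proto)
        if key not in self.inbound:
            return None
        lan_ip, lan_port = self.inbound[key]
        return Flow(reply.src_ip, reply.src_port, lan_ip, lan_port, reply.proto)


def demo():
    """Two LAN hosts browse the same web server through one public address."""
    table = PATTable("142.17.25.11", seed=1)
    out_a = table.translate_out(Flow("192.168.1.50", 50000, "84.154.22.130", 80))
    out_b = table.translate_out(Flow("192.168.1.51", 50000, "84.154.22.130", 80))
    # The server replies to the public ip:port it saw; the table undoes the rewrite.
    back_a = table.translate_in(Flow("84.154.22.130", 80, "142.17.25.11", out_a.src_port))
    back_b = table.translate_in(Flow("84.154.22.130", 80, "142.17.25.11", out_b.src_port))
    # Unsolicited packet from an unrelated host to a live public port: no mapping, dropped.
    stray = table.translate_in(Flow("203.0.113.9", 80, "142.17.25.11", out_a.src_port))
    return {"out_a": out_a, "out_b": out_b, "back_a": back_a,
            "back_b": back_b, "stray": stray}


if __name__ == "__main__":
    for name, flow in demo().items():
        print(f"{name}: {flow}")
```

Both hosts use source port 50000 and the same destination, so only the public port distinguishes them; that is the point of PAT. The inbound lookup keys on the remote endpoint as well as the public port, which is what keeps the translation table from doubling as an open door.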
  3. danielno8

    danielno8 Gigabyte Poster

    Good post and clarifies PAT well.

    However, netstat does not prove you are being "PAT'd"; it only shows your local IP address, the source port used, the destination address, and the destination port.

    OP:

    ISDN and ATM can both carry virtual circuits. Not quite sure exactly what you are getting at with your question. The number of terms is confusing; don't let it put you off though :)
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  4. BraderzTheDog

    BraderzTheDog Kilobyte Poster

    Good point made above; unfortunately, at that time I didn't have anything other than a command prompt to show you as an example. However, I do now! :D

    The following is a TCPdump taken on my Juniper ScreenOS firewall. It shows really well the NAT & PAT process (private LAN IP to public to destination).

    brd1fw1-> get session src-ip 10.0.0.10
    id 1830/s**,vsys 0,flag 00000000/0000/0001,policy 1,time 179, dip 2 module 0
    if 2(nspflag 801801):10.0.0.10/50435->173.194.41.79/443,6,f46d04484921,sess token 3,vlan 0,tun 0,vsd 0,route 1,wsf 0
    if 1(nspflag 10003800):80.229.30.240/1897<-173.194.41.79/443,6,000000000000,sess token 4,vlan 0,tun 0,vsd 0,route 5,wsf 0
    id 1832/s**,vsys 0,flag 00000000/0000/0001,policy 1,time 130, dip 2 module 0
    if 2(nspflag 801801):10.0.0.10/49466->23.46.112.60/443,6,f46d04484921,sess token 3,vlan 0,tun 0,vsd 0,route 1,wsf 0
    if 1(nspflag 10003800):80.229.30.240/1488<-23.46.112.60/443,6,000000000000,sess token 4,vlan 0,tun 0,vsd 0,route 5,wsf 0
    id 1835/s**,vsys 0,flag 00000000/0000/0001,policy 1,time 28, dip 2 module 0
    if 2(nspflag 801801):10.0.0.10/49840->31.186.225.23/80,6,f46d04484921,sess token 3,vlan 0,tun 0,vsd 0,route 1,wsf 0
    if 1(nspflag 10003800):80.229.30.240/1985<-31.186.225.23/80,6,000000000000,sess token 4,vlan 0,tun 0,vsd 0,route 5,wsf 0
    id 1843/s**,vsys 0,flag 00000000/0000/0001,policy 1,time 177, dip 2 module 0
    if 2(nspflag 801801):10.0.0.10/50245->66.211.181.192/443,6,f46d04484921,sess token 3,vlan 0,tun 0,vsd 0,route 1,wsf 0
    if 1(nspflag 10003800):80.229.30.240/2872<-66.211.181.192/443,6,000000000000,sess token 4,vlan 0,tun 0,vsd 0,route 5,wsf 0
    id 1845/s**,vsys 0,flag 00000000/0000/0001,policy 1,time 28, dip 2 module 0

    What Daniel said is correct; the bit I've highlighted in red is the actual translated packet. The destination, as you can tell, was something over HTTPS, as the dest port is 443.

    Hope that clears it up, :)
     
    Last edited: Feb 7, 2013
    Certifications: CCNA R&S, CCNA-SEC, CCSA, JNCIA FWV, MCITP, MCTS, MTA, A+
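A way to read the session listing above mechanically, as an added example (not code from the post or from Juniper): it parses the `id` / `if` lines into one translation record per session and then reports the facts that show PAT rather than plain 1:1 NAT, namely that the source address and the source port are both rewritten and that no two sessions share a public port towards the same remote endpoint. The field layout is taken from the output in the post (an `id ...` line followed by an `if ...` line per leg, `->` for the LAN-side leg and `<-` for the public-side leg) and is assumed to hold for other sessions of the same kind; the sample embedded in the code is the session table from the post.

```python
"""Parse a ScreenOS `get session` listing into NAT/PAT translation records
(added example; field layout taken from the output in the post above)."""
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: the session table from the post (the trailing `id` line has no legs).
SAMPLE = """\
id 1830/s**,vsys 0,flag 00000000/0000/0001,policy 1,time 179, dip 2 module 0
if 2(nspflag 801801):10.0.0.10/50435->173.194.41.79/443,6,f46d04484921,sess token 3,vlan 0,tun 0,vsd 0,route 1,wsf 0
if 1(nspflag 10003800):80.229.30.240/1897<-173.194.41.79/443,6,000000000000,sess token 4,vlan 0,tun 0,vsd 0,route 5,wsf 0
id 1832/s**,vsys 0,flag 00000000/0000/0001,policy 1,time 130, dip 2 module 0
if 2(nspflag 801801):10.0.0.10/49466->23.46.112.60/443,6,f46d04484921,sess token 3,vlan 0,tun 0,vsd 0,route 1,wsf 0
if 1(nspflag 10003800):80.229.30.240/1488<-23.46.112.60/443,6,000000000000,sess token 4,vlan 0,tun 0,vsd 0,route 5,wsf 0
id 1835/s**,vsys 0,flag 00000000/0000/0001,policy 1,time 28, dip 2 module 0
if 2(nspflag 801801):10.0.0.10/49840->31.186.225.23/80,6,f46d04484921,sess token 3,vlan 0,tun 0,vsd 0,route 1,wsf 0
if 1(nspflag 10003800):80.229.30.240/1985<-31.186.225.23/80,6,000000000000,sess token 4,vlan 0,tun 0,vsd 0,route 5,wsf 0
id 1843/s**,vsys 0,flag 00000000/0000/0001,policy 1,time 177, dip 2 module 0
if 2(nspflag 801801):10.0.0.10/50245->66.211.181.192/443,6,f46d04484921,sess token 3,vlan 0,tun 0,vsd 0,route 1,wsf 0
if 1(nspflag 10003800):80.229.30.240/2872<-66.211.181.192/443,6,000000000000,sess token 4,vlan 0,tun 0,vsd 0,route 5,wsf 0
id 1845/s**,vsys 0,flag 00000000/0000/0001,policy 1,time 28, dip 2 module 0
"""

ID_RE = re.compile(r"^id (\d+)/")
# left ip/port, arrow, right ip/port, IP protocol number
LEG_RE = re.compile(
    r"^if \d+\(nspflag [0-9a-f]+\):(\S+?)/(\d+)(->|<-)(\S+?)/(\d+),(\d+),")


@dataclass(frozen=True)
class Translation:
    session_id: int
    lan_ip: str
    lan_port: int
    public_ip: str
    public_port: int
    remote_ip: str
    remote_port: int
    proto: int  # IP protocol number; 6 = TCP


def parse_sessions(text):
    """Return one Translation per session that has both legs.

    A session whose two legs name different remote endpoints is discarded,
    and an `id` line with no legs (like the last one in SAMPLE) is ignored.
    """
    result, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ID_RE.match(line)
        if m:
            current = {"session_id": int(m.group(1))}
            continue
        m = LEG_RE.match(line)
        if not m or current is None:
            continue
        left_ip, left_port, arrow, right_ip, right_port, proto = m.groups()
        remote = {"remote_ip": right_ip, "remote_port": int(right_port), "proto": int(proto)}
        if "remote_ip" in current and any(current[k] != v for k, v in remote.items()):
            current = None  # legs disagree about the remote side: not a clean translation
            continue
        current.update(remote)
        if arrow == "->":  # LAN leg: original source -> remote
            current.update(lan_ip=left_ip, lan_port=int(left_port))
        else:              # public leg: translated source <- remote
            current.update(public_ip=left_ip, public_port=int(left_port))
        if "lan_ip" in current and "public_ip" in current:
            result.append(Translation(**current))
            current = None
    return result


def pat_summary(translations):
    """Is the address rewritten, is the port rewritten (PAT, not 1:1 NAT), and is
    each (public port, remote endpoint) pair unique so replies cannot be misrouted?"""
    keys = Counter((t.public_ip, t.public_port, t.remote_ip, t.remote_port, t.proto)
                   for t in translations)
    return {
        "sessions": len(translations),
        "public_ips": sorted({t.public_ip for t in translations}),
        "address_rewritten": all(t.lan_ip != t.public_ip for t in translations),
        "port_rewritten": all(t.lan_port != t.public_port for t in translations),
        "collisions": [k for k, n in keys.items() if n > 1],
    }


if __name__ == "__main__":
    for t in parse_sessions(SAMPLE):
        print(f"{t.session_id}: {t.lan_ip}:{t.lan_port} -> {t.public_ip}:{t.public_port}"
              f" -> {t.remote_ip}:{t.remote_port}")
    print(pat_summary(parse_sessions(SAMPLE)))
```

The `->` leg carries the pre-translation source (10.0.0.10 and its ephemeral port) and the `<-` leg the post-translation source (80.229.30.240 and the port the firewall chose), so pairing the two legs of one session id is exactly the evidence netstat on the client cannot give.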
  5. danielno8

    danielno8 Gigabyte Poster

    Now THAT shows PAT :) Good share
     
    Certifications: CCENT, CCNA
    WIP: CCNP
