PAT with Cisco



  • I've used pfSense for several years in various locations and it's become my go-to recommendation; however, I have a requirement that I'm not so sure of, and I need some insight!

    My client is a doctor's office that needs to join the network of a large hospital; the hospital's IT department suggested a Cisco ASA 5505.  I've had similar recommendations in the past (as used to be said of IBM, "nobody ever got fired for recommending Cisco") and have never run into a requirement that pfSense didn't handle - usually better, and always much cheaper!

    Today, though, I received this from my counterpart in the hospital's IT department:

    To get the doctors on line, I need to verify if your firewall can handle NAT, PAT, and routing.

    We will hand you off a connection to part of the hospital network. You will have to configure your firewall with the public interface IP I'll get you, and Static NAT the printers to IP addresses that I'll get for you.

    You can PAT the PC traffic thru the public interface.

    NAT and routing I can do; PAT, however, I have no idea about, and my frantic Googling hasn't given me any insights.  On Wikipedia I find this:

    Cisco RAPT implementation is PAT (Port Address Translation) or overloading, and maps multiple private IP addresses to a single public IP address. Multiple addresses can be mapped to a single address because each private address is tracked by a port number. PAT uses unique source port numbers on the inside global IP address to distinguish between translations. The port number is encoded in 16 bits. The total number of internal addresses that can be translated to one external address could theoretically be as high as 65,536 per IP address. Realistically, the number of ports that can be assigned a single IP address is around 4000. PAT will attempt to preserve the original source port. If this source port is already used, PAT will assign the first available port number starting from the beginning of the appropriate port group 0-511, 512-1023, or 1024-65535. When there are no more ports available and there is more than one external IP address configured, PAT moves to the next IP address to try to allocate the original source port again. This process continues until it runs out of available ports and external IP addresses.

    … but that doesn't tell me what (if anything - for all I know this is built-in and automatic, but I doubt it!) I would need to do to get pfSense to "PAT the PC traffic thru the public interface".  Actually, for all I know this might be something I'm already doing with pfSense but calling by a different name....

    Any insight would be greatly appreciated; I need to let the doctor know ASAP whether he needs to get the ASA or whether pfSense will rule as usual.
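    The allocation rules quoted above from Wikipedia, worked through as a small Python model of dynamic PAT ("overload"). This is an added example, not code from the thread or from pfSense or Cisco; the public and private addresses are constructed documentation-range values, and entries are keyed only by inside (ip, port), without the protocol and destination a real translation table would also track.

```python
# Toy model of Cisco-style dynamic PAT: preserve the original source port when it
# is free, otherwise take the first free port in the same port group, and when a
# public IP has no free port left in that group, move on to the next public IP.
# Simplified: a real table is also keyed by protocol and remote endpoint.

PORT_GROUPS = [(0, 511), (512, 1023), (1024, 65535)]


def port_group(port):
    """Return the (low, high) port group a source port belongs to."""
    for low, high in PORT_GROUPS:
        if low <= port <= high:
            return low, high
    raise ValueError(f"invalid port {port}")


class PatTable:
    def __init__(self, public_ips):
        self.public_ips = list(public_ips)
        # (public_ip, public_port) -> (private_ip, private_port)
        self.used = {}

    def _allocate(self, src_port):
        low, high = port_group(src_port)
        for pub_ip in self.public_ips:
            # First choice: keep the original source port on this public IP.
            if (pub_ip, src_port) not in self.used:
                return pub_ip, src_port
            # Otherwise the first free port in the same group on this public IP.
            for port in range(low, high + 1):
                if (pub_ip, port) not in self.used:
                    return pub_ip, port
        return None  # every port of this group is taken on every public IP

    def translate(self, private_ip, private_port):
        """Map an inside (ip, port) to an outside (ip, port), reusing an existing entry."""
        for outside, inside in self.used.items():
            if inside == (private_ip, private_port):
                return outside
        outside = self._allocate(private_port)
        if outside is None:
            raise RuntimeError("PAT exhausted: no free port on any public IP")
        self.used[outside] = (private_ip, private_port)
        return outside

    def untranslate(self, public_ip, public_port):
        """Reverse lookup for return traffic; None means no state exists, so drop."""
        return self.used.get((public_ip, public_port))
```

Exhausting the 0-511 group on the first public IP (512 inside hosts all using source port 80) makes the 513th host land on the second public IP with its source port preserved, which is the "moves to the next IP address" rule from the quote.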



  • In terms of Cisco, straight or static NAT is a 1:1 translation of a private IP to a public IP, meaning you need one public IP for each private IP in your internal network. PAT, or overloading, is used when you have many internal IPs you are looking to map to fewer public IPs or a single public IP address by changing the source port as it leaves the WAN interface.

    Simply put, what Cisco calls NAT is what pfSense 1:1 NAT mapping is. PAT, or overloading, is what pfSense NAT does by default.

    So, to quote you, yes, you are right, it is "built-in and automatic". Cisco uses weird terminology, although once you understand it, you get a better understanding of the underlying technologies as well.

    And for those printers, you will likely use 1:1 NAT mappings, for static NAT.



  • PAT = Port Address Translation
    NAT = Network Address Translation

    Most of the time when you do something that people refer to as "NAT" it's really PAT. Like bdwyer said, if you're using NAT you're doing a complete map of IP A to IP B. If you're doing PAT you're only translating specific ports from IP A to IP B.

    The ASA 5505 is a decent little box. It's not nearly as pricey as some other Cisco gear, but if you can repurpose a PC without having to purchase one for pfSense that would make it cheaper. There definitely would be a bit of a learning curve to try to get one set up, so if you know pfSense it should work well. The way the person worded their reply is a bit weird though… I'm guessing they are going to give you the IP for your firewall, then a few more public IPs for the printers, but have it so they can only be accessed from certain IP ranges they specify.



  • @bman212121:

    PAT = Port Address Translation
    NAT = Network Address Translation

    I did actually know what the acronyms stand for; sorry I didn't make that clear.

    So it sounds like what Cisco calls "PAT" is what I've always called "port forwarding" (and, in fact, in the pfSense GUI it's the "Port Forward" tab on the "NAT" page.)  Back before I got the OpenVPN religion, I used to do VNC via port forwarding; I set up rules so that if (for example) I wanted to control the PC at 192.168.1.25 I would connect to the public IP at port 5925.  "Consumer-grade" routers always seem to insist on forwarding the port unchanged, so that I'd have to configure VNC on my target computer to listen on port 5925; pfSense has the smarts to change the port, so I could aim at PublicIP:5925 and hit 192.168.1.25:5900 - that made things a lot simpler if I also wanted to be able to VNC inside the network, 'cause I only had to remember machine names, not addresses:ports.

    Of course, VNC session encryption is strictly a joke, so these days I establish an OpenVPN tunnel first and connect straight to the machine on port 5900; it's more secure and a hell of a lot simpler to keep track of.

    The ASA 5505 is a decent little box. It's not nearly as pricey as some other Cisco gear, but if you can repurpose a PC without having to purchase one for pfSense that would make it cheaper.

    Actually I was pleasantly surprised to find that the 5505 starts in the $350 range for 10 users - I'm used to much more severe sticker shock with Cisco gear!

    The way the person worded their reply is a bit weird though… I'm guessing they are going to give you the IP for your firewall, then a few more public IPs for the printers, but have it so they can only be accessed from certain IP ranges they specify.

    I'll press him for clarification on a phrase or two (I don't believe he can possibly mean full 1:1 NAT just for a printer, for instance), but it sounds like this is nothing I haven't done a million times under a different name. Thanks for the clarification.



  • @MTHead:

    So it sounds like what Cisco calls "PAT" is what I've always called "port forwarding" (and, in fact, in the pfSense GUI it's the "Port Forward" tab on the "NAT" page.)

    No, that is static PAT. When he is talking about internet traffic and PAT, he is referring to dynamic PAT, where the translations are done automatically for your users so that the web host can communicate directly with the correct computer behind the source gateway. A static PAT mapping would be mapping a certain port to always go to a certain internal host, akin to what you're talking about for port forwarding.

    If you want to reference pfSense, the closest thing to explain what dynamic PAT is would be the Firewall : NAT : Outbound page.
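    The three translation kinds the thread contrasts (static NAT for the printers, static PAT for a port forward with port rewriting, dynamic PAT for the PCs), shown as an inbound lookup on the public interface. This is an added example, not code from the thread or from pfSense; all addresses are constructed documentation-range values, and the dynamic PAT state is constructed here as if an earlier outbound connection had created it.

```python
# Inbound decision for a packet arriving on the public interface.
# Static NAT (pfSense 1:1): every port of a dedicated public IP goes to one inside host.
# Static PAT (pfSense Port Forward): one public port, rewritten on the way in.
# Dynamic PAT (pfSense Outbound NAT): only replies to tracked sessions are admitted.

# constructed: the printer gets a whole public IP of its own
STATIC_NAT = {"203.0.113.20": "192.168.1.200"}
# constructed: the VNC forward from the thread, PublicIP:5925 -> 192.168.1.25:5900
STATIC_PAT = {("203.0.113.10", 5925): ("192.168.1.25", 5900)}
# constructed dynamic state, as if created by an earlier outbound connection:
# (public_ip, public_port) -> (inside_ip, inside_port, remote_ip, remote_port)
DYNAMIC_STATE = {("203.0.113.10", 1024): ("192.168.1.26", 52000, "198.51.100.7", 443)}


def inbound_translate(dst_ip, dst_port, src_ip, src_port):
    """Return (kind, inside_ip, inside_port) for an inbound packet, or None to drop it."""
    # 1. Static NAT: address rewritten, port left untouched.
    if dst_ip in STATIC_NAT:
        return ("static-nat", STATIC_NAT[dst_ip], dst_port)
    # 2. Static PAT: exact (ip, port) match, port rewritten to the inside listener.
    if (dst_ip, dst_port) in STATIC_PAT:
        inside_ip, inside_port = STATIC_PAT[(dst_ip, dst_port)]
        return ("static-pat", inside_ip, inside_port)
    # 3. Dynamic PAT: admit only a reply from the remote endpoint the state was
    #    created for; anything else aimed at that public port has no state and drops.
    state = DYNAMIC_STATE.get((dst_ip, dst_port))
    if state is not None and (src_ip, src_port) == state[2:]:
        return ("dynamic-pat-reply", state[0], state[1])
    return None
```

The last branch is the practical difference between the two PAT kinds: a port forward is reachable by anyone, whereas a dynamic PAT port only passes traffic that matches a session an inside host opened.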



  • @bdwyer:

    @MTHead:

    So it sounds like what Cisco calls "PAT" is what I've always called "port forwarding" (and, in fact, in the pfSense GUI it's the "Port Forward" tab on the "NAT" page.)

    No, that is static PAT. When he is talking about internet traffic and PAT, he is referring to dynamic PAT, where the translations are done automatically for your users so that the web host can communicate directly with the correct computer behind the source gateway. A static PAT mapping would be mapping a certain port to always go to a certain internal host, akin to what you're talking about for port forwarding.

    If you want to reference pfSense, the closest thing to explain what dynamic PAT is would be the Firewall : NAT : Outbound page.

    Thank you for that!

