What is port address translation (PAT)?
Port address translation (PAT) is a type of network address translation (NAT) that maps a network's private internal IPv4 addresses to a single public IP address. NAT is a process that routers use to translate internal, nonregistered IP addresses to external, registered IP addresses. PAT differs from other forms of NAT because it uses port numbers when mapping private IP addresses to a public IP address, which is the address seen by external systems.
PAT was introduced as a way to conserve IPv4 addresses until a more permanent solution could be implemented. This solution eventually came in the form of IPv6. However, IPv4 is still used extensively in network communications, so PAT continues to be relevant. PAT also hides the internal IP addresses from public view and, because a router holding a PAT table forwards inbound packets only when they match an existing mapping, unsolicited traffic from the outside is normally dropped. That side effect is not a substitute for a firewall: it does nothing about connections that inside hosts (or malware on them) open outward, and any port-forwarding or UPnP rule that creates a mapping in advance exposes the inside host on that port.
The use of port numbers is integral to a router's ability to implement PAT because they provide a mechanism for translating the internal IP addresses to the external address and vice versa. When an inside host opens a connection, the router rewrites the source address to the external IP address and assigns a port number that distinguishes this connection from every other one sharing that address. For example, if a router's external IP address is 192.168.35.4, connections from inside hosts might appear to the outside world as 192.168.35.4:1487, 192.168.35.4:1488 or 192.168.35.4:1637, and replies sent to those address-port pairs are mapped back to the specific devices on the internal network that opened them.
A router can use either Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port numbers to implement PAT. Because port numbers are 16-bit values, there are 65,536 possible values (0 through 65,535) per protocol per external IP address; in practice a router assigns translated ports from a smaller pool, so the usable number per address is lower. Even so, a single registered IP address can serve thousands of internal devices, and because a connection is identified by the full combination of protocol, source address, source port, destination address and destination port, exhausting the pool is usually a concern only on large deployments such as carrier-grade NAT. To facilitate this process, the router maintains an address translation table that maps each internal IP address and port to the external IP address and its assigned port.
How does port address translation work?
Like other types of NAT deployments, PAT is implemented by positioning a PAT-enabled router between the inside and outside network, as shown in the following figure. The inside network is the internal network, such as an organization's local area network or an individual's home network. Everything else is considered the outside network. For example, when you view a webpage on your computer, you are connecting from your inside network to the outside network where the web server resides.
Each device connected to the inside network receives a private IPv4 address, which is referred to as the inside local address. In the figure above, three computers have been assigned inside local addresses: 10.0.1.2, 10.0.1.3 and 10.0.1.4. The addresses are used for communications on the inside network, whether between the computers themselves or between the computers and the router.
The router is configured with an inside local IP address, 10.0.1.1, on its inside interface and an inside global address, 192.168.35.4, on its outside interface. The global address is what the outside network sees when communicating with devices on the inside network. (The figure uses 192.168.35.4 as a stand-in; in a real deployment the inside global address is a publicly routable address, whereas 192.168.0.0/16 is private RFC 1918 space.) The figure also shows an outside global address, 220.127.116.11, which is the public address of a server on the outside network.
To support the PAT process, the router maintains an address translation table that maps the inside local addresses to the inside global address. Traffic returning from the outside network is addressed to the inside global address and the TCP or UDP port number the router assigned to that connection. The port numbers are unique to each connection between the inside network and outside network, so the router can tell the connections apart even when the same computer initiates several of them.
For example, the first inside computer in the figure above is assigned an inside local address of 10.0.1.2. The computer has two open connections, which are assigned ports 1487 and 1488. As a result, communications for those connections pass through the inside global address as 192.168.35.4:1487 and 192.168.35.4:1488. When the port an inside host chose is already in use on the inside global address (for example, a second host also using source port 1487), the router assigns a different port number to the inside global side of the mapping, as in the table's final entry; the table records both sides, so this too is easily accommodated.
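The translation table described above, worked through in code as an added example (not code from the original article or from any router vendor). It models a router with one inside global address: outbound packets get a unique port on that address, replies are mapped back by port, a source port that is already in use on the global address is replaced with one from a pool (the "different port number" case), and inbound packets with no matching connection are dropped. The addresses follow the article's figure; the pool range, the port-preservation rule, the reply-filtering rule and the sample packets are constructed assumptions for this example.

```python
"""Toy PAT (NAT overload) table for a router with one inside global address.

Added illustration, not code from the original article or from any router
vendor. Addresses follow the article's figure (10.0.1.0/24 inside,
192.168.35.4 as the inside global address, 220.127.116.11 as an outside
server); the port pool, the port-preservation rule and the sample packets
are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PATRouter:
    def __init__(self, inside_global: str, pool: Tuple[int, int] = (1024, 65535)):
        self.inside_global = inside_global
        self.pool_start, self.pool_end = pool
        # (proto, inside local ip, inside local port) -> inside global port
        self.to_global: Dict[Tuple[str, str, int], int] = {}
        # (proto, inside global port) -> (inside local ip, inside local port)
        self.to_local: Dict[Tuple[str, int], Tuple[str, int]] = {}
        # (proto, inside global port) -> outside endpoints this mapping has talked to;
        # replies are accepted only from those (assumed filtering rule)
        self.peers: Dict[Tuple[str, int], Set[Tuple[str, int]]] = {}

    def _allocate_port(self, proto: str, wanted: int) -> int:
        """Keep the inside local port when it is free on the global address
        (port preservation); otherwise hand out the first free pool port,
        which is the "different port number" case in the article's table."""
        if wanted >= 1024 and (proto, wanted) not in self.to_local:
            return wanted
        for port in range(self.pool_start, self.pool_end + 1):
            if (proto, port) not in self.to_local:
                return port
        raise RuntimeError(f"PAT port pool exhausted for {proto}")

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source to inside_global:port."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.to_global:
            port = self._allocate_port(pkt.proto, pkt.src_port)
            self.to_global[key] = port
            self.to_local[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
            self.peers[(pkt.proto, port)] = set()
        gport = self.to_global[key]
        self.peers[(pkt.proto, gport)].add((pkt.dst_ip, pkt.dst_port))
        return Packet(pkt.proto, self.inside_global, gport, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: rewrite the destination back to the inside local
        address, or return None (drop) when no matching connection exists."""
        if pkt.dst_ip != self.inside_global:
            return None
        key = (pkt.proto, pkt.dst_port)
        if key not in self.to_local or (pkt.src_ip, pkt.src_port) not in self.peers[key]:
            return None  # unsolicited: no inside host opened this connection
        local_ip, local_port = self.to_local[key]
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, local_ip, local_port)

    def rows(self) -> List[Tuple[str, str, str, str]]:
        """Translation table as (proto, inside local, inside global, outside global)."""
        out = []
        for (proto, lip, lport), gport in sorted(self.to_global.items()):
            for rip, rport in sorted(self.peers[(proto, gport)]):
                out.append((proto, f"{lip}:{lport}", f"{self.inside_global}:{gport}", f"{rip}:{rport}"))
        return out


if __name__ == "__main__":
    nat = PATRouter("192.168.35.4", pool=(40000, 40999))
    server = ("220.127.116.11", 443)
    # Two connections from the first inside host, plus one from the second
    # host that happens to use the same source port 1487 (constructed sample).
    for src_ip, src_port in (("10.0.1.2", 1487), ("10.0.1.2", 1488), ("10.0.1.3", 1487)):
        nat.translate_outbound(Packet("tcp", src_ip, src_port, *server))
    for row in nat.rows():
        print(row)
    reply = Packet("tcp", *server, "192.168.35.4", 1487)
    print(nat.translate_inbound(reply))   # mapped back to 10.0.1.2:1487
    scan = Packet("tcp", "198.51.100.7", 40404, "192.168.35.4", 1487)
    print(nat.translate_inbound(scan))    # None: no matching connection, dropped
```

The third connection shows the collision case: 10.0.1.3 also chose source port 1487, so on the global side it receives 40000 from the pool while 10.0.1.2 keeps 1487. The `scan` packet shows why the translation table drops unsolicited traffic: the port exists, but the packet does not come from the endpoint the inside host opened the connection to, so nothing is forwarded. Real routers also age entries out and differ in how strictly they filter replies; this model only keeps the parts needed to follow the article's table.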
Most home networks use PAT to connect internal devices to the internet. In such a scenario, the internet service provider assigns a public IP address to the network's router. The router, in turn, assigns a private, internal IP address to each device on the inside network. When one of those devices connects to a resource on the internet -- i.e., the outside network -- the router assigns a port number to the connection. The port number is appended to the public IP address so that the connection has a unique address.
This process is repeated for each device on the inside network, whether a laptop, tablet, smartphone or other type of smart device. In this way, all devices on the inside network can share the same public IP address even if they access the internet at the same time. The router knows exactly which device to send specific packets to because of the unique port number that has been assigned to each connection.
Port address translation is also called NAT overload, port overloading, network address port translation (NAPT, the term used in the NAT RFCs), port-level multiplexed NAT and single address NAT; on Linux the equivalent function is known as IP masquerading.