What is PAT (Port Address Translation) on Junos OS - Juniper Devices


This article is related to the previous article about NAT. If you aren't familiar with NAT, especially on Juniper devices, you can read the previous article first:
What is NAT: Source, Destination, and Static NAT on Juniper (Junos OS)

PAT, or Port Address Translation, is one of the features of NAT. As the name suggests, PAT translates a port number to another port number.

Let's just look at an example.

The picture above illustrates the case where we only have one public IPv4 address, but our local devices still need a public IPv4 address to connect to the internet. In the example above, we have three local devices (I will call them clients).

Sometimes more than one client with the same source port wants to reach the internet at the same time. If we only have one public IP and configure source NAT without PAT, our NAT device cannot create a session for any client after the first one, so that client cannot connect to the internet.

But if we configure source NAT with PAT, the device translates the identical source ports to different source ports, as in the following session table.

lab@vSRX> show security flow session 

Session ID: 101, Policy name: default-permit/4, Timeout: 1726, Valid
In: 10.1.1.21/8000 --> 200.1.1.5/21;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 9, Bytes: 2077, 
Out: 200.1.1.5/21 --> 200.1.1.1/45001;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 7, Bytes: 1977,

In: 10.1.1.22/9199 --> 200.1.1.5/21;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 9, Bytes: 2077, 
Out: 200.1.1.5/21 --> 200.1.1.1/39671;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 7, Bytes: 1977,

Session ID: 101, Policy name: default-permit/4, Timeout: 1726, Valid
In: 10.1.1.23/8000 --> 200.1.1.5/80;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 9, Bytes: 2077, 
Out: 200.1.1.5/80 --> 200.1.1.1/10992;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 7, Bytes: 1977,

On Juniper devices, PAT is enabled automatically for source NAT. It is required for interface-based source NAT, but optional for pool-based source NAT, destination NAT, and static NAT.

Has someone ever asked you what the difference is between NAT and PAT?
The usual answer is that NAT only translates the IP address, while PAT translates the port number.
But PAT is part of NAT (PAT is a feature of NAT), so the difference shouldn't really be asked about, hehe.

Here is another example of PAT, this time in destination NAT.

We can map a single public IPv4 address, using a different public port for each server (1111, 2222 and 3333 in the output below), to three private IPv4 addresses that all listen on the same port (80). That way, every web service on the local servers can be reached from the internet.

lab@vSRX> show security flow session    

Session ID: 78, Policy name: default-permit/4, Timeout: 1798, Valid
In: 200.1.1.5/10923 --> 200.1.1.1/1111;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 9, Bytes: 2077, 
Out: 10.1.1.21/80 --> 200.1.1.5/10923;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 7, Bytes: 1977, 

Session ID: 79, Policy name: default-permit/4, Timeout: 1798, Valid
In: 200.1.1.5/9331 --> 200.1.1.1/3333;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 9, Bytes: 2077, 
Out: 10.1.1.23/80 --> 200.1.1.5/9331;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 7, Bytes: 1977, 

Session ID: 80, Policy name: default-permit/4, Timeout: 1798, Valid
In: 200.1.1.5/33005 --> 200.1.1.1/2222;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 9, Bytes: 2077, 
Out: 10.1.1.22/80 --> 200.1.1.5/33005;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 7, Bytes: 1977, 
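To check from a session table whether PAT actually happened, here is a small parser for the In/Out wings of "show security flow session" output. It is an added example, not code from the article or from Juniper; the sample text is constructed from the two outputs above (session IDs adjusted so each is unique), and it covers both the source-NAT case, where two clients share source port 8000, and the destination-NAT case.

```python
import re

# Constructed sample, adapted from the session outputs above: two source-NAT
# sessions that both leave the client with source port 8000, and one
# destination-NAT session for the web server behind public port 1111.
SAMPLE = """\
Session ID: 101, Policy name: default-permit/4, Timeout: 1726, Valid
In: 10.1.1.21/8000 --> 200.1.1.5/21;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 9, Bytes: 2077,
Out: 200.1.1.5/21 --> 200.1.1.1/45001;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 7, Bytes: 1977,

Session ID: 103, Policy name: default-permit/4, Timeout: 1726, Valid
In: 10.1.1.23/8000 --> 200.1.1.5/80;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 9, Bytes: 2077,
Out: 200.1.1.5/80 --> 200.1.1.1/10992;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 7, Bytes: 1977,

Session ID: 78, Policy name: default-permit/4, Timeout: 1798, Valid
In: 200.1.1.5/10923 --> 200.1.1.1/1111;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 9, Bytes: 2077,
Out: 10.1.1.21/80 --> 200.1.1.5/10923;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 7, Bytes: 1977,
"""

WING = re.compile(r"^(In|Out): ([\d.]+)/(\d+) --> ([\d.]+)/(\d+);(\w+),")

def parse_sessions(text):
    """Collect each session as proto, orig_src, orig_dst, xlat_src, xlat_dst."""
    sessions = []
    for line in text.splitlines():
        m = WING.match(line)
        if not m:
            continue
        wing, sip, sport, dip, dport, proto = m.groups()
        src, dst = (sip, int(sport)), (dip, int(dport))
        if wing == "In":
            sessions.append({"proto": proto, "orig_src": src, "orig_dst": dst})
        else:
            # The Out wing is the reply direction, so its src/dst are the
            # translated dst/src of the forward packet, swapped.
            sessions[-1]["xlat_src"], sessions[-1]["xlat_dst"] = dst, src
    return sessions

def nat_kind(s):
    """Label a session: 'src-pat', 'src-nat', 'dst-pat', 'dst-nat' or 'none'."""
    kinds = []
    if s["orig_src"] != s["xlat_src"]:
        kinds.append("src-pat" if s["orig_src"][1] != s["xlat_src"][1] else "src-nat")
    if s["orig_dst"] != s["xlat_dst"]:
        kinds.append("dst-pat" if s["orig_dst"][1] != s["xlat_dst"][1] else "dst-nat")
    return "+".join(kinds) or "none"

def translated_tuples_unique(sessions):
    """PAT invariant: every post-NAT tuple is distinct, else no second session."""
    seen = {(s["proto"], s["xlat_src"], s["xlat_dst"]) for s in sessions}
    return len(seen) == len(sessions)
```

Running nat_kind over the parsed sample labels the first two sessions src-pat (both clients' port 8000 is rewritten to distinct public ports) and the third dst-pat (public port 1111 becomes port 80 on 10.1.1.21).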

And here is a video explaining PAT, or Port Address Translation, in Indonesian.

That's all for the explanation of PAT, or Port Address Translation, on Juniper SRX series devices. See the other articles about NAT on Juniper SRX series devices.
