NAT vs PAT

Cisco sees it this way:

Q. What is PAT, or NAT overloading?

A. PAT, or NAT overloading, is a feature of Cisco IOS NAT and can be used to translate internal (inside local) private addresses to one or more outside (inside global—usually registered) IP addresses. Unique source port numbers on each translation are used to distinguish between the conversations.

Q. What is NAT?

A. NAT is designed for IP address simplification and conservation, as it enables private IP inter-networks that use non-registered IP addresses to connect to the Internet. NAT operates on a router, usually connecting two networks together, and translates the private (not globally unique) addresses in the internal network into legal addresses before packets are forwarded onto another network. As part of this functionality, NAT can be configured to advertise only one address for the entire network to the outside world. This provides additional security, effectively hiding the entire internal network from the world behind that address. NAT has the dual functionality of security and address conservation, and is typically implemented in remote access environments.

Q. How does PAT work?

A1. PAT with one IP address:

1. NAT/PAT inspects traffic and matches to a translation rule.

2. The rule matches to a PAT configuration.

3. Does PAT know about the traffic type and does that traffic type have a specific set of ports, or ports it negotiates that it will use? If so, set them aside and do not allocate them as unique identifiers.

4. Sessions with no special port requirements attempt to connect out. PAT translates the IP source address and checks the availability of the originated source port (for example, 433).

Groups are 1-511, 512-1023, and 1024-65535.

Note: For TCP and UDP, groups are 1-511, 512-1023, 1024-65535. For ICMP the first group starts at 0.

5. If the requested source port is available, it assigns the source port and the session continues.

6. If the requested source port is not available, NAT starts searching from the beginning of the relevant group, in this example starting at 1 for TCP or UDP applications and 0 for ICMP.

7. If a port is available, it is assigned and the session continues.

8. If no ports are available, the packet is dropped.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml#Q12
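The port-selection steps above can be modelled in a few lines. The following is an added example written for this note, not Cisco IOS code: it keeps a per-protocol table of ports already in use or set aside (step 3) on one inside-global address, tries the originated source port first (step 5), scans from the start of the relevant group on a collision (steps 6-7) and reports a drop when the group is exhausted (step 8). The group boundaries are the ones quoted in the note; the address and inside hosts are constructed sample values.

```python
from dataclasses import dataclass, field

# Port groups as quoted in the Cisco note: TCP/UDP groups begin at 1, ICMP's first group at 0.
GROUPS = {
    "tcp": [(1, 511), (512, 1023), (1024, 65535)],
    "udp": [(1, 511), (512, 1023), (1024, 65535)],
    "icmp": [(0, 511), (512, 1023), (1024, 65535)],
}


@dataclass
class PatTable:
    """Source-port state for a single inside-global (outside) address."""
    global_ip: str
    reserved: dict = field(default_factory=dict)      # proto -> ports set aside (step 3)
    in_use: dict = field(default_factory=dict)        # proto -> ports already allocated
    translations: dict = field(default_factory=dict)  # (proto, inside_ip, inside_port) -> global port

    def _taken(self, proto, port):
        return port in self.in_use.get(proto, set()) or port in self.reserved.get(proto, set())

    def allocate(self, proto, inside_ip, inside_port):
        """Return the translated source port, or None when the packet would be dropped (step 8)."""
        key = (proto, inside_ip, inside_port)
        if key in self.translations:                  # an existing session keeps its mapping
            return self.translations[key]
        group = next((g for g in GROUPS[proto] if g[0] <= inside_port <= g[1]), None)
        if group is None:
            raise ValueError(f"port {inside_port} is outside every {proto} group")
        if not self._taken(proto, inside_port):       # step 5: originated port is free, keep it
            chosen = inside_port
        else:                                          # steps 6-7: scan from the start of the group
            chosen = next((p for p in range(group[0], group[1] + 1)
                           if not self._taken(proto, p)), None)
        if chosen is None:                             # step 8: group exhausted, drop
            return None
        self.in_use.setdefault(proto, set()).add(chosen)
        self.translations[key] = chosen
        return chosen


def demo():
    """Two inside hosts (constructed addresses) both originate TCP from port 433."""
    pat = PatTable("203.0.113.10")
    first = pat.allocate("tcp", "10.0.0.1", 433)      # free, so 433 is kept
    second = pat.allocate("tcp", "10.0.0.2", 433)     # collision: search from 1 in group 1-511
    return first, second
```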