According to the definitions outlined in the NAT Terminology article, a Static PAT implies a translation of the IP address and Port, where the post-translation attributes are explicitly defined.
There are multiple use cases for a Static PAT, but they all have one thing in common – a need to manually change the TCP or UDP port as a packet moves through a router or firewall.
Multiple Servers using one Public IP Address
One specific use case for Static PAT is to use a single Public IP address to host multiple services on different internal servers. This is in contrast with a Static NAT which would only allow you to use a single Public IP address to host multiple services on the same server.
This illustration will show how Static PAT can enable the single IP address
126.96.36.199 to host two different services (HTTP and HTTPS) using two separate internal servers (
The Router is acting as our translation device and is configured with two Static PAT entries. Since these are static translations, the mapping is explicitly defined:
188.8.131.52:80 will always be translated to
184.108.40.206:443 will always be translated to
Two hosts somewhere on the Internet both make a request to the same IP address (
220.127.116.11) – one request using
80), one request using
443). When their packets arrive on the Router, they get translated and sent to two different servers for processing.
The single Public IP address (
18.104.22.168) is hosting two services (HTTP and HTTPS) served by two different internal servers (
If you use a Static PAT in this way (where one public IPv4 address is used to host multiple services on multiple servers), then you are conserving IPv4 address space. You could theoretically have 10 (or 50, or 200, or 1000+) different servers, each hosting a different service, all using a single Public IPv4 address.
The same illustration above also provides yet another use case for Static PAT – the
10.4.4.41 server is hosting HTTP traffic on a non-standard port (
Without the port translation, hosts on the Internet would have to specify the non-standard port in their web browser by visiting “
www.site.com:8080”. Instead, with the Static PAT, the users can just type “
www.site.com” (which implicitly assumes the standard web port of
80) and the router automatically translates the packet to port
This could work in reverse as well. Where a non-standard port is used on the outside, but a standard port is used on the inside server.
For example, the standard port associated with SSH traffic is
TCP/22. Malicious users routinely scan the entire IPv4 address space for servers listening on port
TCP/22 to look for all SSH servers in hopes of finding some with weak passwords. A common strategy is to host SSH on a non-standard port in an effort to hide your SSH server from this mass scanning that occurs on port
The response traffic from these hosts would be untranslated by the router. Since this is the outbound traffic, the source of the packet will be translated. Whereas on the inbound packet above, the destination of the packet was translated.
Once again, since the pre-translation
IP:Port and post-translation
IP:Port in a Static PAT are explicitly defined, the initial packet could have come from either the Internet hosts or the inside hosts. Therefore, a Static PAT translation is bidirectional.
Selectively Punching Holes
There is one final use-case for Static PAT, which is possibly the least common of the three. A Static PAT allows you to selectively “punch holes” through a particular Public IP address.
When we looked at a Static NAT, only the IP address is translated – the port numbers are left untouched. Which means, every port is explicitly mapped to every port. It’s possible that you may want only ports
443 to get through, but not port
23 (or any other). A Static NAT does not allow you to choose.
Whereas instead, with a Static PAT, if you only create a translation for port
443, only those paths through the router will exist. Protecting your internal servers from unwanted access attempts.
In this context, Static PAT is sometimes referred to as Port Forwarding: a specific port on an external address is forwarded to a specific port on an internal address.
Admittedly, the same effect can be attained by creating a Static NAT and applying an access-list or security policy to only allow the desired traffic through. As such, this is a use-case for Static PAT, but by no means is it the only way to attain the same effect.
The most common usage of selectively punching holes is to create a bidirectional path through unidirectional NAT translation. This will make more sense when we discuss Dynamic PAT in the next article.