Static PAT

According to the definitions outlined in the NAT Terminology article, a Static PAT implies a translation of the IP address and Port, where the post-translation attributes are explicitly defined.

There are multiple use cases for a Static PAT, but they all have one thing in common – a need to manually change the TCP or UDP port as a packet moves through a router or firewall.

Multiple Servers using one Public IP Address

One specific use case for Static PAT is to use a single Public IP address to host multiple services on different internal servers. This is in contrast with a Static NAT which would only allow you to use a single Public IP address to host multiple services on the same server.

This illustration will show how Static PAT can enable the single IP address to host two different services (HTTP and HTTPS) using two separate internal servers ( and

Static PAT - Inbound Traffic

The Router is acting as our translation device and is configured with two Static PAT entries. Since these are static translations, the mapping is explicitly defined: will always be translated to and will always be translated to

Two hosts somewhere on the Internet both make a request to the same IP address ( – one request using HTTP (port 80), one request using HTTPS (port 443). When their packets arrive on the Router, they get translated and sent to two different servers for processing.

The single Public IP address ( is hosting two services (HTTP and HTTPS) served by two different internal servers ( and

If you use a Static PAT in this way (where one public IPv4 address is used to host multiple services on multiple servers), then you are conserving IPv4 address space. You could theoretically have 10 (or 50, or 200, or 1000+) different servers, each hosting a different service, all using a single Public IPv4 address.

Non-Standard Ports

The same illustration above also provides yet another use case for Static PAT – the server is hosting HTTP traffic on a non-standard port (8080).

Without the port translation, hosts on the Internet would have to specify the non-standard port in their web browser by visiting “”. Instead, with the Static PAT, the users can just type “” (which implicitly assumes the standard web port of 80) and the router automatically translates the packet to port 8080 instead.

This could work in reverse as well. Where a non-standard port is used on the outside, but a standard port is used on the inside server.

For example, the standard port associated with SSH traffic is TCP/22. Malicious users routinely scan the entire IPv4 address space for servers listening on port TCP/22 to look for all SSH servers in hopes of finding some with weak passwords. A common strategy is to host SSH on a non-standard port in an effort to hide your SSH server from this mass scanning that occurs on port 22.

Response Traffic

The response traffic from these hosts would be untranslated by the router. Since this is the outbound traffic, the source of the packet will be translated. Whereas on the inbound packet above, the destination of the packet was translated.

Static PAT - Outbound Response Traffic

Once again, since the pre-translation IP:Port and post-translation IP:Port in a Static PAT are explicitly defined, the initial packet could have come from either the Internet hosts or the inside hosts. Therefore, a Static PAT translation is bidirectional.

Selectively Punching Holes

There is one final use-case for Static PAT, which is possibly the least common of the three. A Static PAT allows you to selectively “punch holes” through a particular Public IP address.

When we looked at a Static NAT, only the IP address is translated – the port numbers are left untouched. Which means, every port is explicitly mapped to every port. It’s possible that you may want only ports 80 and 443 to get through, but not port 21 or 23 (or any other). A Static NAT does not allow you to choose.

Whereas instead, with a Static PAT, if you only create a translation for port 80 and 443, only those paths through the router will exist. Protecting your internal servers from unwanted access attempts.

In this context, Static PAT is sometimes referred to as Port Forwarding: a specific port on an external address is forwarded to a specific port on an internal address.

Admittedly, the same effect can be attained by creating a Static NAT and applying an access-list or security policy to only allow the desired traffic through. As such, this is a use-case for Static PAT, but by no means is it the only way to attain the same effect.

The most common usage of selectively punching holes is to create a bidirectional path through unidirectional NAT translation. This will make more sense when we discuss Dynamic PAT in the next article.

Prefer video content to text? The majority of this article has been recorded and can be viewed on Youtube:

Series NavigationStatic NAT >>Dynamic PAT >>
5 3 votes
Article Rating
Notify of

Newest Most Voted
Inline Feedbacks
View all comments

This is really good……

This is very helpful and important….
As per my understanding in ip nating one to many you can give Data but you can’t get back from many because at a time only one connection is possible to give back Data to the internal server…..

I really appreciate and wants to understand more on this topic with Configuration details….

Nice explanation. Thanks

could you post or send me what the static pat configuration would look like on the router above?

Great job … many appreciations ,, my I know what is the program you are using to create these great gif images?

Good job

Very good!