Given the following simplistic network

Network http://www.vbforums.com/picture.php?albumid=18&pictureid=47


Would it be possible to construct NAT / PAT pools such that the PCs attached to the network could be identified by their port number? I understand that if I assign a public IP to each user I can identify them. What I am trying to do is to conserve public IPs, but maintain the ability to identify the user from the public network. If your answer is vendor specific that is OK with me. Thanks in advance.

  • 683
  • 5
  • 11
  • Looks like the image you attempted to attach is not visible, please edit your post to include that. Also, please specify whether this is for a specific service - say HTTP - or if this is for general access to the net... – Ali Chehab Apr 29 '10 at 23:27
  • I just re-read the post, is this in relation to incoming connections to your network? – Ali Chehab Apr 29 '10 at 23:40
  • I edited the image, let me know if that is better. General access, outbound. – dbasnett Apr 29 '10 at 23:56
  • Image link in case the above does not work - http://www.vbforums.com/picture.php?albumid=18&pictureid=47 – dbasnett Apr 29 '10 at 23:56
  • That link is for a 1x1 pixel image.. I think I know what you're trying to do though, and answered you below. Let me know if this isn't what you're looking for and I'll see if I can help some more. – Ali Chehab Apr 30 '10 at 00:05
  • Sorry about the picture. Of course it works for me... – dbasnett Apr 30 '10 at 00:16

3 Answers


All you would have to do is look at the current nat translation table on the nat device to see what port the IP maps to. For instance on a Cisco router connecting to google via pat to the public ip of

router1#show ip nat trans 

I think I understand now. I don't know of any implementation of this, but I don't see why it wouldn't work. You could in theory map each internal ip to a different port range. Since overload translates the internal ip/tcp src port combo to an external ip/tcp source port, you could assign certain external source port ranges for each internal IP (previous could also be udp ports). For example:

32000-33999 public ip's tcp/udp src ports on ip will be used for
34000-35999 public tcp/udp ports on ip will be used for

The problem with overloading is that you start to limit the possible connections, because instead of a normal 4 item combination to identify a session (source ip, source port, destination ip, destination port), you are limited to 3. So when you restrict one of these even more by limiting the port range you limit the number of sessions. So in my above example, your ip could only have up to 2000 connections to any specific public ip. I also don't know if an overload code works like this, as it might use just the source port to translate instead of the source port / source ip (talking about return packets here) to be faster.

Maybe you could get around that with sequence number trickery, but I think that would take a lot of tcp reworking and open up security holes. If this has been implemented I will be a little surprised. NAT is kind of a hack I think to help with ip shortage. PAT/Overload is kind of a further hack of this, making it a hack of a hack. To start identifying sessions by sequence numbers would then be a hack of a hack of a hack. At that point, it is really time for IPv6 already :-)

Kyle Brandt
  • 82,107
  • 71
  • 302
  • 444
  • I am looking for long term tracking. Can you see the picture? – dbasnett Apr 30 '10 at 00:00
  • Can't see the picture. Seems like you have a strange goal, normally you would do monitoring before the nat as you can see the private IP and the public ip they are accessing. – Kyle Brandt Apr 30 '10 at 00:07
  • Think big and long term. What if, say a policeman, shows up at your door and tells you that on some date in the past a user with Public IP / Port was doing something illegal, and who was it? Other than assigning a public IP to everyone, how could the question be answered? – dbasnett Apr 30 '10 at 00:14
  • The other thing to keep in mind is that someone can just use a proxy to get around that. And using a proxy wouldn't be enough proof of any wrongdoing, I use other IPs as a proxy all the time to test websites from other locations. – Kyle Brandt Apr 30 '10 at 01:42
  • If I had assigned you a public IP, then the proxy would still get past this wouldn't it. Damn! – dbasnett Apr 30 '10 at 11:19

On a Cisco router you can do the following:

ip nat log translations syslog

logging <syslog server ip>

This will cause each translation to get sent to the syslog server. The entries will look something like:

Apr 29 21:25:06 rgw-01 233: 000238: Apr 29 21:25:05.858 EDT: %IPNAT-6-CREATED: tcp

which mirrors the output of "show ip nat translation" on the router. You should get log messages when a translation is created and deleted.

  • 171
  • 1
  • This might just work so long as I am careful to assign the same IP to the end user. – dbasnett Apr 30 '10 at 01:33
  • If you are using a DHCP server then it is a two step lookup. One to find the IP of the lease the customer had during the time in question, and a second to figure out what public IP was in use. We do this in an ISP environment when we get abuse complaints. – Jamie Apr 30 '10 at 01:37
  • We had intended on forcing the users to always get a specific IP, but I see as long as we track who had what / when and captured the translations as you have shown, then we are home. Thanks! – dbasnett Apr 30 '10 at 11:16

Ok, so if this is just for General access outbound from your network, then all you're really gonna need is a standard NAT-T + DHCP box. With the DHCP, you can either do Static DHCP, or have high lease times, so that the machines on the inside keep the same address. Then you can always know who's who.

The problem with using ports on the public side to identify internal machines, when you're just doing general outbound access, is that the return ports are going to be randomly generated on the server the user is connecting to. So there is no way to really track or guess what that's going to be.

If you were doing inbound connections, then you just set up PAT/Port forwarding to the internal address of choice, but that's not the case here.

As for solutions, pretty much anything on the market will do this, you can also set up iptables + dhcpd on Linux, or a PF + dhcpd solution on BSD machines.

Ali Chehab
  • 451
  • 2
  • 5
  • I already knew that I had to give the users the same private IP address. If I can get them to NAT to certain ranges based on that IP address then I can map the return, because it will be to the NAT port they were assigned. – dbasnett Apr 30 '10 at 00:09