Dynamic NAT, static NAT, NAT Server, NAPT and Easy IP: experimental configuration process and principle analysis, explained in seconds (detailed configuration steps, Huawei eNSP simulator)

1. Introduction to the NAT Service

1. Definition of NAT

Network Address Translation (NAT) is the process of translating the IP address in the header of an IP packet into another IP address.

2. Development of NAT

With the growth of the Internet and of network applications, the exhaustion of IPv4 addresses has become a bottleneck for network development. Although IPv6 can fundamentally solve the shortage of IPv4 address space, most current network equipment and applications are still based on IPv4, so until IPv6 is widely deployed, transitional technologies (such as CIDR and private network addresses) remain the main technical means of dealing with this problem. NAT is mainly used to let an internal network (the intranet, which uses private IP addresses) access an external network (the Internet, which uses public IP addresses). When a host on the internal network wants to reach the external network, NAT translates its private address into a public address. This lets many private-network users share one public address to access the external network, which keeps the networks interoperable while saving public addresses.

3. The benefits of NAT

As a transitional solution that slows the exhaustion of IP addresses, NAT meets the demand for IP addresses through address reuse and relieves, to some extent, the pressure on the address space. In addition to easing the shortage of IP addresses, NAT brings two further benefits: it can shield internal hosts from attacks originating on the external network and so improve network security, and it can control both the internal hosts' access to the external network and the external hosts' access to the internal network, which solves the problem that a private-address internal network could not otherwise communicate with the external network.

2. Types of dynamic NAT and static NAT

Static NAT

Static NAT binds the IP address of an internal host one-to-one to a public IP address during translation. The public IP address in a static mapping is only ever used by that one fixed internal host. (It does not save public IP addresses.)

Dynamic NAT

Dynamic NAT translates between private and public addresses using an address pool (a segment of public addresses corresponds to a segment of private addresses; it does not save IP addresses).

NAPT

Network Address Port Translation. NAPT allows multiple internal addresses to be mapped to different ports of the same public address. (When used with a provider, a return route for the pool addresses has to be configured separately, which is troublesome; it does save IP addresses.)

Easy IP

Easy IP allows multiple internal addresses to be mapped to different ports of the address of the gateway's outbound interface (no separate return route needs to be configured, and it saves IP addresses).

NAT Server

NAT "shields" internal hosts, but sometimes the internal network needs to provide services to the external network. In that case the internal server must not be shielded: users on the external network must be able to reach it at any time.
NAT Server solves this problem well. When a user on the external network accesses the internal server, the device uses a pre-configured mapping between "public IP address + port number" and "private IP address + port number", and according to that mapping it replaces the server's "public IP address + port number" with the corresponding "private IP address + port number".
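The following is an added example, not code from the original post: a small translation-table model of the NAT types described above (static NAT, dynamic NAT with an address pool and no port translation, NAPT and Easy IP with port translation, and NAT Server). The class, its method names and every address and port in the demo are constructed for the illustration; none of it is a Huawei command. The address_usage function shows the point the list above makes about address consumption: three hosts cost three public addresses under static NAT, exhaust a two-address pool under dynamic NAT, and share a single address under Easy IP.

```python
"""Translation-table model of the NAT types described in the text (added example)."""
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, transport port)


class NatDevice:
    """One NAT gateway running in a single mode: static, dynamic, napt or easy-ip (constructed model)."""

    def __init__(self, mode: str, pool: Optional[List[str]] = None, interface_ip: Optional[str] = None):
        self.mode = mode
        self.pool = list(pool or [])       # public addresses in the address pool
        self.interface_ip = interface_ip   # outbound interface address (Easy IP)
        self.static: Dict[str, str] = {}   # private ip -> public ip (static NAT)
        self.static_rev: Dict[str, str] = {}
        self.server: Dict[Endpoint, Endpoint] = {}    # public -> private (NAT Server)
        self.lease: Dict[str, str] = {}    # private ip -> pool address (dynamic, no-pat)
        self.sessions: Dict[Endpoint, Endpoint] = {}  # private -> public, live flows
        self.reverse: Dict[Endpoint, Endpoint] = {}   # public -> private, live flows
        self.next_port = 10000             # first port handed out by NAPT / Easy IP

    def add_static(self, public_ip: str, private_ip: str) -> None:
        """Fixed one-to-one binding, the equivalent of 'nat static global ... inside ...'."""
        self.static[private_ip] = public_ip
        self.static_rev[public_ip] = private_ip

    def add_server(self, public: Endpoint, private: Endpoint) -> None:
        """NAT Server: pre-configured 'public ip + port' -> 'private ip + port'."""
        self.server[public] = private

    def translate_outbound(self, src: Endpoint) -> Optional[Endpoint]:
        """Return the public (ip, port) a packet from src leaves with, or None if untranslated."""
        if src in self.sessions:
            return self.sessions[src]
        src_ip, src_port = src
        if src_ip in self.static:                    # static: address changes, port kept
            pub = (self.static[src_ip], src_port)
        elif self.mode == "dynamic":                 # one pool address per host, no port translation
            if src_ip not in self.lease:
                free = [ip for ip in self.pool if ip not in self.lease.values()]
                if not free:
                    return None                      # pool exhausted: no translation possible
                self.lease[src_ip] = free[0]
            pub = (self.lease[src_ip], src_port)
        elif self.mode in ("napt", "easy-ip"):       # many hosts share one address, ports differ
            pub_ip = self.interface_ip if self.mode == "easy-ip" else (self.pool[0] if self.pool else None)
            if pub_ip is None:
                return None
            pub = (pub_ip, self.next_port)
            self.next_port += 1
        else:
            return None
        self.sessions[src] = pub
        self.reverse[pub] = src
        return pub

    def translate_inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Return the private (ip, port) an inbound packet to dst is delivered to, or None (dropped)."""
        if dst in self.server:                       # NAT Server mapping: reachable at any time
            return self.server[dst]
        if dst[0] in self.static_rev:                # static binding works in both directions
            return (self.static_rev[dst[0]], dst[1])
        return self.reverse.get(dst)                 # reply to an existing session, else nothing


def address_usage() -> Dict[str, int]:
    """Public addresses consumed by three constructed hosts in each mode."""
    hosts = [("192.168.20.%d" % i, 50000) for i in (1, 2, 3)]
    static = NatDevice("static")
    for i, (host, _) in enumerate(hosts, 1):
        static.add_static("55.55.55.%d" % i, host)
    dynamic = NatDevice("dynamic", pool=["15.15.15.15", "15.15.15.16"])  # pool of two
    easy = NatDevice("easy-ip", interface_ip="11.0.0.1")
    result = {}
    for name, dev in (("static", static), ("dynamic", dynamic), ("easy-ip", easy)):
        pubs = {dev.translate_outbound(h) for h in hosts}
        pubs.discard(None)                           # a host left untranslated uses no address
        result[name] = len({ip for ip, _ in pubs})
    return result


if __name__ == "__main__":
    print(address_usage())
```

Running the block prints the per-mode address count; the inbound side shows why NAT Server exists: translate_inbound finds a NAT Server mapping or a static binding without any prior session, while an address that only exists in a NAPT session table is reachable solely for replies to flows the inside host started.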

3. Dynamic NAT and static NAT experimental configuration

1. Experimental purpose and experimental environment

Use the NAT service to translate IP addresses; the environment is the Huawei eNSP simulator.

2. Experimental topology diagram

[Figure: experimental topology diagram]

3. Experimental configuration with a detailed explanation of the configuration process

  • Configuration of LSW2

sysname LSW2                                  ---- Rename the device
vlan batch 10 20 30 40                        ---- Create VLANs in a batch
interface Vlanif10                            ---- Enter this interface
ip address 192.168.10.1 255.255.255.0         ---- Add an IP address
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
interface Vlanif30
ip address 192.168.30.1 255.255.255.0
interface Vlanif40
ip address 10.0.0.1 255.255.255.252
interface GigabitEthernet0/0/1
port link-type access                         ---- Set the interface type
port default vlan 10                          ---- The interface belongs to VLAN 10 by default
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
interface GigabitEthernet0/0/3
port link-type access
port default vlan 20
interface GigabitEthernet0/0/4
port link-type access
port default vlan 30
interface GigabitEthernet0/0/5
port link-type access
port default vlan 10
interface GigabitEthernet0/0/6
port link-type access
port default vlan 40
ip route-static 0.0.0.0 0.0.0.0 10.0.0.2      ---- Configure the default route

  • R1 configuration

sysname R1
Static NAT configuration:
nat static global 55.55.55.55 inside 192.168.10.10   ---- Configure a one-to-one static NAT mapping
interface GigabitEthernet0/0/1                       ---- Enter this interface
nat static enable                                    ---- Enable the static NAT service; the mapping starts translating addresses on this interface

interface GigabitEthernet0/0/0
ip address 10.0.0.2 255.255.255.252
Dynamic NAT configuration:
nat address-group 1 15.15.15.15 15.15.15.250         ---- Create public address pool (address group) 1
acl 2000                                             ---- Create the ACL with this number and enter ACL view

The role of the ACL in the Huawei NAT service

The ACL referenced for address translation can only be a basic ACL numbered 2000 to 2999 or an advanced ACL numbered 3000 to 3999.
Only when the matching ACL rule is a permit rule does the device allow the source IP address specified in the rule to be translated with the address pool.
When the matching rule is not a permit rule, the NAT function that references the ACL does not take effect: the address pool is not used for translation, and the device looks up the routing table by destination address and forwards the packet unchanged.
After the ACL rule referenced in the command is modified, the change does not take effect immediately. To apply it at once, run the reset nat session command manually to clear the mapping table entries. Modifying ACL rules that are in use is not recommended.

rule permit source 192.168.20.0 0.0.0.255            ---- Allow private addresses in the 192.168.20.0/24 segment to be translated under this rule
interface GigabitEthernet0/0/1
ip address 11.0.0.1 255.255.255.252
nat outbound 2000 address-group 1 no-pat             ---- Packets matching ACL 2000 are translated to addresses from group 1 on this interface, without port translation

The role of NAT Outbound

The address pool used by NAT Outbound stores the set of public IP addresses used by dynamic NAT. When dynamic NAT is performed, an address from the pool is selected for the translation.
A user who wants to access the external network through dynamic NAT can choose one of the following methods according to their public IP address plan:
If, after the outbound interface of the NAT device and other applications have been assigned their IP addresses, idle public IP addresses remain, NAT Outbound with an address pool can be used.
If, after the outbound interface of the NAT device and other applications have been assigned their IP addresses, no other public IP address is available, Easy IP can be used: Easy IP borrows the IP address of the outbound interface of the NAT device to complete dynamic NAT.

Easy IP configuration

acl 3000                                             ---- Create the ACL with this number and enter ACL view
rule permit ip source 192.168.30.0 0.0.0.255         ---- Allow private addresses in the 192.168.30.0/24 segment to be translated under this rule
interface GigabitEthernet0/0/1
nat outbound 3000                                    ---- Packets matching ACL 3000 are translated to the address of this outbound interface (Easy IP), with port translation
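The following is an added example, not code from the original post, covering the ACL section and the NAT Outbound section above. It implements Huawei-style wildcard masks (a 0 bit must match, a 1 bit is ignored), the ACL number range the text allows for NAT, and the rule that only a matching permit lets a packet be translated while anything else is forwarded untranslated by the routing table. The two policies mirror the post's nat outbound 2000 address-group 1 no-pat and nat outbound 3000 (Easy IP) on GigabitEthernet0/0/1; the static NAT mapping is not modelled here, and the policy order, the helper names and the test addresses are assumptions.

```python
"""ACL wildcard matching and the nat outbound decision from the text (added example)."""
import ipaddress
from typing import List, Optional, Tuple


def ip_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base in every bit position the wildcard sets to 0."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)


def pool_size(first: str, last: str) -> int:
    """Number of public addresses in an address-group range such as 15.15.15.15 15.15.15.250."""
    return ip_int(last) - ip_int(first) + 1


class Acl:
    """A basic (2000-2999) or advanced (3000-3999) ACL as referenced by NAT; rules match in order."""

    def __init__(self, number: int):
        if not 2000 <= number <= 3999:
            raise ValueError("NAT can only reference ACL 2000-2999 (basic) or 3000-3999 (advanced)")
        self.number = number
        self.rules: List[Tuple[str, str, str]] = []  # (action, source, wildcard)

    def rule(self, action: str, source: str, wildcard: str) -> "Acl":
        self.rules.append((action, source, wildcard))
        return self

    def match(self, src_ip: str) -> Optional[str]:
        """Action of the first matching rule ('permit' or 'deny'), or None when no rule matches."""
        for action, source, wildcard in self.rules:
            if wildcard_match(src_ip, source, wildcard):
                return action
        return None


# Constructed policies, in the assumed order they are applied on the outbound interface.
ACL_2000 = Acl(2000).rule("permit", "192.168.20.0", "0.0.0.255")
ACL_3000 = Acl(3000).rule("permit", "192.168.30.0", "0.0.0.255")
INTERFACE_IP = "11.0.0.1"           # address of GigabitEthernet0/0/1 in the post
POLICIES = [
    (ACL_2000, "address-group 1", False),   # no-pat: address only, port unchanged
    (ACL_3000, "easy-ip", True),            # interface address, ports translated
]


def outbound_decision(src_ip: str) -> Tuple[str, bool]:
    """(translation source, whether ports are translated) for a packet leaving the interface."""
    for acl, mode, pat in POLICIES:
        if acl.match(src_ip) == "permit":   # a deny match or no match: this policy does not apply
            if mode == "easy-ip":
                return ("easy-ip " + INTERFACE_IP, pat)
            return (mode, pat)
    return ("routed untranslated", False)   # no permit anywhere: forwarded by the routing table


if __name__ == "__main__":
    print("pool 1 holds", pool_size("15.15.15.15", "15.15.15.250"), "addresses")
    for host in ("192.168.20.10", "192.168.30.10", "192.168.40.7"):
        print(host, "->", outbound_decision(host))
```

The deny behaviour the text describes falls out of Acl.match: a rule that matches with deny returns "deny", which outbound_decision treats exactly like no match, so the packet leaves with its private source address and whether it gets anywhere is up to the routing table beyond the gateway.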

NAT server configuration

nat static protocol tcp global 5.5.5.5 www inside 192.168.10.55 www   ---- Static NAT for the www service over TCP: map public 5.5.5.5 port www to the internal server 192.168.10.55 port www

  • R2 configuration

sysname R2
interface GigabitEthernet0/0/0
ip address 11.0.0.2 255.255.255.252
interface GigabitEthernet0/0/1
ip address 12.0.0.1 255.255.255.0
interface LoopBack0                           ---- Enter the router's loopback interface, a built-in interface used for testing
ip address 1.1.1.1 255.255.255.255
ip route-static 0.0.0.0 0.0.0.0 11.0.0.1

  • PC configuration

[Figure: PC configuration]

  • Simulation server configuration

[Figures: simulation server configuration]

  • Experimental packet capture NAT address translation results

[Figure: packet capture of the NAT address translation results]

NAT server test results

[Figures: NAT Server test results]

Source: blog.csdn.net/wulimingde/article/details/107192304