NAT--Network Address Translation--Theory and Basic Command--Huawei Experiment


Preface

  • A company’s office network needs to access the Internet, but private network addresses cannot be used on the Internet and public IP addresses cost a high fee, so many companies use NAT technology to access the Internet
  • Through this article, we will learn the principle and working process of NAT, and master how to configure NAT on Huawei routers to meet the various needs of the company’s internal network for Internet access.

1. Overview of NAT

  • With the development of the network, the demand for public IP addresses is increasing day by day
  • To alleviate the shortage of public IP addresses and to protect the private network addresses of the company’s internal servers, Network Address Translation (NAT) technology can be used to convert private network addresses to public addresses. This alleviates the shortage of public IP addresses and also hides the private network address of the internal server

1. The concept of NAT

  • NAT translates the private IP address of the internal network into a globally unique public IP address, so that the internal network can connect to external networks such as the Internet. It is widely used in all kinds of Internet access methods and all kinds of networks
  • NAT not only solves the problem of insufficient public IP addresses, but also hides the details of the internal network, helps avoid attacks from outside the network, and thus plays a certain security role
  • With the help of NAT, when an internal network using private reserved addresses sends packets through the router, the private address is converted into a legal public IP address, so a local area network only needs a small number of addresses (or even one) to let all computers on the private network communicate with the Internet

2. Public network address and private network address

  • Public network address (hereinafter referred to as public address) refers to a globally unique IP address on the Internet
  • November 26, 2019 is a memorable day in the Internet era: the nearly 4.3 billion IPv4 addresses in the world were exhausted
  • Private network address (hereinafter referred to as private address) refers to an IP address of an internal network or host. IANA (Internet Assigned Numbers Authority) stipulates that the following IP addresses are reserved as private addresses. They are not allocated on the Internet and can be used inside a company or for internal use
  • The private addresses specified in RFC1918 are as follows:
    Class A private addresses: 10.0.0.0~10.255.255.255
    Class B private addresses: 172.16.0.0~172.31.255.255
    Class C private addresses: 192.168.0.0~192.168.255.255

3. How NAT works

  1. NAT converts the internal network address and port number into a legal public network address and port number, establishes a session, and communicates with the public network host
  2. A host outside the NAT cannot actively initiate communication with a host inside the NAT. If a host inside the NAT wants to communicate, it must actively send traffic to an IP on the public network; the router is responsible for establishing the mapping relationship that makes data forwarding possible

4.NAT function

  1. Broadband sharing: this is the biggest function of the NAT host
  2. Security protection: when a PC behind the NAT connects to the Internet, the IP seen by the outside world is the public IP of the NAT host, so all client PCs have a certain degree of protection. When the outside world performs a port scan, the PC on the client side cannot be detected

5. Advantages and disadvantages of NAT

  • Advantages: saving public legal IP addresses, handling address overlap, enhancing flexibility, and security
  • Disadvantages: increased latency, complexity of configuration and maintenance, and does not support certain applications (such as VPN)

6.Static NAT

  • Static NAT realizes one-to-one conversion between private network addresses and public network addresses. You need to configure as many public network addresses as there are private network addresses. Static NAT cannot save public network addresses, but it can hide the internal network.
  • When the internal network sends a packet to the external network, static NAT replaces the source IP address of the packet with the corresponding public network address; when the external network sends a response packet to the internal network, NAT replaces the destination address of the packet with the corresponding private network address
    The three tables the router relies on:
  1. Routing table: packets are forwarded by looking up the destination IP in the routing table
  2. ACL: access control list, which filters packets, either denying or permitting them
  3. NAT translation table: translates the source IP address for traffic from the internal network to the external network, and the destination IP address for traffic from the external network to the internal network

2. NAT configuration

1. Static NAT

  • Static NAT realizes one-to-one conversion between private network addresses and public network addresses. You need to configure as many public network addresses as there are private network addresses. Static NAT cannot save public network addresses, but it can hide the internal network.
  • When the internal network sends a packet to the external network, static NAT replaces the source IP address of the packet with the corresponding public network address; when the external network sends a response packet to the internal network, static NAT replaces the destination address of the packet with the corresponding private network address

There are 2 configuration methods:

  • The first method:
    set static NAT in system view (global mode)
[R1]nat static global 8.8.8.8 inside 192.168.10.10
[R1]int g0/0/1 ## external (Internet-facing) interface
[R1-GigabitEthernet0/0/1] nat static enable ### enable the static NAT function on the interface
  • The second method:
    declare nat static directly on the interface
[R1]int g0/0/1 ### external (Internet-facing) interface
[R1-GigabitEthernet0/0/1] nat static global 8.8.8.8 inside 192.168.10.10
[R1]dis nat static ### display the static NAT configuration

2. Dynamic NAT

Multiple private IP addresses correspond to multiple public IP addresses, based on one-to-one mapping of address pools

  1. Configure the IP address of the external network port and internal network port
  2. Define a legal IP address pool
[R1] nat address-group 1 212.0.0.100 212.0.0.200 # create a NAT address pool named 1
  3. Define an access control list
[R1] acl 2000

### create an ACL that permits traffic sourced from 192.168.20.0/24 and 11.0.0.0/24
[R1-acl-basic-2000]rule permit source 192.168.20.0 0.0.0.255
[R1-acl-basic-2000] rule permit source 11.0.0.0 0.0.0.255

  4. Set up dynamic IP address translation on the external network port

[R1-acl-basic-2000]int g0/0/1 ### external (Internet-facing) interface
[R1-GigabitEthernet0/0/1]nat outbound 2000 address-group 1 no-pat ### translate the source address of packets matched by ACL 2000 to a public address from address-group 1 (no-pat: only the IP address is translated, not the port; the default is PAT)

[R1] dis nat outbound ### display the NAT outbound information

3. PAT port multiplexing

  • PAT is also known as NAPT (Network Address Port Translation), which realizes the mapping between a public network address and multiple private network addresses, so it can save public network addresses
  • The basic principle of PAT is to convert the source IP addresses of packets with different private network addresses to the same public network address, but they are converted to different port numbers of the address, so they can still share the same address.

PAT has the following functions:

  • Changes both the IP address and the port number of the packet
  • Can save a large number of public IP addresses

The types of PAT are as follows:

  • Dynamic PAT, including NAPT and Easy IP
  • Static PAT, including NAT Server

4.NAPT

Multiple private network IP addresses correspond to fixed external network IP addresses (such as 200.1.1.10), the configuration method is similar to dynamic NAT

  1. Configure the IP address of the external network port and internal network port
  2. Define a legal IP address pool
[R1]nat address-group 1 200.1.1.10 200.1.1.10 ## use a single fixed IP
  3. Define an access control list
[R1]acl 2000
### permit traffic sourced from 192.168.30.0/24
[R1-acl-basic-2000] rule permit source 192.168.30.0 0.0.0.255
  4. Set IP address translation on the external network port
[R1-acl-basic-2000]int g0/0/1 ### external (Internet-facing) interface
[R1-GigabitEthernet0/0/1] nat outbound 2000 address-group 1

5.Easy IP

Multiple private network IP addresses correspond to the public network IP address of the external network port (for example, 12.0.0.1)

  1. Configure the IP address of the external network port and internal network port
  2. Define a legal IP address pool.
    Because the IP address of the external network port is used directly, there is no need to define an IP address pool
  3. Define an access control list
[R1] acl 3000 ## permit traffic sourced from 192.168.30.0/24
[R1-acl-adv-3000]rule permit ip source 192.168.30.0 0.0.0.255
  4. Set IP address translation on the external network port
[R1]int g0/0/1 ### external (Internet-facing) interface
[R1-GigabitEthernet0/0/1] nat outbound 3000
## when packets whose source IP matches ACL 3000 leave this interface, the source address is translated to the interface's own IP address
[R1] display nat session all #### display the NAT session (flow) table

6.NAT server

Port mapping: a port of the private network address is mapped to the public network address, so that an internal network server can be accessed by external network users

[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]nat server protocol tcp global 9.9.9.9 www inside 192.168.10.100 www ### on the Internet-facing interface, bind the private server address and the public address as a static NAT mapping

[R1-GigabitEthernet0/0/1] nat server protocol tcp global current-interface 8080 inside 10.1.1.1 www
## on the Internet-facing interface, bind the private server address to the external interface's own address as a static NAT mapping

[R1-GigabitEthernet0/0/1]nat server protocol tcp global current-interface 2121 inside 10.1.1.2 ftp
### the keyword "ftp" can be used directly in place of port 21
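To make the behaviour described under "How NAT works" and in the NAT server section concrete, here is an added Python model of the router's NAT translation table (it is not from the original post and not Huawei code): it matches source addresses with a Huawei-style wildcard mask, translates outbound packets to the public address with a new port, lets inbound packets through only when they belong to a session the inside host opened or to a static nat server mapping, and drops the rest. The addresses, ports and the NaptRouter class are constructed for the example, and the model ignores the transport protocol.

```python
import ipaddress
from itertools import count

def acl_permits(src_ip, rule_net, wildcard):
    """Huawei-style wildcard match: 0 bits in the wildcard must match, 1 bits are ignored."""
    ip = int(ipaddress.IPv4Address(src_ip))
    net = int(ipaddress.IPv4Address(rule_net))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip & care) == (net & care)

class NaptRouter:
    """Toy model of 'nat outbound <acl>' (PAT on one public IP) plus 'nat server' mappings.
    Simplification (assumed for the example): the protocol is ignored, sessions are keyed on ports and peer only."""
    def __init__(self, public_ip, acl_rules):
        self.public_ip = public_ip
        self.acl_rules = acl_rules      # list of (network, wildcard) permit rules, like 'rule permit source'
        self.port_alloc = count(1024)   # public ports handed out to new sessions
        self.sessions = {}              # (pub_port, peer_ip, peer_port) -> (inside_ip, inside_port)
        self.servers = {}               # pub_port -> (inside_ip, inside_port)

    def nat_server(self, global_port, inside_ip, inside_port):
        """Static port mapping, like 'nat server protocol tcp global current-interface 8080 inside ...'."""
        self.servers[global_port] = (inside_ip, inside_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet leaving the outside interface; returns the packet as seen on the public network."""
        if not any(acl_permits(src_ip, net, wc) for net, wc in self.acl_rules):
            return (src_ip, src_port, dst_ip, dst_port)   # not matched by the ACL: forwarded untranslated
        pub_port = next(self.port_alloc)
        self.sessions[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arriving at public_ip:dst_port; returns the translated packet, or None if dropped."""
        entry = self.sessions.get((dst_port, src_ip, src_port))   # reply to a session an inside host opened?
        if entry is None:
            entry = self.servers.get(dst_port)                    # static nat server mapping?
        if entry is None:
            return None   # unsolicited and unmapped: no table entry, so the router drops it
        inside_ip, inside_port = entry
        return (src_ip, src_port, inside_ip, inside_port)

if __name__ == "__main__":
    r = NaptRouter("12.0.0.254", [("192.168.1.0", "0.0.0.255")])
    print(r.outbound("192.168.1.1", 40000, "8.8.8.8", 80))   # ('12.0.0.254', 1024, '8.8.8.8', 80)
    print(r.inbound("8.8.8.8", 80, 1024))                     # reply mapped back to 192.168.1.1:40000
    print(r.inbound("203.0.113.5", 5555, 1024))               # unsolicited: None
    r.nat_server(8080, "192.168.1.100", 80)
    print(r.inbound("203.0.113.5", 5555, 8080))               # reaches the published server
```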

3. Huawei experiment

1. Topological diagram


2. Configure NAT in global mode


  • R1
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys R1
[R1]un in en
Info: Information center is disabled.
## configure the IP address of each interface
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 192.168.1.254 24
[R1-GigabitEthernet0/0/0]un sh
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 12.0.0.254 24
[R1-GigabitEthernet0/0/1]un sh
Info: Interface GigabitEthernet0/0/1 is not shutdown.
[R1-GigabitEthernet0/0/1]int g0/0/2
[R1-GigabitEthernet0/0/2]ip add 192.168.2.254 24
[R1-GigabitEthernet0/0/2]un sh
Info: Interface GigabitEthernet0/0/2 is not shutdown.
[R1-GigabitEthernet0/0/2]q
## in system view, map the private address to the public address 8.8.8.8
[R1]nat static global 8.8.8.8 inside 192.168.1.1
[R1]di th

[R1]int g0/0/1
## enable the static NAT function on this interface
[R1-GigabitEthernet0/0/1]nat static enable


3. Dynamic NAT

Multiple private IP addresses correspond to multiple public IP addresses, based on one-to-one mapping of address pools

## this experiment continues from the previous one, so the old configuration is removed first
[R1-GigabitEthernet0/0/1]undo nat static enable
[R1-GigabitEthernet0/0/1]q
[R1]un nat static global 8.8.8.8 inside 192.168.1.1

## configure the NAT public address pool
[R1]nat address-group 1 12.0.0.100 12.0.0.200
# create the ACL
[R1]acl 2000
## match only part of the private address space, so that not all private addresses pass through and overwhelm the router
[R1-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255

[R1-acl-basic-2000]q
[R1]int g0/0/1
## apply the NAT function to this interface
[R1-GigabitEthernet0/0/1]nat outbound 2000 address-group 1 no-pat
[R1-GigabitEthernet0/0/1]di th


4.Easy IP

Multiple private network IP addresses correspond to the public network IP address of the external network port

## first remove the old configuration
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]un nat ou 2000 address-group 1 no-pat

## create ACL 3000
[R1-GigabitEthernet0/0/1]acl 3000
## permit the private network segment
[R1-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255
[R1-acl-adv-3000]di th

[R1-acl-adv-3000]q
## enter the interface to be configured
[R1]int g0/0/1
## apply ACL 3000 to the interface
[R1-GigabitEthernet0/0/1]nat outbound 3000

[R1-GigabitEthernet0/0/1]q
## display the session information
[R1]dis nat session all

5.NAT server

Port mapping, mapping the private network address port to the public network address to realize the internal network server for external users to access

[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]un nat outbound 3000
[R1-GigabitEthernet0/0/1]di th

[R1-GigabitEthernet0/0/1]q
[R1]int g0/0/0
## on the Internet-facing interface, bind the private server address to the external interface's own address as a static NAT mapping
[R1-GigabitEthernet0/0/0]nat server protocol tcp global current-interface 8080 inside 12.0.0.1 www
[R1-GigabitEthernet0/0/0]di th

Origin blog.csdn.net/weixin_51486343/article/details/112110656