What is Twice NAT (Twice NAT) technology? How to configure Huawei and Cisco equipment? This article will give you some answers!

In network communication, NAT (Network Address Translation) is a common network translation technology used for address translation between internal and external networks. In general, NAT mainly involves the translation of the source IP address, converting the private IP address of the internal network host to the public IP address of the external network. However, when the internal network host address overlaps with the external network host address, pure NAT technology cannot effectively implement address translation. At this time, you need to use Twice NAT (Twice NAT) technology.

Twice NAT technology allows simultaneous conversion of source IP address and destination IP address. It applies when the addresses of hosts on the internal network overlap with addresses of hosts on the external network. In this article, we will discuss the principle and application of twice NAT technology in detail.

The principle of twice NAT

Suppose there is a host A (Host A) in the internal network, which needs to access the host B (Host B) with overlapping addresses in the external network.

The topology diagram is as follows:

          +------------------+
          | External Network |
          +------------------+
                   |
                   |
                   | 1.1.1.1
          +------------------+
          |   DNS Server     |
          +------------------+
                   |
                   |
                   | 3.3.3.1
          +------------------+
          |     Router       |
          +------------------+
                   |
                   |
                   | 1.1.1.1
          +------------------+
          |   Host B         |
          +------------------+
                   |
                   |
                   | Internal Network
          +------------------+
          |   Host A         |
          +------------------+

In this topology, there is an internal network and an external network. Host A (Host A) is on the internal network and Host B (Host B) is on the external network. There is a router (Router) and a DNS server in the middle. Two NAT translations are performed on the router to translate the addresses of the internal network and the external network to realize communication between host A and host B. Host A obtains the IP address of host B through the DNS server and communicates with host B.

Please note that this is only a simplified schematic diagram, and the actual network topology may be more complex. You can draw according to this diagram to better understand the working principle of twice NAT.

The following is the detailed process of the two NAT technology:

1. Host A sends a DNS request to access external host B to the DNS server on the external network.

2. The DNS server responds that the IP address of host B is 1.1.1.1. This IP address overlaps with the internal network address where host A resides.

3. DNS ALG (Application Layer Gateway) processing is performed when the DNS response message passes through the router (Router). The router converts the overlapping address 1.1.1.1 in the DNS response message to the unique temporary address 3.3.3.1, and forwards the message to host A.

4. Host A initiates communication with host B, and the destination IP address is set to the temporary address 3.3.3.1. When the message passes through the router, the router checks that the destination IP address is a temporary address, and performs destination address translation. The router translates the destination IP address of the packet to the real address 1.1.1.1 of host B, and at the same time performs normal NAT egress translation to translate the source IP address of the packet to an address in the source NAT address pool.

5. The router forwards the converted packet to host B.

6. Host B responds to host A's request, the destination IP address is set to an address in the NAT egress address pool of host A, and the source IP address is host B's real address 1.1.1.1. When the packet passes through the router, the router checks that the source IP address is an overlapping address, and performs source address translation. The router translates the source IP address of the message to the corresponding temporary address 3.3.3.1, and performs normal destination address translation at the same time, converting the destination IP address of the message from the source NAT address pool address to the internal network address 1.1 of host A. 1.1.

7. The router forwards the converted packet to host A.

Through the above steps, the two-time NAT technology successfully solves the problem that the internal network address overlaps with the external network address, and realizes the communication between host A and host B.

Application of NAT twice

Twice NAT technology is widely used in the following situations:

1. Internal network address and external network address overlap: When the IP address range used by the host on the internal network overlaps with the host address on the external network, using the NAT technology twice can solve the problem of address conflict and realize communication.

2. Avoiding IP address leakage: Using NAT technology twice can hide the real IP address of the internal network, so that external networks cannot directly access hosts in the internal network, improving network security.

3. IP address mapping and conversion: Through two NAT technologies, the mapping and conversion between different IP addresses can be realized, which is convenient for network address management and routing control.

4. Multiple address translation: Twice NAT technology can perform multiple address translations, and the message will pass through multiple translation nodes, which increases the flexibility and scalability of the network.

5. Communication across network segments: When the internal network and external network are in different network segments, the two-time NAT technology can solve the communication problem between network segments, so that hosts in different network segments can access each other.

Twice NAT configuration

Ruige will introduce Huawei and Cisco respectively. The topology diagram involved is also a simple schematic diagram. You can build your own network based on your understanding.

Huawei

Simple topology diagram

In this topology, there is still an external network and an internal network. A Huawei router acts as a device connecting the two networks. The GigabitEthernet0/0/0 interface of the router is connected to the external network, and the IP address is 1.1.1.2/24. The router's GigabitEthernet0/0/1 interface is connected to the internal network with an IP address of 192.168.1.1/24. Host A (Host A) and Host B (Host B) are connected to the internal network respectively.

configuration process

sysname Router
interface GigabitEthernet0/0/0
 description External Network Interface
 ip address 1.1.1.2 255.255.255.0

interface GigabitEthernet0/0/1
 description Internal Network Interface
 ip address 192.168.1.1 255.255.255.0

nat address-group 1 3.3.3.1 3.3.3.1

acl number 1000
 rule 5 permit ip source 192.168.1.0 0.0.0.255

nat policy 1 source address-group 1
nat policy 1 destination network 192.168.1.1 mask 255.255.255.255 global unicast 1.1.1.1

acl number 2000
 rule 5 permit ip destination 3.3.3.1 0.0.0.0

nat policy 2 destination address-group 1
nat policy 2 source network 1.1.1.1 mask 255.255.255.255 global unicast 192.168.1.1

ip route-static 0.0.0.0 0.0.0.0 1.1.1.1

In the configuration example, the NAT function of Huawei routers is used. An address group is created through nat address-groupthe command, which includes an address 3.3.3.1. Then, the conversion of source NAT and destination NAT is realized through ACL and NAT policy. The source NAT policy translates the internal IP address 192.168.1.1 of host A to the external IP address 1.1.1.1. The destination NAT policy translates the traffic with the external IP address 3.3.3.1 to the internal IP address 192.168.1.1.

Finally, a default static route is configured to forward all traffic through 1.1.1.1.

cisco

Simple topology diagram

In this topology, there is an external network and an internal network. A router acts as a connection point between two networks. The router's GigabitEthernet0/0 interface is connected to the external network with an IP address of 1.1.1.2/24. The router's GigabitEthernet0/1 interface is connected to the internal network with an IP address of 192.168.1.1/24. Host A (Host A) and Host B (Host B) are connected to the internal network respectively.

configuration process

Assume that the external network interface of the router is GigabitEthernet0/0, the IP address is 1.1.1.2, and the subnet mask is 255.255.255.0. The internal network interface is GigabitEthernet0/1, the IP address is 192.168.1.1, and the subnet mask is 255.255.255.0

Configuration command (probably):

interface GigabitEthernet0/0
 description External Network Interface
 ip address 1.1.1.2 255.255.255.0

interface GigabitEthernet0/1
 description Internal Network Interface
 ip address 192.168.1.1 255.255.255.0

ip nat pool SourceNATPool 10.0.0.1 10.0.0.10 prefix-length 24
ip nat inside source list 100 pool SourceNATPool overload
ip nat inside source static 192.168.1.1 1.1.1.1

access-list 100 permit ip 192.168.1.0 0.0.0.255 any

ip nat inside destination list 200 pool DestinationNATPool
ip nat pool DestinationNATPool 3.3.3.1 3.3.3.1 prefix-length 24
ip nat inside destination list 200 pool DestinationNATPool

access-list 200 permit ip host 3.3.3.1 any

ip route 0.0.0.0 0.0.0.0 1.1.1.1

command description

First, a source NAT address pool SourceNATPool is created, which contains 10 addresses ranging from 10.0.0.1 to 10.0.0.10 with a subnet mask of 24 bits. Then, use ACL 100 to map all traffic in the internal network 192.168.1.0/24 to the source NAT address pool SourceNATPool.

Next, use static NAT to map Host A's internal IP address 192.168.1.1 to the external IP address 1.1.1.1.

Then, a destination NAT address pool DestinationNATPool is created, which contains an address 3.3.3.1 and a subnet mask of 24 bits. Use ACL 200 to allow destination NAT for traffic with the external IP address 3.3.3.1.

Finally, a default route is configured to forward all traffic through 1.1.1.1.

Through the above configuration, the router implements two NAT translations. The source IP address of host A on the internal network will be converted to an address in the source NAT address pool, and the destination IP address of host B will be converted to an address in the destination NAT address pool, realizing the communication between internal host A and external host B. communication between.

Note that actual configurations may vary depending on device model, OS version, and network requirements. This configuration is an example only, and specific configuration steps and commands may vary depending on the device you are using.

Summarize

Twice NAT technology is an effective means to solve the overlapping problem of internal network address and external network address. By converting the source IP address and the destination IP address at the same time, the communication between the internal host and the external host is realized. It is widely used in the network environment, especially in the overlapping of internal network addresses and external network addresses, IP address mapping and conversion, and IP address protection.

With the continuous development of the network, the two-time NAT technology is also constantly evolving and improving, providing more choices and flexibility for network communication. For network administrators and engineers, understanding and mastering the principle and application of twice NAT technology is of great significance for building an efficient, safe and reliable network architecture.