[HCIA] 11. ACL and NAT address translation

ACL

  • ACLs precisely identify and control packet flows on the network, and are therefore used to control network access behaviour, block unwanted traffic, and improve bandwidth utilization.
    • An ACL is an ordered list of rules, each a permit or deny statement; it classifies packets by matching fields in the packet header.
    • As a basic matching tool, an ACL can match elements of an IP packet such as source IP address, destination IP address, protocol type, and source and destination port; an ACL can also be used to match routing entries.

The composition of ACL

  • An ACL consists of several permit or deny statements. Each statement is a rule of the ACL, and the permit or deny in each statement is the processing action corresponding to this rule.

  • If no rule in the ACL matches the packet, a hidden deny rule at the end of the ACL applies.
  • An ACL is always used together with a tool (for example packet filtering or NAT). Whether a packet is finally permitted or denied depends on how that tool treats matched and unmatched packets.

wildcard

  • When an IP address is matched, it is followed by 32 mask bits; these 32 bits are called the wildcard.
  • A wildcard is also written in dotted decimal. After conversion to binary, a "0" bit means "this bit must match" and a "1" bit means "don't care".
  • There are two special wildcards:
    • A wildcard of all 0s (0.0.0.0) together with an IP address matches exactly that one IP address;
    • A wildcard of all 1s (255.255.255.255) together with the address 0.0.0.0 matches every IP address.

Classification of ACLs

ACL matching mechanism

  • When a device configured with an ACL receives a packet, it compares the packet against the rules of the ACL one by one. If a rule does not match, the device continues with the next rule.
  • As soon as a rule matches, the device applies the action defined in that rule to the packet and does not try any subsequent rules.
  • Matching principle: stop at the first hit.

ACL matching order

  • Huawei devices support two matching orders: automatic ordering (auto mode) and configuration order (config mode). The default ACL matching order is config mode.
    • Automatic ordering: the rules are sorted by precision from high to low, and packets are matched against the rules in that order (most precise rule first).
    • Configuration order: the system matches packets against the rules in ascending order of rule number, so a rule with a smaller number is tried earlier.
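The wildcard matching and the first-hit rule lookup described above, as an added Python example (not code from the original notes or from Huawei). It assumes a basic ACL with source-address rules only; the auto-mode ordering is simplified to "more care bits in the wildcard = more precise, ties broken by rule number", and the default action for an unmatched packet is passed in by the caller because it belongs to the tool using the ACL, not to the ACL itself.

```python
import ipaddress


def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """Huawei-style wildcard: a 0 bit must match the base address, a 1 bit is 'don't care'."""
    ip_i = int(ipaddress.IPv4Address(ip))
    base_i = int(ipaddress.IPv4Address(base))
    wc_i = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ wc_i            # bits the rule actually cares about
    return (ip_i & care) == (base_i & care)


def precision(wildcard: str) -> int:
    """Number of 'care' bits; a higher value means a more precise rule (used by auto mode)."""
    wc_i = int(ipaddress.IPv4Address(wildcard))
    return 32 - bin(wc_i).count("1")


# Constructed sample basic ACL: (rule number, action, source address, wildcard).
# Rule 5 is deliberately broader than rule 10 so that config and auto mode differ.
ACL_2000 = [
    (5, "deny", "192.168.0.0", "0.0.255.255"),
    (10, "permit", "192.168.1.0", "0.0.0.255"),
    (15, "permit", "10.0.0.1", "0.0.0.0"),    # all-zero wildcard: exactly one host
]


def evaluate(acl, src_ip: str, mode: str = "config", default=None):
    """Return (action, rule_number) of the first matching rule.

    If nothing matches, return (default, None): the tool that uses the ACL
    (packet filter, NAT, ...) decides what happens to unmatched packets.
    """
    if mode == "auto":
        # most precise rule first; equal precision falls back to rule number
        ordered = sorted(acl, key=lambda r: (-precision(r[3]), r[0]))
    else:
        ordered = sorted(acl, key=lambda r: r[0])
    for rule_no, action, base, wc in ordered:
        if wildcard_match(src_ip, base, wc):
            return action, rule_no          # first hit wins, stop matching
    return default, None


if __name__ == "__main__":
    print(evaluate(ACL_2000, "192.168.1.7"))                  # config mode: ('deny', 5)
    print(evaluate(ACL_2000, "192.168.1.7", mode="auto"))     # auto mode:   ('permit', 10)
    print(evaluate(ACL_2000, "172.16.0.1", default="permit"))  # no hit: ('permit', None)
```

Running the block shows the practical consequence of the matching order: the same packet from 192.168.1.7 is denied in config mode (rule 5 is tried first) but permitted in auto mode (the more precise rule 10 is tried first), which is why the order matters when a broad deny and a narrow permit overlap.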

NAT address translation

Static NAT

  • The mapping between a private address and a public address is fixed and one-to-one.
  • Two-way access is supported. When the internal network is accessed from outside, the NAT device translates the public address in the packet back into the corresponding private address.
[Huawei-GigabitEthernet0/0/0]nat static global 12.1.1.1 inside 192.168.10.1

Dynamic NAT

  • The mapping is still one-to-one, but it is no longer fixed. An address pool is introduced: all available public addresses form the pool.
  • When an internal host accesses the external network, an unused address from the pool is allocated to it temporarily and marked "In Use". When the host stops accessing the external network, the allocated address is reclaimed and marked "Not Use".
  • If the source address is not permitted by the ACL, no translation is performed.
[R1]nat address-group 1 100.1.1.2 100.1.1.3 //Define the public address pool
[R1]acl 2000
[R1-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255 //Define the private addresses that need to be translated
[R1-GigabitEthernet0/0/1]nat outbound 2000 address-group 1 no-pat //Bind the ACL to the address pool on the outbound interface, without port translation

NAPT (Network Address Port Translation)

  • When an address is selected from the pool for translation, the port number is translated along with the IP address. This gives a 1:n mapping between one public address and many private addresses and greatly improves the utilization of public addresses.
[R1]nat address-group 1 100.1.1.2 100.1.1.3 //Define the public address pool
[R1]acl 2000
[R1-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255 //Define the private addresses that need to be translated
[R1-GigabitEthernet0/0/1]nat outbound 2000 address-group 1 //Bind the ACL to the address pool on the outbound interface and also translate ports

Easy IP

  • The principle is the same as NAPT: both the IP address and the transport-layer port are translated. The difference is that Easy IP has no address pool; it uses the address of the outbound interface as the public address for NAT.
[R1]acl 2000
[R1-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255 //Define the private addresses that need to be translated
[R1-GigabitEthernet0/0/1]nat outbound 2000 //Translate using the interface address, no address pool
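The three outbound variants above (dynamic NAT with no-pat, NAPT, and Easy IP) differ only in whether ports are translated and where the public addresses come from. The following added Python model (not code from the notes or from Huawei) shows all three with one class: the pool, the "In Use" marking and reclaim of dynamic NAT, the ACL check that leaves non-permitted sources untranslated, the IP+port mapping of NAPT, and the reverse lookup for returning packets. Easy IP is modelled as a pool containing only the interface address. Pool addresses, the ACL rule and the starting public port (10240) are constructed values, not anything the page states.

```python
import ipaddress


def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """Basic-ACL source check: a 0 wildcard bit must match, a 1 bit is 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)


class NatOutbound:
    """Outbound NAT on one interface, after 'nat outbound <acl> [address-group <n>] [no-pat]'.

    no_pat=True  -> dynamic NAT: one public address per private host, port unchanged.
    no_pat=False -> NAPT: public address + new public port per session.
    A pool with a single address (the interface address) behaves like Easy IP.
    """

    def __init__(self, pool, acl_rule, no_pat=False):
        self.pool = list(pool)              # public addresses in the address-group
        self.acl_base, self.acl_wc = acl_rule
        self.no_pat = no_pat
        self.in_use = {}                    # no-pat: public ip -> private ip ("In Use")
        self.sessions = {}                  # NAPT: (pub_ip, pub_port) -> (priv_ip, priv_port)
        self.next_port = 10240              # constructed first public port for NAPT
        self.rr = 0                         # round-robin index over the pool for NAPT

    def translate(self, priv_ip: str, priv_port: int):
        """Return (public_ip, public_port) for an outbound packet, or None if no translation applies."""
        if not wildcard_match(priv_ip, self.acl_base, self.acl_wc):
            return None                     # source not permitted by the ACL: leave untranslated
        if self.no_pat:
            for pub, priv in self.in_use.items():
                if priv == priv_ip:
                    return pub, priv_port   # host already holds an address
            free = [p for p in self.pool if p not in self.in_use]
            if not free:
                return None                 # pool exhausted: every address is "In Use"
            self.in_use[free[0]] = priv_ip
            return free[0], priv_port       # port is not touched in no-pat mode
        for key, val in self.sessions.items():
            if val == (priv_ip, priv_port):
                return key                  # existing session keeps its mapping
        pub = self.pool[self.rr % len(self.pool)]
        self.rr += 1
        key = (pub, self.next_port)
        self.next_port += 1
        self.sessions[key] = (priv_ip, priv_port)
        return key

    def release(self, priv_ip: str) -> None:
        """The host stopped talking: reclaim its public address (mark it "Not Use")."""
        for pub, priv in list(self.in_use.items()):
            if priv == priv_ip:
                del self.in_use[pub]

    def reverse(self, pub_ip: str, pub_port: int):
        """Map a returning packet to (private_ip, private_port), or None if there is no binding."""
        if self.no_pat:
            priv = self.in_use.get(pub_ip)
            return (priv, pub_port) if priv else None
        return self.sessions.get((pub_ip, pub_port))


if __name__ == "__main__":
    acl = ("192.168.0.0", "0.0.255.255")    # rule permit source 192.168.0.0 0.0.255.255
    dyn = NatOutbound(["100.1.1.2", "100.1.1.3"], acl, no_pat=True)
    print(dyn.translate("192.168.1.10", 5000))   # ('100.1.1.2', 5000)
    print(dyn.translate("192.168.1.11", 6000))   # ('100.1.1.3', 6000)
    print(dyn.translate("192.168.1.12", 7000))   # None, pool exhausted
    napt = NatOutbound(["100.1.1.2", "100.1.1.3"], acl)
    print(napt.translate("192.168.1.10", 5000))  # ('100.1.1.2', 10240)
    print(napt.translate("192.168.1.12", 5000))  # ('100.1.1.2', 10242), same public ip, new port
```

The two-address pool is enough to show the difference that matters operationally: with no-pat the third host gets no translation at all once both addresses are "In Use", whereas NAPT keeps accepting hosts because it distinguishes them by port. The reverse lookup is what a defender relies on when tracing an external report back to an internal host, which is why NAT session logs need both the public address and the public port.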

NAT Server conversion

[R1-GigabitEthernet0/0/1]nat server protocol tcp global 100.1.1.250 81 inside 192.168.1.250 80

Source: blog.csdn.net/weixin_45988710/article/details/131773441