4.1.0 Routing NAT (Introduction, Static NAT, Dynamic NAT, NAT Server, NAPT, Easy-IP, NAT address mapping table)
Introduction
NAT (Network Address Translation) was introduced mainly to conserve public IPv4 addresses; as a side effect it also hides internal addressing, which gives a limited security benefit.
NAT mainly translates private (RFC 1918) addresses into public addresses on the way out, and translates the public addresses back on the return path.
Advantages of NAT:
- It alleviates the shortage of public IPv4 addresses.
- It solves address conflicts or overlap between networks (for example two sites that both use 192.168.1.0/24).
- The network scales more easily and local addressing stays under local control.
- The internal structure is not visible from outside, which raises the bar for an attacker somewhat. This is not a substitute for a firewall: an inbound connection is refused only because no translation entry exists for it, and any static or NAT Server entry re-exposes exactly what it maps.
Disadvantages of NAT:
- Address mapping adds forwarding delay when the number of translations is large.
- End-to-end addressing is broken: the address a peer sees is not the host's real address, so a specific host is hard to identify or trace (for troubleshooting or incident response) without the NAT device's session logs.
- Some applications do not work through NAT, typically those that carry IP addresses or ports inside the payload (FTP in active mode, SIP) and therefore need an application-level gateway.
- The entries NAT generates occupy memory on the device.
- A device performing NAT needs correspondingly higher performance.
NAT address mapping table
Translation revolves around four kinds of address; every NAT entry is made up of them:
Inside Local: the real private address of the internal host.
Inside Global: the public address that the private address is translated to.
Outside Local: the address of the external host as seen from inside the private network (a public address translated into a private one, where such a translation is configured).
Outside Global: the real public address of the external host.
To make the correspondence concrete, the four addresses are worked through in the following two experiments:
# Experiment 1: PC1 in internal network 1 accesses the external address 202.1.2.2 and is translated to the address of AR1's external interface.
Because `dis nat mapping table all` in ENSP lags or even fails to run, the mapping tables are written out as text:
[AR1 mapping table]
Inside Local: 192.168.1.10:random port
Inside Global: 202.1.2.1:random port
Outside Local: 202.1.2.2:random port, or empty [AR1 does not know AR2's internal address, so this can be empty]
Outside Global: 202.1.2.2:random port
[AR2 mapping table]
Inside Local: 192.168.2.10:random port
Inside Global: 202.1.2.2:random port
Outside Local: 202.1.2.1:random port, or empty
Outside Global: 202.1.2.1:random port
# Experiment 2: on AR2, port 80 of Server1 is mapped to the public address 202.1.2.2:80, so that a PC in internal network 1 accessing 202.1.2.2:80 reaches Server1's web page.
[AR1 mapping table]
Inside Local: 192.168.1.10:random port
Inside Global: 202.1.2.1:random port
Outside Local: 202.1.2.2:80, or empty
Outside Global: 202.1.2.2:80
[AR2 mapping table]
Inside Local: 192.168.2.10:80
Inside Global: 202.1.2.2:80
Outside Local: 202.1.2.1:random port, or empty
Outside Global: 202.1.2.1:random port
Static NAT
Introduction
A fixed one-to-one mapping between a private address and a public address. The entry exists whether or not the host is online.
Because the mapping is fixed, traffic can be initiated in both directions: internal hosts reach the outside through the entry, and external hosts can reach the internal host by addressing its public address.
Static NAT maps a private address to a public address and, equally, the public address back to the private address.
The cost is that each private host permanently consumes one public address, so this mode wastes public addresses and only provides a one-to-one mapping between one private and one public address.
Note that a static entry forwards every port of the internal host inbound, so it should be combined with an ACL or firewall policy that limits what the outside is allowed to reach.
Operation case
Configuring static NAT creates a one-to-one mapping between a public address and a private address: packets from the private address leave with the public address as source, and packets sent to the public address are delivered to the private address.
AR1:
interface GigabitEthernet0/0/0
ip address 202.1.2.1 255.255.255.0
nat static global 202.1.2.10 inside 192.168.1.10 netmask 255.255.255.255
nat static enable
AR2:
interface GigabitEthernet0/0/0
ip address 202.1.2.2 255.255.255.0
nat static global 202.1.2.20 inside 192.168.2.10 netmask 255.255.255.255
nat static enable
Result:
Client1 can reach Server1's services via 202.1.2.20.
Server1 can reach Client1 via 202.1.2.10.
Dynamic NAT
Introduction
To avoid wasting addresses, an address pool is created. When a private address needs to reach the external network, an address is taken from the pool and temporarily mapped one-to-one to the private address.
While the internal host is communicating, the pool address is marked In Use; when the entry ages out it is reclaimed and marked Not Use.
This mode cannot provide two-way access: because the mappings change dynamically, an external host cannot know which public address (if any) an internal host currently holds, so it cannot initiate a connection to it.
When many hosts need access at the same time, some of them may fail to obtain a public address because the pool is too small.
Operation case
There is a bug when configuring dynamic NAT in ENSP.
Access from a single private client consumes all the addresses in the pool by itself (even when the pool contains many public addresses, one private host uses them all up).
AR1:
# Create address pool 0
[AR1]nat address-group 0 202.1.2.5 202.1.2.7
# Create the match list: translate only when the source is a host in internal network 1
[AR1]acl 2000
[AR1-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255
# Configure dynamic NAT on the outbound interface: bind the match list to pool 0; no-pat means ports are not translated (without it this would be NAPT)
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]nat outbound 2000 address-group 0 no-pat
NAT Server
Introduction
NAT Server lets external users reach a server on the internal network by mapping a port of the private address to a port of a public address.
For example: map the internal 192.168.2.10:80 to the external address 202.1.2.2:80; when an external host connects to 202.1.2.2:80, it reaches the internal server 192.168.2.10:80.
Whatever is published this way is reachable from every host on the public side, so the published service needs the same hardening and ACL restrictions as a host exposed directly.
Operation case
AR1:
interface GigabitEthernet0/0/0
ip address 202.1.2.1 255.255.255.0
nat static global 202.1.2.5 inside 192.168.1.10 netmask 255.255.255.255
nat static enable
AR2:
interface GigabitEthernet0/0/0
ip address 202.1.2.2 255.255.255.0
# Map 192.168.2.10:80 to port 8888 of the current interface's address
nat server protocol tcp global current-interface 8888 inside 192.168.2.10 www
NAPT
Introduction
Similar to dynamic NAT, except that when a private address accesses the external network it is translated to a public address plus a dynamically chosen port (Network Address and Port Translation), so many private hosts can share one public address.
For example: when 192.168.1.1 accesses the external network it uses 202.1.2.5:12345 from the address pool to exchange traffic with external hosts. Return traffic is matched against that session entry and translated back; a packet arriving at 202.1.2.5:12345 that does not belong to an existing session has no entry and is dropped. On Huawei AR routers the live entries can be listed with `display nat session all`.
Operation case
AR1:
# Create address pool 0
[AR1]nat address-group 0 202.1.2.5 202.1.2.7
# Create the match list: translate only when the source is a host in internal network 1
[AR1]acl 2000
[AR1-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255
# Configure NAPT: bind the match list to pool 0; without no-pat the mode is NAPT
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]nat outbound 2000 address-group 0
Easy-ip
Introduction
Easy-IP translates private addresses to the address of the outbound public interface plus a dynamically chosen port, i.e. NAPT without a separate address pool. It is the usual way a small network with a single (often dynamically assigned) public address reaches the outside.
Operation case
AR1:
[AR1]acl 2000
[AR1-acl-basic-2000]rule permit source 192.168.1.10 0
[AR1-acl-basic-2000]q
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]nat outbound 2000
AR2:
interface GigabitEthernet0/0/0
ip address 202.1.2.2 255.255.255.0
nat server protocol tcp global current-interface 8888 inside 192.168.2.10 www
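The translation behaviour described in the mapping-table, Static NAT, Dynamic NAT, NAT Server, NAPT and Easy-IP sections above, walked through as an added Python illustration (this is not the router's code and not part of the original page). It models one NAT device as a table with the four entry kinds, runs the page's lab addresses through it, and shows which inbound packets are translated and which are dropped for lack of an entry. The addresses and ports are constructed from the lab topology; the port counter starting at 10240, the session key (inside endpoint, peer endpoint) and the `release` call standing in for entry ageing are this toy's own simplifications.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added illustration, not router code: a toy NAT table on the page's lab
# topology (192.168.1.0/24 behind AR1 at 202.1.2.1, 192.168.2.0/24 behind
# AR2 at 202.1.2.2).  All addresses and ports below are constructed.
Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint


@dataclass
class Nat:
    """One NAT device with the four translation modes discussed above."""
    static: Dict[str, str] = field(default_factory=dict)             # inside local ip -> inside global ip
    servers: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # nat server: global ep -> inside ep
    pool: List[str] = field(default_factory=list)                    # nat address-group (Easy-IP: interface ip)
    pat: bool = True                                                 # False models "no-pat"
    bindings: Dict[str, str] = field(default_factory=dict)           # no-pat: inside ip -> pool ip ("In Use")
    sessions: Dict[Tuple[Endpoint, Endpoint], Endpoint] = field(default_factory=dict)  # NAPT: (inside ep, peer) -> global ep
    next_port: int = 10240                                           # toy port allocator (assumption)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet leaving the private side; None means dropped."""
        ip, port = pkt.src
        if ip in self.static:                      # static NAT: fixed 1:1, port untouched
            return Packet((self.static[ip], port), pkt.dst)
        if not self.pool:
            return None
        if not self.pat:                           # dynamic NAT (no-pat): a whole address per host
            if ip not in self.bindings:
                free = [a for a in self.pool if a not in self.bindings.values()]
                if not free:
                    return None                    # pool exhausted: host gets no public address
                self.bindings[ip] = free[0]
            return Packet((self.bindings[ip], port), pkt.dst)
        key = (pkt.src, pkt.dst)                   # NAPT / Easy-IP: one address, fresh port per flow
        if key not in self.sessions:
            self.sessions[key] = (self.pool[0], self.next_port)
            self.next_port += 1
        return Packet(self.sessions[key], pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the public side; None means dropped."""
        ip, port = pkt.dst
        if pkt.dst in self.servers:                # nat server: published port -> internal server
            return Packet(pkt.src, self.servers[pkt.dst])
        for local, glob in self.static.items():    # static NAT: reachable from outside on any port
            if glob == ip:
                return Packet(pkt.src, (local, port))
        for local, glob in self.bindings.items():  # no-pat binding: reachable only while "In Use"
            if glob == ip:
                return Packet(pkt.src, (local, port))
        for (local, peer), glob in self.sessions.items():  # NAPT: must match an existing session
            if glob == pkt.dst and peer == pkt.src:        # same public port from another peer is refused
                return Packet(pkt.src, local)
        return None                                # no table entry: unsolicited packet dropped

    def release(self, ip: str) -> None:
        """Entry aged out / host went idle: return its pool address and sessions."""
        self.bindings.pop(ip, None)
        for key in [k for k in self.sessions if k[0][0] == ip]:
            del self.sessions[key]


def demo() -> dict:
    """Walk the page's experiments through the toy table and collect the results."""
    out = {}
    # Easy-IP / NAPT on AR1: two hosts share 202.1.2.1, distinguished by port
    ar1 = Nat(pool=["202.1.2.1"])
    a = ar1.outbound(Packet(("192.168.1.10", 50001), ("202.1.2.2", 80)))
    b = ar1.outbound(Packet(("192.168.1.11", 50001), ("202.1.2.2", 80)))
    out["napt"] = (a.src, b.src)
    out["napt_reply"] = ar1.inbound(Packet(("202.1.2.2", 80), a.src)).dst
    out["napt_stranger"] = ar1.inbound(Packet(("203.0.113.9", 80), a.src))
    # Dynamic NAT (no-pat): pool of two addresses, the third host is refused
    dyn = Nat(pool=["202.1.2.5", "202.1.2.6"], pat=False)
    out["dyn"] = tuple(dyn.outbound(Packet((h, 40000), ("202.1.2.2", 80))).src
                       for h in ("192.168.1.10", "192.168.1.11"))
    out["dyn_exhausted"] = dyn.outbound(Packet(("192.168.1.12", 40000), ("202.1.2.2", 80)))
    out["dyn_inbound_in_use"] = dyn.inbound(Packet(("202.1.2.2", 5555), ("202.1.2.6", 22))).dst
    dyn.release("192.168.1.11")
    out["dyn_inbound_released"] = dyn.inbound(Packet(("202.1.2.2", 5555), ("202.1.2.6", 22)))
    # Static NAT on AR1 and NAT Server on AR2 (the page's operation cases)
    st = Nat(static={"192.168.1.10": "202.1.2.10"})
    out["static_out"] = st.outbound(Packet(("192.168.1.10", 4444), ("202.1.2.20", 80))).src
    out["static_in"] = st.inbound(Packet(("202.1.2.20", 5555), ("202.1.2.10", 22))).dst
    ar2 = Nat(servers={("202.1.2.2", 8888): ("192.168.2.10", 80)})
    out["server_in"] = ar2.inbound(Packet(("202.1.2.10", 4444), ("202.1.2.2", 8888))).dst
    out["server_other_port"] = ar2.inbound(Packet(("202.1.2.10", 4444), ("202.1.2.2", 80)))
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The results make the page's claims concrete: under NAPT a reply to 202.1.2.1:10240 from the original peer is translated back, but the same port contacted by a different source has no matching entry and is dropped; under no-pat the third host is refused once both pool addresses are In Use, and the address becomes unreachable from outside as soon as its binding is released; static NAT answers on every port of the mapped address, whereas NAT Server answers only on the published port. A real device additionally keys its sessions on the protocol and ages them out on a timer rather than on an explicit release.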