NAT and its experiments (eNSP, detailed and easy to understand)


Table of contents

NAT generation background

NAT overview (Network Address Translation)

NAT working rules

Standard NAT technology

NAPT (Network Address Port Translation; the port is the transport-layer port number)

Easy IP - the simplest PAT

NAT Server

Static NAT experiment

Dynamic NAT experiment

NAPT experiment

NAT server experiment

Easy IP experiment


NAT generation background

  1. To save IP addresses and cost, private IP addresses are generally used inside enterprises.
  2. The devices that make up the Internet all use public IP addresses.
  3. To communicate with the Internet, the corporate intranet must have a public IP address.
  4. Devices on the corporate intranet cannot communicate with the Internet using their private addresses.



Analysis:

  1. With a default route configured on the edge device (router) of the enterprise network, the intranet can send data to the Internet.
  2. Since Internet devices have no routing entry for the private IP address, the reply cannot be returned to the corporate intranet.
  3. On the edge device (router) of the enterprise network, NAT is used to translate between private and public addresses.

NAT overview

NAT stands for Network Address Translation.

  1. Mainly used on the edge devices of enterprise networks.
  2. Translates the private IP address of a packet to a public IP address (and back), so that the internal network can access the external network.
  3. Protects the enterprise intranet and improves its security, because the external network cannot directly reach the private IP addresses of internal devices.

NAT working rules

① When sending data, modify the source address of the packet: change the private address to a certain public address, record the pair in a local NAT mapping table, and then forward the packet.
② When receiving data, look up the packet's destination address in the local NAT mapping table. If there is a record for this address, rewrite the destination address to the private address stored in the mapping table.

Standard NAT technology

Static NAT: a 1:1 relationship between an internal private address and a public address. It cannot satisfy the need for multiple internal hosts to share one public address when accessing the Internet.

Dynamic NAT: an n:1 relationship between internal private addresses and a public address. Multiple internal private addresses can use one public address, but not at the same time: only one of them can hold the public address at any moment. When there is concurrent traffic toward the Internet, the experience is poor.

Features: only the IP address is involved in the translation. When a packet leaves the private network, its source IP is changed to the public IP; when a packet enters the private network, its destination IP is changed to the private IP. If this is unclear, the experiments below should make it easier to understand.

NAPT (Network Address Port Translation; the port is the transport-layer port number)


Communication principle: during communication, the source address and source port in the packet are both modified and recorded in a NAT mapping table. When the reply comes back, it is translated back according to the information in the mapping table.

  • The main problem with dynamic NAT is that there are too few public addresses available for translation, and multiple private addresses cannot use one public address for communication at the same time.
  • When translating, not only the address but also the port is translated.
  • A single public address can correspond to up to 65536 port numbers, for example:
192.168.10.1 - 100.1.1.10:1001
192.168.10.2 - 100.1.1.10:1002
192.168.10.3 - 100.1.1.10:1003
192.168.10.4 - 100.1.1.10:1004
192.168.10.5 - 100.1.1.10:1005
192.168.10.6 - 100.1.1.10:1006
192.168.10.7 - 100.1.1.10:1007
192.168.10.8 - 100.1.1.10:1008


Easy IP - the simplest PAT

If the business is small and funds are limited, there is a high probability that the enterprise will buy only one public IP address. In this case, if we want multiple intranet hosts to access the Internet at the same time, we can only use the IP address configured on the public-facing interface for NAT translation. This method does not require any additional public address: the address of the outbound interface itself is used for translation, and even if the address of the outbound interface changes, the translation keeps working. [Port multiplexing]

We can see that the private IP+port is translated directly to the public IP+port of the public-facing interface, so public IP addresses are saved.

NAT Server

If you want to allow access from the external network into the internal network, you must set a "NAT translation entry" on the company's border device (R1) in advance, and this entry only allows traffic for one specific service.


As shown above: 

  • There is a web server inside the enterprise with the private IP address 192.168.1.100/24.
  • We want Internet users to reach our company's internal web server by opening the public address 200.10.10.1:80 in their browser.
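To make the two translation directions concrete, the following is an added example (not code from the original post or from eNSP) that models the NAPT mapping table shown above and the static NAT server entry for the web server. It reuses the post's addresses (100.1.1.10 as the public address, 192.168.10.x private hosts, 200.10.10.1:80 published for 192.168.1.100:80); 100.1.1.100 and 203.0.113.5 are constructed Internet hosts, and the packet is simplified to a (src_ip, src_port, dst_ip, dst_port) tuple.

```python
# Added example (not from the original post): a minimal model of the NAPT table and
# the static "nat server" entry. Post's addresses: 100.1.1.10 public, 192.168.10.x
# private, 200.10.10.1:80 -> 192.168.1.100:80. 100.1.1.100 / 203.0.113.5 are constructed.

class NatTable:
    def __init__(self, public_ip, first_port=1001):
        self.public_ip = public_ip     # public IP used for all outbound traffic
        self.next_port = first_port    # next public port to hand out (post: 1001, 1002, ...)
        self.outbound = {}             # (priv_ip, priv_port) -> public port
        self.inbound = {}              # public port -> (priv_ip, priv_port)
        self.servers = {}              # (pub_ip, pub_port) -> (priv_ip, priv_port), static

    def add_server(self, pub_ip, pub_port, priv_ip, priv_port):
        """Static 'nat server' entry: the one pre-set path for outside -> inside traffic."""
        self.servers[(pub_ip, pub_port)] = (priv_ip, priv_port)

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Private -> public: rewrite source IP and port, record the mapping (rule 1)."""
        key = (src_ip, src_port)
        if key not in self.outbound:           # first packet of this flow: allocate a port
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_in(self, src_ip, src_port, dst_ip, dst_port):
        """Public -> private: forward only if a mapping or server entry matches (rule 2)."""
        if (dst_ip, dst_port) in self.servers:
            return (src_ip, src_port) + self.servers[(dst_ip, dst_port)]
        if dst_ip == self.public_ip and dst_port in self.inbound:
            return (src_ip, src_port) + self.inbound[dst_port]
        return None                            # no entry: dropped, intranet host stays hidden

def demo():
    nat = NatTable("100.1.1.10")
    nat.add_server("200.10.10.1", 80, "192.168.1.100", 80)
    # two intranet hosts share one public IP, distinguished only by the translated port
    a = nat.translate_out("192.168.10.1", 50000, "100.1.1.100", 80)
    b = nat.translate_out("192.168.10.2", 50000, "100.1.1.100", 80)
    # the reply to host 1 is matched on the public port and sent back to 192.168.10.1
    reply = nat.translate_in("100.1.1.100", 80, "100.1.1.10", a[1])
    # an Internet user opening the published address reaches the internal web server
    web = nat.translate_in("203.0.113.5", 40000, "200.10.10.1", 80)
    # an unsolicited packet to a port with no mapping has nowhere to go
    probe = nat.translate_in("203.0.113.5", 40000, "100.1.1.10", 2222)
    return a, b, reply, web, probe

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The last two results show the security point from the overview: only the published server entry and ports with an existing mapping are forwarded inward; everything else has no private address to go to.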

Static NAT experiment

The network topology diagram is as follows:

Experimental requirements:

1. Configure static NAT on the router so that pc1 and pc2 can access the external network.

2. The IP address information of the hosts and the server is as shown above.

Configuration of pc1:

The configuration of pc2 is similar and will not be shown. Next, the server configuration is shown:

Note: Do not fill in the router’s IP in the red circle, otherwise this server will be able to ping our private network.

The router configuration is as follows:

Assign an IP to the internal network interface

Enter the public network interface.

1. Configure the public IP.

2. Configure static NAT on the public network interface: nat static global 100.1.1.3 inside 192.168.1.20.

3. Display the configuration of this interface: dis th.

After configuring, we capture packets at these two locations to see what characteristics the packets have.

The packets under the pc1 interface are as follows:

As shown in the figure above: the packets inside the private network carry private IPs and communicate directly with the public IP, and the hosts receive packets whose source IP is the public IP and whose destination IP is their private IP.

Then let’s take a look at the packets captured under the router:

As shown in the picture above: the original source IP 192.168.1.10 has been replaced by 100.1.1.2, which is the address translation we configured for 192.168.1.10. The server therefore cannot learn our private IP; from its point of view there is simply a host on the public network, 100.1.1.2, sending it requests.

Dynamic NAT experiment

The network topology diagram is as follows:

Experimental requirements:

1. Configure dynamic NAT on the router so that pc1 and pc2 can access the external network.

2. The IP address information of the hosts and the server is as shown above.

Other configurations are similar to the above, so this time only the configuration on the g0/0/1 interface on the router is shown.

1. Define the range of public addresses to translate to.

2. Create an ACL, used to match the traffic that is allowed to be translated.

3. Define the ACL rules.

4. Enter the public network interface.

5. Configure the public IP.

6. Configure dynamic NAT.

Then we test it: use pc3 to ping the server.

NAPT experiment

The network topology diagram is as follows:

Experimental requirements:

1. Use NAPT so that the hosts can communicate with the outside.

2. The client needs to establish an HTTP connection, and the server is an HTTP server.

First configure the server:

The basic configuration is not shown. Only the server information configuration is shown (just select a folder as the file root directory).

The router configuration is as follows:

1. Define the public IPs that can be translated to (note: this is not a translation to 30 and 40, but to any address between 30 and 40).

2. Define the ACL.

3. Define the private addresses that are allowed to communicate.

4. Enter the public network interface.

5. Configure the IP of the public network interface. Note: be sure to remember to assign an IP. I forgot about it at the time.

6. Configure NAPT.

7. The address of the private network interface is not shown here; just assign an IP.

Note: if "no-pat" is added, dynamic NAT is performed.
      If "no-pat" is not added, NAPT is performed.

Note: I changed the translatable address range later. Now the private addresses can only be translated to 100.1.1.30.

Then the client1 configuration:

First fill in the client's IP, then click Get.

Client2 performs the same steps. Before the clients establish their HTTP connections, I first start capturing packets on the public network interface of the router and get the following:

From the above we can see that both client1 and client2 communicate as 100.1.1.30, but the ports used by the router for each of them are different.

NAT server experiment

The network topology diagram is as follows:

Experimental requirements:

1. Use R4 as a NAT server so that client3 can reach the private-network server by accessing a specific public IP+port.

2. The IP address information is as shown in the figure above.

First we configure router R4:

Here we only show the configuration of the interface that provides the NAT server service; you can configure the other IP addresses yourself:

1. Enter the public network interface.

2. Configure the IP address.

3. Accessing port 80 of 100.1.1.8 from the external network becomes access to port 80 of 192.168.1.1: nat server protocol tcp global 100.1.1.8 80 inside 192.168.1.254 80.

4. Display the interface configuration to check for errors.

5. Configure the route back to the 200.1.1.0/24 network segment; otherwise R4 cannot return the packets.

Server configuration:

Client configuration (the other configurations are ordinary IP configurations and are not shown in detail):

Then we initiate an HTTP connection request from the client to the server. Pay attention to the IP we fill in here: when this IP is accessed, the NAT server automatically forwards the request to port 80 of 192.168.1.254 on the private network.

Let’s capture packets in these two places and take a look:

Packets on router R4, interface g0/0/0:

Packets on router R5, interface g0/0/1:

As you can see, by accessing 100.1.1.8:80 we did reach 192.168.1.254:80 on the private network. The experiment was successful.

Easy IP experiment

The network topology diagram is as follows:

Experimental requirements:

Use Easy IP to allow the host and the client to communicate with the server.

Here I only show the configuration of router R6; the other interface IP and host IP configurations are not shown.

1. Create an ACL.

2. Define the ACL rules to match the traffic that is allowed to be translated.

3 and 4. Enter the interface and configure its IP.

5. Configure Easy IP on this interface.

After configuring, capture packets at the following location and take a look.

The client initiates a request to the server first; the packets are as follows:

As you can see, the IP of our public network interface is used directly for communication. Many hosts use the same IP, so how do we tell them apart? As with NAPT, we distinguish them by port: different ports are mapped to the different hosts sharing this IP. With this, the experiment was successful.

Finally

This is the end of this introduction to NAT. If anything is wrong or missing, you are welcome to correct it or add to it. Creating content is not easy, so please give it a like before you leave! I will also post other computer-related blogs later; see you in the next one!


Origin blog.csdn.net/weixin_64972949/article/details/132173242