NAT Configuration

Principles

In the early 1990s, an RFC document raised the possibility of IP address exhaustion. Although the proposed IPv6 technology solves the address shortage at the root, it cannot replace the mature and widely deployed IPv4 network all at once. Because networks cannot transition to IPv6 immediately, a number of techniques are needed to extend the life of IPv4; the most widely used of these is Network Address Translation (NAT).

NAT is the process of translating the IP address in an IP packet header into another IP address. It is mainly used to let an internal network (private IP addresses) reach external networks (public IP addresses). There are three types of NAT: static NAT, dynamic NAT, and Network Address Port Translation (NAPT).

A NAT device (a network device with NAT enabled) maintains an address translation table; every packet that passes through the NAT device and needs address translation is converted according to that table. The NAT device sits between the internal network and the external network and is commonly a router or a firewall.

Purpose

● Understand NAT application scenarios

● Grasp static NAT configuration

● Master NAT Outbound configuration

● Master NAT Easy-IP configuration

● Master NAT Server configuration

Experiment content

The experiment simulates a corporate network scenario. R1 is the company's gateway (egress) router; the employees and the company server connect to R1 through switches S1 and S2, and R2, which simulates an external network device, is directly connected to R1. Because the company intranet uses private IP addresses, the network administrator must configure NAT on router R1 so that some employees can access the Internet and the server can be reached by external users: static NAT and NAT Outbound let part of the staff access the Internet, and NAT Server makes the server reachable by external users.

Lab topology (figure not reproduced)

Experimental Procedure

1. Basic configuration

Complete the basic configuration according to the experiment addressing table, and use the ping command to check the connectivity of each directly connected link.

The connectivity tests for the remaining directly connected networks are omitted.

2. Configure static NAT

Configure a default route on the company's gateway router R1 so that it can reach the Internet.

Because private IP addresses are used inside the network, employees cannot access the public network directly. NAT address translation must now be configured on the gateway router R1 to convert private addresses into public addresses.

PC1 is the terminal used by the account manager. He not only needs to reach the external network himself but also needs to be reachable directly by external users, so the network administrator assigns the public IP address 202.169.10.5 to PC1 for static NAT translation. Use the nat static command on interface GE 0/0/0 of R1 to configure a one-to-one translation from the internal address to the external address.

After the configuration, view the static NAT configuration information on R1, and use the ping command on PC1 to test connectivity with the external network.

It can be observed that PC1 successfully accesses the Internet through static NAT address translation. Capture packets on the GE 0/0/0 interface of R1 to see the NAT address translation; the results are shown in the figure.

It can be observed that R1 has translated the source address 172.16.1.1 of the ICMP packets from PC1 into the public address 202.169.10.5. Use the loopback interface Loopback 0 on R2 to simulate an external user accessing PC1, and capture packets on the E0/0/1 interface facing PC1, as shown in the figure.

It can be observed that, because PC1's private address is translated into a unique public address, external users can actively access PC1. When a packet enters the network through R1, R1 converts the destination public address 202.169.10.5 into the corresponding private address 172.16.1.1 and forwards it to PC1.

3. Configure NAT Outbound

Employees in the marketing department need to be able to access the Internet. Marketing uses the private network segment 172.17.1.0/24; the network administrator uses the public address pool 202.169.10.50 to 202.169.10.60 to perform NAT translation for the marketing staff.

Use the nat address-group command on R1 to configure the NAT address pool, with the start and end addresses set to 202.169.10.50 and 202.169.10.60 respectively.

Create basic ACL 2000, matching the 20.1.1.0 address range with a 24-bit mask.

Under interface GE 0/0/0, use the nat outbound command to associate ACL 2001 with the address pool, so that the addresses permitted by the ACL can use the address pool for address translation.

After the configuration, view the NAT Outbound information on R1.

The NAT Outbound configuration information on R1 can be observed. Use PC2 to test connectivity with the external network, and capture packets on interface GE 0/0/0 of R1 to observe the address translation, as shown in the figure.

It can be observed that PC2 can successfully access the external network, and packet capture analysis shows that on the GE 0/0/0 interface of R1 the source address 172.17.1.2 of the ICMP packets from PC2 is replaced by 202.169.10.50, the first address in the address pool.

4. Configure NAT Easy-IP

Because the company is hiring more staff, continuing to use the many-to-many NAT translation mode would require adding more addresses to the public address pool. To save public addresses, the network administrator uses the many-to-one Easy-IP translation mode to meet the marketing department's need to access the external network.

Easy-IP is a form of NAPT: it directly borrows the IP address of the router's outbound interface as the public address and maps different internal addresses to different port numbers on that single public address, achieving many-to-one address translation. The network administrator configures the GE 0/0/0 interface of router R1 as the Easy-IP interface.

Remove the NAT Outbound configuration from interface GE 0/0/0 of R1, and use the nat outbound command to configure the Easy-IP feature, which uses the interface IP address directly as the translated address.

After the configuration, use the UDP packet tool on PC2 and PC3 to send UDP packets to the public address 202.169.20.1: configure the destination IP and the UDP source and destination port numbers, enter a string of data, and click the "Send" button, as shown in the figure.

After PC2 and PC3 have sent the UDP packets, view the detailed NAT session information on R1.

(??? What about PC3 ???)

It can be observed that the UDP packet with source address 172.17.1.2 has its source replaced by the new source address 202.169.10.1 and new source port 10255, and the UDP packet with source address 172.17.1.3 has its source replaced by the new source address 202.169.10.1 and new source port 10256. R1 borrows the public IP address of its own GE 0/0/0 interface to perform NAT for all private addresses and uses different port numbers to distinguish the traffic of different private hosts. This mode does not require an address pool and greatly saves address space.

5. Configure NAT Server

The Server inside the company provides an FTP service for external users. Configure NAT Server, publish the server with the public IP address 202.169.10.6, and then enable the NAT ALG function. For application-layer protocol messages encapsulated in IP packets, ordinary NAT translation causes errors; once NAT ALG is enabled for a given application protocol, that protocol's messages can be translated correctly, otherwise the application protocol does not work properly.

On interface GE 0/0/0 of R1, use the nat server command to define the mapping table for the internal server: specify TCP as the protocol, 202.169.10.6 as the public IP address used by the server, 172.16.1.3 as the server's internal address, and 21 as the port number; this well-known port number can be replaced directly by the keyword "ftp".

After the configuration, view the NAT Server information on R1.

It can be observed that the configuration has taken effect. Enable the FTP function on the server, as shown in the figure.

After the server is set up, simulate a public network user on R2 accessing the private server.

It can be observed that the public network user successfully logs in to the company's private FTP server.
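To make the difference between the three mappings on R1 concrete, the following added example (not part of the original lab and not Huawei's implementation) models R1's translation table for static NAT (PC1), Easy-IP (PC2 and PC3) and NAT Server (the FTP server). It reuses the lab's addresses; the UDP source ports, the external peer 202.169.20.1 and the starting port 10255 are constructed inputs chosen to match the captured session table. The point it shows is that static NAT and NAT Server admit unsolicited inbound packets, whereas Easy-IP only admits return traffic that matches an existing session.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class NatRouter:
    """Toy model of R1: static NAT, Easy-IP (NAPT on the interface address) and NAT Server."""
    def __init__(self, if_ip, static=None, servers=None, first_port=10255):
        self.if_ip = if_ip                   # GE 0/0/0 address, borrowed by Easy-IP
        self.static = dict(static or {})     # inside ip -> global ip, one-to-one
        self.servers = dict(servers or {})   # (global ip, port) -> (inside ip, port)
        self.sessions = {}                   # (inside ip, port, peer ip, peer port) -> new port
        self.next_port = first_port          # constructed: matches 10255/10256 seen in the lab

    def outbound(self, p):
        if p.src in self.static:             # static NAT: address only, port untouched
            return Pkt(self.static[p.src], p.sport, p.dst, p.dport)
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.sessions:         # first packet of a flow creates the session
            self.sessions[key] = self.next_port
            self.next_port += 1
        return Pkt(self.if_ip, self.sessions[key], p.dst, p.dport)

    def inbound(self, p):
        if (p.dst, p.dport) in self.servers:  # NAT Server: published FTP port
            inside, port = self.servers[(p.dst, p.dport)]
            return Pkt(p.src, p.sport, inside, port)
        for inside, glob in self.static.items():
            if p.dst == glob:                # static NAT: any unsolicited packet reaches PC1
                return Pkt(p.src, p.sport, inside, p.dport)
        for (inside, port, peer, peer_port), new_port in self.sessions.items():
            if (p.dst, p.dport, p.src, p.sport) == (self.if_ip, new_port, peer, peer_port):
                return Pkt(p.src, p.sport, inside, port)   # Easy-IP: only matching return traffic
        return None                          # no mapping: the packet is dropped at the edge

def build_r1():
    """R1 as configured in the lab: static NAT for PC1, NAT Server for the FTP server."""
    return NatRouter("202.169.10.1",
                     static={"172.16.1.1": "202.169.10.5"},
                     servers={("202.169.10.6", 21): ("172.16.1.3", 21)})
```

Running `build_r1().inbound(...)` with a destination of 202.169.10.1 and a port that no session has created returns None, which is why the Easy-IP hosts are not reachable from outside the way PC1 is.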

Reflection

In what situations is bidirectional NAT translation required?

Origin www.cnblogs.com/Biebernuo/p/12026089.html