NAT network address translation

Posted by Paul Arnold on Fri, 26 Nov 2021 23:12:15 +0100

NAT: network address translation

IPv4 addresses fall into five classes, A through E.
Classes A, B and C are unicast addresses: they can be used as either the source or the destination address of a packet (D is multicast, E is reserved).
Within A, B and C there is a further split between public and private addresses.
Public IP address: globally unique, allocated through the registries (in practice leased from an ISP) and routable on the Internet.
Private IP address: unique only within the local site; Internet routers do not carry these prefixes, so a host with a private address needs NAT (or a proxy) to reach the Internet.

Private IP address ranges (RFC 1918):

10.0.0.0/8        (10.0.0.0 - 10.255.255.255)
172.16.0.0/12     (172.16.0.0/16 - 172.31.0.0/16, i.e. 172.16.0.0 - 172.31.255.255)
192.168.0.0/16    (192.168.0.0/24 - 192.168.255.0/24, i.e. 192.168.0.0 - 192.168.255.255)

Cisco

NAT rewrites the IP address of traffic as it passes through a router. The usual rule: traffic going from inside to outside gets its source address rewritten; traffic coming from outside to inside gets its destination address rewritten.
Static NAT: the mapping between addresses is fixed.
Dynamic NAT: the mapping is temporary and built on demand.
When traffic flows from inside to outside, the inside local address (the private address) is rewritten to the inside global address (the public address the host is seen as from the Internet);
when the reply flows from outside to inside, the inside global address is rewritten back to the inside local address.

1. One to one (static)

On the border router, a fixed, permanent mapping record is created. Unlike a dynamic entry it never times out, and because the entry exists before any traffic is seen, it also lets outside hosts open connections to the inside host.

r1(config)#ip nat inside source static 192.168.1.2 12.1.1.1
#                                      inside local  inside global

2. One to many (dynamic)

When several private addresses are translated to the same public address, NAT also rewrites the source port so that each session gets a unique temporary mapping (inside local:port <-> inside global:port).
Temporary mapping: an inside host must send traffic outward first; the translation entry is created from that packet, the reply is matched against the entry, and the entry's timer is refreshed while traffic keeps flowing (the entry is removed when the timer expires).
Because the port is rewritten as well, one-to-many is also called PAT (port address translation), or NAPT.
One public IP has only about 65,000 usable port numbers per transport protocol, so a single address can carry at most that many concurrent sessions (sessions, not packets), which is not enough for a large network.

r1(config)#access-list 1 permit 192.168.1.0 0.0.0.255
r1(config)#ip nat inside source list 1 interface fastEthernet 0/1 overload
#                                 inside local      inside global

overload: the keyword selects dynamic, port-translating NAT (PAT) rather than static or address-only translation. Since one-to-many on a single interface address can only work as PAT, the device adds the keyword by default even if it is omitted; configure it explicitly anyway so the running config says what it does.

3. Many to many (both dynamic and static)

Mainly for large LANs where many hosts need to reach the Internet at the same time: one public IP can carry only about 65,000 concurrent sessions, so several public IPs are provided at once as a pool.

r1(config)#ip nat pool a 12.1.1.3 12.1.1.10 netmask 255.255.255.0
# public address range
r1(config)#access-list 2 permit 192.168.0.0 0.0.255.255
# private address range
r1(config)#ip nat inside source list 2 pool a ?
  overload  Overload an address translation

With overload the translation is dynamic PAT: private addresses are translated to ports on the pool addresses in turn, which is equivalent to several one-to-many translations running side by side. Without overload the translation is address-only dynamic NAT: the first hosts to send traffic each borrow one whole pool address for the lifetime of their translation entry (a temporary one-to-one mapping), and once every pool address is taken, further hosts cannot be translated until an entry times out.

4. Port mapping

r1(config)#ip nat inside source static tcp 192.168.1.250 80 12.1.1.1 80
# Only when the outside reaches 12.1.1.1 with destination port 80 is the packet translated: the destination becomes 192.168.1.250, port 80
r1(config)#ip nat inside source static tcp 192.168.1.251 80 12.1.1.1 8888
# Only when the outside reaches 12.1.1.1 with destination port 8888 is the packet translated: the destination becomes 192.168.1.251, port 80

The same entry translates the server's replies (192.168.1.251:80 back to 12.1.1.1:8888) on the way out. A port mapping is a static entry: it never times out and it lets any outside host open connections to the inside server, so map only the ports that must be reachable and limit the sources with an access-list on the outside interface.
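The four Cisco cases above (static one-to-one, PAT on one address, a pool with or without overload, and a static port mapping) differ only in how the translation table is keyed and when an entry is created. The following is an added example, not code from the original post, that models that table in Python: `NatRouter`, `Flow` and all the addresses are constructed for the example (they mirror the page's 192.168.1.0/24 inside and 12.1.1.x inside-global addresses). It shows the two failure modes the text describes, pool exhaustion without overload and port exhaustion with it, and shows why return traffic gets through while unsolicited inbound traffic to a PAT'd host does not.

```python
"""Toy model of a NAT border router: static NAT, dynamic pool NAT (no overload),
PAT (overload) and static port mapping, with inbound matching of return traffic.
Added example, not from the original post; addresses mirror the page's Cisco config."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Flow:
    proto: str  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    def __init__(self, inside_net, pool, overload=False, port_range=(1024, 65535)):
        self.inside_net = ipaddress.ip_network(inside_net)  # stands in for the access-list
        self.pool = list(pool)        # inside-global addresses (ip nat pool / interface address)
        self.overload = overload      # True: PAT; False: address-only dynamic NAT
        self.port_range = port_range  # shrunk in the tests to show port exhaustion
        self.next_port = {}           # (proto, global) -> next candidate port
        self.static, self.static_rev = {}, {}              # local <-> global, one-to-one
        self.static_ports = {}        # (proto, global, gport) -> (local, lport)
        self.static_ports_rev = {}    # (proto, local, lport) -> (global, gport)
        self.free = list(self.pool)   # pool addresses not borrowed yet (no-overload mode)
        self.dyn, self.dyn_rev = {}, {}                    # local <-> borrowed pool address
        self.pat = {}      # (proto, local, lport, remote, rport) -> (global, gport)
        self.pat_rev = {}  # (proto, global, gport, remote, rport) -> (local, lport)

    def add_static(self, local, glob):  # ip nat inside source static <local> <global>
        self.static[local], self.static_rev[glob] = glob, local

    def add_static_port(self, proto, local, lport, glob, gport):  # ... static tcp <l> <lp> <g> <gp>
        self.static_ports[(proto, glob, gport)] = (local, lport)
        self.static_ports_rev[(proto, local, lport)] = (glob, gport)

    def _alloc_port(self, proto):
        """Next free (global, port) across the pool, skipping statically mapped ports; None if exhausted."""
        for g in self.pool:
            p = self.next_port.get((proto, g), self.port_range[0])
            while p <= self.port_range[1]:
                self.next_port[(proto, g)] = p + 1
                if (proto, g, p) not in self.static_ports:
                    return g, p
                p += 1
        return None

    def outbound(self, f):
        """Inside -> outside: rewrite the source. Returns the translated Flow, the flow
        unchanged on an ACL miss, or None when no translation can be built."""
        if ipaddress.ip_address(f.src) not in self.inside_net:
            return f  # ACL miss: forwarded untranslated (a private source is dropped upstream)
        if (f.proto, f.src, f.sport) in self.static_ports_rev:  # server replying from its mapped port
            g, p = self.static_ports_rev[(f.proto, f.src, f.sport)]
            return replace(f, src=g, sport=p)
        if f.src in self.static:
            return replace(f, src=self.static[f.src])
        if not self.overload:  # many-to-many without overload: borrow a whole address
            if f.src not in self.dyn:
                if not self.free:
                    return None  # pool exhausted: later hosts wait for an entry to time out
                g = self.free.pop(0)
                self.dyn[f.src], self.dyn_rev[g] = g, f.src
            return replace(f, src=self.dyn[f.src])
        key = (f.proto, f.src, f.sport, f.dst, f.dport)  # PAT entries are full 5-tuples
        if key not in self.pat:
            alloc = self._alloc_port(f.proto)
            if alloc is None:
                return None  # every port on every pool address is in use
            self.pat[key] = alloc
            self.pat_rev[(f.proto, alloc[0], alloc[1], f.dst, f.dport)] = (f.src, f.sport)
        g, p = self.pat[key]
        return replace(f, src=g, sport=p)

    def inbound(self, f):
        """Outside -> inside: rewrite the destination. None means no entry matches and the
        packet is dropped: only static entries accept connections the inside did not start."""
        hit = self.static_ports.get((f.proto, f.dst, f.dport))
        if hit:
            return replace(f, dst=hit[0], dport=hit[1])
        if f.dst in self.static_rev:
            return replace(f, dst=self.static_rev[f.dst])
        if f.dst in self.dyn_rev:
            return replace(f, dst=self.dyn_rev[f.dst])
        hit = self.pat_rev.get((f.proto, f.dst, f.dport, f.src, f.sport))
        return replace(f, dst=hit[0], dport=hit[1]) if hit else None


if __name__ == "__main__":
    r = NatRouter("192.168.1.0/24", ["12.1.1.1"], overload=True, port_range=(1024, 1025))
    for host in ("192.168.1.2", "192.168.1.3", "192.168.1.4"):
        print(host, "->", r.outbound(Flow("tcp", host, 40000, "8.8.8.8", 443)))
    print("reply  ->", r.inbound(Flow("tcp", "8.8.8.8", 443, "12.1.1.1", 1024)))
    print("forged ->", r.inbound(Flow("tcp", "1.2.3.4", 443, "12.1.1.1", 1024)))
```

The PAT table is keyed on the full 5-tuple, as the entries in `show ip nat translations` are, so a reply is only let in when it comes from the remote endpoint the inside host talked to; the port range is deliberately tiny so the exhaustion case appears after two sessions rather than 64,000. Timers are left out: a real entry is refreshed by traffic and removed on timeout, which is what frees pool addresses and ports again.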

Remember: whatever kind of NAT is configured on a Cisco device, each interface on the border router must be marked as inside or outside; without these two commands no translation takes place at all.

r1(config)#interface fastEthernet 0/0
r1(config-if)#ip nat inside
r1(config-if)#exit
r1(config)#interface fastEthernet 0/1
r1(config-if)#ip nat outside

Huawei

There is no need to mark the direction of each interface on the border router, but NAT is still configured on the border router, on the interface facing the public network.

1. Static NAT - the same as one-to-one in Cisco

[RTA-Serial1/0/0]nat static global 202.10.10.1 inside 192.168.1.1
[RTA-Serial1/0/0]nat static global 202.10.10.2 inside 192.168.1.2
#                                  public (global)       private (inside)
[RTA]display nat static

2. Dynamic NAT - the same as Cisco's many-to-many

[RTA]nat address-group 1 200.10.10.1 200.10.10.200  # public ip range
[RTA]acl 2000
[RTA-acl-basic-2000]rule 5 permit source 192.168.1.0 0.0.0.255  # private ip range
[RTA-acl-basic-2000]quit
[RTA]interface serial1/0/0  # the interface holding the public ip address, connected to the Internet
[RTA-Serial1/0/0]nat outbound 2000 address-group 1 no-pat
#                           private        public
# Remember: with no-pat the translation is address-only (temporary one-to-one) many-to-many; without no-pat it is NAPT, dynamic many-to-many with port translation.
[RTA]display nat address-group 1

3. Easy IP (easy NAT) - the same as one-to-many in Cisco: PAT, port address translation. No address-group is given, so the interface's own public address is used.

[RTA]acl 2000
[RTA-acl-basic-2000]rule 5 permit source 192.168.1.0 0.0.0.255  # private
[RTA-acl-basic-2000]quit
[RTA]interface serial1/0/0  # the interface holding the public ip address
[RTA-Serial1/0/0]nat outbound 2000
[RTA]display nat outbound

4. nat server - the same as port mapping in Cisco

[RTA-GigabitEthernet0/0/1]interface Serial1/0/0  # the interface connected to the public network
[RTA-Serial1/0/0]ip address 200.10.10.2 24
[RTA-Serial1/0/0]nat server protocol tcp global 202.10.10.1 www inside 192.168.1.1 8080
# outside connections to 202.10.10.1 port 80 (www) are delivered to 192.168.1.1 port 8080; the global address must be routed to this router

As with the Cisco port mapping, this is a static entry that accepts connections from any outside host, so publish only the ports that must be reachable and filter the sources with an ACL on the outbound interface.

Topics: network