Address translation technology: NAT (HCNA Routing & Switching)

Time: 2022-5-4

Previously we looked at ACL, the packet filtering tool; for a review see https://www.cnblogs.com/qiuhom-1874/p/15156308.html. Today let's talk about address translation technology, NAT.

  NAT technology background

All addresses that are routable on the Internet are public addresses, but with the growth of the Internet the IPv4 address space has been exhausted. IPv6 solves the shortage fundamentally, but many network devices and applications are still IPv4-only, so until IPv6 is widely deployed, transitional technologies are the main means of working around the problem. NAT (Network Address Translation) is mainly used to let hosts on an internal network reach an external network: when a LAN host needs to access the outside, NAT rewrites its private address to a public address, and many private-address users can share one public address. This preserves connectivity and conserves public addresses. In short, NAT rewrites intranet addresses to public addresses so that intranet hosts can communicate normally with external hosts. By direction of translation, rewriting the source address is called SNAT (source network address translation) and rewriting the destination address is called DNAT (destination network address translation).

  NAT application scenarios

Tip: the most common use of NAT today is translating the source IP address so that intranet hosts can reach the Internet normally. This SNAT is sometimes described, by analogy, as a forward proxy. It is usually deployed on the gateway device that joins the intranet and the extranet, RTA in the figure above. When host A wants to reach the external network it first sends the packet to its gateway RTA. RTA rewrites the source address of host A to a public address (either the public address on an interface or one from an address pool), records the translation in its NAT table, re-encapsulates the packet and forwards it. When the reply from the public-network host arrives at RTA, RTA looks up the NAT table, finds the matching entry, rewrites the destination address from the public address back to host A's private address, re-encapsulates the packet and delivers it to host A.

Tip: the figure above shows the other NAT scenario: external hosts accessing an internal server (or some service on it). This requires DNAT: the public destination address is rewritten to the corresponding private address. This DNAT is usually called port mapping, or, by analogy, a reverse proxy. Note the difference between the two. In SNAT the intranet host initiates the connection, and the destination address of the external host's reply is rewritten to the private address according to the NAT table entry, which the router creates and maintains automatically. In DNAT the external host initiates the connection, so there is no existing entry on the router to translate against; the mapping must be configured manually by the administrator.

NAT types

1. Static NAT

Tip: static NAT is a one-to-one translation between a private address and a public address; each public IP is bound to exactly one fixed intranet host. It is used when a host must always appear with the same public address, or when the outside should reach an internal server through a specified public address. In a large network this one-to-one mapping does nothing to relieve the public-address shortage, so it is not suitable for large environments.

Experiment: using the topology below, configure static NAT manually on R1 so that internal host PC1 can reach PC3 normally.

 

Analysis: for PC1 and PC3 to communicate, a usable route must exist in both directions. PC1 and PC3 are on different network segments, so traffic between them must go through a gateway; a packet sent by PC1 must reach PC3, and PC3's reply must reach PC1. Without NAT, PC1's packet is forwarded by R1 because R1 has a default route, and R2 has a directly connected route to PC3's segment, so the request arrives. PC3's reply has source address PC3 and destination address PC1; when it reaches R2, R2 has no route to PC1's segment, so the reply is dropped and PC1 never receives it. R2 does, however, have a directly connected route to R1, and R1 has a directly connected route to PC1's segment. So it is enough to rewrite the source address of PC1's packets on R1 to an address in the R1-R2 segment; PC3's reply will then be routed back to R1 and can reach PC1 normally.

Verification: first configure R1, R2 and the PC addresses as shown above, then capture packets to observe the communication.

Configure R1

system-view
sysname R1
interface GigabitEthernet0/0/0
ip address 192.168.10.254 24
interface GigabitEthernet0/0/1
ip address 2.0.0.1 24
quit
ip route-static 0.0.0.0 0 2.0.0.2

Tip: R1 must have a default route (or a static route) that covers all intranet-originated traffic; otherwise traffic from PC1 arriving at R1 is dropped because there is no matching route.

Configure R2

system-view
sysname R2
interface GigabitEthernet0/0/1
ip address 12.0.0.254 24
interface GigabitEthernet0/0/0
ip address 2.0.0.2 24

Tip: R2 simulates the operator's network, so on R2 we only configure the IP addresses on the interfaces; it deliberately has no route to the intranet segment.

Now ping PC3 from PC1 and capture packets on PC3 to see whether PC1's packets reach PC3 normally.

Tip: the capture on PC3 shows PC1's requests arriving and PC3 replying to PC1, but PC1 never receives the reply, so PC1 reports a request timeout.

Verification: capture packets on G0/0/0 of R2 to see whether the reply from PC3 is dropped.

Tip: on G0/0/0 of R2 we only see PC1's requests to PC3; no replies from PC3 to PC1 appear. This shows that R2 drops the replies, because R2 has no route to PC1's segment.

Configure static NAT on interface G0/0/1 of R1 and check whether PC1 can now communicate with PC3 normally.

interface GigabitEthernet0/0/1
nat static enable
nat static global 2.0.0.5 inside 192.168.10.1

Tip: static NAT must be enabled on the interface (nat static enable) before a mapping takes effect. The mapping command above rewrites the source address of intranet host 192.168.10.1 to the public address 2.0.0.5 on outbound packets, and rewrites destination address 2.0.0.5 back to 192.168.10.1 on inbound packets. Note that 2.0.0.5 is not configured on any interface; it only has to lie in the 2.0.0.0/24 segment that R2 is directly connected to.

Verification: ping PC3 from PC1 and capture on G0/0/0 of R2 to observe the exchange.

Tip: PC1 can now ping PC3. The capture on G0/0/0 of R2 shows PC1's packets leaving R1 with the source address rewritten to 2.0.0.5, and PC3's replies addressed to 2.0.0.5. R2 has a route to 2.0.0.0/24 (its directly connected segment), so the replies are forwarded to R1. When R1 receives a packet destined to 2.0.0.5 it looks up its NAT table; if there is a matching entry it rewrites the destination to the private address and sends the packet out of G0/0/0, where PC1 receives it. Note that PC1 being able to ping PC3 does not mean PC3 can ping PC1: PC3 can only reach PC1 by addressing 2.0.0.5, and for the private address itself to be reachable, R2 would need a route to it.

Can PC2 ping PC3 at this point?

Tip: PC2 cannot ping PC3 because PC3's reply has no route on R2 and is discarded. There is no static NAT entry for PC2 on R1, so when PC2's packets pass through R1 the source IP is left unchanged; the destination of PC3's reply is therefore still PC2's private address, which R2 has no route for, so R2 drops it.

View the static NAT table

  2. Dynamic NAT without port translation (no-pat)

Tip: dynamic NAT translates intranet addresses to public addresses taken from an address pool, so that intranet hosts can reach the external network. Its drawback is that once the addresses in the pool are exhausted, other hosts can only reach the public network after an occupied public address is released, that is, after its NAT entry ages out.

Experiment: in the topology above, delete the static NAT on R1, then create an address pool containing 2.0.0.5-2.0.0.6 and check whether PC1 and PC2 can reach PC3 normally.

Delete the static NAT configured above and create an address pool

Create an ACL to match the traffic of PC1 and PC2

Tip: the ACL above permits any traffic, so both PC1's and PC2's traffic is matched by it.

Under interface G0/0/1 of R1, associate the ACL with the address pool

Tip: the command above applies SNAT to the traffic matched by ACL 2000, taking the translated addresses from address group 1, with no port translation (no-pat).
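The commands for the three steps above (remove the static NAT, build the pool, bind the ACL to the pool on G0/0/1), written out as an added example in Huawei VRP syntax; these are not the post's own captures. The address range, ACL number 2000 and address group 1 follow the text; the ACL rule number and the display commands are assumptions.

```text
# R1, starting in system view. Added example; rule number 5 is an assumption.
interface GigabitEthernet0/0/1
 undo nat static global 2.0.0.5 inside 192.168.10.1
 undo nat static enable
 quit
# Pool of public addresses; with no-pat each translation consumes a whole address
nat address-group 1 2.0.0.5 2.0.0.6
# Basic ACL matching every source, as in the post. In production, restrict it
# to the inside prefix instead: rule 5 permit source 192.168.10.0 0.0.0.255
acl 2000
 rule 5 permit
 quit
interface GigabitEthernet0/0/1
 nat outbound 2000 address-group 1 no-pat
 quit
# Verification; run display nat session all while PC1/PC2 are pinging,
# because the entries age out quickly
display nat outbound
display nat address-group
display nat session all
```

The ACL decides which inside sources may be translated at all, so a permit-any rule also translates traffic from any other device that happens to sit behind R1; narrowing it to the intranet prefix is the usual hardening.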

Verification: can PC1 ping PC3 normally?

Tip: PC1 can ping PC3, but with heavy packet loss. The cause is that the address pool is too small: without port translation each translation consumes a whole public address until its entry ages out, so some packets are translated normally and the rest cannot be translated and are dropped.

Verification: can PC2 ping PC3?

Tip: PC2 can now ping PC3, but at most two packets get through. Every ICMP request PC2 sends takes an address from the pool for translation; there are only two addresses in the pool, so subsequent packets have no address available and are lost.

Verification: view the dynamic NAT session table

Tip: this table has to be read while the ping is running. The output shows that each ICMP request is translated using an address taken from the pool. The experiment shows that this dynamic NAT also translates the source IP address so that intranet hosts can reach the external network, but dynamic SNAT without port translation first needs an address pool, and if the pool is small, communication quality suffers. So this is not the mode commonly used for Internet access.

  3. Dynamic NAT with port translation (PAT)

Tip: NAPT (Network Address Port Translation), also called PAT, lets multiple private addresses be mapped to different ports of the same public address. (It should not be confused with NAT-PT, which is a different technology for translating between IPv6 and IPv4.) The difference between PAT and no-pat is only that PAT rewrites the source port as well as the source address; otherwise the two work the same way, taking addresses from the address pool.

Experiment: change the no-pat mode above to PAT mode

Tip: PAT is the default mode; we simply omit the no-pat keyword.

Verification: ping PC3 from PC1 and check whether there is still packet loss.

Tip: now PC1 pings PC3 without packet loss, and every packet uses the address 2.0.0.5. In port translation mode each packet PC1 sends carries a source port, and R1 rewrites it to a source port of its own choosing. Port numbers are 16 bits, so one public address offers up to 65535 usable ports, and R1 can distinguish that many concurrent sessions behind a single address (in practice somewhat fewer, since part of the range is reserved).

View the dynamic NAT session table

Tip: the NAT session table now also records the translated source port. The experiments show that port translation saves public IP addresses to a great extent. But even this is not the mode most of us use to get online, because it depends on an address pool of fixed public IPs, whereas most Internet access is through dial-up, where the public IP address is not fixed. So how do we configure dynamic NAT when the public address is not fixed?

  4. Easy IP

Tip: Easy IP suits the scenario where hosts in a small LAN access the Internet. Small LANs are typically deployed in small Internet cafes or offices with few internal hosts, and the outbound interface obtains a temporary public IP address by dialing up. Easy IP lets the internal hosts use this temporary public address to reach the Internet. It works essentially the same way as NAPT; the only difference is that Easy IP translates to the IP address of the outbound interface, while NAPT translates to addresses from an address pool. The advantage of using the interface address is that if the interface's IP address changes, the NAT configuration does not have to change; the translation follows the interface address.

Experiment: change NAPT mode to Easy IP mode

Tip: the Easy IP configuration is similar to dynamic NAT; the main difference is that Easy IP does not need an address pool.
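The two changes for sections 3 and 4 (no-pat to PAT, then PAT to Easy IP), written out as an added example in VRP syntax; these are not the post's own captures. The interface, ACL number and address group follow the text; everything else is an assumption.

```text
# R1, interface view. Added example, not the page's own configuration.
interface GigabitEthernet0/0/1
 # Step 1: no-pat -> PAT. Dropping the no-pat keyword is the only change;
 # PAT is the default for nat outbound with an address group.
 undo nat outbound 2000 address-group 1 no-pat
 nat outbound 2000 address-group 1
 # Step 2: PAT -> Easy IP. No address group at all: the translated address is
 # whatever address G0/0/1 currently holds (2.0.0.1 here), so a dial-up
 # address change needs no NAT reconfiguration.
 undo nat outbound 2000 address-group 1
 nat outbound 2000
 quit
# Verification: display nat outbound should show type easyip after step 2,
# and display nat session all shows translated source address and port
display nat outbound
display nat session all
```

After step 2 the address group is unused and can be removed with undo nat address-group 1; as long as it is bound on the interface, that undo command is refused.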

Verification: ping PC3 from PC1 and check whether the source address is translated to the address of G0/0/1 on R1.

Tip: when PC1 pings PC3 now, PC1's address is translated to the IP address of G0/0/1 on R1.

Verification: view the dynamic NAT configuration.

Tip: the NAT configuration no longer references an address pool number; the global address is the interface's own IP address and the type is shown as easyip.

Verification: view the NAT session table

Tip: the NAT session table looks the same as for NAPT; both translate the source address and the source port.

In the four modes above, intranet hosts reach the external network by translating the source IP address (and, for PAT and Easy IP, the source port); all of them are SNAT. Now let's look at the other kind of NAT: port mapping, also called DNAT or NAT server.

  5. NAT server (DNAT or port mapping)

Tip: NAT not only lets private-network users reach the public network, it also hides private hosts from unsolicited access by public-network users. So when a private network has to offer services to the public, a server inside it must be reachable from the public network at any time. NAT server meets this need: the server's private address and port are translated to a public address and port and published, that is, a private IP and port is mapped one-to-one to a public IP and port, so that a public-network user who connects to that public port reaches the service on the private host. Note that the hiding is a side effect of there being no session entry for unsolicited inbound packets, not an access-control policy: once a NAT server mapping exists, the mapped port is reachable from the whole public network, so only publish services that are meant to be public and filter the rest.

Experiment: using the topology below, allow public-network users to access the server inside the LAN

Configure server 1

Configure R1

system-view
sysname R1
interface GigabitEthernet0/0/0
ip address 192.168.10.254 24
interface GigabitEthernet0/0/1
ip address 2.0.0.1 24
nat server protocol tcp global 2.0.0.5 8080 inside 192.168.10.80 80
quit
ip route-static 0.0.0.0 0 2.0.0.2

Tip: the command above maps TCP port 80 of intranet host 192.168.10.80 to TCP port 8080 of public IP 2.0.0.5. Only that protocol and port are mapped; other ports of 2.0.0.5, and ICMP, are not forwarded to the server, so pinging 2.0.0.5 from the client is not a valid test of the mapping.

Configure R2

system-view
sysname R2
interface GigabitEthernet0/0/1
ip address 12.0.0.254 24
interface GigabitEthernet0/0/0
ip address 2.0.0.2 24

Configure client

Verification: from the client, access port 8080 of 2.0.0.5 and check whether the HTTP service is reachable.

Tip: accessing port 8080 of the public address 2.0.0.5 reaches the service on port 80 of 192.168.10.80 normally.

Change the public address in the mapping to the address of the outbound interface itself

Verification: view the port mapping table

Tip: the mapping table lists, for each global public IP address and port, the corresponding intranet IP address and port.
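The interface-address variant of the mapping and the commands used to check it, as an added example in VRP syntax rather than the post's own capture. The 2.0.0.5 mapping is the one from the text; the current-interface form and the display commands are assumptions based on the AR router command reference.

```text
# R1, interface view. Added example, not the page's own configuration.
interface GigabitEthernet0/0/1
 # Replace the mapping on the dedicated public IP with one on the
 # interface's own address (2.0.0.1 here); the inside side is unchanged.
 undo nat server protocol tcp global 2.0.0.5 8080 inside 192.168.10.80 80
 nat server protocol tcp global current-interface 8080 inside 192.168.10.80 80
 quit
# Verification: the server mapping table, then live sessions while the
# client is connected; only TCP/8080 is published, nothing else on 2.0.0.1
display nat server
display nat session all
```

Because the mapping is per protocol and port, a practitioner checks the published set with display nat server before and after every change; an extra line in that table is an extra service exposed to the whole public network.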
