Explanation of NAT network backflow: the intranet logs on to the server using the server's Internet IP address

Source: Internet
Author: User
Tags: dns spoofing

Hi everyone, today we are going to discuss a question that many people cannot find an answer to: why can't the intranet reach an intranet server through the server's public address? Not every device has this problem. On Cisco devices it depends on the IOS version: some versions have no such problem while others do, and some NetScreen firewalls have it as well. The key is whether the developer is aware of the problem, because it can be avoided completely by modifying IOS. There are workarounds, such as intranet DNS spoofing and the alias command on the PIX, but why do some devices not support them? I am a little afraid to post this, because some of the conclusions rest purely on reasoning and no device was used for testing. I hope you will discuss it with me and help me out. Thank you!
 
 
Everything below applies to an Ethernet egress. The problem does not occur with a serial-port uplink.
 
 
This figure is the initial topology of this post. The local router is the big circle; the ISP router is connected to it, and the ISP is connected to an arbitrary router on the Internet.
 
 
The local egress address is 5.5.5.1 and the ISP peer is 5.5.5.2 (the masks are not written here; we discuss them later). 1.1.1.1 and 1.1.1.2 are the intranet addresses of the two servers on the intranet, statically mapped to 5.5.5.4 and 5.5.5.5 on the Internet. All intranet PCs are translated (PAT) at the egress. The local router uses a default route to the ISP peer.
 
I think this topology is very common, and I think it is precisely because this topology is so general that so many people report the problem "the intranet cannot access intranet servers through their public addresses". I think the key cause lies in the mask, that is, in the Layer 3 planning.
 
 
 
 
Section 1
 
Let's look at the usual mask planning for this environment. Assume the ISP assigns the local site a subnet of eight addresses. The ISP router interface and the local router interface take two, the network address and the broadcast address take two, and four are usable; the mask is .248 (a /29). For the topology in the figure, assume the egress mask of the local router is .248 (the PAT address of the intranet PCs carries the same .248 mask) and the two mapped server addresses also have a .248 mask. The most common result of this mask planning is that the server addresses, the PAT address of the intranet PCs and the local egress address are all in the same network segment. Let's follow a packet out and back to see whether an intranet PC can reach the intranet server through its public address.
 
Assume intranet PC 1.1.1.111 pings 5.5.5.4 (the server's public address). The request packet has source address 1.1.1.111 and destination address 5.5.5.4. After receiving it, the router checks its routing table and finds that 5.5.5.4 lies in the egress network segment (assuming the egress is an Ethernet port), so it directly broadcasts an ARP request for the MAC address of 5.5.5.4. Here the problem arises: who answers this request? Nobody. So in this case (all public addresses in the same CIDR block) the outcome is certain: not only does access to the server from the intranet fail, access to the server through its public address also fails.
 
Conclusion 1: as long as the egress address and the public IP address mapped to the server are in the same network segment, there is a problem.
 
 
 
 
 
Section 2
 
 
From the discussion above we know that as long as the egress address and the server's mapped public address are in the same network segment, the inevitable result is "no response". So this time we change the mask planning: the egress mask becomes .252 (the ISP's mask must be changed as well). Here I first state a key point: the addresses in the NAT pool do not have to be in the same network segment as the egress address. I discussed this in earlier posts; I was confused at first and worked it out later. As long as the ISP router has routes for these addresses with the local router as the next hop, the local router receives these packets.
 
Let's follow a packet again. Intranet PC 1.1.1.111 pings 5.5.5.4: the request has source address 1.1.1.111 and destination address 5.5.5.4. After receiving it, the router checks its routing table; this time 5.5.5.4 is not on any local interface, so the default route is used and the packet is sent to the ISP's peer port. An entry is created in the local NAT table recording that intranet address 1.1.1.111 is translated to public address 5.5.5.1 plus a port number (assume port 8888). The ISP receives a packet with destination 5.5.5.4 and source 5.5.5.1. It checks its routing table and finds that the next hop for 5.5.5.4 is 5.5.5.1, the local router, so it sends the packet back to the local router. After this round trip the local router receives the packet and first hands it to the NAT engine, which finds that 5.5.5.4 is statically mapped to intranet host 1.1.1.1, so the destination address becomes 1.1.1.1 while the source stays 5.5.5.1. The packet is then handed to the routing engine, which of course has a route to 1.1.1.1 and delivers it directly at Layer 2 to 1.1.1.1. This completes the analysis of the request packet.
 
Now the return packet. Server 1.1.1.1 receives the request and prepares to reply to 5.5.5.1 (plus port number): the reply has source address 1.1.1.1 and destination address 5.5.5.1:8888. When the local router receives it, it goes to the routing engine first, which finds that 5.5.5.1 is the egress address, and the problem appears again: the packet is destined for the egress itself rather than for somewhere beyond the egress. What should the router do now? If the packet had arrived from the outside with destination 5.5.5.1:8888, it would be handed to the NAT engine for translation. But this is a packet travelling from inside to outside, which must go to the routing engine first. In my view, because the packet comes from the inside and its destination is the egress itself, and the egress has no ports open (unless port 80 or port 23 is enabled for web or telnet management), the router discards it, and no reply is ever received.
 
Conclusion 2: as long as the egress address and the PAT address of the intranet PCs are in the same network segment, the same problem may occur.
 
 
 
 
 
Section 3
 
 
Now we change the mask scheme so that the PAT address of the intranet PCs and the server's mapped address are in the same network segment, but a different one from the egress segment. Assume the PAT address of the intranet PCs is 5.5.5.6 (the same segment as the server address).
 
We follow a packet once more: intranet PC 1.1.1.111 pings 5.5.5.4, with source address 1.1.1.111 and destination address 5.5.5.4. After receiving it, the router checks its routing table; 5.5.5.4 is not on any local interface, so the default route is used and the packet is sent to the ISP's peer port. An entry is created in the local NAT table recording that intranet address 1.1.1.111 is translated to public address 5.5.5.6 plus a port number. The ISP receives a packet with destination 5.5.5.4 and source 5.5.5.6. It checks its routing table and finds that the next hop for 5.5.5.4 is 5.5.5.1, the local router, so it sends the packet back to the local router. After this round trip the local router receives the packet and first hands it to the NAT engine, which finds that 5.5.5.4 is statically mapped to intranet host 1.1.1.1, so the destination address becomes 1.1.1.1 while the source stays 5.5.5.6. The packet is then handed to the routing engine, which of course has a route to 1.1.1.1 and delivers it directly at Layer 2 to 1.1.1.1. This completes the analysis of the request packet.
 
Now the return packet. Server 1.1.1.1 receives the request and prepares to reply to 5.5.5.6 (plus port number): the reply has source address 1.1.1.1 and destination address 5.5.5.6. The local router hands it to the routing engine first; 5.5.5.6 is not on any local port, so the default route is used and the packet goes to the ISP. An entry is created in the NAT table translating 1.1.1.1 to 5.5.5.4. The ISP receives a packet with source 5.5.5.4 and destination 5.5.5.6, checks its routing table, and finds that the next hop for 5.5.5.6 is 5.5.5.1, the local router, so the packet is sent back. After the round trip the local router receives it and first hands it to the NAT engine, which finds that destination 5.5.5.6 corresponds to intranet PC 1.1.1.111 in the NAT table, so it replaces 5.5.5.6 with 1.1.1.111 while the source stays 5.5.5.4. The packet then goes to the routing engine, which sends it at Layer 2 to 1.1.1.111. Host 1.1.1.111 thus receives a packet from 5.5.5.4, the public address it sent the original ping request to.
So the ping succeeds!!!!
 
 
Conclusion 3: when the PAT address of the intranet PCs and the public IP address of the server are in the same CIDR block, and the egress IP address is in a different CIDR block, the ping succeeds.
 
 
 
 
 
Section 4
 
 
The climax of this post has arrived: so far only one case remains, in which the intranet PAT address, the server's public address and the egress address are all in different network segments. Assume the egress mask is .252, the server's public IP mask is .248, and the PAT address of the intranet PCs is changed to 5.5.5.254. These three addresses are not in the same CIDR block. In addition, the ISP must have routes for the server's public IP address and for the PAT IP address of the intranet PCs, with next hop 5.5.5.1. We follow a packet again: PC 1.1.1.111 pings 5.5.5.4, with source address 1.1.1.111 and destination address 5.5.5.4. After receiving it, the router checks its routing table; 5.5.5.4 is not on any local interface, so the default route is used and the packet is sent to the ISP's peer port. An entry is created in the local NAT table recording that intranet address 1.1.1.111 is translated to public address 5.5.5.254 plus a port number. The ISP receives a packet with destination 5.5.5.4 and source 5.5.5.254; it checks its routing table and finds that the next hop for 5.5.5.4 is 5.5.5.1, the local router, so it sends the packet back to the local router. After this round trip the local router receives the packet and first hands it to the NAT engine, which finds that 5.5.5.4 is statically mapped to intranet host 1.1.1.1, so the destination address becomes 1.1.1.1 while the source stays 5.5.5.254. The packet is then handed to the routing engine, which of course has a route to 1.1.1.1 and delivers it directly at Layer 2 to 1.1.1.1. This completes the analysis of the request packet.
 
Now the return packet. Server 1.1.1.1 receives the request and prepares to reply to 5.5.5.254 (plus port number): the reply has source address 1.1.1.1 and destination address 5.5.5.254. The local router hands it to the routing engine first; 5.5.5.254 is not on any local port, so the default route is used and the packet goes to the ISP. An entry is created in the NAT table translating 1.1.1.1 to 5.5.5.4. The ISP receives a packet with source 5.5.5.4 and destination 5.5.5.254, checks its routing table, and finds the route for 5.5.5.254.
Its next hop should be 5.5.5.1, the local router, so the packet is sent back. After the round trip the local router receives it and first hands it to the NAT engine, which finds that destination 5.5.5.254 with its port corresponds to intranet PC 1.1.1.111 in the NAT table, so it replaces 5.5.5.254 with 1.1.1.111 while the source stays 5.5.5.4. The packet then goes to the routing engine, which sends it at Layer 2 to 1.1.1.111. Host 1.1.1.111 thus receives a packet from 5.5.5.4, the public address it sent the original ping request to. The ping to the public IP address succeeds!!!!
 
 
 
Conclusion 4: when all three addresses are in different network segments, the ping succeeds.
 
 
 
 
 
 
 
 
Conclusion:
 
Conclusion 1: as long as the egress address and the public IP address mapped to the server are in the same network segment, there is a problem.
Conclusion 2: as long as the egress address and the PAT address of the intranet PCs are in the same network segment, there is also a problem.
Conclusion 3: when the PAT address of the intranet PCs and the public IP address of the server are in the same CIDR block, and the egress IP address is in a different CIDR block, the ping succeeds.
Conclusion 4: when all three addresses are in different network segments, the ping succeeds.
 
It is easy to see that the first two conditions are each sufficient: if either one is met, the problem occurs. Most access setups today satisfy the first two conditions, because almost nobody changes the mask planning. As a result, the intranet cannot access the intranet server through its public address!!!!!
 
As long as the egress address is not in the same CIDR block as the other two addresses, the problem does not occur.
 
So far we have discussed the cause of the problem. Along the way I arrived at one inference and one question that still needs to be verified.
 
Inference: if the public IP addresses in the NAT pool are in a different network segment from the egress IP address, then pinging a public IP address in the NAT pool, whether from the private side or from the public side, produces a loop: the packet goes back and forth between the local router and the ISP.
 
 
Question to be verified:
For sections 3 and 4, what happens if the mask is changed only at the local egress and nothing is changed on the ISP side? Take the environment of section 3 and follow a packet: intranet PC 1.1.1.111 pings 5.5.5.4, with source address 1.1.1.111 and destination address 5.5.5.4. After receiving it, the router checks its routing table; 5.5.5.4 is not on any local interface, so the default route is used and the packet is sent to the ISP's peer port. An entry is created in the local NAT table recording that intranet address 1.1.1.111 is translated to public address 5.5.5.6 plus a port number. The ISP receives a packet with destination 5.5.5.4 and source 5.5.5.6 and checks its routing table. Because the ISP interface mask was not lengthened and is still .248, it finds that 5.5.5.4 is on its own interface, so it sends an ARP request for the MAC address of 5.5.5.4 directly on that interface. In principle nobody should answer (unless proxy ARP is enabled locally), but every now and then a "show arp" on the router shows some strange entries: the IP addresses are all addresses in the NAT pool, and the MAC address is that of the local egress regardless of the IP address. If so, the ARP request would get a response even though the requested IP address is not in the same segment as the egress address. I don't know whether this is true.
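The following model is an added example and is not part of the post, nor is it Cisco IOS or NetScreen code: it reproduces, in Python, only the forwarding decisions the post describes for sections 1 to 4 (on-link ARP versus default route at the local router, NAT engine before routing engine on the way back in, static NAT for the server and PAT for the PC), the local-to-ISP loop from the inference above (a pool address with no NAT entry), and the question about an unchanged ISP mask. The ISP is modelled as holding routes for the server and pool addresses with next hop 5.5.5.1 except when its own interface mask makes an address look on-link; the post's "egress answers ARP for pool addresses" hypothesis is represented by the assumed `proxy_arp` flag, and a single PAT port 8888 stands in for the port table. All class and function names are assumptions of this example.

```python
from ipaddress import IPv4Address, IPv4Interface

# Addresses taken from the post's topology.
INSIDE_PC = IPv4Address("1.1.1.111")
INSIDE_SERVER = IPv4Address("1.1.1.1")
SERVER_PUBLIC = IPv4Address("5.5.5.4")   # static NAT 5.5.5.4 <-> 1.1.1.1
EGRESS = IPv4Address("5.5.5.1")          # local router egress address
ISP_PEER = IPv4Address("5.5.5.2")
PORT = 8888                              # PAT port used in the post
MAX_HOPS = 16                            # bounds the local<->ISP loop from the post's inference


class Topology:
    """The post's topology under one mask plan (hypothetical model, not IOS behaviour)."""

    def __init__(self, egress_prefix, pat_addr, isp_prefix=None, proxy_arp=False):
        self.egress_net = IPv4Interface(f"{EGRESS}/{egress_prefix}").network
        self.isp_net = IPv4Interface(f"{ISP_PEER}/{isp_prefix or egress_prefix}").network
        self.pat_addr = IPv4Address(pat_addr)
        self.proxy_arp = proxy_arp   # assumed flag for the post's unverified ARP hypothesis
        self.nat_table = {}          # (public address, port) -> inside address, PAT entries
        self.trace = []              # one line per forwarding decision, for reading the result

    # --- local router ---------------------------------------------------------
    def route_public(self, dst):
        """Routing-engine decision for a public destination: 'drop' or 'isp'."""
        if dst == EGRESS:
            self.trace.append(f"local: {dst} is the egress itself, nothing listening, dropped")
            return "drop"
        if dst in self.egress_net:
            self.trace.append(f"local: {dst} looks on-link, ARP on the egress gets no answer")
            return "drop"
        self.trace.append(f"local: {dst} not on any interface, default route to {ISP_PEER}")
        return "isp"

    def inside_to_outside(self, src, dst):
        """Inside host sends to a public address: routing first, then source NAT."""
        if self.route_public(dst) == "drop":
            return None
        new_src = SERVER_PUBLIC if src == INSIDE_SERVER else self.pat_addr
        if src != INSIDE_SERVER:
            self.nat_table[(new_src, PORT)] = src   # PAT entry, e.g. 1.1.1.111 -> pool:8888
        self.trace.append(f"local: NAT source {src} -> {new_src}, sent to the ISP")
        return new_src, dst

    def outside_to_inside(self, dst):
        """Packet coming back from the ISP: NAT engine first, routing engine second."""
        inside = INSIDE_SERVER if dst == SERVER_PUBLIC else self.nat_table.get((dst, PORT))
        if inside is not None:
            self.trace.append(f"local: NAT destination {dst} -> {inside}, delivered at Layer 2")
            return "delivered", inside
        return self.route_public(dst), None   # untranslated: routed like any public address

    # --- ISP router -----------------------------------------------------------
    def isp_forward(self, dst):
        """ISP routes the server and pool addresses to 5.5.5.1, unless its own
        interface mask makes the address look on-link, in which case it ARPs."""
        if dst not in self.isp_net:
            self.trace.append(f"isp: {dst} via next hop {EGRESS}")
            return True
        answer = "answered by the egress MAC" if self.proxy_arp else "unanswered"
        self.trace.append(f"isp: {dst} on-link, ARP {answer}")
        return self.proxy_arp

    # --- end to end -----------------------------------------------------------
    def relay_to_inside(self, dst):
        """Carry a public-addressed packet from the ISP until delivered, dropped or looping."""
        for _ in range(MAX_HOPS):
            if not self.isp_forward(dst):
                return None
            state, inside = self.outside_to_inside(dst)
            if state == "delivered":
                return inside
            if state == "drop":
                return None
        self.trace.append(f"loop: {dst} bounced between local and ISP {MAX_HOPS} times")
        return "loop"

    def pc_pings_server_public(self):
        """Intranet PC pings the server's public address; True if the reply gets back."""
        if self.inside_to_outside(INSIDE_PC, SERVER_PUBLIC) is None:
            return False
        if self.relay_to_inside(SERVER_PUBLIC) != INSIDE_SERVER:
            return False
        if self.inside_to_outside(INSIDE_SERVER, self.pat_addr) is None:   # reply to PAT address
            return False
        return self.relay_to_inside(self.pat_addr) == INSIDE_PC

    def outside_pings(self, dst):
        """Internet host sends to a public address; returns the inside host, 'loop' or None."""
        return self.relay_to_inside(IPv4Address(dst))


if __name__ == "__main__":
    cases = [("section 1", Topology(29, "5.5.5.1")),
             ("section 2", Topology(30, "5.5.5.1")),
             ("section 3", Topology(30, "5.5.5.6")),
             ("section 4", Topology(30, "5.5.5.254")),
             ("isp still .248", Topology(30, "5.5.5.6", isp_prefix=29))]
    for label, topo in cases:
        print(label, "ping ok" if topo.pc_pings_server_public() else "ping fails")
        print("\n".join("  " + line for line in topo.trace))
```

Running the block prints the decision trace for each mask plan; the trace for section 2 stops at the egress address itself and the trace for section 1 at the unanswered ARP, while sections 3 and 4 complete both directions. `outside_pings("5.5.5.254")` on the section 4 plan shows the bounce the inference predicts, because the untranslated pool address is neither on-link nor the egress and so follows the default route straight back to the ISP.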
 
 
The usual solution is implemented at the IOS level by modifying the payload of the DNS reply packet: the Internet address returned by DNS is rewritten to the intranet address, so that communication goes directly over the intranet and no problem arises. For packets that use the public IP address directly, NAT is performed inside the router and the packet is redirected to the intranet without leaving through the egress.
 
I have written so much that I don't know whether you have the patience to read it all. Either way, please comment. Thank you!
 
