NAT address translation and port multiplexing (PAT)

Source: Internet
Author: User

What is port multiplexing (dynamic address translation with PAT): introduction and configuration example

Port multiplexing (port address translation, PAT) rewrites the source port of each outgoing packet along with its source address, so that every host on the internal network can share a single legitimate external IP address when reaching the Internet. This makes the most economical use of public address space. At the same time, an inbound packet is only forwarded when it matches a translation entry that an inside host created, so the hosts inside the network are not directly reachable from the Internet, which removes a large class of attacks against them. PAT is not a firewall, however: whatever an inside host initiates, and any port deliberately published with a static mapping, remains exposed, so it complements rather than replaces access control on the outside interface. Port multiplexing is therefore the most widely used form of NAT today.

1. Port multiplexing dynamic address translation (PAT)

The internal network uses the address segment 10.100.100.1~10.100.100.254; the router's LAN port (the default gateway) has address 10.100.100.1 with subnet mask 255.255.255.0. The legal address block assigned by the ISP is 202.99.160.0~202.99.160.3, a four-address block with subnet mask 255.255.255.252; the router's WAN port has address 202.99.160.1, and the one address available for translation is 202.99.160.2. The requirement is that all internal addresses 10.100.100.1~10.100.100.254 are translated to the legal address 202.99.160.2.

Step 1: configure the outside (WAN) interface.

interface FastEthernet0/1
 ip address 202.99.160.1 255.255.255.252
 ip nat outside

Step 2: configure the inside (LAN) interface.

interface FastEthernet0/0
 ip address 10.100.100.1 255.255.255.0
 ip nat inside

Step 3: define the pool of legal addresses.

ip nat pool onlyone 202.99.160.2 202.99.160.2 netmask 255.255.255.252

This creates an address pool named onlyone whose address range is 202.99.160.2 with subnet mask 255.255.255.252. Because only one address is available, the starting and ending addresses are both 202.99.160.2; if several addresses are available, give the first and last address of the range. Pool names are case sensitive, so the name used here must match the one used in step 5 exactly.

Step 4: define an access list for the inside addresses.

access-list 1 permit 10.100.100.0 0.0.0.255

This permits the segment 10.100.100.0~10.100.100.255 (subnet mask 255.255.255.0) to be translated. Note that the mask in an access list is a wildcard mask, the bitwise inverse of the subnet mask: a 0 bit must match and a 1 bit is ignored, so 255.255.255.0 is written as 0.0.0.255.

Step 5: enable port-multiplexing dynamic translation.

In global configuration mode, bind the inside local addresses to the pool of inside global (legal) addresses. The syntax is:

ip nat inside source list <access-list-number> pool <pool-name> overload

Example:

ip nat inside source list 1 pool onlyone overload   // the private addresses matched by access list 1 are translated to the legal address in pool onlyone, with port multiplexing

Note: overload is the keyword that turns on port multiplexing. Without it the pool is used one to one, and with a single address in the pool only one inside host at a time could be translated.

Verification: show ip nat translations lists the active entries (each inside local address and port together with the inside global address and port it was mapped to), and show ip nat statistics shows the configured mappings and their hit counts.

The port-multiplexing dynamic address translation is now complete.
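The behaviour the five steps set up, modelled in Python as an added example (this is not code from the page and does not drive a router): the translator allocates a global port per outbound flow, resolves the collision when two inside hosts pick the same source port, steers replies back by the global port alone, and drops an inbound packet that matches no entry. Only the 10.100.100.0/24 segment and the global address 202.99.160.2 come from this section; the packets and the remote addresses 203.0.113.10 and 198.51.100.5 are constructed for the example.

```python
"""Model of the 'overload' (PAT) behaviour configured above.  Addresses are the
ones used in this section (inside 10.100.100.0/24, inside global 202.99.160.2);
the packets fed to it are constructed for the example."""

INSIDE_GLOBAL = "202.99.160.2"                              # the one address in pool onlyone
INSIDE_NET, INSIDE_MASK = "10.100.100.0", "255.255.255.0"   # what access-list 1 permits


def ip_to_int(addr):
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")


def permitted_by_acl(src_ip):
    """access-list 1 permit 10.100.100.0 0.0.0.255, evaluated with the subnet mask."""
    return ip_to_int(src_ip) & ip_to_int(INSIDE_MASK) == ip_to_int(INSIDE_NET)


class Pat:
    def __init__(self, global_ip=INSIDE_GLOBAL):
        self.global_ip = global_ip
        # (proto, global port) -> (inside ip, inside port, remote ip, remote port)
        self.sessions = {}
        # full outbound flow -> global port, so a flow keeps its port
        self.by_flow = {}

    def _free_port(self, proto, preferred):
        # keep the host's own source port when it is free, as IOS tries to do;
        # otherwise take the next unused port above 1023
        if preferred > 1023 and (proto, preferred) not in self.sessions:
            return preferred
        port = 1024
        while (proto, port) in self.sessions:
            port += 1
        return port

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Packet entering on the 'ip nat inside' interface.  Returns the
        rewritten (src ip, src port, dst ip, dst port), or None when the source
        is not permitted by the access list and is routed without translation."""
        if not permitted_by_acl(src_ip):
            return None
        flow = (proto, src_ip, src_port, dst_ip, dst_port)
        gport = self.by_flow.get(flow)
        if gport is None:
            gport = self._free_port(proto, src_port)
            self.by_flow[flow] = gport
            self.sessions[(proto, gport)] = (src_ip, src_port, dst_ip, dst_port)
        return (self.global_ip, gport, dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Packet entering on the 'ip nat outside' interface.  Only a reply that
        matches an existing entry (same remote host and port) is translated
        back; anything else matches no entry and is dropped, which is why the
        inside hosts are not reachable from the Internet."""
        if dst_ip != self.global_ip:
            return None
        entry = self.sessions.get((proto, dst_port))
        if entry is None or entry[2:] != (src_ip, src_port):
            return None
        inside_ip, inside_port = entry[:2]
        return (src_ip, src_port, inside_ip, inside_port)


def demo():
    pat = Pat()
    # two inside hosts that happen to use the same source port to the same web server
    a = pat.outbound("tcp", "10.100.100.20", 40000, "203.0.113.10", 80)
    b = pat.outbound("tcp", "10.100.100.21", 40000, "203.0.113.10", 80)
    # the server's replies are steered back to the right host by the global port alone
    reply_a = pat.inbound("tcp", "203.0.113.10", 80, a[0], a[1])
    reply_b = pat.inbound("tcp", "203.0.113.10", 80, b[0], b[1])
    # an unsolicited connection attempt at the shared address matches no entry
    probe = pat.inbound("tcp", "198.51.100.5", 51000, INSIDE_GLOBAL, 22)
    return a, b, reply_a, reply_b, probe


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running it shows the second host's connection leaving with global port 1024 because 40000 was already taken by the first, both replies landing on the correct inside host, and the probe to port 22 returning None. Real IOS additionally ages entries out after an idle timeout; this model keeps them until the process ends.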

2. Network address translation (NAT) examples

Example 1: port multiplexing address translation only

When the ISP provides only a few IP addresses and the network has no special requirements, in particular no servers that must be reachable from the Internet, port multiplexing alone is sufficient: every computer in the network reaches the Internet through one legal address, which conserves address space and keeps the internal computers out of direct reach.

Network environment:

The LAN is connected to the Internet over a 10 Mb/s fibre link to the metropolitan-area network, as shown in the figure.

The router is a Cisco 2611 with two 10/100 Mb/s auto-sensing ports. The internal network uses 192.168.100.1~192.168.100.254; the LAN port FastEthernet 0/0 has address 192.168.100.1 with subnet mask 255.255.255.0. The legal address range assigned by the ISP is 202.99.160.128~202.99.160.131; the port FastEthernet 0/1 facing the ISP has address 202.99.160.129 with subnet mask 255.255.255.0, and the address available for translation is 202.99.160.130. All computers in the network must be able to reach the Internet.

Case study:

Only one legal address is available, the servers on the LAN serve the LAN only, and hosts on the Internet are not allowed to reach them, so NAT can be implemented entirely with port multiplexing, giving every computer in the network its own access to the Internet.

Configuration listing:

interface FastEthernet0/0
 ip address 192.168.100.1 255.255.255.0   // LAN port address
 duplex auto
 speed auto
 ip nat inside                            // inside interface
!
interface FastEthernet0/1
 ip address 202.99.160.129 255.255.255.0  // WAN port address
 duplex auto
 speed auto
 ip nat outside                           // outside interface
!
ip nat pool onlyone 202.99.160.130 202.99.160.130 netmask 255.255.255.0   // legal address pool named onlyone
access-list 1 permit 192.168.100.0 0.0.0.255                              // inside addresses to translate
ip nat inside source list 1 pool onlyone overload                          // port-multiplexing dynamic translation

Example 2: dynamic address translation plus port multiplexing

Many FTP and Web sites limit the number of simultaneous connections from a single IP address to protect server performance and link bandwidth. With port multiplexing alone, every computer in the network reaches the Internet from the same address, so some of them may be refused. When the ISP provides a somewhat larger number of legal addresses, port multiplexing and dynamic address translation can be used together: all users can reach the Internet, and the computers that must not be restricted are not made to share an address. Note that because every computer is still translated dynamically, computers on the Internet cannot reach servers inside the network.

Network environment:

The LAN is connected to the Internet over a 2 Mb/s DDN line; the router is a Cisco 2611 with a WAN module installed, as shown in the figure.

The internal network uses 172.16.100.1~172.16.102.254; the LAN port FastEthernet 0/0 has address 172.16.100.1 with subnet mask 255.255.0.0. The legal address block assigned by the ISP begins at 202.99.160.128 with subnet mask 255.255.255.0; the router's WAN address is 202.99.160.129 and the addresses available for translation are 202.99.160.130~202.99.160.190. Some computers in the network must reach the Internet without restriction, and the servers need not be reachable from the Internet.

Case study:

Some computers must reach the Internet without restriction and the servers need not provide services to the Internet, so dynamic address translation and port multiplexing are combined. The computers with the special requirement use the internal addresses 172.16.100.1~172.16.100.254 and are translated dynamically, one to one, to the legal addresses 202.99.160.130~202.99.160.189; all other computers use 172.16.101.1~172.16.102.254 and are translated to the single address 202.99.160.190 with port multiplexing. One caveat of the one-to-one pool: sixty addresses serve up to 254 hosts, so once every pool address is in use a further host cannot be translated until an existing entry times out.

Configuration listing:

interface FastEthernet0/0
 ip address 172.16.100.1 255.255.0.0      // LAN port address
 duplex auto
 speed auto
 ip nat inside                            // inside interface
!
interface Serial0/0
 ip address 202.99.160.129 255.255.255.0  // WAN port address
 ip nat outside                           // outside interface
!
ip nat pool public 202.99.160.190 202.99.160.190 netmask 255.255.255.0   // the single address shared by the ordinary computers
ip nat pool super 202.99.160.130 202.99.160.189 netmask 255.255.255.0    // one-to-one dynamic pool for the unrestricted computers
access-list 1 permit 172.16.100.0 0.0.0.255     // unrestricted computers (list 1)
access-list 2 permit 172.16.101.0 0.0.0.255     // ordinary computers (list 2)
access-list 2 permit 172.16.102.0 0.0.0.255
ip nat inside source list 1 pool super             // list 1: dynamic one-to-one translation
ip nat inside source list 2 pool public overload   // list 2: port-multiplexing translation

Two details matter here. The wildcard for one /24 segment is 0.0.0.255; a wildcard of 0.0.255.255 on 172.16.100.0 would match the whole of 172.16.0.0/16, including the computers meant for list 2. Likewise the two pools must not overlap: the address used for port multiplexing (202.99.160.190) is kept out of the one-to-one pool, otherwise the same global address could be handed to a dynamic entry and to the shared PAT entry at once.

Example 3: static address translation plus port multiplexing

In many cases the servers in the network provide services not only to customers inside the network but also to users on the Internet. With port multiplexing or dynamic translation the public address of a server cannot be predicted, so Internet users cannot reach it. The answer is static address translation for the servers, which gives each of them a fixed legal address, combined with port multiplexing for the ordinary client computers, which gives every user access to the Internet.

Network environment:

The LAN is connected to the Internet over a 10 Mb/s fibre link to the metropolitan-area network, as shown in the figure.

The router is a Cisco 2611 with two 10/100 Mb/s auto-sensing ports. The internal network uses 10.18.100.1~10.18.104.254; the LAN port FastEthernet 0/0 has address 10.18.100.1 with subnet mask 255.255.0.0. The legal address range assigned by the ISP is 211.82.220.80~211.82.220.87; the port FastEthernet 0/1 facing the ISP has address 211.82.220.81 with subnet mask 255.255.255.0. All computers in the network must reach the Internet, and four servers (Web, e-mail, FTP and media) must be reachable from the Internet.

Case study:

The servers must be reachable from the Internet, so each of them needs a legal address of its own, which means static translation. There are no restrictions on the other computers, so they can use port multiplexing. The servers therefore take internal addresses from 10.18.100.1~10.18.100.254 and are each mapped to one legal address; the other computers use 10.18.101.1~10.18.104.254 and are all translated to a single legal address.

Configuration listing:

interface FastEthernet0/0
 ip address 10.18.100.1 255.255.0.0       // LAN port address
 duplex auto
 speed auto
 ip nat inside                            // inside interface
!
interface FastEthernet0/1
 ip address 211.82.220.81 255.255.255.0   // WAN port address
 duplex auto
 speed auto
 ip nat outside                           // outside interface
!
ip nat pool every 211.82.220.86 211.82.220.86 netmask 255.255.255.248   // legal address pool for the client computers
access-list 1 permit 10.18.101.0 0.0.0.255   // client computers to translate (list 1)
access-list 1 permit 10.18.102.0 0.0.0.255
access-list 1 permit 10.18.103.0 0.0.0.255
access-list 1 permit 10.18.104.0 0.0.0.255
ip nat inside source list 1 pool every overload           // port-multiplexing translation for list 1
ip nat inside source static 10.18.100.10 211.82.220.82   // static translations for the four servers
ip nat inside source static 10.18.100.11 211.82.220.83
ip nat inside source static 10.18.100.12 211.82.220.84
ip nat inside source static 10.18.100.13 211.82.220.85

A static one-to-one entry publishes every port of the server: any packet sent to 211.82.220.82 reaches 10.18.100.10 whatever its destination port. The server itself, or an access list applied to the outside interface, must therefore restrict what can be reached.

Example 4: TCP/UDP port NAT mapping

When the ISP provides plenty of legal addresses, static translation plus port-multiplexing dynamic translation is the ideal solution. But if the ISP provides only four addresses, two of them are the network and broadcast addresses and one is the router's address (the default gateway), which leaves a single usable address. That one address can still give the whole LAN Internet access through port multiplexing, but because the servers would then sit behind dynamically assigned ports, computers on the Internet could not reach them. TCP/UDP port NAT mapping solves this.

Different applications use different TCP/UDP ports: Web services use port 80, FTP uses 21, SMTP uses 25, POP3 uses 110, and so on. Each of these ports on the one legal address can therefore be bound to a different internal address, so that all the servers in the network are reachable from the Internet while all internal hosts still reach the Internet through the same address.

Network environment:

The LAN is connected to the Internet over a 10 Mb/s fibre link to the metropolitan-area network, as shown in the figure.

The router is a Cisco 2611 with two 10/100 Mb/s auto-sensing ports. The internal network uses 192.168.1.1~192.168.1.254; the LAN port FastEthernet 0/0 has address 192.168.1.1 with subnet mask 255.255.255.0. The legal address range assigned by the ISP is 211.82.220.128~211.82.220.131; the port FastEthernet 0/1 facing the ISP has address 211.82.220.129 with subnet mask 255.255.255.0, and the address available for translation is 211.82.220.130. All computers in the network must be able to reach the Internet.

Case study:

Only one legal address is available, so NAT must be done with port multiplexing; but the servers inside the network must also be reachable from the Internet, so PAT is combined with static TCP/UDP port mappings. The mappings can be created on the address of the WAN interface itself, so complete port reuse is possible even with a single address. Because that address belongs to the router interface, no NAT pool is needed; the inside source list statement simply names the interface.

Note that because each application has its default port, this mode can publish only one server per service on the Internet: one Web server, one e-mail server, one FTP server. Further servers can be published on non-standard ports, but such servers are awkward to reach, since users must first learn the new port of the service.

Configuration listing:

interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0     // LAN port address
 duplex auto
 speed auto
 ip nat inside                            // inside interface
!
interface FastEthernet0/1
 ip address 211.82.220.129 255.255.255.0  // WAN port address
 ip nat outside                           // outside interface
!
access-list 1 permit 192.168.1.0 0.0.0.255   // inside addresses to translate
!
ip nat inside source list 1 interface FastEthernet0/1 overload   // port multiplexing directly on the FastEthernet0/1 address, no pool needed
ip nat inside source static tcp 192.168.1.11 80 211.82.220.129 80    // Web server
ip nat inside source static tcp 192.168.1.12 21 211.82.220.129 21    // FTP server
ip nat inside source static tcp 192.168.1.13 25 211.82.220.129 25    // SMTP
ip nat inside source static tcp 192.168.1.13 110 211.82.220.129 110  // POP3

Unlike the one-to-one static entries of Example 3, a static port entry exposes only the listed port of the inside server; every other port of 211.82.220.129 is still covered by the overload entry and unsolicited packets to it are dropped.
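The mistakes that are easiest to make in the listings of Example 2 and Example 4 can be caught before the configuration is loaded. The following lint pass, written for this page in Python as an added example (it is not a Cisco tool and not code from the original page), parses the NAT-related lines of an IOS configuration and reports an access list whose wildcard mask also covers the hosts meant for another NAT list (the wildcard point from step 4), two address pools that overlap, and two static TCP mappings that claim the same global address and port. SAMPLE_CONFIG is constructed for the example and deliberately contains all three problems.

```python
"""Lint pass over the NAT-related lines of a Cisco IOS configuration.  It
reports three mistakes that are easy to make when several NAT statements
share one router: an access list whose wildcard mask is wider than intended
and so also covers the hosts meant for another list, two address pools that
overlap, and two static TCP mappings that claim the same global address and
port.  SAMPLE_CONFIG is constructed for this example and deliberately
contains all three problems; it is not one of the page's own listings."""

SAMPLE_CONFIG = """\
ip nat pool public 202.99.160.190 202.99.160.190 netmask 255.255.255.0
ip nat pool super 202.99.160.130 202.99.160.190 netmask 255.255.255.0
access-list 1 permit 172.16.100.0 0.0.255.255
access-list 2 permit 172.16.101.0 0.0.0.255
access-list 2 permit 172.16.102.0 0.0.0.255
ip nat inside source list 1 pool super
ip nat inside source list 2 pool public overload
ip nat inside source static tcp 192.168.1.11 80 211.82.220.129 80
ip nat inside source static tcp 192.168.1.12 80 211.82.220.129 80
"""


def ip_to_int(addr):
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")


def int_to_ip(n):
    return ".".join(str((n >> s) & 255) for s in (24, 16, 8, 0))


def acl_range(network, wildcard):
    """Lowest and highest address matched by one IOS wildcard entry.  A wildcard
    bit of 1 means 'do not care', so the wildcard for 255.255.255.0 is 0.0.0.255
    and a wildcard of 0.0.255.255 covers a whole /16."""
    n, w = ip_to_int(network), ip_to_int(wildcard)
    return (n & ~w) & 0xFFFFFFFF, n | w


def overlaps(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def parse(config):
    acls, pools, statics, nat_lists = {}, {}, [], []
    for line in config.splitlines():
        w = line.split()
        if len(w) >= 4 and w[0] == "access-list" and w[2] == "permit":
            wildcard = w[4] if len(w) > 4 else "0.0.0.0"   # 'permit A.B.C.D' alone is a host entry
            acls.setdefault(w[1], []).append(acl_range(w[3], wildcard))
        elif w[:3] == ["ip", "nat", "pool"]:
            pools[w[3]] = (ip_to_int(w[4]), ip_to_int(w[5]))
        elif w[:6] == ["ip", "nat", "inside", "source", "static", "tcp"]:
            statics.append((w[6], int(w[7]), w[8], int(w[9])))
        elif w[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat_lists.append(w[5])
    return acls, pools, statics, nat_lists


def lint(config):
    acls, pools, statics, nat_lists = parse(config)
    findings = set()
    # 1. two NAT source lists whose entries cover the same inside addresses: which
    #    pool a host ends up in then depends on rule order rather than on intent
    for i, a in enumerate(nat_lists):
        for b in nat_lists[i + 1:]:
            for ra in acls.get(a, []):
                for rb in acls.get(b, []):
                    if overlaps(ra, rb):
                        findings.add(("acl-overlap", a, b,
                                      int_to_ip(ra[0]) + "-" + int_to_ip(ra[1])))
    # 2. pools that share addresses: a one-address PAT pool must not sit inside a
    #    one-to-one dynamic pool, or the same global address serves both roles
    names = sorted(pools)
    for i, p in enumerate(names):
        for q in names[i + 1:]:
            if overlaps(pools[p], pools[q]):
                findings.add(("pool-overlap", p, q))
    # 3. the same global ip:port claimed by two static mappings; only one inside
    #    server can be published on a given port of a given address
    owner = {}
    for local_ip, _, global_ip, global_port in statics:
        key = f"{global_ip}:{global_port}"
        if owner.setdefault(key, local_ip) != local_ip:
            findings.add(("static-dup", key, local_ip))
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(*finding)
```

On the sample it reports that list 1 (which, with wildcard 0.0.255.255, covers 172.16.0.0-172.16.255.255) also matches the hosts of list 2, that pools public and super overlap, and that 192.168.1.12 tries to take 211.82.220.129:80 already claimed by 192.168.1.11. Narrow the wildcard to 0.0.0.255, end pool super at .189 and give the second server its own port, and the pass reports nothing.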

Example 5: load balancing with address translation

As traffic grows and one server can no longer cope, load balancing is needed to spread the requests across several servers. There are many ways to do this, such as server cluster load balancing, switch-based load balancing and DNS round robin; address translation can also balance load across servers. Most of these mechanisms distribute connections by polling (round robin), so that each server gets an equal share.

Network environment:

The LAN is connected to the Internet over a 2 Mb/s DDN line; the router is a Cisco 2611 with a WAN module installed, as shown in the figure.

The internal network uses 10.1.1.1~10.1.3.254; the LAN port FastEthernet 0/0 has address 10.1.1.1 with subnet mask 255.0.0.0. The legal address range assigned by the ISP is 202.110.198.80~202.110.198.87; the WAN port Serial 0/0 facing the ISP has address 202.110.198.81 with subnet mask 255.255.255.0. All computers in the network must reach the Internet, and load is to be balanced across three Web servers and two FTP servers.

Case study:

All computers must reach the Internet and only five legal addresses are available, so the client computers use port multiplexing, and the servers could each be given a legal address by static translation. But the servers carry too much traffic (or are too weak) for one machine per service, so several servers must share the work: one legal address is translated to several internal addresses in turn, which spreads the load across the servers.

Configuration listing:

interface FastEthernet0/0
 ip address 10.1.1.1 255.0.0.0            // LAN port address
 duplex auto
 speed auto
 ip nat inside                            // inside interface
!
interface Serial0/0
 ip address 202.110.198.81 255.255.255.0  // WAN port address
 ip nat outside                           // outside interface
!
access-list 1 permit 202.110.198.82       // published Web address (list 1)
access-list 2 permit 202.110.198.83       // published FTP address (list 2)
access-list 3 permit 10.1.1.0 0.0.0.255   // client computers (list 3)
!
ip nat pool websev 10.1.1.2 10.1.1.4 netmask 255.255.255.0 type rotary   // Web server pool; 'type rotary' takes the next address of the pool for each new inbound connection, so requests to 202.110.198.82 go to 10.1.1.2, 10.1.1.3 and 10.1.1.4 in turn
ip nat pool ftpsev 10.1.1.8 10.1.1.9 netmask 255.255.255.0 type rotary   // FTP server pool
ip nat pool normal 202.110.198.84 202.110.198.84 netmask 255.255.255.248  // legal address pool for the client computers
ip nat inside destination list 1 pool websev   // inbound connections to an address in list 1 are distributed over pool websev
ip nat inside destination list 2 pool ftpsev   // likewise list 2 over pool ftpsev
ip nat inside source list 3 pool normal overload   // port multiplexing for the client computers in list 3 (the original listing stops at the statement above; this is the binding the case study calls for)
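How the rotary pools above distribute connections, modelled in Python as an added example (not code from the page and not what the router runs): the first packet of each new TCP connection to a published address is handed to the next real server in its pool, and later packets of that connection follow the entry that was created for it. The server addresses are those of pools websev and ftpsev; the client addresses and connections are constructed.

```python
"""Model of rotary destination NAT ('type rotary'), the load-balancing form of
NAT configured in this example.  The first packet of each new TCP connection to
a published address is handed to the next real server in the pool; later
packets of that connection follow the same entry.  Server addresses are the
ones in the listing above; the client connections are constructed."""
import itertools

ROTARY_POOLS = {
    "202.110.198.82": ["10.1.1.2", "10.1.1.3", "10.1.1.4"],   # access-list 1 -> pool websev
    "202.110.198.83": ["10.1.1.8", "10.1.1.9"],               # access-list 2 -> pool ftpsev
}


class RotaryNat:
    def __init__(self, pools=ROTARY_POOLS):
        self.next_server = {ip: itertools.cycle(servers) for ip, servers in pools.items()}
        self.entries = {}   # (client ip, client port, global ip, port) -> inside server

    def inbound(self, client_ip, client_port, dst_ip, dst_port, syn):
        """A TCP packet arriving on the outside interface.  Returns the inside
        server it is forwarded to, or None when it is dropped."""
        key = (client_ip, client_port, dst_ip, dst_port)
        if key in self.entries:
            return self.entries[key]             # established connection: same server
        if not syn or dst_ip not in self.next_server:
            return None                          # no entry and not a new connection
        server = next(self.next_server[dst_ip])  # new connection: next server in turn
        self.entries[key] = server
        return server


def demo():
    nat = RotaryNat()
    # four new web connections from one client; the fourth wraps round to the first server
    web = [nat.inbound("198.51.100.7", 40000 + i, "202.110.198.82", 80, syn=True) for i in range(4)]
    # a data packet of the first connection stays on the server that took its SYN
    same = nat.inbound("198.51.100.7", 40000, "202.110.198.82", 80, syn=False)
    ftp = [nat.inbound("198.51.100.8", 50000 + i, "202.110.198.83", 21, syn=True) for i in range(3)]
    # a mid-stream packet with no entry, and a SYN to an address that has no rotary pool
    stray = nat.inbound("198.51.100.9", 1234, "202.110.198.82", 80, syn=False)
    other = nat.inbound("198.51.100.9", 1234, "202.110.198.84", 80, syn=True)
    return web, same, ftp, stray, other


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Two properties of the mechanism are visible here and are worth remembering before relying on it. Rotary translation in IOS applies to TCP connections, and it keeps no view of server health: a server that is down still receives its turn, so every third Web connection would fail until the server is removed from the pool. It distributes connections; it does not monitor them.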
