An in-depth analysis of NAT types and translation principles

Source: Internet
Author: User

As we all know, NAT sits between the internal and external networks and translates addresses between them. In today's IP networks, where IPv4 is still the mainstream protocol, NAT is widely used because it conserves scarce public IP addresses. Do not assume, however, that NAT is simple, or that it merely turns an internal (or external) address into an external (or internal) one. In practice there are many NAT applications and NAT types. This article introduces, from a professional angle, the basic knowledge and application configuration of NAT on Cisco equipment; a comprehensive treatment of NAT configuration and application can be found in my books "Gold Network Management Division - Large and Medium-sized Enterprise Network Formation, Configuration and Management" and "A Complete Manual of Cisco/H3C Router Configuration and Management", to be published next year.

1. NAT types

A NAT router is configured to translate the inside local addresses used on the internal network into registered IP addresses. NAT is used when a device with an unregistered IP address on an internal network communicates with an external public network. On Cisco devices, including firewalls, routers and computers running the relevant Cisco software, NAT takes several forms and working modes, and you must understand them before configuring NAT on a Cisco device.

Static NAT

Static NAT maps an unregistered IP address (such as a LAN address) to a registered IP address (such as a public IP address) one to one. It is especially useful when a device on the internal network must use a fixed public IP address when reaching the external network. Note that this describes translation in a single, forward direction only; translation can also be configured in the reverse direction or in both directions, and the dynamic NAT and overloading NAT described below likewise support forward, reverse or bidirectional translation.

Figure 1 shows an example of a static NAT application (note the direction of the arrows). The three internal hosts with private addresses 192.168.32.10, 192.168.32.12 and 192.168.32.15, when reaching the public network through the router, correspond to the three public addresses 213.18.123.110, 213.18.123.11 and 213.18.123.12, so the remote side sees only these three public addresses.

Figure 1 Static NAT application example

Dynamic NAT

Dynamic NAT maps unregistered IP addresses to a set of registered IP addresses. Which address in one set maps to which in the other depends on the configured public address pool and on when the communication takes place; in the end, however, each unregistered address is mapped one to one to a registered address.

Figure 2 is an example of a dynamic NAT application. Three intranet addresses are mapped into a public address pool ranging from 213.18.123.100 to 213.18.123.150. The result is that 192.168.32.10 is mapped to 213.18.123.116, 192.168.32.12 to 213.18.123.112, and 192.168.32.15 to 213.18.123.125.

Figure 2 Dynamic NAT application example

Overloading NAT (multiplexing translation)

Overloading NAT is a form of dynamic NAT. It maps multiple unregistered IP addresses to a single registered IP address by combining that address with different port numbers. Figure 3 shows an example of overloading NAT: all users on the local network reaching the public network through the router are mapped to the same public address, 213.18.123.100, and are distinguished only by port (ports 101, 102 and 103 respectively). This is particularly useful when public IP addresses are scarce and the intranet hosts several application servers, since a single public address can then serve multiple application servers.

Figure 3 Overloading NAT application example

Overlapping NAT (overlap translation)

Overlapping NAT translates internal and external IP addresses into each other. It is used when the addresses on the outside are registered public addresses and the hosts on your internal network also use registered addresses; the router must then maintain a mapping table so that it can translate between the two overlapping registered address ranges inside and outside the network. This serves two purposes: it avoids exposing the real public address of an internal host to outside users, and it avoids conflicts between internal addresses and outside users holding the same addresses. Overlapping NAT can be implemented with static NAT, or with DNS combined with dynamic NAT.

Figure 4 shows an example of an overlapping NAT application. A host on the private network is assigned the registered public address 237.16.32.16; when it connects to the public network through the router, it is translated to another registered public address, 213.18.123.103. Replies returned from the external server's IP address are translated back by the router to the fixed registered public address 237.16.32.10.

Figure 4 Overlapping NAT application example

2. NAT terminology

The following terms are closely tied to Cisco NAT technology and are important for understanding how NAT works.

Internal network

Usually refers to a local area network, also known as a stub domain. A stub domain uses internal network IP addresses, which may be either registered or unregistered. All computers that use unregistered IP addresses must go through NAT translation to communicate with other networks.

External network

Any network outside the local private network can be regarded as an external network. An external network may itself be another private network, or a public network such as the Internet, so the IP addresses used on an external network may be either registered or unregistered.

Local address

By scope, IP addresses fall into two categories: local addresses and global addresses. A local address is one that only users of the local network can reach; it is valid only on that local network. It is an unregistered address and cannot be used on the Internet or other public networks.

Global address

The counterpart of a local address. It is an address that users anywhere can reach, and is of course a legitimate address registered on the public network.

Inside local address

One kind of local address: the IP address assigned to a host on the internal network. It is assigned by the computer's operating system or by a service such as DHCP, not a registered address allocated by the NIC (Network Information Center) or the service provider.

Outside local address

The other kind of local address: an address of the same nature as the inside local address, but belonging to a host on the external network. It is likewise not a legitimate Internet address and is assigned by the external computer's operating system or by a service such as DHCP.

Inside global address

One kind of global address: a registered IP address assigned by the NIC or the service provider. Toward the outside network, it represents one or more internal IP addresses.

Outside global address

The other kind of global address: of the same nature as the inside global address, but the global address of a host on the external network. Toward the external network, it represents one or more IP addresses.

3. NAT address translation principle

Most computers in a stub domain communicate using inside local addresses. Computers in the stub domain that need to communicate frequently with the external network need an inside global address configured, so that they can communicate with the external network directly, without translation.

In general, NAT address translation is the process of translating a local address into a global address, whether the packet travels from the internal network to the external network or from the external network to the internal network. The only difference is which network the local address and the global address belong to, as shown in Figure 5.

Figure 5 Basic NAT address translation principle

In this process, while a packet is still on the internal network it carries an inside local address as its source and an outside local address as its destination; once the packet has been translated onto the external network, its source address becomes the inside global address and its destination address becomes the outside global address.

Conversely, when a packet originates on the external network and is still there, its source address is the outside global address and its destination address is the inside global address; once the packet has been translated onto the local network, its source address becomes the outside local address and its destination address becomes the inside local address.

Figure 6 shows this translation process in detail.

Figure 6 Detailed NAT address translation principle

The basic steps for translating a packet from the internal network to the external network are as follows:

(1) When a stub-domain computer with an inside local address communicates with the external network, its packet is routed normally to the gateway and arrives at the NAT router. The packet is encapsulated with the inside local address as source and the outside local address as destination.

(2) The NAT router first checks whether its routing table contains an entry matching the packet's destination address. If no entry matches, the packet is discarded. If an entry matches, the router verifies that the packet is travelling from the internal network to the external network and that it matches the configured NAT rules. The router then consults the address translation table for a NAT entry containing both the inside local and the inside global address. If one is found, the packet's source address is replaced with the inside global address; if only static NAT is configured and no static NAT entry matches the packet, the packet is not translated and is routed as is.

(3) The router forwards the packet to its destination using the inside global address as source.

When a packet travels from the public network to the internal network, the basic NAT translation steps are as follows:

(1) When a computer on the public network sends a packet to the private network, the packet is encapsulated with the outside global address as source and the inside global address as destination.

(2) When the packet reaches the internal network, the NAT router looks up the destination address in the address translation table to map it to the computer in the stub domain (the private internal network).

(3) If a matching NAT entry exists, the router translates the inside global address into the inside local address, then checks the routing table before forwarding the packet to the destination computer. If no matching NAT entry is found, the packet is not translated and the routing table is checked directly for the destination address; if no routing entry matches the destination address, the packet is discarded.
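As an added example that is not part of the original article, the following Python model implements the outbound and inbound translation steps of section 3 for the three translation modes of section 1 (static, dynamic pool, and overloading). The NatRouter class, its routing table, the port allocator and the outside host 203.0.113.5 are constructed for illustration; the inside and public addresses are the article's.

```python
from ipaddress import ip_address, ip_network

class NatRouter:
    """Model of the outbound/inbound translation steps in section 3.
    Holds a constructed routing table plus the NAT configuration."""
    def __init__(self, routes, inside_nets, static=None, pool=None, overload_ip=None):
        self.routes = [ip_network(r) for r in routes]          # constructed routing table
        self.inside = [ip_network(n) for n in inside_nets]    # hosts matched by the NAT rule
        self.addr_map = dict(static or {})                    # inside local -> inside global
        self.pool = list(pool or [])                          # free inside global addresses
        self.overload_ip = overload_ip                        # shared inside global for PAT
        self.pat = {}                                         # (local ip, port) -> global port
        self.next_port = 1024                                 # constructed PAT port allocator

    def has_route(self, ip):
        return any(ip_address(ip) in net for net in self.routes)

    def outbound(self, src, sport, dst):
        """Packet leaving the stub domain: inside local -> inside global."""
        if not self.has_route(dst):
            return None                                       # step (2): no route, discard
        if not any(ip_address(src) in net for net in self.inside):
            return (src, sport, dst)                          # not subject to NAT, routed as is
        if src not in self.addr_map and self.pool:
            self.addr_map[src] = self.pool.pop(0)             # dynamic NAT: take a pool address
        if src in self.addr_map:
            return (self.addr_map[src], sport, dst)           # static or dynamic one-to-one
        if self.overload_ip:
            if (src, sport) not in self.pat:                  # PAT: same IP, unique port per flow
                self.pat[(src, sport)] = self.next_port
                self.next_port += 1
            return (self.overload_ip, self.pat[(src, sport)], dst)
        return (src, sport, dst)                              # no usable entry, routed untranslated

    def inbound(self, src, dst, dport):
        """Packet entering from outside: inside global -> inside local."""
        if dst == self.overload_ip:
            for (l_ip, l_port), g_port in self.pat.items():
                if g_port == dport:
                    return (src, l_ip, l_port) if self.has_route(l_ip) else None
        for l_ip, g_ip in self.addr_map.items():              # static and dynamic entries
            if g_ip == dst:
                return (src, l_ip, dport) if self.has_route(l_ip) else None
        return (src, dst, dport) if self.has_route(dst) else None  # untranslated, or dropped
```

A host that has no translation entry is forwarded with its inside local address unchanged, exactly as step (2) of the outbound procedure describes for a static-only configuration; inbound packets for an inside global address with no entry are only forwarded if the routing table has a matching route.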
