Abstract: using NAT/PAT to manage IP addresses on a campus network simplifies network management, saves registered IP addresses, raises address utilization, and conceals the addresses of sensitive services. It is important to apply the appropriate form of NAT/PAT address management to each group of users on the campus network.
Keywords: NAT; PAT; campus network; IP address management
0 Introduction
With the rapid development of campus networks, their scale keeps expanding and the number of departments using them keeps growing. The abundant resources on the Internet are a strong attraction, and the number of users accessing it rises rapidly. Network management is becoming increasingly complex: registered, routable IP addresses are in increasingly short supply, so several users must share one address at the same time, and some departments do not want external users to learn their internal network structure. Many solutions have emerged for these problems; in the current campus network environment, the commonly used and effective ones are Network Address Translation (NAT) and Port Address Translation (PAT).
1 NAT/PAT
NAT (Network Address Translation) converts the IP addresses used inside a network into the addresses used outside it, turning addresses that cannot be routed on the Internet into addresses that can. It saves addresses registered with the NIC (the address registry) and hides the internal network structure from the external network. PAT (Port Address Translation) is a special form of NAT, also called NAT multiplexing or overloading: it maps many internal addresses onto one or a few external addresses, so that all internal users share one external address, saving registered addresses even further.
NAT is usually integrated into routers, firewalls, ISDN routers, or dedicated NAT devices. The NAT device maintains a state (translation) table that maps internal addresses to external addresses, and rewrites each packet that passes through it according to that table. NAT itself does not provide the protection of a firewall, packet filtering, tunnelling, or similar technologies; it only changes the addresses in the outermost IP header. This keeps external users from seeing the internal address structure and makes it harder for them to reach internal hosts uninvited, but it is not a substitute for access control.
There are three NAT methods: static NAT, dynamic NAT, and PAT. Static NAT maps internal addresses to external addresses with fixed, one-to-one assignments. Dynamic NAT maps internal addresses to external addresses drawn from a pool as they are needed. PAT maps multiple internal addresses to different ports of the same external address.
2 NAT/PAT applications
Static NAT
Static Network Address Translation is the simplest way to use NAT: internal and external addresses are mapped one-to-one in a fixed manner, and each internal address that must be reachable from outside is given its own external address. If the internal network contains e-mail, FTP, or web servers that provide services to external users, the addresses of these servers must be translated statically, so that external users can always reach them at a known address.
Dynamic NAT pool
A dynamic NAT pool (pooled NAT) maps internal addresses to external addresses by dynamic allocation. The external network can reach services provided by the internal network, and the internal network can reach the external network, without renumbering the internal network. For example, the subnet 192.168.0.0 assigned to the school office system belongs to the private address space reserved by RFC 1918. As a subnet of the campus network, its addresses are allocated only to office system devices. To let other campus users reach this intranet, the office intranet and the campus network are connected with a router so that they can reach each other. However, because 192.168.0.0 is a private address, it cannot be used to reach the external network directly. A dynamic NAT pool is therefore configured on the router: the source address of each IP packet leaving the internal network is translated to an external address taken from the pool. In this way the intranet can reach servers on the external network, and, for as long as a translation entry exists, a host on the external network can also reach services provided by the internal network.
Dynamic NAT allows many internal users to be defined on the intranet and to share a few external addresses by dynamic allocation, whereas static NAT can only form a fixed one-to-one mapping. When all the external addresses in the NAT pool are occupied, subsequent translation requests fail. Routers with the NAT function generally provide a timeout setting: on a Cisco 7600, for example, a translation entry can be configured to be deleted after 15 minutes of inactivity, freeing its external address for later requests. External connections are usually short, so the timeout can be set to a small value, and different groups of internal users can use different timeouts according to their needs. Set it too short, however, and long-lived but idle sessions (remote logins, database connections) will be cut off.
The dynamic NAT pool gives campus network management great flexibility, but it also interferes with some management functions. For example, an IP address is often used to track the running state of a device. After NAT, the internal address behind a translated address changes dynamically, so the state of a particular internal device can no longer be identified from its external address, and remote management of campus network devices becomes troublesome. For the same reason, keep a log of the translation table if an external address ever has to be traced back to the internal host that used it at a given time.
PAT
PAT (Port Address Translation), also known as NAPT, is a form of dynamic address translation that lets many inside local addresses share one registered inside global address, by mapping each internal address and port to a different port of the shared address. In theory one address can support about 64,500 TCP and as many UDP connections (the 16-bit port space minus the reserved ports), but in practice the number of workstations supported is around 4,000, because many Internet applications, such as HTTP, actually consist of many small connections.
PAT is widely used for remote access, especially on devices serving dial-up users. With PAT, all TCP and UDP flows leave from the same IP address. Although this concentrates all traffic on one address, it saves Internet access fees and registered IP addresses and is easy to manage; this kind of translation is extremely useful when only a few addresses have been obtained but many users are on the external network at the same time.
3 NAT/PAT configuration example
The application of NAT/PAT is illustrated with the PAT configuration on the Cisco 7600 of Jimei University. The school's data center (IDC) teaching network uses the internal network 192.168.20.0. Because internal users need to reach the external network, the public address 210.34.143.2 assigned to this network is used for all outbound access.
Define the external address (pool) used by PAT:
ip nat pool mypool 210.34.143.2 210.34.143.2 prefix-length 30
Select the internal addresses of the data center teaching network that are to be translated (the wildcard mask 0.0.0.255 matches the whole 192.168.20.0/24 subnet):
access-list 1 permit 192.168.20.0 0.0.0.255
Bind the access list to the pool; the keyword overload enables PAT, so all matching sources share the single pool address and are told apart by port:
ip nat inside source list 1 pool mypool overload
Mark the internal interface:
interface ethernet0
 ip nat inside
Mark the external interface:
interface ethernet1
 ip nat outside
With this configuration, every device in the IDC can reach the Internet, meeting the needs of the students working there.
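The following Python model is an added illustration, not Cisco IOS code and not part of the original article. It models the translation table behind the configuration above and the behaviour described in section 2: a Cisco-style wildcard access list selects which inside sources are translated (policy is checked on the inside addresses, before translation), a pool of registered addresses is handed out either one per host (dynamic NAT, which fails when the pool is exhausted) or multiplexed by port on a single address (PAT, "overload"), replies are translated back, unsolicited inbound packets find no state, and idle entries are reaped after the 15-minute timeout. The pool address 210.34.143.2 and subnet 192.168.20.0 come from the article; the second pool address 210.34.143.3, the host addresses, the constructed timings, and the simple sequential port allocation (real devices preserve or randomize source ports) are assumptions.

```python
"""Toy NAT/PAT device: ACL selection, dynamic pool vs. overload, reverse
translation, pool exhaustion and idle timeout. Added illustration; all
addresses except the article's 210.34.143.2 / 192.168.20.0 are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, transport port)


def wildcard_match(ip: str, network: str, wildcard: str) -> bool:
    """Cisco ACL semantics: wildcard bit 0 must match, bit 1 is don't-care.
    'access-list 1 permit 192.168.20.0 0.0.0.255' == ("192.168.20.0", "0.0.0.255")."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & mask) == (int(ipaddress.IPv4Address(network)) & mask)


@dataclass
class Translation:
    inside: Endpoint      # inside local address:port
    outside: Endpoint     # inside global address:port, what the outside sees
    last_seen: float      # for the idle timeout


class NatDevice:
    def __init__(self, pool: List[str], acl: Tuple[str, str], overload: bool, timeout: float = 900.0):
        self.pool = pool              # registered (inside global) addresses
        self.acl = acl                # (network, wildcard) selecting inside sources
        self.overload = overload      # True = PAT, False = dynamic NAT
        self.timeout = timeout        # idle seconds before an entry is deleted
        self.by_inside: Dict[Endpoint, Translation] = {}
        self.by_outside: Dict[Endpoint, Translation] = {}
        self._next_port = 1024        # simplified: ports handed out sequentially, never recycled

    def _allocate(self, src: Endpoint) -> Optional[Endpoint]:
        if self.overload:
            # PAT: one shared address; flows are told apart by the port we choose.
            if self._next_port > 65535:
                return None           # port space exhausted
            port, self._next_port = self._next_port, self._next_port + 1
            return (self.pool[0], port)
        # Dynamic NAT: a host keeps the pool address it already holds, port unchanged ...
        for t in self.by_inside.values():
            if t.inside[0] == src[0]:
                return (t.outside[0], src[1])
        # ... otherwise it takes a free address; none free means the request fails.
        in_use = {t.outside[0] for t in self.by_inside.values()}
        for addr in self.pool:
            if addr not in in_use:
                return (addr, src[1])
        return None

    def outbound(self, src: Endpoint, now: float) -> Optional[Endpoint]:
        """Inside -> outside. Sources outside the ACL pass untranslated;
        None means the packet is dropped because no translation could be made."""
        if not wildcard_match(src[0], *self.acl):
            return src
        t = self.by_inside.get(src)
        if t is None:
            out = self._allocate(src)
            if out is None:
                return None
            t = Translation(src, out, now)
            self.by_inside[src], self.by_outside[out] = t, t
        t.last_seen = now
        return t.outside

    def inbound(self, dst: Endpoint, now: float) -> Optional[Endpoint]:
        """Outside -> inside. Only packets matching existing state get through."""
        t = self.by_outside.get(dst)
        if t is None:
            return None               # unsolicited: no entry, dropped
        t.last_seen = now
        return t.inside

    def expire(self, now: float) -> int:
        """Delete entries idle for at least `timeout` seconds; returns the count."""
        dead = [t for t in self.by_inside.values() if now - t.last_seen >= self.timeout]
        for t in dead:
            del self.by_inside[t.inside]
            del self.by_outside[t.outside]
        return len(dead)


def demo() -> dict:
    """Walk through the article's scenario with constructed hosts and timings."""
    acl = ("192.168.20.0", "0.0.0.255")
    pat = NatDevice(["210.34.143.2"], acl, overload=True)          # section 3 config
    r = {}
    r["pat_a"] = pat.outbound(("192.168.20.10", 40000), now=0.0)
    r["pat_b"] = pat.outbound(("192.168.20.11", 40000), now=1.0)  # same source port, other host
    r["pat_reply_to_b"] = pat.inbound(r["pat_b"], now=2.0)
    r["pat_stray"] = pat.inbound(("210.34.143.2", 2000), now=2.0)  # no state: dropped
    r["pat_outside_acl"] = pat.outbound(("192.168.30.5", 5000), now=2.0)  # not selected
    dyn = NatDevice(["210.34.143.2", "210.34.143.3"], acl, overload=False)  # section 2 pool
    r["dyn_h1"] = dyn.outbound(("192.168.20.10", 40000), now=0.0)
    r["dyn_h1_again"] = dyn.outbound(("192.168.20.10", 40001), now=0.0)  # second flow, same host
    r["dyn_h2"] = dyn.outbound(("192.168.20.11", 40000), now=0.0)
    r["dyn_h3"] = dyn.outbound(("192.168.20.12", 40000), now=0.0)  # pool exhausted
    r["dyn_reaped"] = dyn.expire(now=900.0)                        # 15-minute idle timeout
    r["dyn_h3_retry"] = dyn.outbound(("192.168.20.12", 40000), now=900.0)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

On the real router, `show ip nat translations` lists the equivalent of the two dictionaries above (inside local, inside global, and their ports), which is also the table to capture if an external address ever has to be traced back to an internal host.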
4 Summary
Using NAT/PAT on a campus network has many advantages: the existing internal network need not be renumbered, fewer registered IP addresses are used, and network management is simplified. However, NAT also affects some network management functions and security facilities. NAT changes the addresses in a packet, while a firewall decides whether to allow a connection from the source and destination IP addresses, TCP ports, and other fields of that packet; once NAT is in the path, rules written in terms of the original addresses no longer match what the firewall sees. In practice, NAT should therefore be integrated into the firewall system, which then provides both access control and address translation, with each rule evaluated on the addresses its author had in mind (inside addresses before translation, outside addresses after). Do not place the NAT device outside the firewall, where an attacker could spoof packets that the NAT forwards into the internal network before any filtering is applied.
If a VPN (Virtual Private Network) is used and IPsec provides the encryption and integrity protection, a wrongly placed NAT breaks the VPN. NAT changes the IP addresses of the packet, and IPsec authenticates them (AH covers the IP header directly, and ESP in transport mode protects the transport checksum, which depends on the addresses), so the translated packet is treated as forged and rejected. The NAT must therefore sit inside the protected VPN, on the cleartext side, not between the two IPsec endpoints, unless NAT traversal (UDP encapsulation of ESP, RFC 3948) is used.