Deep understanding of NetScaler Inat
http://blog.51cto.com/caojin/1898173
NetScaler's INAT is mainly a translation based on the destination address: a client accesses a public IP, and NetScaler translates it into the server's private-network IP, similar to the role of DNAT. By default, however, NetScaler also rewrites the source side, translating "source IP:source port" as well as "destination IP:destination port"; in other words, by default it performs something like NAPT (port mapping), but not exactly NAPT. NAPT only replaces the destination IP and port, whereas NetScaler by default replaces both.
Test environment:
snip: 10.110.110.121, 10.110.140.151, 10.110.140.152
mip: 10.110.140.153
vip: 111.1.1.1
client: 10.110.110.146
server vip: 10.110.140.150
server: 10.110.110.130
Configuration method:
> add inat <name> <public ip> <private ip> (the private IP cannot be an address owned by the NetScaler itself, including a VIP)
-ftp (ENABLED | DISABLED)
-mode Stateless
-proxyip <ip_addr|ipv6_addr>
-tcpproxy (ENABLED | DISABLED)
-TD <positive_integer>
-tftp (ENABLED | DISABLED)
-usip (ON | OFF)
-usnip (ON | OFF)
When the appliance forwards a packet to a server, the source IP address assigned to the packet is determined as follows:
If USIP mode is enabled, the NetScaler uses the client IP (CIP) address as the source IP address.
If USNIP mode is enabled, the NetScaler uses a subnet IP address (SNIP) as the source IP address.
If both USIP and USNIP modes are disabled, the NetScaler uses a mapped IP address (MIP) as the source IP address.
If both USIP and USNIP modes are enabled, USIP mode takes precedence.
You can also configure the NetScaler to use a unique IP address as the source IP address by setting the proxyIP parameter. If USIP mode is disabled and no proxy IP is specified, the NetScaler attempts to use a MIP as the source IP address. When a proxy IP is specified, the order of precedence is as follows: USIP - unique IP - USNIP - MIP - error.
To protect the NetScaler from DoS attacks, you can enable TCP proxy. However, if other protection mechanisms are used in your network, you may want to disable it.
If a proxy IP is enabled, connections to the server use only that one SNIP, similar to static DNAT.
If the proxy IP is disabled, NetScaler rotates through the SNIPs in the same network segment as the private destination IP when connecting to the server, similar to dynamic DNAT.
When only USIP is turned on, NetScaler uses the client's source IP to connect to the back-end private network (in the test environment the server had no route back to the client, so the TCP connection did not complete).
When both USIP and USNIP are turned on, USIP has higher priority than USNIP, so NetScaler again connects to the back-end private network with the client's source IP (and again the TCP connection did not complete, because the test environment has no route to the client).
With USIP and USNIP both turned off, NetScaler uses the MIP to connect to the back end.
With USIP and USNIP turned off but a proxy IP selected, the selected SNIP takes precedence over the MIP and is used to connect to the back-end server.
Whether USIP or USNIP is in use, once TCP proxy is enabled NetScaler connects to the back end with the client's source IP; TCP proxy can protect NetScaler against DoS attacks.
Stateless mode can only be applied to IPv4-to-IPv6 translation.
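As an added illustration (not part of the original post or of NetScaler's own code), the following Python models the source IP selection precedence described above and the observations from the tests: the InatRule, InatSourceSelector and handshake_completes names are hypothetical, and the addresses are taken from the test environment listed on the page.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed from the SNIP and MIP addresses listed in the page's test environment.
SNIPS = {"10.110.110.121": "10.110.110.0/24",
         "10.110.140.151": "10.110.140.0/24",
         "10.110.140.152": "10.110.140.0/24"}
MIP = "10.110.140.153"

@dataclass
class InatRule:
    """Hypothetical model of the 'add inat' parameters that affect the source IP."""
    name: str
    public_ip: str
    private_ip: str
    usip: bool = False
    usnip: bool = False
    proxy_ip: Optional[str] = None
    tcpproxy: bool = False

class InatSourceSelector:
    """Precedence as described above: client IP (USIP, or TCP proxy), then proxy IP,
    then a SNIP in the private destination's subnet (rotated), then MIP, else error."""
    def __init__(self, snips=SNIPS, mip=MIP):
        self.snips = {ip_address(s): ip_network(n) for s, n in snips.items()}
        self.mip = mip
        self._rr = {}  # per-rule rotation position used in USNIP mode

    def pick(self, rule, client_ip):
        if rule.tcpproxy or rule.usip:
            return client_ip          # the server then needs a return route to the client
        if rule.proxy_ip:
            return rule.proxy_ip      # one fixed SNIP: the "static DNAT" case
        if rule.usnip:
            dst = ip_address(rule.private_ip)
            pool = sorted(s for s, net in self.snips.items() if dst in net)
            if pool:
                i = self._rr.get(rule.name, 0)
                self._rr[rule.name] = i + 1
                return str(pool[i % len(pool)])  # rotate SNIPs: the "dynamic DNAT" case
        if self.mip:
            return self.mip
        raise LookupError(f"{rule.name}: no usable source IP")

def handshake_completes(src_ip, server_routes):
    """True if the server has a route back to src_ip, so the TCP handshake can finish;
    the USIP test above failed precisely because this return route was missing."""
    return any(ip_address(src_ip) in ip_network(r) for r in server_routes)
```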