DNAT & SNAT

Source: Internet
Author: User

SNAT is source address conversion

It is used to convert the source IP address of an IP packet to another address. It may be strange to see why IP address conversion is required, let's take a look at the working principle of the LAN user's public network. Assume that the Intranet host a (192.168.2.8) needs to communicate with the Internet host B (61.132.62.131), and a sends an IP packet to B, if SNAT is not used to convert the source address of host a, the communication between host a and host B will be interrupted because after the vro sends the intranet data packet to the public IP address, the public IP address will return data packets to your private IP address. At this time, the public IP address cannot know how your private IP Address should go. Therefore, if you ask him to access a level-1 router, this is certainly true, because the private IP address cannot be seen from the public network, so you cannot communicate with him. To correctly send and return data packets, the gateway must convert the address of a to a valid public IP address. In addition, in order for host B to send data packets to host, the valid public network address must be the Internet address of the Gateway. If it is another public network address, B will send the data packets to Other gateways, instead of the gateway where host a is located, A will not receive data packets sent from B, so the Intranet host must have a valid public IP address to access the Internet, the method to obtain this address is to enable the gateway to perform SNAT (source address conversion) and convert the Intranet address to the public URL (usually the external address of the gateway ), therefore, we often see that in order to allow Intranet users to access the public network, we must set SNAT in the firewall of routeros, commonly known as IP Address Spoofing or disguise (masquerade ).


DNAT: the purpose of destination address translation is to map a group of local addresses to a group of global addresses.

Generally, the number of valid addresses is much smaller than the number of local addresses. Address reservation in rfc1918 can be achieved through overlapping addresses. When an internal host releases data packets for the first time through the firewall, dynamic Nat is implemented in the same way as static Nat, and then the NAT is kept in the firewall in the form of a table. The Nat will be retained in the firewall until it ends due to some reason. The most common cause of NAT termination is that the host that sends the connection does not respond within the specified time. In this case, the idle timer will delete the NAT of the host from the table.

2. How to distinguish SNAT from DNAT

In common: All private addresses are converted to public addresses.

How to differentiate:

To distinguish between these two functions, we can simply tell who is the connection initiator:

When the internal address needs to access services on the public network (such as Web access), the internal address will initiate a connection, and the gateway on the router or firewall will convert the internal address, the private IP address of the internal address is converted to the public IP address of the public network. The address translation of the gateway is called SNAT, which is mainly used for internal shared IP Access to the outside.

When an internal service (such as a web site) needs to be provided, the external address initiates an active connection, and the gateway on the router or firewall receives the connection, and then switches the connection to the internal network, in this process, the gateway with a public IP replaces the internal service to receive external connections, and then implements address translation internally. This conversion is called DNAT and is mainly used for external release of internal services.

When configuring the firewall or routing ACL Policy, note that the two Nat addresses must not be confused.



DNAT & SNAT

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.