NAT technology Overview

NAT (Network Address Translation) is a process of converting an IP address in the IP datagram header to another IP address. In practical applications, Nat is mainly used to enable private networks to access public networks. By using a small number of public IP addresses to represent a large number of private IP addresses, this will help reduce the depletion of available IP address space.

 

Private IP addresses are the IP addresses of internal networks or hosts, and public IP addresses are the only IP addresses in the world over the Internet.

RFC 1918 reserves three IP address blocks for the private network, as shown below:

Class A: 10.0.0.0 ~ 10.20.255.255

Class B: 172.16.0.0 ~ 172.31.255.255

Class C: 192.168.0.0 ~ 192.168.255.255

(The addresses in the preceding three ranges are not allocated on the Internet. Therefore, you do not have to apply to the ISP or registration center for free use within the company or enterprise .)

Nat was originally designed to implement the function of accessing the public network from a private network, and then extended to implement the address translation application for access between any two networks, in this article, the two networks are called internal networks (Intranet) and external networks (Internet). Generally, private networks are internal networks and public networks are external networks.

 

Figure 1Describes a basic NAT application.

Figure 1 Basic Process of address translation

 

(1) IP packets sent from an intranet user host (192.168.1.3) to an internet server (1.1.1.2) are sent through the NAT device.

(2) When the NAT device looks at the header and finds that the message is sent to the Internet, it converts the private IP address 192.168.1.3 in its source IP address field into a public IP address that can be selected on the Internet, such as 255.1.1.1, send the message to the internet server and record the ing in the network address translation table of the NAT device.

(3) After the response packet sent by the Internet server to the Intranet user (whose initial destination IP address is ipv1.1.1) arrives at the NAT device, the NAT device checks the header content again, find the record of the current network address translation table and replace the initial destination IP address with the private IP address 192.168.1.3.

The above Nat process is transparent to the host and server in the terminal. For an internet server, it considers the IP address of the Intranet user host to be 255.1.1.1 and does not know that there is 192.168.1.3. Therefore, Nat "hides" the enterprise's private network.

The advantage of address translation is that hosts on the internal network can access resources on the external network through this function while providing "privacy" protection for internal network hosts. But it also has some disadvantages:

L because IP address conversion is required for data packets, the headers of datagram packets involving IP addresses cannot be encrypted. In the application protocol, if there is an address or port in the packet that needs to be converted, the packet cannot be encrypted. For example, you cannot use an encrypted FTP connection. Otherwise, the PORT command of the FTP protocol cannot be correctly converted.

L network debugging becomes more difficult. For example, if a host on an internal network tries to attack other networks, it is difficult to identify which host is malicious because the IP address of the host is blocked.

Address Translation Control

In practical applications, we may want some hosts on the internal network to access the external network, but some hosts are not allowed to access it, that is, when the NAT device views the header content of IP data packets, if you find that the source IP address is an internal host that does not allow access to the external network, it will not perform address conversion. In addition, you also want to use only the specified public IP address for address translation.

Devices can use ACL (access control limit) and address pool to control address translation.

L the access control list can effectively control the range of use of address translation. address translation can be performed only in the datagram files that meet the access control list rules.

L address pool is a set of consecutive public IP addresses used for address translation. It can effectively control the use of public IP addresses. You can define an appropriate address pool based on the number of valid IP addresses, number of internal network hosts, and actual application conditions. During address translation, the NAT device selects an IP address from the address pool as the source IP address after data packet conversion.

Nat for basic address translation

The address translation process shows that when the internal network accesses the external network, the address translation selects an appropriate external address to replace the source address of the internal network data packet. InFigure 1Select the IP address (Public IP address) of the NAT device's outbound interface ). In this way, all internal network hosts can only have one external network IP address when accessing the external network. Therefore, only one internal network host can access the external network at most.

When multiple hosts in the internal network require concurrent access to the external network, Nat can also respond to concurrent requests, allowing the NAT device to have multiple public IP addresses. When the first Intranet host accesses the Internet, Nat selects a public IP address IP1, adds a record in the address translation table, and sends a datagram. When the other Intranet host accesses the Internet, nat selects another public address, ip2, and so on, to meet the Internet access requests of multiple Intranet hosts.

The number of public IP addresses owned by the NAT device is much smaller than the number of hosts on the internal network, because all Intranet hosts do not access the Internet at the same time. Determine the number of public IP addresses based on the number of Intranet hosts that may access the Internet during peak network hours.

 

Napt

Network Address port translation (napt) is a form of basic address translation. It allows multiple internal addresses to be mapped to the same public address, it can also be called "Multi-to-one address conversion ".

Napt ing IP addresses and port numbers simultaneously: the source addresses of data packets from different internal addresses can be mapped to the same external address, but their port numbers are converted to different ports of the address, therefore, you can still share the same address, that is, the conversion between "private IP address + port number" and "public IP address + port number.

Figure 2 Basic Principles of napt

 

For exampleFigure 2As shown in, three data packets with internal addresses are sent to the NAT device. Packet 1 and packet 2 come from the same internal address but have different source port numbers, packets 1 and 3 come from different internal addresses but have the same source port number. Through napt ing, the source IP addresses of the four datagram files are converted to the same external IP address, but each datagram is assigned a different source port number, thus retaining the differences between packets. When the response packets of each packet arrive, the NAT device can still distinguish the internal host to which the packet should be forwarded based on the destination IP address and destination port number of the response packet.

Using napt can make full use of IP Address resources to achieve simultaneous access of more internal network hosts to external networks.

Currently, napt supports two different address translation modes:

L endpoint-independent mapping (do not care about the peer address and port Conversion Mode)

In this mode, the NAT device allocates addresses and filters packets by creating a table item (Source Address, source port number, and protocol type. That is, as long as it is a message from the same source address and source port number, regardless of whether the destination address is the same, after the napt ing, its source address and source port number are converted to the same external address and port number, in addition, the NAT device allows hosts on the external network to access hosts on these internal networks through the converted address and port. This mode supports mutual access between hosts located behind different NAT devices.

L address and port-dependent mapping (concerning the peer address and port Conversion Mode)

In this mode, the NAT device allocates addresses and filters packets based on the table items of the source address, source port number, protocol type, destination address, and destination port number. That is, if the destination address and destination port number of a packet from the same source address and source port number are different, after napt ing, the same source address and source port number will be converted to different external addresses and port numbers, in addition, the NAT device only allows hosts in the external network corresponding to these destination addresses to access hosts in these internal networks through the converted addresses and ports. This mode is safe but not convenient for mutual access between hosts located after different NAT devices.

Internal Server

Nat hides the structure of the internal network and blocks internal hosts. However, in practice, you may need to provide an external network with an opportunity to access the Intranet host, for example, a Web server or an FTP server is provided for an external network.

The internal server function provided by the NAT device is to statically configure the ing between "Public IP address + port number" and "private IP address + port number, implements "reverse" conversion from a public IP address to a private IP address. For example, you can configure route 1.1.1: 8080 as the external network address and port number of a Web server on the Intranet for external network access.

For exampleFigure 3As shown in, when a data packet sent by an external network user to access an internal network server passes through a NAT device, the NAT device searches for an address translation table item based on the destination address of the packet, convert the destination IP address and port number of the request packet sent to the internal server to the private IP address and port number of the internal server. When the internal server responds to the message, the NAT device then converts the source IP address and port number of the response packet to the public IP address and port number based on the existing address ing relationship.

Figure 3 basic principles of internal servers

 

DNS Mapping

The support for this feature is related to the device model. Please refer to the actual situation of the device.

 

Generally, both the DNS server and the user accessing the private network server are on the public network, and the internal server is configured on the public interface of the NAT device, you can map information such as public IP addresses and ports to servers in the private network so that Internet users can access internal servers through the domain name or public IP address of internal servers. However, for exampleFigure 4As shown in, if the DNS server is in the public network, the Intranet user wants to access the Intranet web server through the domain name, the response message sent by the DNS server to the Intranet user contains the Internet address of the Intranet server, as a result, the private network users who receive the response message cannot use the domain name to access the private network server. You can solve this problem by configuring DNS mapping on the device.

Figure 4 Nat DNS Mapping

 

The DNS mapping function is used to configure the ing table "Domain Name + public IP address + public port number + protocol type" to establish the correspondence between the internal server domain name and the internal server public network information. On the NAT interface configured, the device checks the received DNS response packets and searches for the user-configured DNS mapping table based on the domain name in the packets, find the private IP address corresponding to this information in the internal server address ing table based on the "Public IP address + public port + protocol type" information in the table item, and replace the public IP address in the DNS query result. In this way, the DNS Response Message received by the private network includes the private address of the internal server to be accessed, and the internal server domain name can be used to access the internal server within the same private network.

Easy IP

Easy IP refers to using the Internet IP address of the interface as the converted source address during address translation, which can save IP Address resources to the maximum extent. It can also use the access control list to control which internal addresses can be converted.

Special protocols supported by Nat

Nat not only implements general address translation functions, but also provides a comprehensive address translation (ALG) (Application Layer Gateway) mechanism to support some special application protocols, without any modification to the NAT platform, it has good scalability. The packets of these special protocols carry the address or port information, which may also need to be converted.

Supported special protocols include: FTP (file transfer protocol, file transfer protocol), PPTP (Point-to-Point Tunneling Protocol, point-to-point tunnel protocol), ICMP (Internet Control Message Protocol, internet Control Message Protocol), DNS (Domain Name System), ils (Internet Locator Service, Internet location service), RTSP (Real Time Streaming Protocol, real time stream Protocol), H.323, SIP (Session
Initiation Protocol, Session Initiation Protocol), NetMeeting 3.01, NBT (NetBIOS over TCP/IP, basic network Input/Output System Based on TCP/IP), etc.

The availability of NAT special protocols is related to the device model. Please refer to the actual situation of the device.

 

Nat multi-instance support

Nat multi-instance allows users of different MPLS VPNs to access the external network through the same egress, and allows users of different MPLS VPNs to access the external network
VPN users use the same private IP address. When an mpls vpn user accesses an external network, address translation replaces the IP address and port of the internal network host with the external network address and port of the device, the user's mpls vpn information (such as the protocol type and route identifier rd) is also recorded ). When the response message arrives, the address translation restores the external network address and port to the IP address and port of the internal network host, and you can know which mpls vpn user is accessing the IP address and port.

In addition, address translation supports multiple instances of internal servers and provides external access to hosts in mpls vpn. For example, if the host address of the web service provided in MPLS vpn1 is 10.110.1.1, you can use 202.110.10.20 as the external address of the web server, internet users can access the Web services provided by MPLS vpn1 using the address 202.110.10.20.

In addition, Nat can also use the mpls vpn Information Carried by external network addresses to support mutual access between multiple MPLS VPNs. This feature is supported based on the device model.

Nat logs

Nat logs are system information generated by NAT devices during Nat translation. This information includes the source IP address, source port, destination IP address, destination port, converted source IP address, converted source port, and operations performed by the user. It is only used to record access by Intranet users to external networks, and does not record access by external users to Intranet servers.

When an intranet user accesses an external network through a NAT device, multiple users share an Internet address, thus the user accessing the network cannot be located. The log feature can be used to track and record Intranet users' access to external networks in real time, enhancing network security.