Huawei Easy IP and NAT Server implementation principle, Huawei nat

Source: Internet
Author: User

Next, I will introduce the working principles of the two NAT implementation methods of Huawei routers.

6.1.3 Implementation principle of Easy IP

The implementation principle of Easy IP is similar to that of the address-pool NAPT introduced in the previous section, and it can be regarded as a special case of NAPT. The difference is that Easy IP automatically maps private IP addresses to the public IP address of the WAN interface on the router, so there is no need to create a public IP address pool.

Easy IP is mainly used when the IP address of the router's WAN interface serves as the public IP address to be mapped. It is especially suitable for small LANs that access the Internet, such as small and medium-sized Internet cafes and small offices. Such environments generally have the following features: there are few internal hosts, and a temporary (or fixed) public IP address obtained through the dial-up interface is used to let the internal hosts access the Internet. Figure 6-3 describes the implementation principle of Easy IP. The procedure is as follows:

Figure 6-3 implementation principle of Easy IP

(1) Assume that Host A in the private network needs to access the Server on the public network. It first sends a request packet (in the Outbound direction) to the Router. The source address in the packet is 10.1.1.100 and the source port number is 1540.

(2) After receiving the request packet, the Router automatically uses the temporary or fixed "public IP address: port number" (162.10.2.8:5480) on its public-side WAN interface to create Easy IP address translation table entries (forward and reverse) that pair it with the packet's "source IP address: source port number". It then translates the packet according to the forward Easy IP table entry and sends it to the public network. The source address and source port number of the packet are thereby changed from (10.1.1.100:1540) to (162.10.2.8:5480).

(3) After receiving the request packet, the Server sends a response packet to the Router (in the Inbound direction). To do so, it only needs to swap the source IP address and source port number with the destination IP address and destination port number of the received request packet. The destination IP address and destination port number in the response packet are therefore (162.10.2.8:5480).

(4) After receiving the response packet from the Internet Server, the Router looks up the reverse Easy IP table entry using the packet's "destination IP address: destination port number", translates the packet according to the result, and sends it to the intranet side. The destination IP address in the translated packet is 10.1.1.100 and the destination port is 1540, which are exactly the source IP address and source port of the request packet sent by Host A.

If Host B in the private network also needs to access the public network, it uses the same public IP address as Host A, namely the public IP address of the router's WAN port. However, the port used for its translation must be different from the port used for Host A.

6.1.4 NAT Server implementation principle

NAT Server is used when Internet users need to access an internal server through a fixed public IP address. It is implemented through a static mapping between the server's "public IP address + port number" and its "private IP address + port number". Figure 6-4 describes the implementation principle of NAT Server. The process is as follows (the static NAT Server translation mapping table must be configured on the Router first):

Figure 6-4 NAT Server implementation principle

(1) After receiving an access request packet from an Internet user (in the Inbound direction), the Router looks up the NAT Server translation mapping table using the packet's "destination IP address: port number", finds the corresponding "private IP address: port number", replaces the packet's "destination IP address: port number" with the result, and sends the packet to the intranet side. In this example, the destination IP address in the request packet sent by the Internet host is 209.102.1.68 and the port number is 80; after translation by the Router, the destination IP address and port number are (192.168.1.68:80).

(2) After receiving the request packet forwarded by the Router, the intranet server sends a response packet to the Router (in the Outbound direction). The source IP address and port number and the destination IP address and port number in this packet are exactly swapped relative to the received request packet, so its source IP address and port number are (192.168.1.68:80).

(3) After receiving the response packet from the intranet server, the Router looks up the NAT Server translation table entry using the packet's "source IP address: source port number", finds the corresponding "public IP address: port number", and replaces the packet's "source IP address: source port number" with the result. In this example, the source IP address and port number of the response packet from the intranet server to the Internet host are (192.168.1.68:80), and after translation by the Router they are (209.102.1.68:80).

[Experience] From the NAT Server implementation principle above, we can see that in a request packet sent from the Internet to the intranet server, only the destination IP address and destination port number are translated (the source IP address and source port number remain unchanged), so you only need to care about the destination IP address and destination port number. In a response packet sent from the intranet to the Internet, only the source IP address and source port number are translated (the destination IP address and destination port number remain unchanged), so you only need to care about the source IP address and source port number. The IP addresses and port numbers translated in the two directions are exactly opposite.

Based on sections 6.1.1 and 6.1.2 described above, we can conclude that for all packets sent from the intranet to the Internet (whether request packets or response packets), the source IP address (or the source port number as well) is translated on the NAT router. For all packets sent from the Internet to the intranet (whether request packets or response packets), the destination IP address (or the destination port number as well) is translated on the NAT router.
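The two walk-throughs above reduce to table lookups, which the following Python sketch replays with the page's addresses. It is an added example, not code from the book or from Huawei; the Internet endpoints 203.0.113.10 and 198.51.100.7, Host B's address 10.1.1.101, sequential port allocation, and matching on the public endpoint alone are assumptions.

```python
from itertools import count

class NatRouter:
    """Toy model of the two tables; endpoint-independent mapping is an assumption."""

    def __init__(self, wan_ip, first_port):
        self.wan_ip = wan_ip
        self.ports = count(first_port)  # assumption: ports handed out sequentially
        self.forward = {}  # Easy IP forward entry: (proto, priv_ip, port) -> (wan_ip, port)
        self.reverse = {}  # Easy IP reverse entry: (proto, wan_ip, port) -> (priv_ip, port)
        self.servers = {}  # NAT Server static entry: (proto, global_ip, port) -> (inside_ip, port)

    def nat_server(self, proto, global_ep, inside_ep):
        self.servers[(proto, *global_ep)] = inside_ep

    def outbound(self, proto, src, dst):
        """Intranet -> Internet: only the source endpoint is rewritten."""
        for (p, g_ip, g_port), inside in self.servers.items():
            if p == proto and inside == src:  # response from a published server
                return (g_ip, g_port), dst
        key = (proto, *src)
        if key not in self.forward:  # first packet of a flow: create both entries
            public = (self.wan_ip, next(self.ports))
            self.forward[key] = public
            self.reverse[(proto, *public)] = src
        return self.forward[key], dst

    def inbound(self, proto, src, dst):
        """Internet -> intranet: only the destination is rewritten; no entry means drop."""
        inside = self.servers.get((proto, *dst)) or self.reverse.get((proto, *dst))
        return (src, inside) if inside else None

def demo():
    r = NatRouter("162.10.2.8", first_port=5480)  # values from the Easy IP walk-through
    r.nat_server("tcp", ("209.102.1.68", 80), ("192.168.1.68", 80))  # NAT Server walk-through
    web = ("203.0.113.10", 80)      # constructed Internet server
    user = ("198.51.100.7", 40000)  # constructed Internet client
    return {
        "host_a": r.outbound("tcp", ("10.1.1.100", 1540), web)[0],
        "host_b": r.outbound("tcp", ("10.1.1.101", 1540), web)[0],  # constructed Host B
        "reply_a": r.inbound("tcp", web, ("162.10.2.8", 5480))[1],
        "unsolicited": r.inbound("tcp", user, ("162.10.2.8", 6000)),
        "to_server": r.inbound("tcp", user, ("209.102.1.68", 80))[1],
        "from_server": r.outbound("tcp", ("192.168.1.68", 80), user)[0],
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12} {value}")
```

The `unsolicited` case shows the difference in exposure: an inbound packet reaches the intranet only through a reverse Easy IP entry created by earlier outbound traffic or through a statically configured NAT Server entry.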

The above content is excerpted from the author's newly published book, the Huawei Router Learning Guide, which is selling well in all major bookstores: http://item.jd.com/11513567.html. Supporting video courses for this book: http://edu.51cto.com/course/course_id-1173.html. The companion to this book is the Huawei Switch Learning Guide: http://item.jd.com/11355972.html, with its supporting video courses (full lab and practical demonstration): http://edu.51cto.com/course/course_id-1166.html
High Resolution Huawei router NAT

Example of address translation configuration
[Quidway] firewall enable
[Quidway] firewall default permit
[Quidway] acl 2001 ; the specified internal hosts are allowed to enter e0
[Quidway-acl-basic-2001] rule deny ip source any destination any
[Quidway-acl-basic-2001] rule permit ip source 129.38.1.1 0 destination any
[Quidway-acl-basic-2001] rule permit ip source 129.38.1.2 0 destination any
[Quidway-acl-basic-2001] rule permit ip source 129.38.1.3 0 destination any
[Quidway-acl-basic-2001] rule permit ip source 129.38.1.4 0 destination any
[Quidway-acl-basic-2001] quit
[Quidway] int e0/0
[Quidway-Ethernet0] firewall packet-filter 2001 inbound
[Quidway] acl 3002 ; a specific external host and packets to ports above 1024 are allowed to enter S0
[Quidway-acl-adv-3002] rule deny ip source any destination any
[Quidway-acl-adv-3002] rule permit tcp source 202.39.2.3 0 destination 202.38.160.1 0
[Quidway-acl-adv-3002] rule permit tcp source any destination 202.38.160.1 0 destination-port greater-than 1024
[Quidway-acl-adv-3002] quit
[Quidway] int s0/0
[Quidway-Serial0/0] firewall packet-filter 102 inbound
[Quidway-Serial0/0] nat outbound 3002 interface ; this is Easy IP: the source address of packets permitted by the ACL is translated when they leave through this interface
Internal server address translation configuration command (static NAT):
nat server global <ip> [port] inside <ip> port [protocol]
[Quidway-Serial0/0] nat server global 202.38.160.1 inside 129.38.1.1 ftp tcp
[Quidway-Serial0/0] nat server global 202.38.160.1 inside 129.38.1.2 telnet tcp
[Quidway-Serial0/0] nat server global 202.38.160.1 inside 129.38.1.3 www tcp
Public IP: 202.38.160.101 ~ 202.38.160.103 ......

What is the NAT configuration of a Huawei router?

NAT configuration of Huawei Router

Huawei routers differ in how the outside and inside ports are specified:

Quidway# show run
Now create configuration...
Current configuration
!
version 1.66:
enable password, Y @ JM, UXNZL0XaLTV. U4 *!!!
access-list normal 100 permit ip 10.0.0.0 0.20.255.255 any
!
interface Aux0
async mode interactive
encapsulation ppp
!
interface Ethernet0 # inside port #
speed auto
duplex auto
no loopback
ip address 10.0.0.2 255.255.255.0
!
interface Ethernet1 # outside port #
speed auto
duplex auto
no loopback
ip address 192.168.0.198 255.255.255.0
nat inside 100 interface # Use this command to help set the access list and address pool on the external port #
!
interface Serial0
encapsulation ppp
!
exit
ip route 0.0.0.0 0.0.0.0 192.168.0.254 preference 60
!
end
Quidway#

The NAT configuration task list is as follows:

1. Configure the address pool

2. Configure the association between the access control list and address pool

3. Configure the association between the access control list and interfaces (easy ip feature)

4. Configure the Internal Server

Add an internal server

nat server global global-addr [global-port] inside inside-addr inside-port protocol

Example: 202.38.160.101-103 are public IP addresses.

! Set up an internal FTP Server

Quidway(config-if-Serial0)# nat server global 202.38.160.101 inside 10.110.10.1 ftp tcp

! Set up internal WWW Server 1

Quidway(config-if-Serial0)# nat server global 202.38.160.102 inside 10.110.10.2 www tcp

! Set up internal WWW Server 2

Quidway(config-if-Serial0)# nat server global 202.38.160.102 8080 inside 10.110.10.3 www tcp

! Set up an internal SNMP Server

Quidway(config-if-Serial0)# nat server global 202.38.160.103 inside 10.110.10.4 snmp udp

5. Configure the effective time of address translation...
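Every nat server statement publishes an internal service to the Internet, so a configuration review should list exactly what is reachable from outside. The following Python sketch is an added example, not part of the original answer or of any Huawei tool: it parses the nat server syntax shown above and reports published cleartext services and duplicated global endpoints. The keyword-to-port table, the choice of cleartext ports, and the rule that an omitted global port equals the inside port are assumptions.

```python
import re

SERVICE_PORTS = {"ftp": 21, "telnet": 23, "www": 80, "snmp": 161}  # keywords used on this page
CLEARTEXT_PORTS = {21, 23, 161}  # reviewer's assumption: FTP, Telnet, SNMPv1/v2c are unencrypted
IPV4 = r"\d+(?:\.\d+){3}"
NAT_SERVER = re.compile(
    rf"nat server global (?P<gip>{IPV4})(?: (?P<gport>\S+))? "
    rf"inside (?P<iip>{IPV4}) (?P<iport>\S+) (?P<proto>tcp|udp)\b")

def to_port(token):
    """Accept a service keyword from SERVICE_PORTS or a decimal port number."""
    return SERVICE_PORTS[token] if token in SERVICE_PORTS else int(token)

def published_services(config_text):
    """One record per nat server statement, in configuration order."""
    records = []
    for m in NAT_SERVER.finditer(config_text):
        inside_port = to_port(m["iport"])
        # Assumption: an omitted global port means "same as the inside port".
        global_port = to_port(m["gport"]) if m["gport"] else inside_port
        records.append({"global": (m["gip"], global_port, m["proto"]),
                        "inside": (m["iip"], inside_port)})
    return records

def review(config_text):
    """Return (cleartext services reachable from outside, duplicated global endpoints)."""
    seen, duplicates, cleartext = set(), [], []
    for rec in published_services(config_text):
        if rec["global"] in seen:
            duplicates.append(rec["global"])
        seen.add(rec["global"])
        if rec["inside"][1] in CLEARTEXT_PORTS:
            cleartext.append(rec)
    return cleartext, duplicates

# The four statements from the answer above, prompts included.
SAMPLE = """\
Quidway(config-if-Serial0)# nat server global 202.38.160.101 inside 10.110.10.1 ftp tcp
Quidway(config-if-Serial0)# nat server global 202.38.160.102 inside 10.110.10.2 www tcp
Quidway(config-if-Serial0)# nat server global 202.38.160.102 8080 inside 10.110.10.3 www tcp
Quidway(config-if-Serial0)# nat server global 202.38.160.103 inside 10.110.10.4 snmp udp
"""

if __name__ == "__main__":
    exposed, dupes = review(SAMPLE)
    for rec in exposed:
        print("cleartext service published:", rec["global"], "->", rec["inside"])
    print("duplicate global endpoints:", dupes)
```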
