NAT address translation and port multiplexing (PAT)

Source: Internet
Author: User
Tags: define local, ftp, web services

What is port-multiplexed dynamic address translation (PAT)? An introduction with configuration examples

Port multiplexing (Port Address Translation, PAT) rewrites the source address and the source port of every packet leaving the network, so that all hosts on the internal network can share one legitimate (public) IP address for Internet access. This saves IP address resources to the greatest possible extent. At the same time it hides every host inside the network: outside hosts cannot address them directly, and inbound packets that do not belong to a translation started from the inside are dropped by the router, which blocks a large class of attacks from the Internet (it does not inspect the traffic it lets through, so it is not a substitute for a firewall). For these reasons port multiplexing is currently the most widely deployed form of NAT.

I. Port-multiplexed dynamic address translation (PAT)

The internal network uses the address range 10.100.100.1 to 10.100.100.254; the router's LAN interface (the default gateway) is 10.100.100.1 with subnet mask 255.255.255.0. The legitimate range assigned to the network is 202.99.160.0 to 202.99.160.3; the router's WAN interface is 202.99.160.1 with subnet mask 255.255.255.0, and the address available for translation is 202.99.160.2. The requirement is that the internal addresses 10.100.100.1 to 10.100.100.254 are translated to the single legitimate address 202.99.160.2.

Step 1: configure the external (outside) interface.

interface FastEthernet0/1
 ip address 202.99.160.1 255.255.255.0
 ip nat outside

Step 2: configure the internal (inside) interface.

interface FastEthernet0/0
 ip address 10.100.100.1 255.255.255.0
 ip nat inside

Step 3: define the pool of legitimate IP addresses.

ip nat pool onlyone 202.99.160.2 202.99.160.2 netmask 255.255.255.252

This names the address pool onlyone and gives it the address range 202.99.160.2 with subnet mask 255.255.255.252. Because only one IP address is available in this example, the start address and the end address are both 202.99.160.2. With more than one address, type the first and the last address of the range separately. IOS uses the netmask to exclude the network and broadcast addresses of the range, so it must describe the block the ISP actually assigned.

Step 4: define the internal access list.

access-list 1 permit 10.100.100.0 0.0.0.255

This permits the network segment 10.100.100.0 to 10.100.100.255 (subnet mask 255.255.255.0) to be translated. Note that the second value is a wildcard mask, the bitwise inverse of the subnet mask, not the mask itself: a 0 bit must match the listed network address and a 1 bit is ignored, so 255.255.255.0 becomes 0.0.0.255. Writing 0.255.255.255 by mistake would match every address in 10.0.0.0/8. The access list only selects which source addresses are translated; it does not filter traffic.

Step 5: configure port-multiplexed dynamic address translation.

In global configuration mode, bind the internal local addresses to the pool of internal legitimate (global) addresses with port multiplexing. The command syntax is:

ip nat inside source list <access-list-number> pool <pool-name> overload

Example:

ip nat inside source list 1 pool onlyone overload

This translates the private addresses matched by access list 1 to the legitimate address defined in the pool onlyone. The overload keyword is what turns ordinary dynamic (one-to-one) translation into port-multiplexed translation; without it, the single address in the pool would serve only one inside host at a time.

With this, the port-multiplexed dynamic address translation is complete. It can be checked on the router with show ip nat translations and show ip nat statistics.
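The following Python model is an added example, not configuration or code from the original article. It shows what steps 1 to 5 make the router do to a packet: the wildcard-mask test behind access list 1, the allocation of a distinct source port on 202.99.160.2 for each inside flow, the reverse mapping of the replies, and the dropping of inbound packets that match no translation. The addresses are the ones used above; the Packet class, the PatTranslator class and its counter-based port allocation are assumptions made for the model (IOS itself keeps the inside source port where it can and rewrites it only on a clash).

```python
import ipaddress
from dataclasses import dataclass, replace


def acl_permits(src_ip: str, network: str, wildcard: str) -> bool:
    """Cisco standard-ACL test with a wildcard mask.

    The wildcard is the bitwise inverse of the subnet mask: a 0 bit must
    match the listed network address, a 1 bit is ignored. So
    `permit 10.100.100.0 0.0.0.255` matches 10.100.100.0/24.
    """
    src = int(ipaddress.IPv4Address(src_ip))
    net = int(ipaddress.IPv4Address(network))
    wild = int(ipaddress.IPv4Address(wildcard))
    return (src & ~wild) == (net & ~wild)


@dataclass(frozen=True)
class Packet:
    # assumed minimal 5-tuple for the model; no payload, no flags
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatTranslator:
    """One outside address shared by every permitted inside host (overload).

    Port allocation is a plain counter (an assumption of this model); IOS
    keeps the inside source port when it is free and rewrites it on a clash.
    """

    def __init__(self, acl_network, acl_wildcard, outside_ip, first_port=1024):
        self.acl_network = acl_network
        self.acl_wildcard = acl_wildcard
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.outbound_map = {}  # (proto, inside_ip, inside_port) -> outside_port
        self.inbound_map = {}   # (proto, outside_port) -> (inside_ip, inside_port)

    def translate_outbound(self, pkt):
        """Inside -> outside. None means the source is not in the access list:
        IOS then forwards the packet untranslated, private address and all."""
        if not acl_permits(pkt.src_ip, self.acl_network, self.acl_wildcard):
            return None
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.outbound_map:
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            self.inbound_map[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.outside_ip, src_port=self.outbound_map[key])

    def translate_inbound(self, pkt):
        """Outside -> inside. Only a destination port handed out by
        translate_outbound is forwarded; anything else is dropped, which is
        the "hides the inside hosts" property of PAT."""
        if pkt.dst_ip != self.outside_ip:
            return None
        target = self.inbound_map.get((pkt.proto, pkt.dst_port))
        if target is None:
            return None
        inside_ip, inside_port = target
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)


def demo():
    """Constructed traffic: two inside hosts, same source port, same web server."""
    nat = PatTranslator("10.100.100.0", "0.0.0.255", "202.99.160.2")
    a = nat.translate_outbound(Packet("tcp", "10.100.100.10", 40000, "203.0.113.5", 80))
    b = nat.translate_outbound(Packet("tcp", "10.100.100.11", 40000, "203.0.113.5", 80))
    # the server's reply to b is told apart from a's by the outside port alone
    reply_to_b = nat.translate_inbound(Packet("tcp", "203.0.113.5", 80, "202.99.160.2", b.src_port))
    # nobody inside asked for this: no translation, so it is dropped
    unsolicited = nat.translate_inbound(Packet("tcp", "198.51.100.7", 55555, "202.99.160.2", 22))
    # source outside access list 1: not translated at all
    not_in_acl = nat.translate_outbound(Packet("tcp", "10.100.101.10", 40000, "203.0.113.5", 80))
    return a, b, reply_to_b, unsolicited, not_in_acl


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Run it as a script to print the five results of demo(). The last two are the security-relevant ones: a packet arriving at 202.99.160.2:22 with no translation goes nowhere, and a source outside the access list is never translated, which on a real router means the packet leaves with its private address unchanged; that is the case to look for when testing a new NAT configuration.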

II. Network address translation (NAT) examples

Example 1: port multiplexing only

When the ISP assigns only a few IP addresses and the network has no other special requirement, such as offering services to the Internet, port multiplexing address translation lets every computer in the network reach the Internet with the same IP address. This saves address space and at the same time keeps the computers inside the network from being reached directly from outside.

Network environment:

The LAN connects to the Internet over a 10 Mb/s fibre link to the metropolitan area network, as shown in the figure.

The router is a Cisco 2611 with two 10/100 Mb/s autosensing Ethernet ports. The internal network uses 192.168.100.1 to 192.168.100.254; the LAN interface FastEthernet 0/0 is 192.168.100.1 with subnet mask 255.255.255.0. The legitimate range assigned to the network is 202.99.160.128 to 202.99.160.131; the interface FastEthernet 0/1 facing the ISP is 202.99.160.129 with subnet mask 255.255.255.0, and the address available for translation is 202.99.160.130. Every computer inside the network must be able to access the Internet.

Case analysis:

Only one legitimate IP address is available for translation, the servers on the LAN serve the LAN only, and hosts on the Internet are not allowed to reach them. Port-multiplexed address translation alone is therefore enough to give every computer in the network access to the Internet.

Configuration:

interface FastEthernet0/0
 ! LAN interface address
 ip address 192.168.100.1 255.255.255.0
 duplex auto
 speed auto
 ! mark as the inside (local) interface
 ip nat inside
!
interface FastEthernet0/1
 ! WAN interface address
 ip address 202.99.160.129 255.255.255.0
 duplex auto
 speed auto
 ip nat outside
!
! fixed pool of legitimate addresses named onlyone (a single address)
ip nat pool onlyone 202.99.160.130 202.99.160.130 netmask 255.255.255.0
! internal access list: the hosts permitted to be translated
access-list 1 permit 192.168.100.0 0.0.0.255
! port-multiplexed dynamic address translation
ip nat inside source list 1 pool onlyone overload

Example 2: dynamic address translation plus port multiplexing

Many FTP sites limit the number of simultaneous sessions from one IP address to protect server performance and Internet bandwidth. With port multiplexing alone, every computer in the network reaches the Internet from the same address, so some users are refused by such sites. When the ISP provides a slightly larger number of legitimate addresses, port multiplexing can be combined with dynamic (one-to-one) address translation: every user can still reach the Internet, and the computers that need it are no longer constrained by sharing one address. Note that because all computers use dynamic translation, hosts on the Internet still cannot reach the servers inside the network.

Network environment:

The LAN connects to the Internet over a 2 Mb/s DDN line; the router is a Cisco 2611 with a WAN module installed, as shown in the figure.

The internal network uses 172.16.100.1 to 172.16.102.254; the LAN interface FastEthernet 0/0 is 172.16.100.1 with subnet mask 255.255.0.0. The legitimate block assigned to the network starts at 202.99.160.128 with subnet mask 255.255.255.0; the WAN interface is 202.99.160.129, and the addresses available for translation are 202.99.160.130 to 202.99.160.190. Some computers in the network must reach the Internet without restrictions, and the servers do not need to provide services to the Internet.

Case analysis:

Some computers need unrestricted Internet access and the servers need not be reachable from the Internet, so dynamic address translation combined with port multiplexing fits. The computers with special needs use dynamic (one-to-one) NAT and all the others use port-multiplexed NAT. The special-needs computers therefore use the internal addresses 172.16.100.1 to 172.16.100.254 and are dynamically translated to the legitimate addresses 202.99.160.130 to 202.99.160.189; the other computers use 172.16.101.1 to 172.16.102.254 and are all translated to 202.99.160.190. A dynamic pool of 60 addresses serves at most 60 of the special-needs computers at once; when the pool is exhausted, new translations fail until an existing entry times out.

Configuration:

interface FastEthernet0/0
 ! LAN interface address
 ip address 172.16.100.1 255.255.0.0
 duplex auto
 speed auto
 ip nat inside
!
interface Serial0/0
 ! WAN interface address (DDN line on the WAN module)
 ip address 202.99.160.129 255.255.255.0
 ip nat outside
!
! pool named super: legitimate addresses for one-to-one dynamic translation
ip nat pool super 202.99.160.130 202.99.160.189 netmask 255.255.255.0
! pool named public: the single legitimate address shared by port multiplexing
ip nat pool public 202.99.160.190 202.99.160.190 netmask 255.255.255.0
! internal access list 1: hosts that get a dynamic one-to-one translation
access-list 1 permit 172.16.100.0 0.0.0.255
! internal access list 2: hosts that share 202.99.160.190
access-list 2 permit 172.16.101.0 0.0.0.255
access-list 2 permit 172.16.102.0 0.0.0.255
! list 1 uses dynamic address translation
ip nat inside source list 1 pool super
! list 2 uses port-multiplexed address translation
ip nat inside source list 2 pool public overload

Example 3: static address translation plus port multiplexing

In many cases the servers in the network serve not only internal users but also users on the Internet. With port multiplexing or dynamic address translation the public address of a server cannot be predicted, so Internet users cannot reach it. The answer is static address translation combined with port multiplexing: the servers use static translation so that each has a fixed legitimate IP address, and the ordinary client computers use port multiplexing so that every user can reach the Internet.

Network environment:

The LAN connects to the Internet over a 10 Mb/s fibre link to the metropolitan area network, as shown in the figure.

The router is a Cisco 2611 with two 10/100 Mb/s autosensing Ethernet ports. The internal network uses 10.18.100.1 to 10.18.104.254; the LAN interface FastEthernet 0/0 is 10.18.100.1 with subnet mask 255.255.0.0. The legitimate range assigned to the network is 211.82.220.80 to 211.82.220.87; the interface FastEthernet 0/1 facing the ISP is 211.82.220.81 with subnet mask 255.255.255.0. Every computer in the network must be able to access the Internet, and four services (web, e-mail, FTP and media) must be offered to the Internet.

Case analysis:

The servers must be reachable from the Internet, so each needs a legitimate IP address of its own, that is, static address translation. The other computers have no such requirement and can use port-multiplexed NAT. The servers therefore use internal addresses from 10.18.100.1 to 10.18.100.254, each mapped to its own legitimate address, while the other computers use 10.18.101.1 to 10.18.104.254 and are all translated to a single legitimate address.

Configuration:

interface FastEthernet0/0
 ! LAN interface address
 ip address 10.18.100.1 255.255.0.0
 duplex auto
 speed auto
 ip nat inside
!
interface FastEthernet0/1
 ! WAN interface address
 ip address 211.82.220.81 255.255.255.0
 duplex auto
 speed auto
 ip nat outside
!
! pool of legitimate addresses shared by the clients (a single address)
ip nat pool every 211.82.220.86 211.82.220.86 netmask 255.255.255.248
! internal access list 1: the client subnets
access-list 1 permit 10.18.101.0 0.0.0.255
access-list 1 permit 10.18.102.0 0.0.0.255
access-list 1 permit 10.18.103.0 0.0.0.255
access-list 1 permit 10.18.104.0 0.0.0.255
! list 1 uses port-multiplexed address translation
ip nat inside source list 1 pool every overload
! static one-to-one translations for the four servers
ip nat inside source static 10.18.100.10 211.82.220.82
ip nat inside source static 10.18.100.11 211.82.220.83
ip nat inside source static 10.18.100.12 211.82.220.84
ip nat inside source static 10.18.100.13 211.82.220.85

A static one-to-one translation exposes every port of the server to the Internet, not only the port of the service it offers, so an inbound access list on FastEthernet 0/1 should restrict what the Internet may reach on 211.82.220.82 to 211.82.220.85.

Example 4: TCP/UDP port NAT mapping

If the ISP provides plenty of legitimate addresses, static address translation plus port-multiplexed dynamic translation solves everything neatly. But if the ISP provides only four addresses, two of them are the network and broadcast addresses and one is used by the router as the default gateway, which leaves a single usable address. That one address can still serve the whole LAN through port multiplexing, but because the servers then also go out through dynamically assigned ports, computers on the Internet cannot reach them. The solution is TCP/UDP port NAT mapping.

Different applications use different TCP/UDP ports: web servers use 80, FTP 21, SMTP 25, POP3 110, and so on. Different TCP ports of the one legitimate address can therefore be bound to different internal addresses, so that a single valid IP address lets every internal server be reached from the Internet while every intranet host still has Internet access.

Network environment:

The LAN connects to the Internet over a 10 Mb/s fibre link to the metropolitan area network, as shown in the figure.

The router is a Cisco 2611 with two 10/100 Mb/s autosensing Ethernet ports. The internal network uses 192.168.1.1 to 192.168.1.254; the LAN interface FastEthernet 0/0 is 192.168.1.1 with subnet mask 255.255.255.0. The legitimate range assigned to the network is 211.82.220.128 to 211.82.220.131; the interface FastEthernet 0/1 facing the ISP is 211.82.220.129 with subnet mask 255.255.255.0, and the address available for translation is 211.82.220.130. Every computer inside the network must be able to access the Internet.

Case analysis:

With a single legitimate address, NAT can only be implemented with port multiplexing; because the servers inside the network must also be reachable from the Internet, PAT has to be combined with TCP/UDP port mappings. Note that the port mappings can be created directly on the WAN interface address, so even a single IP address can be fully multiplexed. Because that legitimate address lives on the router interface, no NAT pool is needed: the inside source list statement refers to the interface instead.

Also note that because each application service has a default port, under this NAT mode only one server per service can be exposed to the Internet: one web server, one mail server, one FTP server. More servers can be exposed on non-default ports, but they are awkward to reach because users must know the new port of each service.

Configuration:

interface FastEthernet0/0
 ! LAN interface address
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
 ip nat inside
!
interface FastEthernet0/1
 ! WAN interface address
 ip address 211.82.220.129 255.255.255.0
 duplex auto
 speed auto
 ip nat outside
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
! port multiplexing that uses the address of FastEthernet0/1 directly (no pool)
ip nat inside source list 1 interface FastEthernet0/1 overload
! TCP port mappings: one inside server per (public address, port)
ip nat inside source static tcp 192.168.1.11 80 211.82.220.129 80
ip nat inside source static tcp 192.168.1.12 21 211.82.220.129 21
ip nat inside source static tcp 192.168.1.13 25 211.82.220.129 25
ip nat inside source static tcp 192.168.1.13 110 211.82.220.129 110

The static entries own ports 80, 21, 25 and 110 of 211.82.220.129; the overload translations use the remaining ports, and nothing else on that address is reachable from outside. The FTP mapping relies on IOS NAT inspecting the FTP control channel on port 21 to translate the data connections; an FTP server exposed on any other port would not get that help.

Example 5: load balancing with address translation

As traffic grows and one server can no longer cope, load balancing is needed to spread a large number of requests across several servers. There are many ways to do this: server clusters, load-balancing switches, DNS round-robin and so on. Address translation offers another: the router itself distributes connections across the servers, and like most of the other methods it does so by round-robin, so that each server gets an equal share of the requests.

Network environment:

The LAN connects to the Internet over a 2 Mb/s DDN line; the router is a Cisco 2611 with a WAN module installed, as shown in the figure.

The internal network uses 10.1.1.1 to 10.1.3.254; the LAN interface FastEthernet 0/0 is 10.1.1.1 with subnet mask 255.0.0.0. The legitimate range assigned to the network is 202.110.198.80 to 202.110.198.87; the interface facing the ISP is 202.110.198.81 with subnet mask 255.255.255.0. Every computer in the network must be able to access the Internet, and load balancing is required across three web servers and two FTP servers.

Case analysis:

Every computer in the network needs Internet access and only five legitimate addresses are available, so the clients use port-multiplexed address translation. A server would normally get its own legitimate address by static translation; here, however, the traffic is too heavy for one server (or the servers are too weak), so several servers must share the load. One legitimate address must therefore be translated to several internal addresses, with round-robin selection spreading the access load across the servers.

Configuration:

interface FastEthernet0/0
 ! LAN interface address
 ip address 10.1.1.1 255.0.0.0
 duplex auto
 speed auto
 ip nat inside
!
interface Serial0/0
 ! WAN interface address (DDN line on the WAN module)
 ip address 202.110.198.81 255.255.255.0
 ip nat outside
!
! round-robin address list 1: the public address of the web servers
access-list 1 permit host 202.110.198.82
! round-robin address list 2: the public address of the FTP servers
access-list 2 permit host 202.110.198.83
! internal access list 3: clients allowed out through port multiplexing
! (covers 10.1.1.0/24 only; add 10.1.2.0 and 10.1.3.0 if those hosts need Internet access)
access-list 3 permit 10.1.1.0 0.0.0.255
!
! pool of the web servers; type rotary makes IOS hand new TCP connections
! addressed to 202.110.198.82 to 10.1.1.2, 10.1.1.3 and 10.1.1.4 in turn
ip nat pool websev 10.1.1.2 10.1.1.4 netmask 255.255.255.0 type rotary
! pool of the FTP servers
ip nat pool ftpsev 10.1.1.8 10.1.1.9 netmask 255.255.255.0 type rotary
! pool named normal: the legitimate address shared by the clients
ip nat pool normal 202.110.198.84 202.110.198.84 netmask 255.255.255.248
!
! inside destination: connections whose destination matches list 1 are
! distributed over pool websev by round-robin, list 2 over pool ftpsev
ip nat inside destination list 1 pool websev
ip nat inside destination list 2 pool ftpsev
! clients matched by list 3 go out through pool normal with port multiplexing
ip nat inside source list 3 pool normal overload

A rotary pool distributes only new TCP connections; each connection then stays on the server it was given, and UDP or ICMP sent to 202.110.198.82 or 202.110.198.83 is not load-balanced. The servers in a rotary pool have no static translation of their own, so their own outbound traffic goes through pool normal like that of any other client in list 3.
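The following Python model is an added example, not code or configuration from the original article. It models the inbound side of Examples 3, 4 and 5 together so that the differences are visible in one place: a static whole-address entry (Example 3) forwards every port of the server, a static TCP port entry (Example 4) forwards one port and refuses a second server on the same public port, and a rotary pool (Example 5) spreads new TCP connections across its members in turn while keeping each connection on the server it was assigned to. The addresses are those of Example 5, with one port mapping added on the otherwise unused 202.110.198.85 for the demo; the Packet and InboundTranslator classes and their lookup order are assumptions of the model, not IOS internals.

```python
from dataclasses import dataclass, replace
from itertools import cycle


@dataclass(frozen=True)
class Packet:
    # assumed minimal 5-tuple for the model
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class InboundTranslator:
    """Destination-side translations of Examples 3 to 5, in lookup order:
    an existing session, a static port entry, a static whole-address entry,
    then a rotary pool (new TCP connections only). No match means drop."""

    def __init__(self):
        self.static_port = {}  # (proto, public_ip, public_port) -> (inside_ip, inside_port)
        self.static_addr = {}  # public_ip -> inside_ip
        self.rotary = {}       # public_ip -> round-robin iterator over inside servers
        self.sessions = {}     # 5-tuple of the outside packet -> inside_ip chosen for it

    def add_static(self, inside_ip, public_ip, proto=None, inside_port=None, public_port=None):
        """`ip nat inside source static [tcp|udp] <inside> [port] <public> [port]`.
        One inside server per public (address, port): a second owner is refused."""
        if proto is None:
            if public_ip in self.static_addr:
                raise ValueError(f"{public_ip} already statically mapped")
            self.static_addr[public_ip] = inside_ip
            return
        key = (proto, public_ip, public_port)
        if key in self.static_port:
            raise ValueError(f"{proto} {public_ip}:{public_port} already mapped; one server per public port")
        self.static_port[key] = (inside_ip, inside_port)

    def add_rotary_pool(self, public_ip, inside_servers):
        """`ip nat pool ... type rotary` plus `ip nat inside destination list ... pool ...`."""
        self.rotary[public_ip] = cycle(list(inside_servers))

    def translate(self, pkt):
        """Outside -> inside for a packet arriving at a public address."""
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow in self.sessions:  # later packets of a connection stay on its server
            return replace(pkt, dst_ip=self.sessions[flow])
        hit = self.static_port.get((pkt.proto, pkt.dst_ip, pkt.dst_port))
        if hit is not None:
            return replace(pkt, dst_ip=hit[0], dst_port=hit[1])
        if pkt.dst_ip in self.static_addr:  # every port of the server is exposed
            return replace(pkt, dst_ip=self.static_addr[pkt.dst_ip])
        if pkt.proto == "tcp" and pkt.dst_ip in self.rotary:
            server = next(self.rotary[pkt.dst_ip])  # round-robin for a new TCP connection
            self.sessions[flow] = server
            return replace(pkt, dst_ip=server)
        return None  # unmapped: dropped, never handed to an inside host


def demo():
    """Constructed traffic against the Example 5 addresses, plus one port
    mapping in the style of Example 4 on the unused 202.110.198.85 (an
    assumption for the demo, not part of the article's configuration)."""
    nat = InboundTranslator()
    nat.add_rotary_pool("202.110.198.82", ["10.1.1.2", "10.1.1.3", "10.1.1.4"])  # websev
    nat.add_rotary_pool("202.110.198.83", ["10.1.1.8", "10.1.1.9"])              # ftpsev
    nat.add_static("10.1.1.20", "202.110.198.85", proto="tcp", inside_port=25, public_port=25)

    # four new web connections over three servers: the fourth wraps around
    web = [nat.translate(Packet("tcp", "198.51.100.7", 50000 + i, "202.110.198.82", 80)).dst_ip
           for i in range(4)]
    # a further packet of the first connection goes to the same server
    same_conn = nat.translate(Packet("tcp", "198.51.100.7", 50000, "202.110.198.82", 80)).dst_ip
    # rotary pools are TCP only: UDP to the rotary address has no translation
    udp_to_rotary = nat.translate(Packet("udp", "198.51.100.7", 5000, "202.110.198.82", 53))
    mail = nat.translate(Packet("tcp", "198.51.100.7", 5001, "202.110.198.85", 25))
    unmapped = nat.translate(Packet("tcp", "198.51.100.7", 5002, "202.110.198.85", 22))
    try:
        nat.add_static("10.1.1.21", "202.110.198.85", proto="tcp", inside_port=25, public_port=25)
        second_owner_refused = False
    except ValueError:
        second_owner_refused = True
    return web, same_conn, udp_to_rotary, mail, unmapped, second_owner_refused


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Run it as a script to print the six results of demo(). The UDP result is the caveat to keep in mind with rotary pools: only TCP connections are distributed, and because nothing is statically mapped to 202.110.198.82, such a packet has no translation at all and is dropped, in this model as on the router.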
