NAT analysis (intranet users access the server through domain names)

Source: Internet
Author: User

1. Environment assumptions

The intranet server has the private address 192.168.2.20. Port 80 of the server is mapped to port 80 of the public address 202.101.1.1, and the domain name www.sina.com has been registered for that address. The intranet PC has the IP address 192.168.2.2. The following commands are configured on the Internet port of the router:

    sys
    acl number 2000
     rule permit source 192.168.2.0 0.0.0.255
    quit
    int g0/0    // Internet port
     ip address 202.101.1.1 255.255.255.0
     nat server protocol tcp global 202.101.1.1 www inside 192.168.2.20 www
     nat outbound 2000
    quit

2. Topology

(The topology diagram of the original article is not reproduced on this page.)

3. Internet users can access the server through the domain name or the public IP address. The packet flow is as follows:

1. An Internet user initiates a connection to TCP port 80 of 202.101.1.1. The IP header is: source IP = the Internet user's public IP, destination IP = 202.101.1.1.
2. The packet is routed to the enterprise edge router. Because a port mapping is configured on the Internet port, the packet matches the mapping and the IP header becomes: source IP = the Internet user's public IP, destination IP = 192.168.2.20.
3. The packet is routed across the intranet to the server, and the server replies. The IP header of the reply is: source IP = 192.168.2.133, destination IP = the Internet user's public IP.
4. The reply passes through the border router. NAT Server has a higher priority than NAT Outbound, so when the reply reaches the router it first matches the session entry recorded by NAT Server and the IP header is translated to: source IP = 202.101.1.1, destination IP = the Internet user's public IP.
5. The reply is finally delivered to the user over the public network, and the access succeeds.

4. Intranet users cannot access the server through the domain name. The packet flow is as follows:

1. An intranet user sends a DNS request, and the domain name resolves to 202.101.1.1. The client sends its request with the IP header: source IP = 192.168.2.2, destination IP = 202.101.1.1.
2. When the packet reaches the router, the router has a directly connected route for 202.101.1.1, so the packet is handed straight to the Internet port. Because NAT Server is configured on the Internet port, the destination address is translated and the packet is sent to the server with the IP header: source IP = 192.168.2.2, destination IP = 192.168.2.20.
3. When the server receives the packet, it sees that the source address is a local address. It therefore does not reply from 202.101.1.1 but uses its own address 192.168.2.20 as the source. The reply has the IP header: source IP = 192.168.2.20, destination IP = 192.168.2.2. When this reply reaches the client, the client believes it requested data from 202.101.1.1; a packet arriving from 192.168.2.20 is not the data it asked for, so the packet is discarded. The TCP connection waits until it times out and the access fails.

To solve this problem, configure the intranet port as follows:

    acl number 3000
     rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.2.20 0
    quit
    int g0/1    // intranet port
     nat outbound 3000
     nat server protocol tcp global 202.101.1.1 www inside 192.168.2.20 www
    quit

After this configuration, access the server through the domain name from the intranet and observe the packet flow:

1. An intranet user sends a DNS request, the domain name resolves to 202.101.1.1, and the client sends its request with the IP header: source IP = 192.168.2.2, destination IP = 202.101.1.1.
2. The packet arrives at the intranet port of the router. It first matches the port mapping, and the destination address is replaced. The IP header is now: source IP = 192.168.2.2, destination IP = 192.168.2.20.
3. The router finds that the packet is destined for the intranet and forwards it out of the intranet port. There it matches the NAT Outbound rule, and the source address is replaced. The IP header is now: source IP = 192.168.2.1, destination IP = 192.168.2.20.
4. The server receives the packet and replies. The header of the reply is: source IP = 192.168.2.133, destination IP = 192.168.2.1.
5. When the reply reaches the router, the source and destination addresses are replaced according to the NAT Outbound and NAT Server session entries. The IP header becomes: source IP = 202.101.1.1, destination IP = 192.168.2.2.
6. When the reply reaches the client, both the destination and the source address are what the client expects, and the access succeeds.

Now assume that the line "nat server protocol tcp global 202.101.1.1 www inside 192.168.2.20 www" is not configured on the intranet port, and check whether the exchange can still complete. (On the MSR router the port mapping configuration is currently valid globally, so this command does not have to be configured on the intranet port.)

1. An intranet user sends a DNS request, the domain name resolves to 202.101.1.1, and the client sends its request with the IP header: source IP = 192.168.2.2, destination IP = 202.101.1.1.
2. The packet reaches the router. Because a port mapping is configured on the Internet port, the packet matches the mapping and the IP header becomes: source IP = 192.168.2.2, destination IP = 192.168.2.20.
3. The packet is routed to the intranet port of the router and matches the NAT Outbound rule. The source address is changed, giving: source IP = 192.168.2.1, destination IP = 192.168.2.20.
4. The packet is delivered to the server, and the server replies. The IP header of the reply is: source IP = 192.168.2.133, destination IP = 192.168.2.1.
5. When the router receives the reply, it matches the NAT Outbound session entry of the intranet port and changes the IP header to: source IP = 192.168.2.133, destination IP = 192.168.2.2.
6. The reply is handed directly to the client. Because its source address is not the address the client connected to, the client discards it, keeps waiting, the connection times out, and the access fails.
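The three packet flows above (Internet user with the initial configuration, intranet user before and after the intranet-port fix, and the variant with NAT Outbound but no NAT Server on the intranet port) can be replayed with a small model of the router's translation tables. The following Python program is an added example and is not part of the original article or of any vendor software. It uses the article's addresses plus a constructed public address for the Internet user (203.0.113.5), assumes the intranet port is 192.168.2.1 (the source the article shows after NAT Outbound on that port), and models the translation order exactly as the article describes it, including the assumption that the NAT Server mapping is only reversed on an interface where it is configured; a real Comware router may behave differently.

```python
from dataclasses import dataclass, replace

# Addresses from the article's topology (constructed lab values).
WAN_IP = "202.101.1.1"          # router Internet port; NAT Server global address
LAN_IP = "192.168.2.1"          # router intranet port; NAT Outbound source on that port (assumed)
SERVER = "192.168.2.20"         # web server private address
CLIENT = "192.168.2.2"          # intranet PC
INTERNET_USER = "203.0.113.5"   # constructed public address of an Internet user


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def in_lan(ip):
    """Source match of ACL 2000 / ACL 3000: 192.168.2.0 0.0.0.255."""
    return ip.startswith("192.168.2.")


class Router:
    """Toy MSR border router.

    server_ifaces:   interfaces carrying 'nat server protocol tcp global WAN_IP www inside SERVER www'
    outbound_ifaces: interfaces carrying 'nat outbound <acl>' (ACL 2000 on wan, ACL 3000 on lan)

    Forward path: the static NAT Server mapping is matched globally, then NAT Outbound
    is applied on the egress interface. Reply path: NAT Outbound state is undone on the
    interface that created it, and the NAT Server mapping is undone only when the reply
    leaves an interface that has NAT Server configured (the article's assumption).
    """

    def __init__(self, server_ifaces, outbound_ifaces):
        self.server_ifaces = set(server_ifaces)
        self.outbound_ifaces = set(outbound_ifaces)
        self.outbound_sessions = {}   # (translated src, sport) -> original src
        self.server_sessions = set()  # (original src, sport) that hit the NAT Server mapping

    @staticmethod
    def egress_iface(dst):
        return "lan" if in_lan(dst) else "wan"

    def forward(self, pkt):
        """Client -> server path. Returns (egress interface, packet as sent out)."""
        if pkt.dst == WAN_IP and pkt.dport == 80:          # NAT Server: DNAT to the inside address
            self.server_sessions.add((pkt.src, pkt.sport))
            pkt = replace(pkt, dst=SERVER)
        iface = self.egress_iface(pkt.dst)
        if iface in self.outbound_ifaces and in_lan(pkt.src):
            if iface == "wan":                               # ACL 2000: any intranet source
                new_src = WAN_IP
            elif pkt.dst == SERVER:                          # ACL 3000: intranet source -> server
                new_src = LAN_IP
            else:
                return iface, pkt
            self.outbound_sessions[(new_src, pkt.sport)] = pkt.src
            pkt = replace(pkt, src=new_src)
        return iface, pkt

    def reply(self, pkt):
        """Server -> client path. Returns (egress interface, packet as sent out)."""
        original = self.outbound_sessions.get((pkt.dst, pkt.dport))
        if original is not None:                             # undo NAT Outbound
            pkt = replace(pkt, dst=original)
        iface = self.egress_iface(pkt.dst)
        if (iface in self.server_ifaces and pkt.src == SERVER
                and (pkt.dst, pkt.dport) in self.server_sessions):   # undo NAT Server
            pkt = replace(pkt, src=WAN_IP)
        return iface, pkt


def access_by_public_address(router, client_ip):
    """client_ip connects to www.sina.com, i.e. WAN_IP:80.
    Returns (source address of the reply as the client sees it, accepted?)."""
    request = Packet(client_ip, WAN_IP, 40000, 80)
    _, at_server = router.forward(request)
    response = Packet(at_server.dst, at_server.src, 80, at_server.sport)  # server swaps addresses
    via_router = not in_lan(response.dst) or response.dst == LAN_IP
    seen = router.reply(response)[1] if via_router else response  # same subnet: delivered directly
    # The client only accepts a reply whose source is the address it connected to.
    return seen.src, seen.src == WAN_IP


def only_wan_configured():
    """Initial configuration: NAT Server and NAT Outbound on the Internet port only."""
    return Router(server_ifaces=["wan"], outbound_ifaces=["wan"])


def wan_and_lan_configured():
    """The fix: ACL 3000 NAT Outbound and NAT Server added on the intranet port."""
    return Router(server_ifaces=["wan", "lan"], outbound_ifaces=["wan", "lan"])


def lan_outbound_only():
    """Third scenario: NAT Outbound on the intranet port but no NAT Server there."""
    return Router(server_ifaces=["wan"], outbound_ifaces=["wan", "lan"])


if __name__ == "__main__":
    print("Internet user, WAN only:    ", access_by_public_address(only_wan_configured(), INTERNET_USER))
    print("Intranet user, WAN only:    ", access_by_public_address(only_wan_configured(), CLIENT))
    print("Intranet user, WAN + LAN:   ", access_by_public_address(wan_and_lan_configured(), CLIENT))
    print("Intranet user, LAN outbound:", access_by_public_address(lan_outbound_only(), CLIENT))
```

Only the second configuration returns a reply sourced from 202.101.1.1 to the intranet client; in the other two intranet cases the reply carries the server's private address and is dropped, which is the timeout the article describes. The reason the NAT Outbound on the intranet port matters is visible in the session table: it forces the server's reply back through the router instead of letting it go straight to the client on the shared subnet, which is what gives the router a chance to restore the public source address.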
