NAT basic IP address conversion Principle


6.2.1 NAT basic IP address translation principle
In general, NAT translates between a "local address" and a "global address", whichever direction the packet travels: from the internal network to the external network, or from the external network to the internal network. What differs between the two directions is which network the local and global addresses belong to, and which of the packet's two addresses (source or destination) is rewritten. See Figure 6-8. The translation is driven by mapping entries between local and global addresses held in the router's NAT table, so these mappings must be configured on the NAT router in advance.

The four address classes are the ones Cisco IOS uses. An inside local address is an internal host's address as seen on the internal network; an inside global address is the same host's address as seen from the external network. An outside local address is an external host's address as seen from the internal network; an outside global address is the same host's address as seen on the external network.

Figure 6-8 NAT basic address translation principle

When an internal user accesses the external network, the translation is between the "inside local address" and the "inside global address". When the NAT router receives a packet from an internal host, its source IP address (SA) is an inside local address and its destination IP address (DA) is an outside local address. When the packet is forwarded to the external network, the SA is rewritten to the inside global address and the DA to the outside global address. That is, both the SA and the DA of the packet are converted from local addresses to global addresses, as shown in the upper part of Figure 6-9.

Conversely, when an external user accesses the internal network, the translation is between the "outside global address" and the "outside local address". When the NAT router receives a packet from an external host, its SA is an outside global address and its DA is an inside global address; these are exactly the SA and DA of the internal-to-external packet with the two fields swapped. When the router forwards the packet into the internal network, the SA is rewritten to the outside local address and the DA to the inside local address, again the swap of the two fields of the outgoing packet. This is shown in the lower part of Figure 6-9.

Figure 6-9 NAT basic IP address translation principle

The above describes the NAT IP address translation principle in general. In real NAT deployments the source and destination addresses do not both have to be replaced; often only the source address or only the destination address is translated. The three cases are introduced below.

6.2.2 Inside address NAT translation principle

In most cases NAT is used so that many internal hosts can reach the external network through one registered IP address. For that, only inside address translation needs to be configured: the ip nat inside source command maps an "inside local address" to an "inside global address" (with either static NAT or dynamic NAT), so only the mapping between the two inside addresses is defined.

Figure 6-10 shows a simple NAT translation example. The goal is the following: when the s0 interface of the NAT router receives a packet whose SA is the inside local address 10.10.10.1 and whose DA is the outside local address 171.16.68.1, the router, when forwarding the packet out of the s1 interface, rewrites the SA from 10.10.10.1 to the inside global address 171.16.68.5 and leaves the DA unchanged.
In this process only the packet's SA is translated, from the inside local address to the inside global address; the translation is entirely between inside addresses.

Figure 6-10 A simple NAT translation example

In the reverse direction, when the router's outside interface s1 receives the external server's reply, whose SA is 171.16.68.1 and whose DA is the inside global address 171.16.68.5, the DA is rewritten to the inside local address 10.10.10.1 and the packet is forwarded on. Here only the DA is translated, from the inside global address to the inside local address, again between inside addresses only.

The following uses static NAT as an example of how to configure inside address translation; the full NAT configuration method is described later in this chapter.

(1) Use the ip nat inside source static global configuration command to enable static NAT based on the inside source address, that is, to define a one-to-one mapping between an inside local address and an inside global address.

Router(config)# ip nat inside source static 10.10.10.1 171.16.68.5
! --- Map the inside local address 10.10.10.1 to the inside global address 171.16.68.5; external hosts reach this internal host at 171.16.68.5

(2) Use the following two commands to make the router's s0 interface the NAT inside interface.

Router(config)# interface s0
! --- Enter configuration mode for serial interface s0
Router(config-if)# ip nat inside
! --- Mark s0 as the inside interface

(3) Use the following two commands to make s1 the NAT outside interface.

Router(config)# interface s1
! --- Enter configuration mode for serial interface s1
Router(config-if)# ip nat outside
! --- Mark s1 as the outside interface

(4) Use the show ip nat translations privileged-mode command to verify the configuration. The output lists the static entry just defined: inside local 10.10.10.1, inside global 171.16.68.5, consistent with the configuration.

Router# show ip nat translations
! --- In privileged mode, display the router's current NAT table
Pro  Inside global      Inside local       Outside local      Outside global
---  171.16.68.5        10.10.10.1         ---                ---

If an internal host now pings the external host 171.16.68.1, packets are forwarded from the internal network to the external network, and show ip nat translations additionally shows an icmp entry for that flow. Because no outside local/global mapping is configured, the outside local and outside global columns are identical, both showing the pinged host 171.16.68.1. The number after each colon (15 here) is the ICMP identifier, which NAT records so that replies can be matched to requests; for TCP and UDP flows it would be the port number.

Router# show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 171.16.68.5:15    10.10.10.1:15      171.16.68.1:15     171.16.68.1:15
---  171.16.68.5        10.10.10.1         ---                ---

With this configuration, a packet sent from the internal network to the external network has only its SA translated when it passes the router (from the inside local address 10.10.10.1 to the inside global address 171.16.68.5); its DA is unchanged. The reply from the external network has only its DA translated (from the inside global address 171.16.68.5 to the inside local address 10.10.10.1); its SA is unchanged. This is because no outside local/global mapping has been configured on the NAT router. Figure 6-11 shows how the SA and DA are translated in each direction.

Figure 6-11 Inside address NAT translation example

[Experience] With inside-address-only translation, whichever direction a packet travels, the address that changes is always an inside address. Which field changes depends on where the packet comes from: for a packet from the internal network it is the source address; for a packet from the external network it is the destination address.

[Note] A static inside source mapping is a permanent, bidirectional binding. The internal host 10.10.10.1 is reachable from the external network at 171.16.68.5 on every port, whether or not it initiated the conversation, so the translation by itself provides no access control. If the host must only answer traffic it initiated, or only specific services, restrict reachability with an access list on the outside interface (or a firewall) rather than relying on the private address being hidden.
6.2.3 Outside address NAT translation principle

When the company's servers are on the internal network and use private addresses, and external users need to reach them, the ip nat outside source command can be used to configure the translation between an "outside global address" and an "outside local address" (again with either static NAT or dynamic NAT). Outside address translation is the mirror image of the inside address translation described in the previous section: only outside addresses (an outside local address and an outside global address) are defined.

The following example also uses Figure 6-10. The goal is: when the router's outside interface s1 receives a packet from an external user whose SA is the outside global address 171.16.68.1 and whose DA is 10.10.10.1, the router, when forwarding the packet out of s0, rewrites the SA to the outside local address 10.10.10.5 (outside global to outside local) and leaves the DA unchanged, so only the SA is translated. In the reply sent by the internal user, only the DA is translated (outside local to outside global) and the SA is unchanged.

The following uses static NAT as an example of how to configure outside address translation; the full NAT configuration method is described later in this chapter.

(1) Use the ip nat outside source static global configuration command to enable static NAT based on the outside source address, that is, to define the mapping between an outside global address and an outside local address.

Router(config)# ip nat outside source static 171.16.68.1 10.10.10.5
! --- Map the outside global address 171.16.68.1 to the outside local address 10.10.10.5; internal hosts see and reach the external host 171.16.68.1 as 10.10.10.5

(2) Use the following two commands to make the router's s0 interface the NAT inside interface.

Router(config)# interface s0
Router(config-if)# ip nat inside

(3) Use the following two commands to make s1 the NAT outside interface.

Router(config)# interface s1
Router(config-if)# ip nat outside

[Note] For a given NAT network the inside and outside interfaces of the router are fixed; they do not change with the direction of communication. In the inside address translation example above, s0 was likewise the inside interface and s1 the outside interface.

A practical point the chapter's example does not show: for the internal network to reach the outside local address 10.10.10.5, the router needs a route for 10.10.10.5 that points toward the outside interface, otherwise packets addressed to it are never forwarded to s1 for translation. Cisco IOS accepts an add-route keyword on ip nat outside source static that installs such a host route.

(4) Use the show ip nat translations privileged-mode command to verify the configuration. The output shows the outside local address 10.10.10.5 and the outside global address 171.16.68.1, consistent with the configuration.

Router# show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
---  ---                ---                10.10.10.5         171.16.68.1

Similarly, if the external host 171.16.68.1 pings the internal host 10.10.10.1 and show ip nat translations is then run in privileged mode, the following is displayed. Because only the outside local and outside global addresses are configured, the inside local and inside global columns of the icmp entry are identical, both showing the ping target 10.10.10.1.

Router# show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 10.10.10.1:37     10.10.10.1:37      10.10.10.5:37      171.16.68.1:37
---  ---                ---                10.10.10.5         171.16.68.1

Opposite to the inside-address-only configuration above, a packet sent from the external network to the internal network has its SA translated when it passes the router (from the outside global address 171.16.68.1 to the outside local address 10.10.10.5) while its DA is unchanged; the reply sent from the internal network to the external network has its SA unchanged and its DA translated (from the outside local address 10.10.10.5 to the outside global address 171.16.68.1). This is because no inside local/global mapping has been configured on the NAT router. Figure 6-12 shows how the SA and DA are translated in each direction.

[Experience] With outside-address-only translation, whichever direction a packet travels, the address that changes is always an outside address. Which field changes again depends on where the packet comes from: for a packet from the internal network it is the destination address; for a packet from the external network it is the source address. This is the reverse of the inside address translation in the previous section.
Figure 6-12 Outside address NAT translation example

6.2.4 Principle of simultaneous inside and outside address NAT translation

The following describes the principle and basic configuration steps for translating inside and outside addresses at the same time. This uses the ip nat inside source command to define the translation between the "inside global address" and the "inside local address", and the ip nat outside source command to define the translation between the "outside global address" and the "outside local address" (either with static NAT or dynamic NAT). With both configured, the SA and the DA of a packet change at the same time, whichever direction the packet travels. This is mainly used for NAT in overlapping networks; that configuration is described in Section 6.6 of this chapter.

Take the basic network in Figure 6-10 as an example. The goal is: when the router's s0 interface receives a packet from the internal network whose SA is 10.10.10.1 and whose DA is the outside local address 10.10.10.5, then before forwarding it out of s1 the SA is translated to the inside global address 171.16.68.5 and the DA to the outside global address 171.16.68.1. When the router's outside interface s1 receives a packet from the external network whose SA is 171.16.68.1 and whose DA is 171.16.68.5, the SA is translated to the outside local address 10.10.10.5 and the DA to the inside local address 10.10.10.1.

The following uses static NAT as an example of configuring simultaneous inside and outside address translation (dynamic NAT can be used instead; its configuration is described later in this chapter).

Router(config)# ip nat inside source static 10.10.10.1 171.16.68.5
! --- Map the inside local address 10.10.10.1 to the inside global address 171.16.68.5; external hosts reach the internal host at 171.16.68.5
Router(config)# ip nat outside source static 171.16.68.1 10.10.10.5
! --- Map the outside global address 171.16.68.1 to the outside local address 10.10.10.5; internal hosts reach the external host at 10.10.10.5
Router(config)# interface s0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface s1
Router(config-if)# ip nat outside
Router(config-if)# end
Router# show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
---  ---                ---                10.10.10.5         171.16.68.1
---  171.16.68.5        10.10.10.1         ---                ---

Similarly, if the internal host pings the external host and the external host pings the internal host, and show ip nat translations is then run in privileged mode, the following is displayed. Because both the inside and the outside mappings are configured, two static entries appear, plus one icmp entry per ping. In the entry created by the external host's ping, the inside local and inside global columns are identical; in the entry created by the internal host's ping, the outside local and outside global columns are identical; in each case the identical value is that ping's target address.

Router# show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 10.10.10.1:4      10.10.10.1:4       10.10.10.5:4       171.16.68.1:4
icmp 171.16.68.5:39    10.10.10.1:39      171.16.68.1:39     171.16.68.1:39
---  ---                ---                10.10.10.5         171.16.68.1
---  171.16.68.5        10.10.10.1         ---                ---

In these captures each host pinged the other's real address (10.10.10.1 and 171.16.68.1) rather than its mapped address, so only the source side of each entry was translated. A ping from 10.10.10.1 to the outside local address 10.10.10.5 would instead produce an entry whose four columns read 171.16.68.5, 10.10.10.1, 10.10.10.5, 171.16.68.1, which is the full double translation described above.

With this configuration, whichever direction a packet is sent, both its SA and its DA change, as shown in Figure 6-13. In a packet sent from the internal network to the external network, the SA is translated from the inside local address (10.10.10.1) to the inside global address (171.16.68.5) and the DA from the outside local address (10.10.10.5) to the outside global address (171.16.68.1). In a packet sent from the external network to the internal network, the SA is translated from the outside global address (171.16.68.1) to the outside local address (10.10.10.5) and the DA from the inside global address (171.16.68.5) to the inside local address (10.10.10.1). The SA and DA translation in the two directions is shown in Figures 6-14 and 6-15 respectively.

Figure 6-13 NAT translation example after both inside and outside address translation are configured

Figure 6-14 Address translation when packets are sent from the internal network to the external network

Figure 6-15 Address translation when packets are sent from the external network to the internal network

Comparing Figures 6-14 and 6-15, the SA translation in Figure 6-14 is exactly the reverse of the DA translation in Figure 6-15, and the DA translation in Figure 6-14 is exactly the reverse of the SA translation in Figure 6-15. More generally, the address translation applied to packets sent from the internal network to the external network is from local addresses to global addresses, that is, from the addresses used on the internal side to the addresses used on the external side; the translation applied to packets sent from the external network to the internal network is from global addresses to local addresses, that is, from the addresses used on the external side to the addresses used on the internal side.
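The following is an added example, not part of the original chapter, that models the three configurations of sections 6.2.2, 6.2.3 and 6.2.4 in Python so the rewriting rules can be checked without a router. It uses the chapter's addresses and interface names (s0 inside, s1 outside); the Packet and StaticNatRouter classes and the method names are this example's own and are not IOS commands or APIs. Each forwarded packet also records a flow entry in the column order of show ip nat translations, so the rendered table can be compared with the router output above.

```python
"""Toy model of the NAT address rewriting described in sections 6.2.2 to 6.2.4.

Added example, not part of the original chapter. One inside interface (s0), one
outside interface (s1), the two static mapping commands the chapter uses, and
the four address classes Cisco IOS reports in 'show ip nat translations'.
Class and function names are this example's own, not IOS commands or APIs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str            # source IP address (SA)
    dst: str            # destination IP address (DA)
    proto: str = "icmp"
    ident: int = 0      # ICMP identifier or L4 port; static NAT leaves it unchanged


class StaticNatRouter:
    """'ip nat inside source static' and 'ip nat outside source static' on one router."""

    def __init__(self, inside_iface="s0", outside_iface="s1"):
        self.inside_iface = inside_iface     # interface configured with 'ip nat inside'
        self.outside_iface = outside_iface   # interface configured with 'ip nat outside'
        self.inside_src = {}    # inside local  -> inside global
        self.outside_src = {}   # outside global -> outside local
        self.static_rows = []   # 'show ip nat translations' rows with Pro '---'
        self.dynamic_rows = []  # per-flow rows created when a packet is forwarded

    def inside_source_static(self, inside_local, inside_global):
        """Router(config)# ip nat inside source static <inside-local> <inside-global>"""
        self.inside_src[inside_local] = inside_global
        self.static_rows.append(("---", inside_global, inside_local, "---", "---"))

    def outside_source_static(self, outside_global, outside_local):
        """Router(config)# ip nat outside source static <outside-global> <outside-local>"""
        self.outside_src[outside_global] = outside_local
        self.static_rows.append(("---", "---", "---", outside_local, outside_global))

    def forward(self, pkt, ingress):
        """Rewrite pkt as the router forwards it, record the flow, return the egress packet."""
        tag = f":{pkt.ident}"
        if ingress == self.inside_iface:
            # inside -> outside: SA inside local -> inside global, DA outside local -> outside global
            to_outside_global = {loc: glob for glob, loc in self.outside_src.items()}
            new_src = self.inside_src.get(pkt.src, pkt.src)
            new_dst = to_outside_global.get(pkt.dst, pkt.dst)
            row = (pkt.proto, new_src + tag, pkt.src + tag, pkt.dst + tag, new_dst + tag)
        elif ingress == self.outside_iface:
            # outside -> inside: SA outside global -> outside local, DA inside global -> inside local
            to_inside_local = {glob: loc for loc, glob in self.inside_src.items()}
            new_src = self.outside_src.get(pkt.src, pkt.src)
            new_dst = to_inside_local.get(pkt.dst, pkt.dst)
            row = (pkt.proto, pkt.dst + tag, new_dst + tag, new_src + tag, pkt.src + tag)
        else:
            raise ValueError(f"{ingress} is neither the inside nor the outside NAT interface")
        if row not in self.dynamic_rows:     # a reply matches the request's entry
            self.dynamic_rows.append(row)
        return Packet(new_src, new_dst, pkt.proto, pkt.ident)

    def show_ip_nat_translations(self):
        """Render the table in the column order of the IOS command."""
        header = ("Pro", "Inside global", "Inside local", "Outside local", "Outside global")
        rows = [header] + self.dynamic_rows + self.static_rows
        return "\n".join("{:<5}{:<19}{:<19}{:<19}{}".format(*r) for r in rows)


def run_chapter_examples():
    """Replay the three configurations (6.2.2, 6.2.3, 6.2.4) with the chapter's addresses."""
    results = {}

    r = StaticNatRouter()                                   # 6.2.2: inside addresses only
    r.inside_source_static("10.10.10.1", "171.16.68.5")
    out = r.forward(Packet("10.10.10.1", "171.16.68.1", ident=15), "s0")
    back = r.forward(Packet("171.16.68.1", out.src, ident=15), "s1")
    results["inside_only"] = (out, back, r.show_ip_nat_translations())

    r = StaticNatRouter()                                   # 6.2.3: outside addresses only
    r.outside_source_static("171.16.68.1", "10.10.10.5")
    out = r.forward(Packet("171.16.68.1", "10.10.10.1", ident=37), "s1")
    back = r.forward(Packet("10.10.10.1", out.src, ident=37), "s0")
    results["outside_only"] = (out, back, r.show_ip_nat_translations())

    r = StaticNatRouter()                                   # 6.2.4: both, as in overlapping networks
    r.inside_source_static("10.10.10.1", "171.16.68.5")
    r.outside_source_static("171.16.68.1", "10.10.10.5")
    out = r.forward(Packet("10.10.10.1", "10.10.10.5", ident=4), "s0")
    back = r.forward(Packet(out.dst, out.src, ident=4), "s1")
    results["both"] = (out, back, r.show_ip_nat_translations())
    return results


if __name__ == "__main__":
    for name, (out, back, table) in run_chapter_examples().items():
        print(f"== {name}: request leaves as {out.src} -> {out.dst}, "
              f"reply leaves as {back.src} -> {back.dst}")
        print(table)
```

Running the file prints, for each configuration, the egress addresses of a request and its reply followed by the rendered table. The inside-only and outside-only runs reproduce the icmp entries shown earlier, with the untranslated side's two columns identical; the third run sends the request to the outside local address 10.10.10.5 and so shows all four columns different. The reply is forwarded with the request's own addresses swapped, and because the entry it produces is identical to the request's, the table keeps a single row per flow, which is how a static binding lets the router match replies to requests in both directions.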
