NAT (Network address translation) implementation

NAT Basic Description:

Network Address translation (Nat,network addressing translation) is an Access wide area network (WAN) technology. is a conversion technology that converts a private (reserved) address into a legitimate IP address, which is widely used in various types of Internet access and various types of networks. The reason is very easy,nat not only perfectly solve the problem of LP address shortage, but also can effectively avoid attacks from outside the network, hide and protect the computer inside the network.

with Nat, the private (reserved) address of the "internal" network sends packets through the router. Private addresses are converted to legitimate IP addresses, and a local area network can only use a small number of IP addresses (or even 1) to realize the communication needs of all computers and the Internet in a private address network.

NAT will voluntarily alter the source IP address and destination IP address of the IP message itself. The IP address check is actively completed during NAT processing. Some applications embed the source IP address in the data portion of the IP packet, so it is also necessary to change the data portion of the message at the same time. To match the source IP address that has been changed in the IP header .

Otherwise, applications that embed the IP address in the message data will not work properly.

Three ways to implement NAT:

There are three ways to implement NAT, namely static translation of the statically NAT, dynamic NAT and Port multiplexing overload.

Static conversion refers to the conversion of the private IP address of the internal network to a public IP address, the IP address pair is one-to-one, is immutable, a private IP address is only converted to a public IP address. The use of static transformations enables external networks to access certain devices (such as servers) within the internal network.
Dynamic conversion means that when the private IP address of the internal network is converted to a public IP address, the IP address is indeterminate and is random. All authorized access the private IP address on the Internet can be randomly converted to whatever legal IP address is specified. That is, just specify which internal addresses can be converted, and which legal addresses to use as external addresses. can be dynamically converted. Dynamic conversions can use multiple legitimate sets of external addresses. When the ISP provides a legitimate IP address that is slightly less than the number of computers inside the network. Be able to use the dynamic conversion method.

Port Multiplexing (port address Translation,pat) refers to changing the source port of an out-of-Office packet and port conversion, which is the port translation (Pat,port. translation). The port multiplexing method is used. All hosts on the internal network can share a legitimate external IP address to access the Internet, thereby maximizing the savings in IP address resources.

At the same time, you can hide all the hosts inside the network. Effectively avoid attacks from the Internet.

So. The most widely used network is the port multiplexing method.

I. implementation of static address translation

If the LP address segment used by the internal LAN is 192.168.0.1~192.168.0.254, the IP address of the router LAN side (that is, the default gateway) is 192.168.0.1. The subnet mask is 255.255.255.0.

The legal IP address range for network allocation is 61.159.62.128~ 61.159.62.135, the IP address of the router in the WAN is 61.159.62.129, the subnet mask is 255.255.255.248 and the IP address range used for the conversion is 61.159.62.130~61.159.62.134.

The internal URL 192.168.0.2~192.168.0.6 is required to be converted to the legal IP address 61.159.62.130~61.159.62.134 respectively.
>>> first step, set the external port.
Interface Serial 0
IP address 61.159.62.129 255.255.255.248
IP Nat Outside
>>> second step. Set the internal port.
Interface Ethernet 0
IP address 192.168.0.1 255.255.255.0
IP nat Inside
>>> The third step is to establish a static address translation between the internal local and external legitimate addresses.
IP nat inside source static internal local address internal legal address.
Demo Sample:
IP nat inside source static 192.168.0.2 61.159.62.130//Convert Internal network address 192.168.0.2 to a legitimate IP address 61.159.62.130
IP nat inside source static 192.168.0.3 61.159.62.131//Convert Internal network address 192.168.0.3 to a legitimate IP address 61.159.62.131
IP nat inside source static 192.168.0.4 61.159.62.132//Convert Internal network address 192.168.0.4 to a legitimate IP address 61.159.62.132
IP nat inside source static 192.168.0.5 61.159.62.133//Convert Internal network address 192.168.0.5 to a legitimate IP address 61.159.62.133
IP nat inside source static 192.168.0.6 61.159.62.134//Convert Internal network address 192.168.0.6 to a legitimate IP address 61.159.62.134
So far. Static address translation configuration is complete.

Ii. Implementation of dynamic address translation

If the internal network uses an IP address segment of 172.16.100.1~172.16.100.254, the IP address of the router LAN port (that is, the default gateway) is 172.16.100.1, the subnet mask is 255.255.255.0. The legal IP address range for network allocation is 61.159.62.128~ 61.159.62.191, the router's IP address in the WAN is 61.159.62.129, the subnet mask is 255.255.255.192, and the IP address range that can be used for the conversion is 61.159.62.130~61.159.62.190.

Requires that the internal URL 172.16.100.1~172.16.100.254 be dynamically converted to a legitimate IP address 61.159.62.130~61.159.62.190.
>>> first step, set the external port.

The syntax for setting the external Port command is as follows:
IP Nat Outside
Demo Sample:
Interface serial 0//Enter serial portserial 0
IP address 61.159.62.129 255.255.255.192//to specify 61.159.62.129, subnet mask is 255.255.255.192
IP NAT outside//set serial port serial 0 to external port
Note that you can define multiple external ports.

>>> second step. Set the internal port.

The syntax for setting internal interface commands is as follows:
IP nat Inside
Demo Sample:
Interface Ethernet 0//Enter Ethernet Portethernet 0
IP address 172.16.100.1 255.255.255.0//assigns its IP addresses to 172.16.100.1. Subnet mask is 255.255.255.0
IP NAT inside//Ethernet 0 is set to intranet port.
Attention. Ability to define multiple internal ports.

>>> The third step, define a legitimate IP address pool.
The syntax for defining a legitimate IP address pool command is as follows:
IP NAT Pools Address pool name Start IP address End IP Address subnet mask
Of Address pool name can be set arbitrarily.
Demo Sample:
IP nat Pool chinanet 61.159.62.130 61.159.62.190 netmask 255.255.255.192//Indicates the name of the address buffer pool is CHINANET,IP address range of 61.159.62.130~ 61.159.62.190. The subnet mask is 255.255.255.192. It is important to note that even if the mask is 255.255.255.0, the IP address pool is also limited by the starting IP address and the terminating IP address.
or IP NAT pool Test 61.159.62.130 61.159.62.190 prefix-length 26
Note that it is assumed that there are multiple legitimate IP address ranges that can be added separately.

For example, suppose another legal IP address range is "211.82.216.1~211.82.216.254", then. It can be added to the buffer pool again by the following command.

IP nat Pool cernet 211.82.216.1 211.82.216.254 netmask 255.255.255.0
Or
IP NAT Pool Test 211.82.216.1 211.82.216.254 prefix-length 24
>>> Fourth step. Define an access list in your internal network that agrees to access the Internet.
The syntax for defining an internal access List command is as follows:
Access-list designator Permit Source address wildcard (in which the label is an integer between 1~99)
Access-list 1 Permit 172.16.100.0 0.0.0.255//Agree to access the Internet segment as 172.16.100.0~172.16.100.255, with an anti-mask of 0.0.0.255. It is important to note that. The inverse mask, not the subnet mask, is used here. The inverse mask is related to the subnet mask: the anti-mask + subnet mask =255.255.255.255.

For example, the subnet mask is 255.255.0.0, then the anti-mask is 0.0.255.255. The subnet mask is 255.0.0.0, then the anti-mask is 0.255.255.255. The subnet mask is 255.252.0.0, then the anti-mask is 0.3.255.255. The subnet mask is 255.255.255.192, then the anti-mask is 0.0.0.63.
In addition, it is assumed that multiple IP address segments can be converted to legitimate IP addresses to include multiple access lists. For example, when you want to convert 172.16.98.0~172.16.98.255 and 172.16.99.0~172.16.99.255 to a legitimate IP address, you should include the following command:
Access-list2 Permit 172.16.98.0 0.0.0.255
ACCESS-LIST3 Permit 172.16.99.0 0.0.0.255
>>> Fifth Step. Implement network address translation.

In global settings mode. The fourth step is address translation by the internal local address list specified by Access-list and the legitimate IP address pool specified in step three.

The command syntax is as follows:
IP NAT inside source list Checklist Label pool internal legal address pool name
Demo Sample:
IP nat inside source list 1 pool chinanet
Suppose there are multiple internal access lists that can be added one by one to achieve network address translation. Such as
IP nat inside source List 2 pool chinanet
IP nat inside source list 3 pool chinanet
Assuming that there are multiple address pools, you can also join one by one to add a legitimate address pool range, such as
IP nat inside source list 1 pool cernet
IP nat inside source List 2 pool cernet
IP nat inside source list 3 pool cernet
At this point, the dynamic address translation setting is complete.

Iii. Port multiplexing dynamic address translation (PAT)

The IP address segment used by the internal network is 10.100.100.1~10.100.100.254, and the IP address of the router LAN port (that is, the default gateway) is 10.100.100.1, the subnet mask is 255.255.255.0.

The network assignment's legal IP address range is 202.99.160.0~202.99.160.3. The IP address in the router Wan is 202.99.160.1, the subnet mask is 255.255.255.252, the IP address that can be used for the conversion is 202.99.160.2. Requires that the internal URL 10.100.100.1~10.100.100.254 be converted to a legitimate IP address of 202.99.160.2.

>>> first step, set the external port.

Interface Serial 0
IP address 202.99.160.1 255.255.255.252
IP Nat Outside
>>> The second step, set the internal port.
Interface Ethernet 0
IP address 10.100.100.1 255.255.255.0
IP nat Inside
>>> The third step, define a legitimate IP address pool.
IP nat Pool Onlyone 202.99.160.2 202.99.160.2 netmask 255.255.255.252
Indicates that the name of the address buffer pool is a ONLYONE,IP address range of 202.99.160.2 with a subnet mask of 255.255.255.252. Because this example has only one IP address available. Therefore, both the starting IP address and the terminating IP address are 202.99.160.2.

If you have more than one IP address, you should type the IP address to start and end separately.
>>> Fourth, define the internal interview column.

Access-list 1 Permit 10.100.100.0 0.0.0.255
Agree to visit Internetr the network segment is 10.100.100.0~10.100.100.255, the subnet mask is 255.255.255.0. It is important to note that in this case the subnet mask is in the opposite order of the usual writing, that is, 0.0.0.255.
>>> Fifth Step, set the multiplexed dynamic address translation.
In global settings mode. Set up a multiplexed dynamic address translation between the internal local address and the internal legitimate IP address. The command syntax is as follows:
IP nat inside the source list access list number pool internal legal address pool name overload
Demo Sample:
IP nat inside source List1 Pool Onlyone overload//Port multiplexing. Convert the private IP address in the Access list 1 to the legal IP address defined in the Onlyone IP address pool.
Note: Overload is the key word for multiplexed dynamic address translation.

At this point, the port multiplexing dynamic address translation is complete.

It can also be written like this:
IP nat inside source list 1 interface serial 0 overload

Copyright notice: This article blog original articles, blogs, without consent, may not be reproduced.

NAT (Network address translation) implementation