NAT (Network Address Translation) Implementation

Labels: TCPIP

Basic Introduction to Nat:

NAT (Network Address Translation) is a WAN technology used to convert private (retained) addresses into valid IP addresses, it is widely used in various types of Internet access methods and networks. The reason is simple. Nat not only perfectly solves the problem of insufficient LP addresses, but also effectively avoids attacks from outside the network and hides and protects computers inside the network.

With the help of NAT, when a "internal" network with a private (retained) Address sends data packets through a router, the private address is converted to a valid IP address. a lan only needs to use a small number of IP addresses (or even one) the communication between all computers in the private address network and the Internet can be realized.

Nat automatically modifies the source IP address and destination IP address of the IP packet. The IP address verification is completed automatically during the NAT process. Some applications embed the source IP address into the data part of the IP Message. Therefore, you also need to modify the data part of the packet to match the source IP address that has been modified in the IP header. Otherwise, the application that embeds IP addresses in packet data cannot work normally.

Three Nat implementation methods:

There are three Nat implementation methods: static translation static Nat, dynamic translation dynamic Nat, and port multiplexing overload.
Static conversion refers to converting private IP addresses in the internal network to public IP addresses. IP address pairs are one-to-one and remain unchanged. A private IP address is only converted to a public IP address. Static conversions allow external networks to access certain devices (such as servers) in the internal network.
Dynamic conversion refers to the process of converting a private IP address of an internal network to a public IP address. The IP address is random and uncertain, all private IP addresses authorized to access the Internet can be randomly converted to any specified legal IP address. That is to say, dynamic conversion can be performed as long as you specify which internal addresses can be converted and which legitimate addresses can be used as external addresses. Multiple valid external address sets can be used for dynamic conversion. When the valid IP addresses provided by the ISP are slightly less than the number of computers in the network. You can use a dynamic conversion method.
Port address translation (PAT) is used to change the source port of an outbound packet and perform port conversion, that is, port address translation (Pat, port address translation ). port multiplexing is used. All hosts in the internal network can share a valid external IP address to access the Internet, thus saving IP Address resources to the maximum extent. At the same time, all hosts in the network can be hidden to effectively prevent attacks from the Internet. Therefore, port multiplexing is the most widely used network.

I.Static address translation implementation

Assume that the LP address segment used by the internal LAN is 192.168.0.1 ~ 192.168.0.254: the IP address of the Local Area Network (Default Gateway) of the router is 192.168.0.1, And the subnet mask is 255.255.255.0. The valid network IP address range is 61.159.62.128 ~ 61.159.62.135: the IP address of the router in the Wan is 61.159.62.129, And the subnet mask is 255.255.255.255.248. The IP address range for conversion is 61.159.62.130 ~ 61.159.62.134. Request that the internal website address 192.168.0.2 ~ 192.168.0.6 is converted to a valid IP address 61.159.62.130 ~ 61.159.62.134.
>>> Step 1: Set the external port.
Interface serial 0
IP address 61.159.62.129 255.255.255.248
Ip nat outside
>>> Step 2: Set the internal port.
Interface Ethernet 0
IP address 192.168.0.1 255.255.255.0
Ip nat inside
>>> Step 3: Create a static address conversion between the internal and external valid addresses.
Ip nat inside source static the internal local address is a valid address.
Example:
Ip nat inside source static 192.168.0.2 61.159.62.130 // convert the internal network address 192.168.0.2 to a valid IP address 61.159.62.130
Ip nat inside source static 192.168.0.3 61.159.62.131 // convert the internal network address 192.168.0.3 to a valid IP address 61.159.62.131
Ip nat inside source static 192.168.0.4 61.159.62.132 // convert the internal network address 192.168.0.4 to a valid IP address 61.159.62.132
Ip nat inside source static 192.168.0.5 61.159.62.20.// convert the internal network address 192.168.0.5 to a valid IP address 61.159.62.20.
Ip nat inside source static 192.168.0.6 61.159.62.134 // convert the internal network address 192.168.0.6 to a valid IP address 61.159.62.134
So far, static address translation configuration is complete.

II.Implementation of Dynamic Address Translation

Assume that the IP address segment used by the internal network is 172.16.100.1 ~ 172.16.100.254, the IP address of the router LAN port (that is, the default gateway) is 172.16.100.1, And the subnet mask is 255.255.255.0. The valid network IP address range is 61.159.62.128 ~ 61.159.62.191: the IP address of the router in the Wan is 61.159.62.129, The subnet mask is 255.255.255.255.192, And the IP address range that can be used for conversion is 61.159.62.130 ~ 61.159.62.190. The internal website must be 172.16.100.1 ~ 172.16.100.254 dynamic conversion to a valid IP address 61.159.62.130 ~ 61.159.62.190.
>>> Step 1: Set the external port.
The syntax for setting the external PORT command is as follows:
Ip nat outside
Example:
Interface serial 0 // enter the serial port serial 0
IP address 61.159.62.129 255.255.255.255.192 // specify the IP address as 61.159.62.129 and the subnet mask as 255.255.255.255.192
Ip nat outside // set serial port serial 0 to an Internet Port
Note: Multiple external ports can be defined.
>>> Step 2: Set the internal port.
The syntax for setting internal interface commands is as follows:
Ip nat inside
Example:
Interface Ethernet 0 // enter Ethernet port ethernet 0
IP address 172.16.100.1 255.255.255.0 // set the IP address to 172.16.100.1 and the subnet mask to 255.255.255.0.
Ip nat inside // set Ethernet 0 to an intranet port.
Note: multiple internal ports can be defined.

>>> Step 3: Define a valid IP address pool.
The syntax for defining a valid IP address pool command is as follows:
Ip nat pool address pool name start IP address end IP address Subnet Mask
The address pool name can be set at will.
Example:
Ip nat pool Chinanet 61.159.62.130 61.159.62.190 netmask 255.255.255.192 // specify the Address Buffer Pool name as Chinanet and the IP address range is 61.159.62.130 ~ 61.159.62.190. The subnet mask is 255.255.255.255.192. Note that, even if the mask is 255.255.255.0, the IP address pool is restricted by the starting IP address and ending IP address.
Or ip nat pool test 61.159.62.130 61.159.62.190 prefix-length 26
NOTE: If there are multiple valid IP address ranges, you can add them separately. For example, if a valid IP address range is "211.82.216.1 ~ 211.82.216.254 ", you can use the following command to add it to the buffer pool.
Ip nat pool CERNET 211.82.216.1 211.82.216.254 netmask 255.255.255.0
Or
Ip nat pool test 211.82.216.1 211.82.216.254 prefix-length 24
>>> Step 4: Define the Internet access list in the internal network.
The syntax for defining the internal access LIST command is as follows:
Access-list label: permit source address wildcard (where the number is 1 ~ An integer between 99)
Access-List 1 permit 172.16.100.0 0.0.255 // The CIDR block that allows Internet access is 172.16.100.0 ~ 172.16.100.255, the anti-mask is 0.0.255. Note that the anti-mask instead of the subnet mask is used here. The relationship between the anti-mask and the subnet mask is: the anti-mask + subnet mask = 255.255.255.255. For example, if the subnet mask is 255.255.0.0, the anti-mask is 0.0.255.255; if the subnet mask is 255.0.0.0, the anti-mask is 0.255.255.255; if the subnet mask is 255.252.0.0, the anti-mask is 0.3.255.255; The subnet mask is 255.255, the anti-mask is 0.0.63.
In addition, if you want to convert multiple IP address segments to valid IP addresses, you can add multiple access lists. For example ~ 172.16.98.255 and 172.16.99.0 ~ To convert 172.16.99.255 to a valid IP address, add the following command:
Access-list2 permit 172.16.98.0 0.0.0.255
Access-list3 permit 172.16.99.0 0.0.0.255
>>> Step 5: Implement Network Address Translation.
In global setting mode, convert the internal local address list specified by access-list to the valid IP address pool specified by step 3. The command syntax is as follows:
Ip nat inside source list access list entry valid address pool name inside pool
Example:
Ip nat inside source list 1 pool Chinanet
If there are multiple internal access lists, you can add them one by one to achieve network address translation, as shown in figure
Ip nat inside source list 2 pool Chinanet
Ip nat inside source list 3 pool Chinanet
If there are multiple address pools, you can also add them one by one to increase the valid address pool range, as shown in figure
Ip nat inside source list 1 pool CERNET
Ip nat inside source list 2 pool CERNET
Ip nat inside source list 3 pool CERNET
Now, the dynamic address translation settings are complete.

III.Port multiplexing Dynamic Address Translation (PAT)

The IP address range used by the internal network is 10.100.100.1 ~ 10.100.100.254, the IP address of the router LAN port (that is, the default gateway) is 10.100.100.1, And the subnet mask is 255.255.255.0. The valid network IP address range is 202.99.160.0 ~ 202.99.160.3: the IP address in the vro Wan is 202.99.160.1, The subnet mask is 255.255.255.252, And the IP address used for conversion is 202.99.160.2. The internal website 10.100.100.1 ~ is required ~ 10.100.100.254 to a valid IP address 202.99.160.2.
>>> Step 1: Set the external port.
Interface serial 0
IP address 202.99.160.1 255.255.255.252
Ip nat outside
>>> Step 2: Set the internal port.
Interface Ethernet 0
IP address 10.100.100.1 255.255.255.0
Ip nat inside
>>> Step 3: Define a valid IP address pool.
Ip nat pool onlyone 202.99.160.2 202.99.160.2 netmask 255.255.255.252
// Specify the Address Buffer Pool name as onlyone, the IP address range is 202.99.160.2, And the subnet mask is 255.255.255.252. In this example, only one IP address is available, so the start IP address and end IP address are both 202.99.160.2. If you have multiple IP addresses, enter the start and end IP addresses respectively.
>>> Step 4: Define the internal access column.
Access-List 1 permit 10.100.100.0 0.0.255
The IP address range for internetr access is 10.100.100.0 ~ 10.100.100.255. The subnet mask is 255.255.255.0. Note that the subnet mask is in the opposite order as it is written, that is, 0.0.0.255.
>>> Step 5: Configure dynamic address translation.
In global setting mode, you can set up dynamic address conversion between the internal local address and the internal valid IP address. The command syntax is as follows:
Ip nat inside source list access list No. The pool's internal legal address pool name overload
Example:
Ip nat inside source list1 pool onlyone overload // convert the private IP address in access list 1 to the valid IP address defined in the onlyone IP address pool in Port multiplexing mode.
Note: overload is a keyword for reusing dynamic address translation.
Now, dynamic address translation for port multiplexing is complete.
You can also write as follows:
Ip nat inside source list 1 interface serial 0 overload