Simple Explanation of single-port NAT

A few days ago, I saw some configuration about single-port nat on the Internet and found that the configuration was all out of one person's hand, and the comments were not clear. I did not quite understand what I said on the cisco official site, I will give you a detailed explanation of his principles!

The following is a reference to this post, which may be inconvenient. Sorry!

First of all, what is single-port nat? You don't know if you have ever encountered this situation. There is an adsl line, but each machine has only one network card and you want to share the Internet with all the machines, what do you do? ^ _ ^, You can buy another card for five yuan. This is of course simple, but we need to think about other methods when doing technology. challenge yourself. to put it bluntly, a single-port nat is just one port on the route. You must also perform nat to access the Internet.
The outside method is different. One port and one link must carry the information of two networks, one is the Intranet and the other is the Internet. therefore, this port must have two addresses, one for Intranet interaction and the other for isp interaction. the actual topology is as follows: the isp line is directly connected to the vswitch, instead of the vro. The vro is also connected to a port of the vswitch. Its function is only for nat, re-encapsulate the original address of the package and the destination address of the returned package (see the original post). If the Intranet host wants to send packets to the Internet host, after these packets are sent to the Ethernet port of the route, after a series of transformations, the Ethernet port finally comes out to the isp end.

Next we will analyze the process of a package in detail so that everyone can understand it.

A host (172.16.1.1) on the Intranet needs to send a packet to a public address. Of course, it first forwards the packet to the gateway, so the gateway receives the packet. in order, the router first checks the policy route entry, then the normal route is followed. Now the route finds that the package matches the access-list 101 permit ip address 172.16.1.0 0.0.255 any, so he routes the package to the loopback port. note: loopback is called the loopback interface because the package at this port will go out of this port and return immediately. Hahaha, it may be hard to understand because it is a virtual port, the router can call him as needed, so this function is available. Here, when a packet is sent out of this port, because the packet source is Ethernet port (nat inside ), the loopback port (nat ouside) is used at the exit. Therefore, the loopback port is configured with a nat packet. The source address is changed to one of the pool addresses (ip nat pool pool1 192.168.0.2 192.168.0.3, the nat package's slave ring Port Go out, switch (I really don't know where he is going to go), and I want to go back to the route from the loopback port, but this time, the route does not change the packet because nat outside, ip nat inside "source "...... only nat is performed for packets going out of the route. now, the source address of the package is, for example, 192.168.0.2. the destination address is the address you want to access from the public network. The next step of this package is to accept the route check, because the loopback port does not configure the ip policy route-map, this time only matches the regular route. Well, check the original post ............, In addition to the direct connection route, it is the default route (ip route 0.0.0.0 0.0.0.0 192.168.0.6), so he finally routes the package to the isp ).

In other words, the Internet will respond to the local external address (192.168.0.2). The Ethernet port of the local route receives the packet sent by the isp through the switch, because this package is used for the vro from the inside out (the route does not know that the Ethernet is actually connected to the isp), it is necessary to first route, then nat, good, the router also matches the policy route first. See the original post ................., he matched this sentence: access-list 101 permit ip any 192.168.0.0 0.0.7, because the original address is a public address, that is, "any", so he routes to the loopback port, at the ring port, this package will be nat again. However, please note that this package does not meet the nat requirements here. Please refer: ip nat inside source list 10 pool pool1 overload, access-list 10 permit 172.16.1.0 0.0.255, because the original address of this package is not in access-l In the range specified by ist 10, the package is not nat. This is also the most ingenious technology, so that the package retains the authenticity of the original address !! Well, this package slipped back from the ring port again. Note ::!!! Because the vronat has done nat operations, a nat table is saved.
So the router is going from the outbound traffic to the inbound traffic. Therefore, the router needs to be nat first and then routed, so it needs to match the nat table, he checked that the destination address 192.168.0.2 actually corresponds to the internal host 172.16.1.1, so He nat the destination address of the package to 172.16.1.1. Well, now he can accept route matching (so troublesome! Haha) Let's see ..................., because the loopback port does not need to match the policy route, you can check the regular route and find that the destination address 172.16.1.1 exists in the direct connection route. Therefore, the destination host is 172.16.1.1.

The same principle applies to single-nic proxy of adsl, except that the vro has become a host and some agent software such as ccproxy is installed. The functions of these software are the same as those of the preceding vrouters, implement single-port nat.Single-interface NAT configuration instance example

Single interface NAT configuration instance

Condition:

1. IOS 12.1 (5) T9 and later versions. Earlier versions are not verified.

2. Have at least two or more global addresses provided by the ISP.

Implementation ideas:

1. Configure the ISP address as the secondary address on the Ethernet interface. This Ethernet interface is also used as the inside interface. As the gateway of the internal host.

2. Create a loopback interface as the nat outside.

3. Use route-map to forcibly route data packets sent from the Intranet and corresponding data packets returned from the outside to the loopback interface.

Instance:

Shows the topology:

The configuration is as follows:

Interface Loopback0

Ip address 172.16.2.254 255.255.255.252

Ip nat outside

!

// Create a loopback interface and use it as the NAT outside interface.

Interface Ethernet0

Ip address 192.168.0.1 255.255.255.255.248 secondary

Ip address 172.16.1.254 255.255.255.0

Ip Nat inside

Ip policy route-map rm-nat

!

// Configure 172.16.1.254 as the IP address on the E0 interface, and use the IP address provided by the ISP as the Secondary address. E0 is used as the inside interface.

Apply the route-map rm-nat to this interface.

Ip nat pool pool1 192.168.0.2 192.168.0.3 prefix-length 29

Ip nat inside source list 10 pool pool1 overload

// General NAT configuration

Ip classless

Ip route 0.0.0.0 0.0.0.0 192.168.0.6

Ip route 172.16.1.0 255.255.255.0 Ethernet0

Access-list 10 permit 172.16.1.0 0.0.255

// Configure the access-list required by the route and NAT

Access-list 101 permit ip 172.16.1.0 0.0.255 any

Access-list 101 permit ip any 192.168.0.0 0.0.7

// Configure the acl required by route-map. The first clause matches the output package and the second clause matches the returned package.

Route-map rm-nat permit 10

Matches ip address 101

Set ip next-hop 172.16.2.254

// Configure the required route-map. All packages that meet the access-list 101 Conditions are forwarded to 172.16.2.254 (loopback0 interface ). Article entry: csh responsible editor: csh