Solving communication problems between the external network and intranets (NAT translation)

Source: Internet
Author: User

When writing network code, you will find that a program works within a local area network but fails between the external network and an intranet, or between one intranet and another.
The cause is NAT, so NAT is introduced first.
NAT (Network Address Translator) performs network address translation. As the name implies, it is a technology that translates an internal private network IP address into a public network IP address, as shown in Figure 5-1. NAT arose as IP addresses became increasingly scarce, and its main purpose is to make addresses reusable [9].

Figure 5-1 NAT Model
There are five classes of IP addresses: Class A, Class B, Class C, Class D, and Class E (reserved IP addresses are not considered here). Class A, B, and C addresses can be assigned to computers, Class D addresses are multicast addresses, and Class E addresses are for special purposes. Class A, B, and C addresses are further divided into public and private addresses. Private addresses are used inside intranets, and different intranets can reuse the same private addresses, which saves public addresses. Private addresses are not routed on the public network, so an intranet host that wants to access a server outside the intranet has to go through NAT. Public addresses are globally unique and can be routed on the public network.

An intranet host with a private address can communicate with other hosts in the same intranet without problems, but it cannot use the private address directly to access hosts on the external network, because private addresses cannot be routed. To communicate with the external network it must go through a NAT device (such as a gateway or router), as shown in Figure 5-2. When host A communicates with server S, its packets first pass through the gateway, which rewrites the packet's address and port, changing the private address to the public address so that the packet can be routed on the public network and delivered to the server. When the packet returned by the server arrives at the gateway, the gateway changes the public address back to the corresponding private address and forwards the packet to host A. In this way an intranet needs only one public IP address for all of its computers to reach the Internet, which addresses the shortage of IP addresses.
NAT functionality is typically integrated into routers, firewalls, ISDN routers, or standalone NAT devices. It can also be provided in software, and is included in Windows 98 SE and Windows 2000.
Classification and working principle of NAT

NAT is divided into two main classes, basic NAT and NAPT (Network Address/Port Translator) [10][11], as shown in Figure 5-3.
Basic NAT translates only the private IP address of the intranet host into a public IP address and does not translate the TCP/UDP port information. It comes in dynamic and static variants. Because most NAT in use today is of the other type, NAPT, basic NAT is not discussed in detail here.
The other kind of NAT is NAPT (Network Address/Port Translator). As the name suggests, NAPT changes not only the IP address of each IP datagram that passes through the NAT device but also its TCP/UDP port. The NAPT address and port translation process is shown in Figure 5-4:

Client A, a host in the private network, has a process on port 1234 that wants to access port 1235 on an external server. When the packet passes through the NAT, the NAT first replaces the packet's original source IP address with its own external address and assigns a port (such as 62000) to client A, changing the packet's original source port number to 62000. The packet therefore goes out to the Internet with the NAT's external address and port 62000 as its source (Figure 5-4, left). The NAT remembers that port 62000 corresponds to port 1234 on client A. Data sent from the external server to port 62000 has its destination IP and port number rewritten by the NAT and is then forwarded to client A (Figure 5-4, right).
Cone-type NAT and symmetric NAT

NAPT is further divided into cone and symmetric types (Figure 5-5). The difference appears once the NAT has assigned a port number to client A. If client A continues to use port 1235 to communicate with another external server, a cone NAT keeps using the original port 62000, that is, the assigned port number does not change. A symmetric NAT instead assigns another port number (such as 62001) to port 1235 of client A. In other words, for the same intranet host using the same port, a cone NAT keeps the assigned port number no matter which external host it communicates with, while a symmetric NAT assigns a new port number each time the host communicates with a different external host.
Full-cone NAT, restricted-cone NAT, and port-restricted NAT
Cone NAT can be further classified as full-cone (Full Cone) NAT, restricted-cone (Restricted Cone) NAT, and port-restricted cone (Port Restricted Cone) NAT.
① Full-cone (Full Cone) NAT
When host A inside the NAT connects to external host C, the NAT opens a port. Any UDP datagram sent from the external network to this open port then reaches A, whether or not it was sent by C [12].
For example a: nat: c:
A (, NAT (, C (
Any data sent to NAT ( can reach a (
② Restricted-cone (Restricted Cone) NAT
When host A inside this kind of NAT connects to external host C, the NAT opens a port. C can then communicate with A from any of its ports, but other external hosts cannot.
For example a: nat: c:
A (, NAT (, C (
Any data sent from C to Nat ( can reach a (
③ Port-restricted cone (Port Restricted Cone) NAT
When host A inside this kind of NAT connects to external host C, the NAT opens a port. C can then communicate with A only from its original port, and other external hosts cannot.
For example a: nat: c:
A (, NAT (, C (
Only the data sent by C ( to NAT ( can reach a (
Problems with NAT
NAT solves the address shortage and shields the internal network, but it also brings some problems. It is easy for an intranet host to connect to a host on the external network (NAT is effectively transparent, and neither the intranet host nor the external host needs to know about it). It is much harder for an external computer to reach a computer inside the subnet, although this can be solved by having the intranet host initiate the connection. However, if the two hosts are behind two different NATs, they cannot communicate directly. Suppose hosts A and B, behind two different NATs (NAT A and NAT B), want to communicate, and host B initiates the connection. Which address does it connect to? In the first case, an attempt to connect directly to host A's intranet private address fails, because that is not an IP address that can be routed on the public network. In the second case, B attempts to connect directly to NAT A's public address and port (62000), and NAT A rejects the packet because the port is not bound to a port on an intranet host, or, even if it is bound, the external address and port it is bound to are not B's address and port. If A actively connects to B, the result is the same.
There are two ways to solve this problem. Method one: use a server as an intermediary that forwards the data between the hosts. Once the number of users reaches a certain size, however, this wastes bandwidth and puts great pressure on the server, so the method is not feasible. Method two also uses a server, but the server acts only as an "introducer" and does not forward data between the hosts. For details, see "UDP hole punching" below.
Traversing NAT: UDP hole punching
So-called "hole punching" means punching a "hole" in the intranet's NAT device (that is, establishing a session on the NAT that binds an address and port number). The hole cannot be punched from outside; it can only be punched by a host inside the intranet. The hole may also be directional: for example, when an internal host sends a UDP packet to an external IP address, a "hole" for that direction is punched on the intranet's NAT device [13], and the external host can then connect to the internal host through this hole.
The following explains in detail how to punch a "hole" through each type of NAT and how to traverse it.
1. Full-cone (Full Cone) NAT
Host A and host B are in different intranets. Each first connects to the server, which opens a "hole" on its own NAT device. From the two connections the server learns the public addresses of A and B and the port numbers their NATs assigned to them, and it then tells each of A and B the other's NAT address and port number. Because of the full-cone NAT behaviour, the "holes" A and B opened toward the server can be used by any other host, so A and B can connect to each other's public address and port and communicate directly. The server acts as the "introducer" here, telling A and B each other's address and port number.
2. Restricted-cone (Restricted Cone) NAT
A and B still connect to the server first, and the server sends each of them the other's address and port information. Because of the restricted-cone NAT behaviour, however, the "holes" they have opened can only be used to communicate with the server. To let them communicate directly, the solution is as follows:
Host A starts sending UDP messages to host B's public address and, at the same time, sends an invitation message to host B through the server, asking host B to send UDP messages to host A's public address as well. The messages that host A sends to host B's public IP cause NAT A to open a session between host A and host B, while NAT B likewise opens a session between host B and host A [14]. Once the new UDP sessions are open in both directions, host A and host B can communicate directly.
3. Port-restricted cone (Port Restricted Cone) NAT
For this type of NAT, the solution is the same as the method above.
4. Symmetric (Symmetric) NAT
A symmetric NAT assigns a different port number for each different external host address, so UDP hole punching is difficult. Hole punching with port prediction can also be attempted, but success is not guaranteed.
The NAT traversal described above is NAPT traversal and applies mainly to the UDP protocol. It is also possible with TCP, but it is much less likely to succeed and has stricter requirements. Since voice and video communication is carried over UDP, NAT traversal for TCP is not discussed here. Basic NAT does not modify the port numbers of the packets that pass through it and can be seen as a simplified version of full-cone NAT, so basic NAT can be traversed as well. A NAT device closes a UDP mapping after a certain amount of time, so to maintain communication with the server, the server or client must send UDP packets periodically to keep the mapping from being closed.
Currently, the most common NAT type is full-cone NAT

As shown in Figure 6-7, the steps are as follows:
① Client A sends a UDP datagram to the server through NAT A, and NAT A assigns a port to client A. When the server receives the datagram, it records client A's address and port information as translated by NAT A.
② Client B sends a UDP datagram to the server through NAT B, and NAT B assigns a port to client B. When the server receives the datagram, it records client B's address and port information as translated by NAT B.
③ The server sends client B's address and port information to client A and client A's address and port information to client B. Clients A and B can then communicate using the address and port number they obtained.
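
The NAT types and the introducer steps above, modelled as a small in-memory simulation in Python. This is an added example, not code from the original article; the Nat class, the punch function, and every IP address in it are constructed for illustration.

```python
# Added example: in-memory NAPT model. All addresses are constructed sample values.
FULL, RESTRICTED, PORT_RESTRICTED, SYMMETRIC = "full", "restricted", "port-restricted", "symmetric"

class Nat:
    def __init__(self, public_ip, kind, first_port=62000):
        self.public_ip, self.kind, self.next_port = public_ip, kind, first_port
        self.maps = {}      # mapping key -> assigned public port
        self.sessions = {}  # public port -> (internal endpoint, remote endpoints contacted)

    def outbound(self, src, dst):
        """Translate a packet leaving the intranet; return the (ip, port) the remote side sees."""
        key = (src, dst) if self.kind == SYMMETRIC else src  # symmetric: new port per destination
        if key not in self.maps:
            self.maps[key] = self.next_port
            self.sessions[self.next_port] = (src, set())
            self.next_port += 1
        port = self.maps[key]
        self.sessions[port][1].add(dst)      # remember who this "hole" was opened toward
        return (self.public_ip, port)

    def inbound(self, remote, public_port):
        """Return the internal endpoint the packet is forwarded to, or None if it is dropped."""
        if public_port not in self.sessions:
            return None                      # no hole has been punched on this port
        internal, peers = self.sessions[public_port]
        if self.kind == FULL:
            ok = True                        # anyone may use the hole
        elif self.kind == RESTRICTED:
            ok = remote[0] in {ip for ip, _ in peers}   # same remote IP, any port
        else:
            ok = remote in peers             # port-restricted and symmetric: exact ip:port
        return internal if ok else None

def punch(kind_a, kind_b):
    """Run the introducer exchange; return (B's packets reach A, A's packets reach B)."""
    server = ("198.51.100.1", 3478)
    a, b = ("192.168.0.10", 1234), ("10.0.0.20", 1234)
    nat_a, nat_b = Nat("203.0.113.1", kind_a), Nat("203.0.113.2", kind_b)
    pub_a = nat_a.outbound(a, server)        # steps 1 and 2: each client registers,
    pub_b = nat_b.outbound(b, server)        # the server records the translated endpoints
    src_a = nat_a.outbound(a, pub_b)         # step 3: after the server swaps the endpoints,
    src_b = nat_b.outbound(b, pub_a)         # each client sends to the other's public address
    return (nat_a.inbound(src_b, pub_a[1]) == a, nat_b.inbound(src_a, pub_b[1]) == b)
```

punch(SYMMETRIC, PORT_RESTRICTED) returns (False, False): the symmetric NAT allocates a fresh port for the packet toward B, so the endpoint the server handed out no longer matches on either side.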
