18. NAT (Network Address Translation)

1. NAT Overview

1. Foreword

  • With the development of the Internet and the increase in network applications, limited IPv4 public addresses have become a bottleneck restricting network development. To solve this problem, NAT (Network Address Translation) technology came into being.
  • NAT technology is mainly used to enable hosts in the internal network to access external networks. On the one hand, NAT alleviates the shortage of IPv4 addresses. On the other hand, NAT technology prevents the external network from communicating directly with the internal network using private addresses, improving the security of the internal network.

2. Background of NAT

  • As the number of Internet users increases, IPv4 public address resources become increasingly scarce.
  • At the same time, IPv4 public address resources have the problem of uneven address distribution, which has led to a serious shortage of available IPv4 public addresses in some areas.
  • To solve this problem, a transition technology is needed that relieves the shortage of IPv4 public addresses.

3. Private IP address

  • Public address: An IP address that is managed and allocated by a specialized organization and can be used for direct communication on the Internet.
  • Private address: An IP address that organizations and individuals may use freely. It cannot be used for direct communication on the Internet and is only valid within the intranet.
  • Some addresses in Class A, B, and C are reserved specifically as private IP addresses:
    • Class A: 10.0.0.0 ~ 10.255.255.255
    • Class B: 172.16.0.0 ~ 172.31.255.255
    • Class C: 192.168.0.0 ~ 192.168.255.255

4. Principles of NAT technology

  • NAT: A technology that translates the IP addresses carried in IP packets. It is widely deployed in existing networks, generally on network egress devices such as routers or firewalls.
  • Typical application scenario of NAT: Private addresses are used inside private networks (campus, home) and NAT is deployed on the egress device. For “inside-to-outside” traffic, the device translates the source address of the packet into a specific public address; for “outside-to-inside” traffic, it translates the destination address of the packet back to the private address.
  • By using private addresses combined with NAT technology, public IPv4 addresses can be effectively saved.

2. Static NAT (not commonly used)

1. Static NAT principle

  • Static NAT: Each private address has a corresponding and fixed public address, that is, the relationship between the private address and the public address is a one-to-one mapping.
  • Supports two-way mutual access: When a private address accesses the Internet and undergoes NAT conversion by the egress device, it will be converted into the corresponding public address. At the same time, when the external network accesses the internal network, the public address (destination address) carried in the packet will also be converted into the corresponding private address by the NAT device.

2. Static NAT conversion example

3. Introduction to static NAT configuration

3.1. Method 1: Configure static NAT in interface view

[Huawei-GigabitEthernet0/0/0] nat static global { global-address } inside { host-address }

The global parameter is used to configure the external public address, and the inside parameter is used to configure the internal private address.

3.2. Method 2: Configure static NAT in system view

[Huawei] nat static global { global-address } inside { host-address }

The command is the same, but it is entered in system view; static NAT must then be enabled on the specific interface.

[Huawei-GigabitEthernet0/0/0] nat static enable

Enable the nat static function under the interface.

3. Dynamic NAT (not commonly used: each host occupies one public IP exclusively, so hosts cannot share an address at the same time)

1. Principle of dynamic NAT

  • Dynamic NAT: Static NAT strictly performs one-to-one address mapping, which means that even if an intranet host is offline for a long time or sends no data, its public address remains occupied. To avoid wasting addresses, dynamic NAT introduces the concept of an address pool: all available public addresses form a pool.
  • When an internal host accesses the external network, an unused address is temporarily allocated from the pool and marked “in use”. When the host stops accessing the external network, the allocated address is recycled and marked “not in use” again.

2. Introduction to dynamic NAT configuration

2.1. Create an address pool

[Huawei] nat address-group group-index start-address end-address

Configure the public address range, where group-index is the address pool number, start-address and end-address are the start address and end address of the address pool respectively.

2.2. Configure ACL rules for address translation

[Huawei] acl number
[Huawei-acl-basic-number] rule permit source source-address source-wildcard

Configure a basic ACL to match the source address range that needs to be dynamically translated.

2.3. Configure NAT Outbound with address pool in interface view

[Huawei-GigabitEthernet0/0/0] nat outbound acl-number address-group group-index [ no-pat ]

Associate the ACL and address pool under the interface for dynamic address translation, and the no-pat parameter specifies that port translation will not be performed.

3. Dynamic NAT configuration example

Configure dynamic NAT on R1 to dynamically map the private address of the intranet host to the public address.

[R1]nat address-group 1 122.1.2.1 122.1.2.3
[R1]acl 2000
[R1-acl-basic-2000]rule 5 permit source 192.168.1.0 0.0.0.255
[R1-acl-basic-2000]quit
[R1]interface GigabitEthernet0/0/1
[R1-GigabitEthernet0/0/1]nat outbound 2000 address-group 1 no-pat

4. NAPT (mainstream), Easy-IP

1. NAPT principle (the P stands for Port)

  • Dynamic NAT does not translate port numbers when it picks an address from the pool, that is, it is No-PAT (No-Port Address Translation). Public and private addresses still map 1:1, so it cannot improve public address utilization.
  • NAPT (Network Address and Port Translation): When selecting an address from the address pool for address translation, it not only converts the IP address but also converts the port number, thereby achieving 1:n mapping of public addresses and private addresses. It can effectively improve the utilization rate of public addresses.
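The following is an added simulation, not code from the original notes or from Huawei, of the translation table that the egress device keeps for dynamic NAT (section 3, no-pat) and for NAPT as described above. The ACL range, the pool addresses and the hosts are constructed from the examples on this page; the class and method names are my own. It shows the two points the notes make: with no-pat the pool size limits how many hosts can be online at once (the next host is dropped until an address is recycled), while NAPT rewrites the source port so that many hosts share one public address and replies can still be mapped back. It also shows the security effect mentioned in the overview: outside-to-inside traffic that matches no table entry is dropped.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed values (not from a real network): the intranet range that the
# ACL "rule permit source 192.168.1.0 0.0.0.255" matches, and a pool like
# "nat address-group 1 122.1.2.1 122.1.2.3".
INSIDE_ACL = ipaddress.ip_network("192.168.1.0/24")
POOL = ["122.1.2.1", "122.1.2.2", "122.1.2.3"]


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatEngine:
    """Translation table of an egress device (hypothetical simulation).

    mode="no-pat": dynamic NAT. Each inside host borrows one whole pool
                   address; ports are untouched; the pool limits concurrency.
    mode="napt":   NAPT. All inside hosts share pool[0]; the source port is
                   rewritten so that reverse lookups stay unambiguous.
    """

    def __init__(self, pool, mode, first_port=1024):
        self.pool = list(pool)
        self.mode = mode
        self.next_port = first_port
        self.outbound: Dict = {}  # inside key -> public key
        self.inbound: Dict = {}   # public key -> inside key

    def _allocate(self, pkt: Packet):
        """Create an entry for a new inside key; None if the pool is exhausted."""
        if self.mode == "no-pat":
            in_use = set(self.outbound.values())
            free = [a for a in self.pool if a not in in_use]
            if not free:
                return None  # every pool address is marked "in use"
            inside_key, public_key = pkt.src_ip, free[0]
        else:
            inside_key = (pkt.src_ip, pkt.src_port)
            public_key = (self.pool[0], self.next_port)
            self.next_port += 1  # the next new flow gets the next public port
        self.outbound[inside_key] = public_key
        self.inbound[public_key] = inside_key
        return public_key

    def outbound_translate(self, pkt: Packet) -> Optional[Packet]:
        """Inside-to-outside: rewrite the source. None means the packet is dropped."""
        if ipaddress.ip_address(pkt.src_ip) not in INSIDE_ACL:
            return pkt  # ACL does not match: forwarded untranslated
        inside_key = pkt.src_ip if self.mode == "no-pat" else (pkt.src_ip, pkt.src_port)
        public_key = self.outbound.get(inside_key) or self._allocate(pkt)
        if public_key is None:
            return None
        if self.mode == "no-pat":
            return Packet(pkt.proto, public_key, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(pkt.proto, public_key[0], public_key[1], pkt.dst_ip, pkt.dst_port)

    def inbound_translate(self, pkt: Packet) -> Optional[Packet]:
        """Outside-to-inside: rewrite the destination from an existing entry.
        Unsolicited traffic has no entry and is dropped (returns None)."""
        public_key = pkt.dst_ip if self.mode == "no-pat" else (pkt.dst_ip, pkt.dst_port)
        inside_key = self.inbound.get(public_key)
        if inside_key is None:
            return None
        if self.mode == "no-pat":
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside_key, pkt.dst_port)
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside_key[0], inside_key[1])

    def release(self, inside_key) -> None:
        """Recycle an entry when the host stops sending (address back to "not in use")."""
        public_key = self.outbound.pop(inside_key, None)
        if public_key is not None:
            self.inbound.pop(public_key, None)


if __name__ == "__main__":
    napt = NatEngine(["122.1.2.1"], "napt")
    for host in ("192.168.1.10", "192.168.1.11"):
        out = napt.outbound_translate(Packet("tcp", host, 40000, "8.8.8.8", 80))
        print(host, "->", out.src_ip, out.src_port)
```

Run it with a pool of three addresses in no-pat mode and a fourth host gets `None` back until `release()` is called for one of the first three; in NAPT mode the same hosts all leave as 122.1.2.1 with distinct ports, and a reply to an unused port is discarded.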

2. NAPT conversion example

3. NAPT configuration example

  • Configure NAPT on R1 to allow all private addresses in the internal network to access the public network through 122.1.2.1.
[R1]nat address-group 1 122.1.2.1 122.1.2.1
[R1]acl 2000
[R1-acl-basic-2000]rule 5 permit source 192.168.1.0 0.0.0.255
[R1-acl-basic-2000]quit
[R1]interface GigabitEthernet0/0/1
[R1-GigabitEthernet0/0/1]nat outbound 2000 address-group 1

4. Easy-IP

  • Easy-IP: Its working principle is the same as NAPT: it translates the IP address and the transport-layer port at the same time. The difference is that Easy-IP has no address pool; it uses the address of the egress interface as the public address for translation.
  • Easy-IP suits scenarios without a fixed public IP address, for example a private-network egress that obtains its address through DHCP or PPPoE dial-up; the dynamically obtained address is used directly for translation.

5. Easy-IP configuration example

  • Configure Easy-IP on R1 to allow all private addresses in the intranet to access the public network through 122.1.2.1.
[R1]acl 2000
[R1-acl-basic-2000]rule 5 permit source 192.168.1.0 0.0.0.255
[R1-acl-basic-2000]quit
[R1]interface GigabitEthernet0/0/1
[R1-GigabitEthernet0/0/1]nat outbound 2000

5. NAT Server

1. NAT Server usage scenario

  • NAT Server: Specify the one-to-one mapping relationship between [public address: port] and [private address: port] to map the intranet server to the public network. It is used when the server in the private network needs to provide services to the public network.
  • The external network host actively accesses [public address:port] to access the internal network server.
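An added illustration (my own code, not from the notes or from Huawei) of what a NAT Server mapping does in both directions. The mapping uses the values of the configuration example on this page (public 122.1.2.1:8080 to inside 192.168.1.10:80); the outside client address 203.0.113.5 is constructed. Unlike the dynamic tables above, the entry exists before any traffic flows, so an outside host can open the connection; everything else arriving at the public address, including the same port over a different protocol, has no entry and is dropped, which is why the set of mappings is exactly the set of services exposed to the Internet.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, str, int]  # (protocol, ip, port)


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatServerTable:
    """Static [public:port] <-> [private:port] mappings (hypothetical simulation)."""

    def __init__(self):
        self.to_inside: Dict[Endpoint, Endpoint] = {}
        self.to_global: Dict[Endpoint, Endpoint] = {}

    def add(self, proto: str, global_ip: str, global_port: int,
            inside_ip: str, inside_port: int) -> None:
        """One 'nat server protocol ... global ... inside ...' line."""
        g = (proto, global_ip, global_port)
        i = (proto, inside_ip, inside_port)
        self.to_inside[g] = i
        self.to_global[i] = g

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside host connects to [public:port]: rewrite the destination.
        No mapping for (protocol, address, port) means the packet is dropped."""
        target = self.to_inside.get((pkt.proto, pkt.dst_ip, pkt.dst_port))
        if target is None:
            return None
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, target[1], target[2])

    def outbound_reply(self, pkt: Packet) -> Optional[Packet]:
        """Server reply: rewrite the source back to the public address and port."""
        g = self.to_global.get((pkt.proto, pkt.src_ip, pkt.src_port))
        if g is None:
            return None
        return Packet(pkt.proto, g[1], g[2], pkt.dst_ip, pkt.dst_port)

    def exposed_services(self) -> List[Endpoint]:
        """What the Internet can reach: the public side of every mapping."""
        return sorted(self.to_inside)


if __name__ == "__main__":
    table = NatServerTable()
    table.add("tcp", "122.1.2.1", 8080, "192.168.1.10", 80)
    syn = Packet("tcp", "203.0.113.5", 51000, "122.1.2.1", 8080)
    print(table.inbound(syn))
    print(table.exposed_services())
```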

2. NAT Server configuration example

  • Configure the NAT Server on R1 to map port 80 of the intranet server 192.168.1.10 to port 8080 of the public address 122.1.2.1.
[R1]interface GigabitEthernet0/0/1
[R1-GigabitEthernet0/0/1]ip address 122.1.2.1 24
[R1-GigabitEthernet0/0/1]nat server protocol tcp global 122.1.2.1 8080 inside 192.168.1.10 www

The keyword www stands for TCP port 80, so the last line maps [122.1.2.1:8080] to [192.168.1.10:80] as required above.
