Network address translation (NAT) technology
2022-07-01 02:47:00 【_ Persisting】
Principle of network address translation
Fundamentals of NAT technology
NAT rewrites the source or destination address in the IP header so that a large number of private IP addresses can share a small number of public IP addresses to reach the public network.
NAT is the process of translating one IP address in the IP header into another. A NAT device normally maintains an address translation table, and every packet that passes through the NAT device (which sits at the boundary between the internal and external networks; common devices are routers and firewalls) and needs address translation is modified according to this table. Address translation has two parts:
1. The internal host's IP address and port are translated to the external address and port of the NAT device.
2. The external address and port are translated back to the internal host's IP address and port.
In other words, <private address + port> and <public address + port> are converted into each other.
Background of NAT
- IPv4 addresses are running out.
- IPv6 cannot replace IPv4 everywhere at once.
- Various techniques for extending the life of IPv4 keep appearing; NAT is one of them.
Advantages and disadvantages of NAT
- Advantages:
  - Reuses IP addresses, saving scarce address resources.
  - The translation process is transparent to users.
  - Gives intranet users a degree of privacy protection.
  - Can provide load balancing for internal servers.
- Disadvantages:
  - Network monitoring becomes harder.
  - Some specific applications are restricted.
NAT classification
By application scenario, NAT can be divided into:
- Source NAT: lets multiple private-network users access the Internet at the same time.
  - Address pool mode: public addresses from an address pool are used to translate private users; suited to scenarios with many private-network users accessing the Internet.
  - Interface address mode (Easy IP): intranet hosts borrow the IP address of the public-network interface to access the Internet; especially suited to cases where the public interface's IP address is obtained dynamically.
- Server mapping: lets Internet users access servers inside the private network.
  - Static mapping (NAT Server): public and private addresses are mapped one-to-one; used where public-network users access servers inside the private network.
- Destination NAT: used to steer mobile Internet traffic to the right WAP gateway.
Source NAT technology
Source-address-based NAT translates the source address in the IP header of the packet that initiates a connection, which lets internal users access the external network. By translating the private addresses of internal hosts into public addresses, many hosts on a LAN can use a few legitimate addresses to reach external resources, and the IP addresses of hosts on the internal LAN are effectively hidden, which provides a measure of security protection.
Source NAT address pool mode
- Address pool mode without port translation
A NAT address pool is configured, and it may contain multiple public addresses. Only the address is translated, not the port, giving a one-to-one translation from private addresses to public addresses. Once every address in the pool has been allocated, the remaining intranet hosts are not translated and cannot reach the Internet until an address in the pool becomes free again.
- Address pool mode with port translation
A NAT address pool is configured, containing one or more public addresses. Address and port are translated at the same time, so multiple private addresses can share one or more public addresses (many-to-one). Because ports are translated along with addresses, many private-network users can go online through one public IP address, and the firewall distinguishes users by port, so more users can access the Internet simultaneously. This technique uses layer-4 information to extend layer-3 addresses: one IP address has 65535 usable ports, so in theory one address can provide NAT translation for 65535 others. The firewall can also map packets from different internal addresses to different port numbers of the same public address, so they still share one address. Compared with one-to-one or many-to-many address translation, this greatly expands the address space and improves IP address utilization. Port translation is therefore the most commonly used form of address translation.
Without ports: one-to-one IP address translation; ports are not translated.
With ports: different internal addresses are mapped to different port numbers of the same public address, giving many-to-one address translation.
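As an added example (not code from the original article), a small Python model of the two address-pool modes just described: one-to-one without port translation, including what happens when the pool is exhausted, and many-to-one with port translation. All host and pool addresses are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class SourceNat:
    """Address-pool source NAT: port_translation=False is one-to-one (address only),
    port_translation=True is many-to-one (address + port). Entries are (ip, port) tuples."""
    pool: list                 # public addresses in the NAT address pool (constructed)
    port_translation: bool
    table: dict = field(default_factory=dict)  # private (ip, port) -> public (ip, port)
    next_port: int = 10000     # first public port handed out in port-translation mode

    def outbound(self, priv):
        """Translate the source of an outgoing packet; None when no pool address is free."""
        if priv in self.table:
            return self.table[priv]
        priv_ip, priv_port = priv
        if self.port_translation:
            # All private flows share pool[0]; the translated port tells them apart.
            pub = (self.pool[0], self.next_port)
            self.next_port += 1
        else:
            # A host that already holds a public address keeps it for all its ports.
            held = {p_ip: pub_ip for (p_ip, _), (pub_ip, _) in self.table.items()}
            if priv_ip in held:
                pub = (held[priv_ip], priv_port)
            else:
                free = [ip for ip in self.pool if ip not in held.values()]
                if not free:
                    return None  # pool exhausted: the packet is not translated
                pub = (free[0], priv_port)
        self.table[priv] = pub
        return pub

    def inbound(self, pub):
        """Reverse lookup for a reply arriving from the public network."""
        for priv, mapped in self.table.items():
            if mapped == pub:
                return priv
        return None

def demo():
    # Constructed private hosts 10.0.0.x behind a constructed pool 203.0.113.x.
    one_to_one = SourceNat(pool=["203.0.113.1", "203.0.113.2"], port_translation=False)
    a = one_to_one.outbound(("10.0.0.1", 40000))  # gets 203.0.113.1
    b = one_to_one.outbound(("10.0.0.2", 40000))  # gets 203.0.113.2
    c = one_to_one.outbound(("10.0.0.3", 40000))  # pool exhausted -> None
    napt = SourceNat(pool=["203.0.113.9"], port_translation=True)
    d = napt.outbound(("10.0.0.1", 40000))  # (203.0.113.9, 10000)
    e = napt.outbound(("10.0.0.2", 40000))  # (203.0.113.9, 10001): same IP, new port
    return a, b, c, d, e
```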
Easy IP (interface address mode)
The public address of the interface is used directly as the translated address, so no NAT address pool needs to be configured. Address and port are translated at the same time, so multiple private addresses can share the public address of the external interface (many-to-one).
NAT ALG (Application Level Gateway)
A translation agent for a specific application protocol that translates the address and port information carried inside application-layer data.
Ordinary NAT translates the IP address and port in the IP header and the UDP or TCP header, but it can do nothing about fields inside the application-layer payload. Many application-layer protocols, such as multimedia protocols (H.323, SIP, etc.), FTP and SQLNET, carry address or port information in the TCP/UDP payload; NAT cannot translate it, which causes problems. NAT ALG (Application Level Gateway) parses the application-layer message information of multi-channel protocols and translates the IP addresses and ports in the payload that need translating, or processes fields that need special handling, so that application-layer communication remains correct.
For example, an FTP session consists of a control connection and a data connection, and the data connection is set up dynamically based on payload fields carried in the control connection. The ALG must translate those payload fields so that subsequent data connections are established correctly.
Server mapping
NAT Server (internal server)
A public address is used to represent the external address of an internal server.
NAT hides the structure of the internal network and "shields" internal hosts. In practice, however, you may need to expose an internal host to the outside, for example to offer a WWW server externally. External hosts have no route to the internal address, so normal access is impossible. In this case the internal server (NAT Server) function is used. With NAT, internal servers can be added flexibly. For example, a public address such as 202.202.1.1 can serve as the external address of a Web server, or even 202.202.1.1:8080, an IP address plus port number, can be the Web server's external address.
When an external user accesses an internal server, two operations take place:
- The firewall translates the destination address of the external user's request packet into the private address of the internal server.
- The firewall translates the source address (the private address) of the internal server's response packet into the public address.
The firewall supports internal servers based on security zones. For example, when access must be offered to external users on multiple network segments, an internal server combined with security zone configuration can be given multiple public addresses. Different security zones of the firewall are configured to correspond to external networks on different segments, and the same internal server is given a different public address per security zone; external networks on different segments then reach the same internal server by accessing their respective configured public address.
When a NAT Server is configured, the device automatically generates a Server-map entry holding the mapping between the Global address and the Inside address.
The Server-map is triple-based and stores a mapping relationship, which may be a data connection relationship negotiated through control data or the address mapping configured in NAT; through it, the external network can actively access the internal network via the device.
When the user deletes the NAT Server, the Server-map entry is deleted along with it.
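An added Python model (not the article's own code) of the NAT Server behaviour described above: a Server-map keyed on the Global address and port, the two translation operations on request and response, and removal of the entry when the NAT Server is deleted. The public address 202.202.1.1:8080 is the page's own example; the internal server 192.168.1.10:80 and the external client 198.51.100.7 are constructed.

```python
class NatServer:
    """Static server mapping. The Server-map is keyed by the Global (ip, port) and
    holds the Inside (ip, port). Packets are tuples (src_ip, src_port, dst_ip, dst_port)."""

    def __init__(self):
        self.server_map = {}

    def add(self, global_ip, global_port, inside_ip, inside_port):
        # Configuring a NAT Server creates its Server-map entry.
        self.server_map[(global_ip, global_port)] = (inside_ip, inside_port)

    def delete(self, global_ip, global_port):
        # Deleting the NAT Server removes the Server-map entry with it.
        self.server_map.pop((global_ip, global_port), None)

    def inbound(self, pkt):
        """Operation 1: rewrite the request's destination to the server's private address.
        Returns None when no mapping exists, so the packet is not forwarded inside."""
        src_ip, src_port, dst_ip, dst_port = pkt
        inside = self.server_map.get((dst_ip, dst_port))
        if inside is None:
            return None
        return (src_ip, src_port, inside[0], inside[1])

    def outbound(self, pkt):
        """Operation 2: rewrite the response's private source back to the public address."""
        src_ip, src_port, dst_ip, dst_port = pkt
        for (g_ip, g_port), inside in self.server_map.items():
            if inside == (src_ip, src_port):
                return (g_ip, g_port, dst_ip, dst_port)
        return None

def demo():
    # 202.202.1.1:8080 (from the text) fronts a constructed internal web server
    # 192.168.1.10:80; the external client 198.51.100.7 is constructed as well.
    fw = NatServer()
    fw.add("202.202.1.1", 8080, "192.168.1.10", 80)
    request = fw.inbound(("198.51.100.7", 51000, "202.202.1.1", 8080))
    response = fw.outbound(("192.168.1.10", 80, "198.51.100.7", 51000))
    unmapped = fw.inbound(("198.51.100.7", 51001, "202.202.1.1", 443))  # no entry -> None
    fw.delete("202.202.1.1", 8080)
    after_delete = fw.inbound(("198.51.100.7", 51000, "202.202.1.1", 8080))  # None
    return request, response, unmapped, after_delete
```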