Data Communication Fundamentals: NAT (Network Address Translation)
2022-07-05 15:36:00 【GALi_ two hundred and thirty-three】
NAT: Network Address Translation
Technical background
- IPv4 addresses are being exhausted.
- LAN users generally use private IPv4 addresses. How do they access the public network?
- How does a server that uses a private IPv4 address in the LAN provide services to the public network?
- If the intranet IP addresses need to be hidden while a specific intranet server still has to provide services to the outside, how is that achieved?

Public IP addresses and private IP addresses
Public address:
- A public address is an address that can be used on the Internet. To ensure that IP addresses are unique across the whole Internet, public addresses are allocated by IANA (Internet Assigned Numbers Authority), an international organization. If a network device needs a public address, it must be applied for from an ISP (Internet Service Provider) or a registration center.
Private address:
- To meet the needs of laboratories, companies and other organizations for private networks that are independent of the Internet, RFC (Request for Comments) 1918 reserves three IP address ranges for private use. Private addresses cannot be assigned on the Internet, so they can be used freely without applying for them.

NAT overview
The main principle of NAT (Network Address Translator) is to parse the IP packet header and automatically replace the source address or destination address in it, so that private network users can access the public network with private IP addresses. The translation from private IP address to public IP address is transparent to users.
| Advantages | Disadvantages |
|---|---|
| Alleviates the shortage of public addresses | Adds forwarding delay |
| Solves IP address space conflicts or overlaps | End-to-end addressing becomes difficult |
| Better network scalability and easier local control | Some applications do not support NAT |
| The intranet structure and related operations become invisible to the outside | NAT table entries occupy the device's memory |
| Increased security | Device performance problems |
NAT types
Dynamic NAT
The mapping between private addresses and public addresses is not fixed; it is dynamic.
It can be implemented in two ways, Basic NAT and NAPT (Network Address Port Translation):
Basic NAT
The router sets up an address pool and performs one-to-one address translation.

NAPT
The one-to-one approach of Basic NAT cannot effectively solve the address shortage, but NAPT can. NAPT translates addresses for concurrent connections by using "IP address + port", which gives many-to-one address translation.

Easy IP
Easy IP works on a principle similar to NAPT and counts as a special case of NAPT.
The difference is that Easy IP uses the address of the router's WAN interface as the mapped public address.

Static NAT
With static NAT, the internal IP address and the public IP address are statically bound one-to-one during translation, and each public IP address is only ever allocated to a fixed intranet host. The principle is basically the same as Basic NAT; the difference is that the static NAT mapping table is configured in advance.
Static NAPT means that the internal host's "private IP address + protocol number + port" and the "public IP address + protocol number + port" are statically bound one-to-one. The principle is similar to NAPT; the difference is that the static NAPT mapping table is configured in advance.
NAT Server
NAT Server is used when Internet users need to reach a fixed server through a fixed public IP address. It works through a pre-configured static mapping between the server's "public IP address + port" and the server's "private IP address + port".
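
The behaviour of the translation modes in this section, as an added example that is not part of the original article: Basic NAT occupying one pool address per host, NAPT multiplexing several hosts onto one address by port, and a NAT Server entry as the pre-configured inbound mapping. The NatDevice class, its method names, the starting port 1024 and the two-address pool are assumptions made for the example.

```python
# Toy NAT model; names and the 1024 starting port are assumptions; no session ageing.
class NatDevice:
    def __init__(self, pool, pat=True):
        self.pool = list(pool)  # public addresses usable for outbound translation
        self.pat = pat          # True: NAPT (IP + port); False: Basic NAT (no-pat)
        self.owner = {}         # Basic NAT: public IP -> private IP occupying it
        self.sessions = {}      # NAPT: (proto, priv_ip, priv_port) -> (pub_ip, pub_port)
        self.reverse = {}       # (proto, pub_ip, pub_port) -> (priv_ip, priv_port)
        self.next_port = 1024

    def add_server(self, proto, pub_ip, pub_port, priv_ip, priv_port):
        # Static NAT Server entry: a pre-configured inbound mapping.
        self.reverse[(proto, pub_ip, pub_port)] = (priv_ip, priv_port)

    def outbound(self, proto, priv_ip, priv_port):
        # Returns the translated source, or None when no public address is free.
        if not self.pat:
            for pub_ip, host in self.owner.items():
                if host == priv_ip:
                    return (pub_ip, priv_port)      # port is left untouched
            free = [p for p in self.pool if p not in self.owner]
            if not free:
                return None                         # every pool address is occupied
            self.owner[free[0]] = priv_ip
            return (free[0], priv_port)
        key = (proto, priv_ip, priv_port)
        if key not in self.sessions:
            pub_ip = self.pool[0]
            while (proto, pub_ip, self.next_port) in self.reverse:
                self.next_port += 1                 # skip ports held by static entries
            self.sessions[key] = (pub_ip, self.next_port)
            self.reverse[(proto, pub_ip, self.next_port)] = (priv_ip, priv_port)
            self.next_port += 1
        return self.sessions[key]

    def inbound(self, proto, pub_ip, pub_port):
        if not self.pat and pub_ip in self.owner:
            return (self.owner[pub_ip], pub_port)   # address-only translation
        return self.reverse.get((proto, pub_ip, pub_port))  # None: no entry, dropped

def demo():
    basic = NatDevice(["200.1.1.100", "200.1.1.101"], pat=False)  # constructed pool
    napt = NatDevice(["200.1.1.100"])
    napt.add_server("tcp", "200.1.1.100", 8080, "192.168.1.1", 80)
    hosts = ["192.168.1.1", "192.168.1.2", "192.168.1.3"]
    return ([basic.outbound("tcp", h, 5000) for h in hosts],
            [napt.outbound("tcp", h, 5000) for h in hosts],
            napt.inbound("tcp", "200.1.1.100", 8080),
            napt.inbound("tcp", "200.1.1.100", 22))
```

In demo(), the third Basic NAT host gets no translation because both pool addresses are occupied, while NAPT serves all three hosts from one address; inbound traffic to a port with no table entry is not translated at all.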

NAT configuration
Static NAT

- Suppose the company has applied to the operator for the public address 200.1.1.100 and wants a static one-to-one mapping for Internet access.
# global is the public address, inside is the private address
[NAT-Device]interface GigabitEthernet 0/0/1
[NAT-Device-GigabitEthernet0/0/1]nat static global 200.1.1.100 inside 192.168.1.1
View the NAT translation information

Ping the Internet from PC1

The address was translated successfully
Dynamic NAT

- All hosts in the 192.168.1.0/24 segment need to access the external network; the address range 200.1.1.100~200.1.1.200 has been applied for and is used to translate the intranet addresses.
# Define the address pool
[NAT-Device]nat address-group 1 200.1.1.100 200.1.1.200
# Define ACL 2000 to match the addresses that are allowed to access the Internet
[NAT-Device]acl 2000
[NAT-Device-acl-basic-2000]rule 5 permit source 192.168.1.0 0.0.0.255
[NAT-Device-acl-basic-2000]quit
[NAT-Device]interface GigabitEthernet 0/0/1
[NAT-Device-GigabitEthernet0/0/1]nat outbound 2000 address-group 1 no-pat
Note: no-pat can also be called "one-to-one address translation". When this keyword is configured, only the IP address is translated and the port is not. While an address in the address pool is in use for a translation, it is occupied and cannot be used by other intranet addresses.
With no-pat configured, it is Basic NAT; without it, it is NAPT.
nat outbound 2000 address-group 1 # NAPT
nat outbound 2000 address-group 1 no-pat # Basic NAT

Easy IP configuration
[NAT-Device]interface GigabitEthernet 0/0/1
[NAT-Device-GigabitEthernet0/0/1]nat outbound 2000

NAT Server

- Map port 80 of the private server address to port 8080 of the public address 200.1.1.100
[NAT-Device]interface GigabitEthernet 0/0/1
[NAT-Device-GigabitEthernet0/0/1]nat server protocol tcp global 200.1.1.100 8080 inside 192.168.1.1 www
[NAT-Device-GigabitEthernet0/0/1]quit

Access the Web Server from the Client
