[HCIA security] NAT network address translation
2022-07-26 21:18:00 【Heterogenesis】
NAT (Network Address Translation)
I. Why NAT
NAT is mainly used to translate a large number of private network addresses into a small number of public network addresses, which keeps communication working while conserving IP address resources.
Private addresses cannot be routed on the public network; if they were, communication would become chaotic.
II. NAT classification
- NAT No-PAT: translates only the IP address of the packet, not the port.
- NAPT (PAT): translates both the IP address and the port of the packet.
- Easy-IP (a special form of NAPT): translates both the IP address and the port, but the translated IP address can only be the address of the outbound interface.
- NAT Server: maps a public address to a private address one-to-one; used when public network users access servers inside the private network.
NAT No-PAT introduction
Applicable scenario: a small number of private network users need Internet access, and the number of public IP addresses is roughly equal to the maximum number of private users online at the same time.
"No-PAT" means no port translation, so NAT No-PAT mode translates only the IP address.
For example: the NAT address pool is 202.100.1.100~202.100.1.102, which contains three IP addresses. If four intranet machines need NAT translation, one machine cannot obtain a NAT address and its traffic is discarded.
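As an added illustration (not code from the original post), here is a small Python model of the three source-NAT modes contrasted above, generalised to any address pool: No-PAT binds each private host to one pool address and drops the host that finds the pool exhausted, while PAT and Easy-IP rewrite the port instead. The pool and host addresses are constructed from the article's example, and the port allocator is a deliberate simplification of what a real firewall does.

```python
import ipaddress

def expand_pool(start, end):
    """Expand an address-pool 'section start end' into the addresses it contains."""
    first, last = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    return [str(ipaddress.IPv4Address(n)) for n in range(first, last + 1)]

class SourceNat:
    """Toy model of source NAT in the three modes the article contrasts."""
    def __init__(self, mode, pool=(), interface_ip=None, first_port=2048):
        assert mode in ("no-pat", "pat", "easy-ip")
        self.mode, self.pool, self.interface_ip = mode, list(pool), interface_ip
        self.bindings = {}          # No-PAT: private IP -> public IP (1:1, sticky)
        self.next_port = {}         # PAT / Easy-IP: public IP -> next free port
        self.first_port = first_port

    def translate(self, src_ip, src_port):
        """Return (translated_ip, translated_port), or None if the packet is dropped."""
        if self.mode == "no-pat":
            public = self.bindings.get(src_ip)
            if public is None:
                used = set(self.bindings.values())
                free = [a for a in self.pool if a not in used]
                if not free:
                    return None     # pool exhausted: no address left, packet discarded
                public = free[0]
                self.bindings[src_ip] = public
            return public, src_port  # only the IP changes, the port is kept
        # PAT uses a pool address (first one here, simplified), Easy-IP the outbound
        # interface address; both rewrite the port so many hosts share one public IP.
        public = self.interface_ip if self.mode == "easy-ip" else self.pool[0]
        port = self.next_port.get(public, self.first_port)
        self.next_port[public] = port + 1
        return public, port

def demo_no_pat_exhaustion():
    """Four intranet hosts, three pool addresses: the fourth host gets no translation."""
    nat = SourceNat("no-pat", expand_pool("202.100.1.100", "202.100.1.102"))
    return [nat.translate(f"10.1.2.{i}", 40000 + i) for i in range(1, 5)]

def demo_napt():
    """Two hosts behind one pool address, told apart by the translated port."""
    nat = SourceNat("pat", expand_pool("202.100.1.100", "202.100.1.103"))
    return [nat.translate("10.1.2.1", 56527), nat.translate("10.1.2.2", 49522)]

if __name__ == "__main__":
    print(demo_no_pat_exhaustion())
    print(demo_napt())
```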
NAT address pool (CLI)
A NAT address pool is a contiguous set of IP addresses. When a packet from the private network is translated to a public IP address, one address from the pool is selected as the translated address.
The addresses in the pool can be a single public IP address or several public IP addresses, but one address pool supports only one address section.
The commands to create a NAT address pool are:
nat address-group address-group-name
section [section-id | section-name] start-address end-address
nat-mode { pat | no-pat }
Example:
[USG] nat address-group qyt_nat1
[USG-nat-address-group-qyt_nat1] section 1.1.1.10 1.1.1.15
[USG-nat-address-group-qyt_nat1] nat-mode pat
Configure source NAT: when the Trust zone accesses the Untrust zone, translate the source address to 202.100.1.100/24.
NAT No-PAT configuration process
1. Configure the NAT address pool with the range 202.100.1.100-202.100.1.100 (a single IP address) and do not allow port translation.
2. Create a source NAT policy: when the trust zone accesses the untrust zone, translate the source address to an address in the 【Nat_Pat_Pool】 address pool.
3. Configure the security policy for the source address; it must match the private network address before NAT translation.
nat-policy
source-zone trust
destination-zone untrust
action nat address-group Nat_Pat_Pool

4. NAT No-PAT session table
From Inside_PC in the Trust zone, visit an Internet search engine. Inside_Server in the Trust zone cannot access the untrust zone because there are not enough addresses in the NAT address pool.
(Inside_PC test and Inside_Server test)
View the session table entries on the firewall:
[FW1] display firewall session table
Current Total Sessions:38
DNS VPN:public-->public 10.1.2.1:6553[202.100.1.100:62553]-->114.114.114.114:53
tcp VPN:public-->public 10.1.2.1:504845[202.100.1.100:50485]-->10.1.11.30:17889
The session table shows that the addresses of the trust zone have been translated to addresses in the NAT address pool.
The IP address and port inside the brackets [] are the values after address translation.
display nat-policy all shows the NAT address policies.
NAT No-PAT and the Server-Map table
CLI configuration ideas:
Step 1: configure the address pool
nat address-group no_pat
section 0 202.100.1.100 202.100.1.103 # the pool can hold one address or several
nat-mode no-pat # the default is pat
Step 2: configure the NAT policy
nat-policy
rule name no_pat
source-zone trust
destination-zone untrust
action nat address-group no_pat
Step 3: permit the traffic in the security policy
security-policy
rule name trust_untrust
source-zone trust
destination-zone untrust
source-address 10.1.2.0 mask 255.255.255.0
action permit
Step 4: check the result
[FW1]display firewall session table
20:49:44 2022/7/19
dns VPN:public-->public 10.1.2.1:49431[202.100.1.100:49431]-->114.114.114.114:53
http VPN:public-->public 10.1.2.2:49179[202.100.1.101:49179]-->202.89.233.101:80

Condition for no_pat to generate a server-map entry: traffic must trigger it.
[FW1]display firewall server-map
20:57:38 2022/7/19
server-map 4 time(s)
---------------------------------------------------------
No-Pat,10.1.2.1[202.100.1.100]-> any,Zone:---
Protocol:any(Appro:---),Left-Time:00:12:00,Addr-Pool:0
VPN:public-->public # forward Server-map
No-Pat Reverse,any->202.100.1.100[10.1.2.1],Zone:untrust
Protocol:any(Appro:---),Left-Time:--:--:--,Addr-Pool:---
VPN:public->public # reverse Server-map
---------------------------------------------------------
Effect: Internet users can actively initiate access to the intranet host without a destination NAT configuration, but the security policy must still permit the traffic.
Server-map entries generated by NAT cannot create session table entries directly, whereas server-map entries generated by ASPF can.
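To make the two-step behaviour described above concrete (an added example, not code from the original post or any vendor API): an inbound packet destined to a pool address is first mapped back through the reverse server-map entry, and the result is then matched against the security policy. The entry is constructed from the article's server-map output; the untrust-to-trust permit rule and the assumption that policy is matched on the translated (private) destination are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ReverseServerMap:
    public_ip: str    # pool address, e.g. 202.100.1.100
    private_ip: str   # intranet host it maps back to, e.g. 10.1.2.1
    zone: str         # zone the entry applies to (untrust in the article's output)

@dataclass(frozen=True)
class SecurityRule:
    src_zone: str
    dst_zone: str
    dst_net: str      # e.g. "10.1.2.0/24", matched on the post-translation destination
    action: str       # "permit" or "deny"

def inbound_decision(src_zone, dst_zone, dst_ip, server_maps, rules):
    """Fate of a packet from src_zone whose destination is a NAT pool address.

    Step 1: consult the reverse server-map (no destination NAT rule is needed).
    Step 2: match security policy on the translated, i.e. private, destination.
    Returns (outcome, address the packet would be forwarded to or None).
    """
    entry = next((e for e in server_maps
                  if e.public_ip == dst_ip and e.zone == src_zone), None)
    if entry is None:
        return "no-server-map", None       # nothing maps it back: not translated
    real_dst = ipaddress.ip_address(entry.private_ip)
    for rule in rules:
        if (rule.src_zone, rule.dst_zone) == (src_zone, dst_zone) \
                and real_dst in ipaddress.ip_network(rule.dst_net):
            return rule.action, entry.private_ip
    return "deny", entry.private_ip        # no matching rule: default deny

# Constructed from the article's server-map output plus a hypothetical inbound rule.
SERVER_MAPS = [ReverseServerMap("202.100.1.100", "10.1.2.1", "untrust")]
RULES = [SecurityRule("untrust", "trust", "10.1.2.0/24", "permit")]

def demo():
    return (inbound_decision("untrust", "trust", "202.100.1.100", SERVER_MAPS, RULES),
            inbound_decision("untrust", "trust", "202.100.1.100", SERVER_MAPS, []),
            inbound_decision("untrust", "trust", "202.100.1.101", SERVER_MAPS, RULES))

if __name__ == "__main__":
    print(demo())
```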
NAPT configuration steps
Create the NAT address pool; the original NAT policy and NAT address pool must be deleted and recreated.

CLI configuration ideas
Step 1: configure the address pool
nat address-group napt
section 0 202.100.1.100 202.100.1.103 # the pool can hold one address or several
nat-mode pat # pat is the default; NAPT translates ports
Step 2: configure the NAT policy
nat-policy
rule name napt
source-zone trust
destination-zone untrust
action nat address-group napt
Step 3: permit the traffic in the security policy
security-policy
rule name trust_untrust
source-zone trust
destination-zone untrust
source-address 10.1.2.0 mask 255.255.255.0
action permit
Step 4: check the result
View the session table entries on the firewall:
[FW1]display firewall session table nat source global 202.100.1.100
Current Total Sessions: 67
HTTPS VPN: public-->public 10.1.2.1:56527[202.100.1.100:2053]-->180.76.22.32:443
HTTPS VPN: public-->public 10.1.2.2:49522[202.100.1.100:2055]-->180.76.22.32:443
Different source IP addresses are translated to the same address in the NAT address pool; the sessions are distinguished by port number.
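The No-PAT and NAPT session tables above differ only in whether the port inside the brackets equals the original one. The following parser, an added example rather than code from the article, reads `display firewall session table` lines, tells the two modes apart, and groups private sources by the public address they were translated to. The sample lines are copied from the article's output (one with the dash variant a web copy produces) plus a non-NAT line; they are not a live capture.

```python
import re

# One line of 'display firewall session table'. The bracketed part is optional
# (absent when no source NAT applied); the arrow may be '-->' or the '–>' web copies show.
SESSION_RE = re.compile(
    r"^(?P<proto>\S+)\s+VPN:\s*(?P<src_vpn>[A-Za-z]\w*)\s*(?:-->|–>)\s*"
    r"(?:(?P<dst_vpn>[A-Za-z]\w*)\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)"
    r"(?:\[(?P<nsrc>\d+\.\d+\.\d+\.\d+):(?P<nport>\d+)\])?\s*"
    r"(?:-->|–>)\s*(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

def parse_session(line):
    """Parse one session line; return None for headers, timestamps and other noise."""
    m = SESSION_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    if d["nsrc"] is None:
        mode = "none"        # no brackets: the source address was not translated
    elif d["nport"] == d["sport"]:
        mode = "no-pat"      # address changed, port kept
    else:
        mode = "pat"         # address and port changed (NAPT / Easy-IP)
    return {"proto": d["proto"].lower(), "src": d["src"], "sport": int(d["sport"]),
            "nat_src": d["nsrc"], "nat_port": int(d["nport"]) if d["nport"] else None,
            "dst": d["dst"], "dport": int(d["dport"]), "mode": mode}

def hosts_per_public_ip(text):
    """Map each translated (public) address to the private sources and modes behind it."""
    out = {}
    for line in text.splitlines():
        s = parse_session(line)
        if s and s["nat_src"]:
            out.setdefault(s["nat_src"], []).append((s["src"], s["mode"]))
    return out

# Constructed sample: lines taken from the article's outputs, not a live capture.
SAMPLE_SESSIONS = """Current Total Sessions: 67
dns VPN:public-->public 10.1.2.1:49431[202.100.1.100:49431]-->114.114.114.114:53
http VPN:public-->public 10.1.2.2:49179[202.100.1.101:49179]-->202.89.233.101:80
HTTPS VPN: public–>public 10.1.2.1:56527[202.100.1.100:2053]–>180.76.22.32:443
HTTPS VPN: public–>public 10.1.2.2:49522[202.100.1.100:2055]–>180.76.22.32:443
https VPN:public–> public 192.168.0.100:49824–>192.168.0.10:8843"""

if __name__ == "__main__":
    for public_ip, sources in hosts_per_public_ip(SAMPLE_SESSIONS).items():
        print(public_ip, sources)
```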
Easy-NAT
Easy-NAT is a special form of NAPT that uses only the address of the outbound interface for translation.

CLI configuration
Step 1: configure the NAT policy
nat-policy
rule name napt
source-zone trust
destination-zone untrust
action nat easy-ip
Step 2: check the result
display firewall session table
21:27:10 2022/07/20
Current Total Sessions:2
https VPN:public--> public 192.168.0.100:49824-->192.168.0.10:8843
https VPN:public--> 10.1.2.1:49793[202.100.1.100:49793]-->54.191.53.147:443