Newh3c - network address translation (NAT)
2022-07-04 08:14:00 【AiY..】
1. Introduction
The Internet is growing rapidly and IPv4 addresses are running short, while users with private addresses still need to access the Internet. NAT therefore provides translation from private addresses to public addresses.
2. Concept
Definition: NAT translates private addresses into public addresses so that hosts with private IP addresses can access the Internet, which eases the shortage of public addresses.
3. Classification
- Static NAT: a one-to-one static mapping between public addresses and private addresses.
- Basic NAT: create a public address pool and dynamically map public addresses from the pool to private addresses (allocated on demand to whichever host needs one).
- NAPT (inside to outside): dynamically maps a public address and port to a private address and port, so that multiple private addresses can share one public address to access the Internet at the same time. Outbound packets have their source IP and source port translated; return packets have their destination IP and destination port restored.
- Easy IP: suited to scenarios where the public address is not fixed.
- NAT Server (outside to inside): a port on the public IP is statically mapped to a port on a private IP, so that users on the public network can actively access services inside the private network. Inbound packets have their destination IP and destination port translated; return packets have their source IP and source port restored.
4. Lab

1. IP address configuration is omitted.
2. Configure default routes on R1 and R3 pointing to the public network; the configuration steps are omitted.
3. Router-on-a-stick configuration inside private network A
R1:
int g0/1.1
vlan-type dot1q vid 10
ip add 192.168.1.254 24
SW:
vlan 10
port g1/0/2
vlan 20
port g1/0/3
int g1/0/1
port link-type trunk
port trunk permit vlan 10 20
4. Private network A uses NAPT so that VLAN 10 and VLAN 20 can access the Internet through R1's public address
Analysis: from the requirements, the ACL must permit the 192.168.1.0/24 and 192.168.2.0/24 segments. Private network A has only 1 public address available, so the start and end addresses of the NAT address pool are both 100.1.1.1.
Step 1: create a basic ACL on R1 that permits the 192.168.1.0/24 and 192.168.2.0/24 segments
[R1]acl basic 2000
[R1-acl-ipv4-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[R1-acl-ipv4-basic-2000]rule permit source 192.168.2.0 0.0.0.255
Step 2: create a NAT address pool on R1 and set the public address
[R1]nat address-group 1
[R1-address-group-1]address 100.1.1.1 100.1.1.1
Step 3: configure NAPT on R1's public network interface
[R1]interface g0/1
[R1-GigabitEthernet0/1]nat outbound 2000 address-group 1
Step 4: ping R3's public address from PCA to test Internet access
<PCA>ping 100.2.2.3
Ping 100.2.2.3 (192.168.2.10): 56 data bytes, press CTRL_C to break
56 bytes from 100.2.2.3: icmp_seq=0 ttl=254 time=22.000 ms
56 bytes from 100.2.2.3: icmp_seq=1 ttl=254 time=51.000 ms
56 bytes from 100.2.2.3: icmp_seq=2 ttl=254 time=21.000 ms
56 bytes from 100.2.2.3: icmp_seq=3 ttl=254 time=43.000 ms
56 bytes from 100.2.2.3: icmp_seq=4 ttl=254 time=34.000 ms
Private network B accesses the Internet through Easy IP configured on R3
Analysis: from the requirements, the ACL must permit the 192.168.1.0/24 segment. With Easy IP no NAT address pool is needed; it is configured directly on the public network interface, and Easy IP automatically uses that interface's IP address.
Step 1: create a basic ACL on R3 that permits the 192.168.1.0/24 segment
[R3]acl basic 2000
[R3-acl-ipv4-basic-2000]rule permit source 192.168.1.0 0.0.0.255
Step 2: configure Easy IP on R3's public network interface
[R3]interface g0/0
[R3-GigabitEthernet0/0]nat outbound 2000
Step 3: ping R1's public address from PCB to test Internet access
<PCB>ping 100.1.1.1
Ping 100.1.1.1 (192.168.1.10): 56 data bytes, press CTRL_C to break
56 bytes from 100.1.1.1: icmp_seq=0 ttl=254 time=32.000 ms
56 bytes from 100.1.1.1: icmp_seq=1 ttl=254 time=29.000 ms
56 bytes from 100.1.1.1: icmp_seq=2 ttl=254 time=41.000 ms
56 bytes from 100.1.1.1: icmp_seq=3 ttl=254 time=33.000 ms
56 bytes from 100.1.1.1: icmp_seq=4 ttl=254 time=34.000 ms
Private network A configures NAT Server to publish FTPA's FTP service to the public network so that PCB can access it
Analysis: from the requirements, publishing FTPA's FTP service means mapping ports 20 and 21 of R1's public address to FTPA's private address.
FTP service configuration steps
Omitted (see the previous blog post)
Step 1: configure NAT Server on R1's public network interface, mapping ports 20 and 21
[R1-GigabitEthernet0/1]nat server protocol tcp global current-interface 20 21 inside 192.168.1.10 20 21
Step 2: from PCB, test whether FTPA's FTP service can be reached through R1's public address
<PCB>ftp 100.1.1.1
Press CTRL+C to abort.
Connected to 100.1.1.1 (100.1.1.1).
220 FTP service ready.
User (100.1.1.1:(none)): zhangwei
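The NAPT and NAT Server behaviour configured on R1 above, modelled in Python as an added example (not code from the original post or from H3C). It shows which sources ACL 2000 lets through translation, how two private hosts share 100.1.1.1, and that the only unsolicited inbound traffic reaching the private network is what the NAT Server mapping publishes. Assumptions: the `Napt` class, sequential port allocation starting at 1024, and a session table keyed without the remote address are simplifications, not Comware's actual behaviour.

```python
import ipaddress

PUBLIC_IP = "100.1.1.1"  # R1 address-group 1 (from the page)
ACL_2000 = [("192.168.1.0", "0.0.0.255"), ("192.168.2.0", "0.0.0.255")]
# nat server ... global current-interface 20 21 inside 192.168.1.10 20 21
NAT_SERVER = {20: ("192.168.1.10", 20), 21: ("192.168.1.10", 21)}


def acl_permits(src, acl=ACL_2000):
    """Wildcard-mask match: bits set to 1 in the wildcard are ignored."""
    s = int(ipaddress.IPv4Address(src))
    for net, wildcard in acl:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if s & care == int(ipaddress.IPv4Address(net)) & care:
            return True
    return False


class Napt:
    """Simplified model of R1's translation table (hypothetical helper)."""

    def __init__(self, first_port=1024):  # starting port is an assumption
        self.next_port = first_port
        self.out = {}   # (proto, private ip, private port) -> public port
        self.back = {}  # (proto, public port) -> (private ip, private port)

    def outbound(self, proto, src_ip, src_port):
        """Translate source IP and port; None means ACL 2000 did not match."""
        if not acl_permits(src_ip):
            return None
        key = (proto, src_ip, src_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(proto, self.next_port)] = (src_ip, src_port)
            self.next_port += 1
        return (PUBLIC_IP, self.out[key])

    def inbound(self, proto, dst_port):
        """Restore the destination of a reply, else try the NAT Server map."""
        if (proto, dst_port) in self.back:
            return self.back[(proto, dst_port)]
        if proto == "tcp" and dst_port in NAT_SERVER:
            return NAT_SERVER[dst_port]
        return None  # no session and no static mapping: nothing to reach
```

When auditing a configuration like this, the `NAT_SERVER` entries are the complete list of services reachable from the public side, so each one should correspond to a service that is meant to be published.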