Detailed explanation of NAT policy and configuration of Huawei firewall

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Human use of computer networks has spread into every field, and the original designers of the network could not have imagined the scale the Internet has reached today. Every computer, mobile phone and smart TV connected to the Internet needs a legal IP address in order to roam the Internet. IPv4 addresses, once thought plentiful enough for every computer in the world, are today severely depleted. IPv6 was created to solve the address shortage, but until IPv6 is widespread a transition technology is needed: NAT. NAT eases the address shortage by letting more than 60,000 users on the same LAN (the limit comes from the 16-bit port space) share one legal public IP address to reach the Internet at the same time. Readers unfamiliar with NAT on Cisco devices can refer to the blog post "Network Address Translation - NAT technology"; today's post mainly introduces NAT on Huawei devices.

Blog outline:

I. Classification of Huawei device NAT
II. Solving the loop and invalid ARP problems in the source address translation scenario
III. The function of the Server-map table
  1. Solving the FTP data transfer problem through the Server-map table
  2. The function of the Server-map table in NAT
IV. The packet processing flow of NAT
V. Commonly used NAT configuration methods
  1. NAT NO-PAT configuration mode
  2. NAPT configuration mode
  3. Easy-IP configuration mode
  4. NAT Server configuration mode

I. Classification of Huawei device NAT

At the boundary between the internal and external networks there are two directions of traffic, outbound and inbound, so NAT comprises source address translation and destination address translation. Source address translation mainly serves the scenario of LAN computers accessing the Internet; destination address translation mainly serves the scenario of Internet users accessing LAN servers, and is often called server address mapping.

The source address translation methods supported by Huawei devices are:

NAT NO-PAT: similar to Cisco dynamic NAT. Only the source IP address is translated, not the port, so it is a many-to-many translation that does not conserve public addresses. It is rarely used in practice and suits cases where few users need Internet access and public addresses are plentiful.

NAPT: similar to Cisco PAT. Both the source address and the source port are translated. The translated addresses come from an address pool rather than being the outbound interface's own address (that case is Easy-IP below). It is a many-to-many or many-to-one translation that conserves addresses and is widely used, mainly where a large number of internal users need Internet access and only a few public addresses are available.

Outbound interface address, also called Easy-IP because of its simple translation: like NAPT it translates both the source IP address and the source port, but the translated address can only be the IP address configured on the NAT device's external interface, so it is a many-to-one translation that conserves addresses. It suits the scenario where no extra public addresses are available and there are many internal users; the translation target is simply the external interface's own address.

Smart NAT (intelligent translation): one public address is reserved for NAPT translation while the remaining public addresses are used for NAT NO-PAT. It suits sites where the number of Internet users is usually small enough that the public addresses can serve them with NO-PAT, but occasionally the number of users doubles; the reserved address then absorbs the overflow with NAPT.

Triple NAT: a translation keyed on source IP address, source port and protocol type. The source IP address and source port are translated to a fixed public IP address and port, which solves some problems ordinary NAT cannot; it is mainly used so that external users can reach P2P applications of LAN users.

This post mainly introduces the first three source address translation methods.

The destination address translation technology of Huawei devices is mainly NAT Server, which can map by IP address alone or by "IP + port + protocol".

II. Solving the loop and invalid ARP problems in the source address translation scenario

When configuring NAT on a Huawei firewall, black-hole routes are routinely configured to prevent routing loops and floods of useless ARP packets. How they arise, in brief: some translation methods map a public address to internal hosts so that they can reach the Internet through that mapped address, and the mapped address is not the firewall's own interface address. If someone on the Internet then sends traffic to the mapped public address and it matches neither a Server-map entry nor an existing session, the firewall has no specific route for it and forwards it on the default route back towards the upstream router, which routes it back to the firewall; the result is a routing loop and a large number of invalid ARP packets. The details are tedious, but the fix for both problems is simple: configure a black-hole route that sends traffic actively destined for the mapped address to the Null0 interface, so the firewall drops it locally and neither the loop nor the ARP flood can form.

The NAT translation methods for which a black-hole route needs to be configured are listed in the figure (not reproduced here). The two NAT Server forms among them are:

NAT Server (coarse): maps a private address directly to a public address, which exposes every port of the private host.

NAT Server (fine): maps one port of a private address to a public address and port, which exposes only that service and is the safer choice when a single service is published.

In the configuration examples in section V, black-hole routes are configured for NAT NO-PAT, NAPT and NAT Server; Easy-IP needs none, because the translated address is the outbound interface's own address.

III. The function of the Server-map table

1. Solving the FTP data transfer problem through the Server-map table

Huawei firewalls forward packets statefully: the first packet of a flow is checked strictly against the security policy, and once it is permitted a session-table entry is created. Subsequent packets and return packets of the same session then pass through the firewall directly because they match the session table; no further policy check is needed, which improves forwarding efficiency. In some cases, however, the traffic of special applications cannot be forwarded on the basis of the session table alone. Active-mode FTP is the example (the flow chart is not reproduced here): the client opens the control connection to the server's port 21 and announces, in a PORT command, the address and port on which it is listening; the server then opens the data connection itself, from its port 20 to that address and port.

From this it can be seen that the client's active connection to the FTP server is no problem, but when the FTP server initiates the data connection, that connection fails. Huawei firewalls solve this class of problem with the Server-map table. The Server-map table records key application-layer information, including the destination address, destination port and protocol. Like the session table, a data flow that matches a Server-map entry can pass through the firewall directly, as shown in the figure (not reproduced here):

This handles the case in which the FTP server initiates a connection, without the FTP data transfer failing.
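As an added example (not code from the original post or from Huawei), the following Python models what the FTP-aware inspection described above extracts from the control channel. For a PORT command (active mode) or a 227 reply (passive mode) it derives the destination address, port and protocol of the data connection the firewall must let through, which is exactly what a Server-map entry records; it rejects a PORT command that names a host other than the control-channel client (the FTP bounce pattern, which a firewall should not open a hole for); and it shows the address rewrite the FTP ALG performs when the client's address is translated by NAT. The control-channel lines, the client and server addresses and all function and class names are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical model of the information FTP application-layer inspection pulls out of
# the control channel to pre-create a Server-map entry. Not Huawei code; all names and
# sample lines are assumptions.


@dataclass(frozen=True)
class ServerMapEntry:
    """The three fields the text says a Server-map entry records for FTP."""
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


# "PORT h1,h2,h3,h4,p1,p2" sent by the client in active mode (RFC 959)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" sent by the server in passive mode
PASV_RE = re.compile(r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def _decode_endpoint(fields):
    """Turn the six comma-separated fields into (ip, port); port = p1 * 256 + p2."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("FTP endpoint field out of range: %r" % (fields,))
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def predict_data_connection(line: str, client_ip: str, server_ip: str) -> Optional[ServerMapEntry]:
    """Return the Server-map entry needed for the data connection this control-channel
    line announces, or None if the line announces none.

    The advertised address must belong to the peer that sent the line: a PORT naming a
    third host is the classic FTP bounce pattern and is rejected rather than opened up.
    """
    m = PORT_RE.match(line)
    if m:
        ip, port = _decode_endpoint(m.groups())
        if ip != client_ip:
            raise ValueError("PORT address %s does not match control-channel client %s" % (ip, client_ip))
        # active mode: the server will open a new connection to client ip:port, i.e. the
        # direction the session table alone would block
        return ServerMapEntry(ip, port)
    m = PASV_RE.match(line)
    if m:
        ip, port = _decode_endpoint(m.groups())
        if ip != server_ip:
            raise ValueError("PASV address %s does not match control-channel server %s" % (ip, server_ip))
        # passive mode: the client connects to server ip:port, the same direction as the
        # control connection but on a port no policy lists explicitly
        return ServerMapEntry(ip, port)
    return None


def rewrite_port_for_nat(line: str, private_ip: str, public_ip: str) -> str:
    """What the FTP ALG does when the client sits behind source NAT: the PORT command
    carries the private address, which the server could never reach, so the firewall
    rewrites it to the public address it will translate the data connection for.
    (Address-only rewrite as in NO-PAT; under NAPT the port would be rewritten too.)"""
    m = PORT_RE.match(line)
    if not m:
        return line
    ip, port = _decode_endpoint(m.groups())
    if ip != private_ip:
        return line
    hi, lo = divmod(port, 256)
    return "PORT %s,%d,%d" % (public_ip.replace(".", ","), hi, lo)
```

With the page's lab addresses, `predict_data_connection("PORT 192,168,1,2,195,80", "192.168.1.2", "100.1.1.2")` yields the entry for 192.168.1.2:50000/tcp, the connection the server at 100.1.1.2 will open and that the session table alone would drop.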

The difference between the Server-map table and the session table:

The session table records the information of the current connection, including its state. The Server-map table records not the current connection but information obtained by analysing the packets of the current connection, and that information lets the next data flow pass through the firewall. The Server-map table can be understood as solving, by prediction, a problem that would otherwise occur later.

2. The function of the Server-map table in NAT

Besides solving problems like the FTP one, the Server-map table is also used in NAT. When certain types of NAT are configured on the firewall, Server-map entries are generated, by default two of them: a forward entry and a reverse entry (Reverse), as shown in the figure (not reproduced here):

The roles of the two Server-map entries in NAT are:

Forward entry: carries the port information, and lets Internet users who access the intranet server have the destination address translated directly through the Server-map table.

Reverse entry (Reverse): carries no port information and has an arbitrary destination; it lets the server access the Internet, with its source address translated to the mapped public address.

Summary:

The Server-map generated by NAT NO-PAT is dynamic: its entries are created only when traffic passes and age out afterwards.

The Server-map generated by NAT Server is static: its entries exist for as long as the configuration does.

NAPT and outbound-interface (Easy-IP) translation generate no Server-map entries.

Note, therefore, that not every NAT translation method generates a Server-map table.

IV. The packet processing flow of NAT

A packet goes through a series of processing stages between arriving on a firewall interface and finally being sent out, and NAT is only one of them. NAT configuration interacts with routing and with the security policy, so understanding where NAT sits in the packet processing flow helps a great deal when configuring it. The flow chart of NAT packet processing is as follows (not reproduced here):

The process by which NAT handles a packet is as follows:

(1) After receiving the packet, the firewall first checks whether it matches a Server-map entry. If so, the destination address is translated according to that entry and processing continues at step (3); otherwise it continues at step (2).

(2) The firewall checks whether a destination NAT (NAT Server) configuration exists and whether the packet meets its conditions. If so, the destination address is translated and processing continues at step (3); otherwise it continues at step (3) directly.

(3) The routing table is looked up with the (possibly translated) destination address of the packet. If a route exists, processing continues at step (4); otherwise the packet is discarded.

(4) The rules of the security policy are matched in order. If the matching rule permits the packet, processing continues at step (5); otherwise the packet is discarded.

(5) The firewall checks whether a source NAT configuration exists and whether the packet meets its conditions. If so, the source address is translated and processing continues at step (6); otherwise it continues at step (6) directly.

(6) A session is created before the packet is sent; subsequent packets and return packets of the flow are then forwarded directly by matching the session table.

(7) The firewall sends the packet.

Note: because the firewall processes a packet in the order destination address translation → security policy → source address translation, in a NAT environment the source address in a security policy must be the address before source translation (the private address), and the destination address must be the address after destination translation (for NAT Server, the server's private address). A policy written against the public addresses never matches. The NAT Server configuration in section V.4 shows this: its security policy uses destination-address 192.168.1.0 24 together with service ftp, not 202.106.0.20.
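To make the ordering concrete, here is an added Python model of the seven steps above (not Huawei code; the class and function names, the in-memory tables and the lab values are all assumptions, with the inside zone named trust, where the page's NAT Server lab calls the same interface dmz). It runs four packets through the pipeline with the page's own addresses: an inbound FTP connection to the published 202.106.0.20:21 with the security policy written against the private address (forwarded), the same packet with the policy written against the public address (dropped at step 4, because the destination was already translated at step 1), a packet to 202.106.0.20:80 that no Server-map entry covers (dropped at step 3 by the black-hole route from section II), and an outbound LAN packet that is matched by the policy on its private source before NAPT rewrites it at step 5.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Added model of the NAT packet-processing order; not Huawei code. Zones, interface
# names and addresses follow the page's lab; everything else is an assumption.


@dataclass
class Packet:
    in_iface: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Route:
    prefix: str
    out_iface: str      # "null0" models a black-hole route


@dataclass
class Policy:
    src_zone: str
    dst_zone: str
    src_net: str
    dst_net: str
    proto: str          # "any" or a protocol name
    dst_port: Optional[int]
    action: str         # "permit" or "deny"


@dataclass
class SnatRule:
    src_zone: str
    dst_zone: str
    src_net: str
    public_ip: str      # single-address PAT pool


class Firewall:
    def __init__(self, zones, routes, server_map, policies, snat_rules):
        self.zones = zones                      # interface -> security zone
        self.routes = sorted(routes, key=lambda r: ip_network(r.prefix).prefixlen, reverse=True)
        self.server_map = server_map            # (proto, global_ip, global_port) -> (inside_ip, inside_port)
        self.policies = policies
        self.snat_rules = snat_rules
        self.sessions = []
        self._next_pat_port = 2048

    def _route(self, dst_ip):
        for r in self.routes:                   # longest prefix first
            if ip_address(dst_ip) in ip_network(r.prefix):
                return r
        return None

    def process(self, pkt):
        # (1)/(2) destination translation (Server-map / NAT Server) comes first
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port)
        if key in self.server_map:
            inside_ip, inside_port = self.server_map[key]
            pkt = replace(pkt, dst_ip=inside_ip, dst_port=inside_port)
        # (3) route on the translated destination; a null0 route drops the packet locally
        route = self._route(pkt.dst_ip)
        if route is None or route.out_iface == "null0":
            return "drop", "no route or black-hole route for %s" % pkt.dst_ip
        src_zone, dst_zone = self.zones[pkt.in_iface], self.zones[route.out_iface]
        # (4) security policy sees the pre-SNAT source and the post-DNAT destination
        for p in self.policies:
            if (p.src_zone, p.dst_zone) != (src_zone, dst_zone):
                continue
            if ip_address(pkt.src_ip) not in ip_network(p.src_net):
                continue
            if ip_address(pkt.dst_ip) not in ip_network(p.dst_net):
                continue
            if p.proto != "any" and (p.proto != pkt.proto or (p.dst_port is not None and p.dst_port != pkt.dst_port)):
                continue
            if p.action != "permit":
                return "drop", "security policy deny"
            break
        else:
            return "drop", "no matching security policy (default deny)"
        # (5) source NAT only after the policy decision
        for r in self.snat_rules:
            if (r.src_zone, r.dst_zone) == (src_zone, dst_zone) and ip_address(pkt.src_ip) in ip_network(r.src_net):
                pkt = replace(pkt, src_ip=r.public_ip, src_port=self._next_pat_port)
                self._next_pat_port += 1
                break
        # (6) create the session, (7) send
        self.sessions.append(pkt)
        return "forward", pkt


def build_lab(inbound_dst_net="192.168.1.0/24"):
    """The page's lab: FTP server 192.168.1.2 published as 202.106.0.20:21, LAN NAPT to
    202.106.0.100. inbound_dst_net is the destination-address of the untrust->trust rule."""
    zones = {"g1/0/0": "trust", "g1/0/1": "untrust"}
    routes = [Route("192.168.1.0/24", "g1/0/0"), Route("0.0.0.0/0", "g1/0/1"),
              Route("202.106.0.20/32", "null0"), Route("202.106.0.100/32", "null0")]
    server_map = {("tcp", "202.106.0.20", 21): ("192.168.1.2", 21)}
    policies = [Policy("untrust", "trust", "0.0.0.0/0", inbound_dst_net, "tcp", 21, "permit"),
                Policy("trust", "untrust", "192.168.1.0/24", "0.0.0.0/0", "any", None, "permit")]
    snat = [SnatRule("trust", "untrust", "192.168.1.0/24", "202.106.0.100")]
    return Firewall(zones, routes, server_map, policies, snat)


if __name__ == "__main__":
    inbound = Packet("g1/0/1", "tcp", "100.1.1.2", 49160, "202.106.0.20", 21)
    print(build_lab().process(inbound))                      # forward, dst 192.168.1.2:21
    print(build_lab("202.106.0.20/32").process(inbound))     # drop: policy names the public address
    print(build_lab().process(Packet("g1/0/1", "tcp", "100.1.1.2", 40000, "202.106.0.20", 80)))  # drop: black hole
    print(build_lab().process(Packet("g1/0/0", "icmp", "192.168.1.2", 0, "100.1.1.2", 0)))       # forward, src 202.106.0.100
```

The black-hole route is harmless for published traffic because step (1) rewrites the destination to 192.168.1.2 before the route lookup; only traffic to the public address that nothing maps reaches Null0, which is precisely what section II wants dropped.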

V. Commonly used NAT configuration methods

1. NAT NO-PAT configuration mode

1) Experimental topology (figure not reproduced)

2) Experimental requirements

PC1 communicates with PC2 through the address 202.106.0.20 or 202.106.0.21.

Recommendation: in the lab, try not to use the firewall's G0/0/0 interface; it is the management interface by default and carries a large amount of default configuration.

3) Case implementation

(1) Configure the firewall interface addresses and routing

[FW1] int g1/0/0
[FW1-GigabitEthernet1/0/0] ip add 192.168.1.1 24
[FW1-GigabitEthernet1/0/0] undo shutdown
Info: Interface GigabitEthernet1/0/0 is not shutdown.
[FW1-GigabitEthernet1/0/0] int g1/0/1
[FW1-GigabitEthernet1/0/1] ip add 202.106.0.1 24
[FW1-GigabitEthernet1/0/1] undo shutdown
Info: Interface GigabitEthernet1/0/1 is not shutdown.
[FW1-GigabitEthernet1/0/1] quit
[FW1] ip route-static 0.0.0.0 0.0.0.0 202.106.0.2

(2) Configure the firewall security policy

[FW1] firewall zone trust
[FW1-zone-trust] add int g1/0/0
[FW1-zone-trust] quit
[FW1] firewall zone untrust
[FW1-zone-untrust] add int g1/0/1
[FW1-zone-untrust] quit                                  // add the internal and external interfaces to their security zones
[FW1] security-policy                                    // configure the security policy
[FW1-policy-security] rule name sec_1                    // create a rule named sec_1
[FW1-policy-security-rule-sec_1] source-zone trust
[FW1-policy-security-rule-sec_1] destination-zone untrust
[FW1-policy-security-rule-sec_1] source-address 192.168.1.0 24   // match conditions
[FW1-policy-security-rule-sec_1] action permit                    // action
[FW1-policy-security-rule-sec_1] quit
[FW1-policy-security] quit

(3) Configure the NAT address group

[FW1] nat address-group natgroup                         // create a NAT address group named natgroup
[FW1-address-group-natgroup] section 0 202.106.0.20 202.106.0.21   // section: start and end addresses of the group
[FW1-address-group-natgroup] mode no-pat local           // NO-PAT mode; local limits the reverse Server-map entry to the NAT policy's destination zone (global would apply it to all zones)
[FW1-address-group-natgroup] quit

(4) Configure the NAT policy

[FW1] nat-policy                                         // configure the NAT policy
[FW1-policy-nat] rule name natpolicy                     // create a NAT rule named natpolicy
[FW1-policy-nat-rule-natpolicy] source-zone trust
[FW1-policy-nat-rule-natpolicy] source-address 192.168.1.0 24
[FW1-policy-nat-rule-natpolicy] destination-zone untrust // match conditions
[FW1-policy-nat-rule-natpolicy] action nat address-group natgroup   // matching packets get NAT NO-PAT source translation from address group natgroup
[FW1-policy-nat-rule-natpolicy] quit
[FW1-policy-nat] quit

Note: the NAT policy differs from the security policy. The security policy checks its rules against the data flow passing through, and a matching packet is either forwarded or discarded: the security policy decides whether traffic may pass the firewall. The NAT policy also checks its rules against the data flow, but a matching packet either has its address translated or not: the NAT policy decides which traffic is translated. Both must be configured; a NAT rule does not permit traffic by itself.

(5) Configure black-hole routes for the translated public addresses

[FW1] ip route-static 202.106.0.20 32 null 0
[FW1] ip route-static 202.106.0.21 32 null 0

(6) Configure the router interface addresses and route

[AR1] int g0/0/0
[AR1-GigabitEthernet0/0/0] ip add 202.106.0.2 24
[AR1-GigabitEthernet0/0/0] undo shutdown
[AR1-GigabitEthernet0/0/0] int g0/0/1
[AR1-GigabitEthernet0/0/1] ip add 100.1.1.1 24
[AR1-GigabitEthernet0/0/1] undo shutdown
[AR1-GigabitEthernet0/0/1] quit
[AR1] ip route-static 202.106.0.0 24 202.106.0.1          // redundant here: 202.106.0.0/24 is directly connected on G0/0/0, so the direct route is already used

(7) Configure the PC IP addresses and gateways, then verify the NAT configuration

Verification on the PC (ping output not reproduced):

Verification on the firewall:

[FW1] display firewall session table       // view the firewall session table
 Current Total Sessions : 3
 icmp  public --> public  192.168.1.2:13610[202.106.0.20:13610] --> 100.1.1.2:2048
 icmp  public --> public  192.168.1.2:13354[202.106.0.20:13354] --> 100.1.1.2:2048
 icmp  public --> public  192.168.1.2:13098[202.106.0.20:13098] --> 100.1.1.2:2048
// the internal address 192.168.1.2 is translated to 202.106.0.20 as it passes the firewall; the port is unchanged (NO-PAT)
[FW1] display firewall server-map          // view the firewall Server-map table
 Current Total Server-map : 2
 Type: No-Pat Reverse,  ANY -> 202.106.0.20[192.168.1.2],  Zone: untrust
 Protocol: ANY,  TTL:---,  Left-Time:---,  Pool: 0,  Section: 0
 Vpn: public
 Type: No-Pat,  192.168.1.2[202.106.0.20] -> ANY,  Zone: untrust
 Protocol: ANY,  TTL:360,  Left-Time:360,  Pool: 0,  Section: 0
 Vpn: public
// the mapping between 192.168.1.2 and 202.106.0.20 is visible in both directions

2. NAPT configuration mode

The experimental topology is the same as for NAT NO-PAT (this lab builds on the NO-PAT one). To make it easy for beginners to follow, the network devices are configured again from scratch.

1) Experimental requirements

PC1 communicates with PC2 through the address 202.106.0.100.

2) Case implementation

[FW1] int g1/0/0
[FW1-GigabitEthernet1/0/0] ip add 192.168.1.1 24
[FW1-GigabitEthernet1/0/0] int g1/0/1
[FW1-GigabitEthernet1/0/1] ip add 202.106.0.1 24
[FW1-GigabitEthernet1/0/1] quit
[FW1] ip route-static 0.0.0.0 0.0.0.0 202.106.0.2         // firewall interface addresses and default route
[FW1] firewall zone trust
[FW1-zone-trust] add int g1/0/0
[FW1-zone-trust] quit
[FW1] firewall zone untrust
[FW1-zone-untrust] add int g1/0/1
[FW1-zone-untrust] quit
[FW1] security-policy
[FW1-policy-security] rule name sec_2
[FW1-policy-security-rule-sec_2] source-zone trust
[FW1-policy-security-rule-sec_2] source-address 192.168.1.0 24
[FW1-policy-security-rule-sec_2] destination-zone untrust
[FW1-policy-security-rule-sec_2] action permit
[FW1-policy-security-rule-sec_2] quit
[FW1-policy-security] quit                                // firewall security policy
[FW1] nat address-group natgroup1
[FW1-address-group-natgroup1] section 0 202.106.0.100 202.106.0.100
[FW1-address-group-natgroup1] mode pat                    // pat mode, i.e. NAPT
[FW1-address-group-natgroup1] quit                        // NAT address group
[FW1] nat-policy
[FW1-policy-nat] rule name natpolicy1
[FW1-policy-nat-rule-natpolicy1] source-address 192.168.1.0 24
[FW1-policy-nat-rule-natpolicy1] source-zone trust
[FW1-policy-nat-rule-natpolicy1] destination-zone untrust
[FW1-policy-nat-rule-natpolicy1] action nat address-group natgroup1   // matching packets get NAPT source translation from address group natgroup1
[FW1-policy-nat-rule-natpolicy1] quit
[FW1-policy-nat] quit                                     // firewall NAT policy
[FW1] ip route-static 202.106.0.100 32 null 0             // black-hole route for the translated address
[R1] int g0/0/0
[R1-GigabitEthernet0/0/0] ip add 202.106.0.2 24
[R1-GigabitEthernet0/0/0] int g0/0/1
[R1-GigabitEthernet0/0/1] ip add 100.1.1.1 24
[R1-GigabitEthernet0/0/1] quit
[R1] ip route-static 202.106.0.0 24 202.106.0.1           // router interface addresses and route (redundant for a directly connected segment)

Verification on PC1 (ping output not reproduced):

Verification on the firewall:

[FW1] display firewall session table       // view the firewall session table
 Current Total Sessions : 2
 icmp  public --> public  192.168.1.2:12082[202.106.0.100:2058] --> 100.1.1.2:2048
 icmp  public --> public  192.168.1.2:12338[202.106.0.100:2059] --> 100.1.1.2:2048
// both sessions share 202.106.0.100 and are told apart by the translated port
[FW1] display firewall server-map          // view the firewall Server-map table
 Current Total Server-map : 0              // NAPT generates no Server-map entries

3. Easy-IP configuration mode

The experimental topology is the same as for NAT NO-PAT (this lab builds on the NAPT one). To make it easy for beginners to follow, the network devices are configured again from scratch.

1) Experimental requirements

PC1 communicates with PC2 through the firewall's outbound interface address.

2) Case implementation

[FW1] int g1/0/0
[FW1-GigabitEthernet1/0/0] ip add 192.168.1.1 24
[FW1-GigabitEthernet1/0/0] int g1/0/1
[FW1-GigabitEthernet1/0/1] ip add 202.106.0.1 24
[FW1-GigabitEthernet1/0/1] quit
[FW1] ip route-static 0.0.0.0 0.0.0.0 202.106.0.2         // firewall interface addresses and default route
[FW1] firewall zone trust
[FW1-zone-trust] add int g1/0/0
[FW1-zone-trust] quit
[FW1] firewall zone untrust
[FW1-zone-untrust] add int g1/0/1
[FW1-zone-untrust] quit
[FW1] security-policy
[FW1-policy-security] rule name sec_3
[FW1-policy-security-rule-sec_3] source-zone trust
[FW1-policy-security-rule-sec_3] source-address 192.168.1.0 24
[FW1-policy-security-rule-sec_3] destination-zone untrust
[FW1-policy-security-rule-sec_3] action permit
[FW1-policy-security-rule-sec_3] quit
[FW1-policy-security] quit                                // firewall security policy
[FW1] nat-policy
[FW1-policy-nat] rule name natpolicy2
[FW1-policy-nat-rule-natpolicy2] source-address 192.168.1.0 24
[FW1-policy-nat-rule-natpolicy2] source-zone trust
[FW1-policy-nat-rule-natpolicy2] destination-zone untrust
[FW1-policy-nat-rule-natpolicy2] action nat easy-ip       // matching packets are translated to the outbound interface's own address; no address group and no black-hole route are needed
[FW1-policy-nat-rule-natpolicy2] quit
[FW1-policy-nat] quit
[R1] int g0/0/0
[R1-GigabitEthernet0/0/0] ip add 202.106.0.2 24
[R1-GigabitEthernet0/0/0] int g0/0/1
[R1-GigabitEthernet0/0/1] ip add 100.1.1.1 24
[R1-GigabitEthernet0/0/1] quit
[R1] ip route-static 202.106.0.0 24 202.106.0.1           // router interface addresses and route (redundant for a directly connected segment)

Verification on PC1 (ping output not reproduced):

Verification on the firewall:

[FW1] display firewall session table       // view the firewall session table
 Current Total Sessions : 2
 icmp  public --> public  192.168.1.2:12082[202.106.0.1:2073] --> 100.1.1.2:2048
 icmp  public --> public  192.168.1.2:12338[202.106.0.1:...] --> 100.1.1.2:2048    // translated port not legible in the source
// the source is translated to 202.106.0.1, the outbound interface's own address
[FW1] display firewall server-map          // view the firewall Server-map table
 Current Total Server-map : 0              // Easy-IP generates no Server-map entries

4. NAT Server configuration mode

1) Experimental topology (figure not reproduced)

2) Experimental requirements

Internet users access the FTP server in the DMZ zone through the address 202.106.0.20.

3) Case implementation

[FW1] int g1/0/0
[FW1-GigabitEthernet1/0/0] ip add 192.168.1.1 24
[FW1-GigabitEthernet1/0/0] int g1/0/1
[FW1-GigabitEthernet1/0/1] ip add 202.106.0.1 24
[FW1-GigabitEthernet1/0/1] quit
[FW1] ip route-static 0.0.0.0 0.0.0.0 202.106.0.2         // firewall interface addresses and default route
[FW1] firewall zone dmz
[FW1-zone-dmz] add int g1/0/0
[FW1-zone-dmz] quit
[FW1] firewall zone untrust
[FW1-zone-untrust] add int g1/0/1
[FW1-zone-untrust] quit                                   // add the firewall interfaces to their zones
[FW1] security-policy
[FW1-policy-security] rule name sec_4
[FW1-policy-security-rule-sec_4] source-zone untrust
[FW1-policy-security-rule-sec_4] destination-zone dmz
[FW1-policy-security-rule-sec_4] destination-address 192.168.1.0 24   // the private (post-translation) address, per the processing order in section IV
[FW1-policy-security-rule-sec_4] service ftp              // restrict to the FTP protocol; this is the fine-grained NAT Server case, for the coarse case this line can be omitted
[FW1-policy-security-rule-sec_4] action permit
[FW1-policy-security-rule-sec_4] quit
[FW1-policy-security] quit                                // firewall security policy
[FW1] firewall interzone dmz untrust
[FW1-interzone-dmz-untrust] detect ftp                    // FTP application-layer detection; enabled by default and may be omitted
[FW1-interzone-dmz-untrust] quit
[FW1] nat server natserver_ftp protocol tcp global 202.106.0.20 21 inside 192.168.1.2 21   // NAT Server named natserver_ftp; global is the public address and port, inside the private address and port
[FW1] ip route-static 202.106.0.20 32 null 0              // black-hole route for the public address
[R1] int g0/0/0
[R1-GigabitEthernet0/0/0] ip add 202.106.0.2 24
[R1-GigabitEthernet0/0/0] int g0/0/1
[R1-GigabitEthernet0/0/1] ip add 100.1.1.1 24
[R1-GigabitEthernet0/0/1] quit
[R1] ip route-static 202.106.0.0 24 202.106.0.1           // router interface addresses and route (redundant for a directly connected segment)

Verify the effect:

[FW1] display firewall session table
 Current Total Sessions : 1
 ftp  public --> public  100.1.1.2:49160 +-> 202.106.0.20:21
[FW1] display firewall server-map
 Current Total Server-map : 2
 Type: Nat Server,  ANY -> 202.106.0.20,  Zone:---,  protocol:tcp
 Vpn: public -> public
 Type: Nat Server Reverse,  192.168.1.2[202.106.0.20] -> ANY,  Zone:---,  protocol:tcp
 Vpn: public -> public,  counter: 1

Verify it yourself: the firewall session table shows the effect.
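The four verification outputs above (sections V.1 to V.4) can be checked mechanically rather than by eye. The following Python is an added helper, not a Huawei tool: it parses session lines in the shape shown on this page (proto, zones, then src:port[translated:port] --> dst:port), names the translation each line shows from what changed (address only: NO-PAT; address and port: NAPT; translated address equal to the outbound interface address: Easy-IP; destination side translated, or the `+->` arrow that the page's NAT Server output shows: NAT Server, the arrow reading being an assumption), and checks that NO-PAT kept a one-to-one private/public mapping. The sample outputs are the page's own, retyped; the interface address 202.106.0.1 is the lab's.

```python
import re

# Added helper; not a Huawei tool. Parses "display firewall session table" lines in the
# shape this page shows and names the translation each one exhibits.

SESSION_RE = re.compile(
    r"^\s*(?P<proto>[a-z]+)\s+(?:VPN:\s*)?\S+\s+-->\s+\S+\s+"
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+)"
    r"(?:\[(?P<xsrc>\d+(?:\.\d+){3}):(?P<xsport>\d+)\])?\s*"
    r"(?P<arrow>-->|\+->)\s*"
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)"
    r"(?:\[(?P<xdst>\d+(?:\.\d+){3}):(?P<xdport>\d+)\])?"
)

# The page's outputs, retyped (the "Current Total" header line is deliberately kept
# so the parser has to skip it).
NO_PAT_OUTPUT = """\
 Current Total Sessions : 3
 icmp  public --> public  192.168.1.2:13610[202.106.0.20:13610] --> 100.1.1.2:2048
 icmp  public --> public  192.168.1.2:13354[202.106.0.20:13354] --> 100.1.1.2:2048
 icmp  public --> public  192.168.1.2:13098[202.106.0.20:13098] --> 100.1.1.2:2048
"""
NAPT_OUTPUT = """\
 Current Total Sessions : 2
 icmp  public --> public  192.168.1.2:12082[202.106.0.100:2058] --> 100.1.1.2:2048
 icmp  public --> public  192.168.1.2:12338[202.106.0.100:2059] --> 100.1.1.2:2048
"""
EASY_IP_OUTPUT = """\
 Current Total Sessions : 1
 icmp  public --> public  192.168.1.2:12082[202.106.0.1:2073] --> 100.1.1.2:2048
"""
NAT_SERVER_OUTPUT = """\
 Current Total Sessions : 1
 ftp  public --> public  100.1.1.2:49160 +-> 202.106.0.20:21
"""


def classify_session(line, interface_ip):
    """Return a dict describing one session line, or None for lines that are not sessions."""
    m = SESSION_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    if d["xsrc"]:
        if d["xsrc"] == interface_ip:
            kind = "easy-ip"        # translated to the outbound interface's own address
        elif d["xsport"] == d["sport"]:
            kind = "no-pat"         # address changed, port preserved
        else:
            kind = "napt"           # address and port both changed
    elif d["xdst"] or d["arrow"] == "+->":
        kind = "nat-server"         # destination translated / Server-map hit (assumption for "+->")
    else:
        kind = "none"
    return {"proto": d["proto"], "src": d["src"], "xsrc": d["xsrc"], "dst": d["dst"], "kind": kind}


def classify_sessions(text, interface_ip):
    rows = (classify_session(line, interface_ip) for line in text.splitlines())
    return [r for r in rows if r]


def check_no_pat_one_to_one(rows):
    """NO-PAT must give each private address exactly one public address and never share a
    public address between two private addresses; anything else means the pool is being
    used as PAT or the address group is mis-sized."""
    priv_to_pub, pub_to_priv = {}, {}
    for r in rows:
        if r["kind"] != "no-pat":
            continue
        if priv_to_pub.setdefault(r["src"], r["xsrc"]) != r["xsrc"]:
            return False
        if pub_to_priv.setdefault(r["xsrc"], r["src"]) != r["src"]:
            return False
    return True


if __name__ == "__main__":
    for name, text in [("NO-PAT", NO_PAT_OUTPUT), ("NAPT", NAPT_OUTPUT),
                       ("Easy-IP", EASY_IP_OUTPUT), ("NAT Server", NAT_SERVER_OUTPUT)]:
        print(name, [r["kind"] for r in classify_sessions(text, "202.106.0.1")])
```

Paste the real `display firewall session table` output into one of the constants (or read it from a file) and compare the reported kinds with what the NAT policy was meant to do; a "napt" verdict in a NO-PAT lab, or a "no-pat" verdict pointing at the interface address, is a configuration mistake worth catching before the change goes live.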


© 2024 shulou.com SLNews company. All rights reserved.
