
How to realize NAT Technology

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article introduces how NAT technology is realized. In daily operation, many people have doubts about how NAT is implemented; I have consulted various materials and sorted out a simple, easy-to-follow explanation that I hope answers those doubts. Please read on and learn together with the editor.

About NAT

NAT (Network Address Translation) is the process of translating the IP address in an IP packet header to another IP address. In practice, NAT is mainly used to let a private network access the public network. Representing a large number of private IP addresses with a small number of public IP addresses helps slow the depletion of the available IP address space.

A private IP address refers to the IP address of an internal network or host, and a public IP address refers to a globally unique IP address on the Internet.

RFC 1918 reserves three IP address blocks for private networks, as follows:

Class A: 10.0.0.0~10.255.255.255

Class B: 172.16.0.0~172.31.255.255

Class C: 192.168.0.0~192.168.255.255

(Addresses in these three ranges are not allocated on the Internet, so they can be freely used within a company or enterprise without having to apply to an ISP or registry.)

NAT was originally designed to let a private network access a public network, and was later extended to address translation between any two networks. In this article these two networks are called the internal network (intranet) and the external network (extranet). Usually the private network is the internal network and the public network is the external network.

Figure 1 illustrates a basic NAT application.

Figure 1 Basic process of address translation

(1)IP packets sent from the intranet user host (192.168.1.3) to the extranet server (1.1.1.2) pass through the NAT device.

(2)The NAT device checks the header content and finds that the packet is sent to an external network, converts the private network address 192.168.1.3 in the source IP address field into a public network address 20.1.1.1 that can be routed on the Internet, sends the packet to the external network server, and records this mapping in the network address translation table of the NAT device.

(3)After the response message sent by the external network server to the intranet user (its initial destination IP address is 20.1.1.1) reaches the NAT device, the NAT device checks the header content again, then searches the records in the current network address translation table, and replaces the initial destination IP address with the intranet private address 192.168.1.3.

The NAT process described above is transparent to the endpoints (Host and Server in the figure). The external network server believes that the IP address of the internal user host is 20.1.1.1 and has no knowledge of the address 192.168.1.3. NAT therefore "hides" the enterprise's private network.

The advantage of address translation is that it enables hosts on the internal network to access resources on the external network while providing "privacy" protection for hosts on the internal network. But it also has some disadvantages:

Because IP address translation is required for datagrams, headers of datagrams involving IP addresses cannot be encrypted. In an application protocol, a message cannot be encrypted if it has an address or port that needs to be translated. For example, encrypted FTP connections cannot be used, otherwise the FTP port command cannot be translated correctly.

Network troubleshooting becomes more difficult. For example, if a host on the internal network attacks another network, it is hard to tell which host is malicious, because the host's real IP address is hidden behind the translated address.

Address translation control

In practice, we may want some hosts on the internal network to be able to access the external network, while some hosts are not allowed access, that is, when the NAT device looks at the header content of the IP data packet, if it finds that the source IP address belongs to an internal host that is prohibited from accessing the external network, it will not perform address translation. It is also desirable that only specified public network addresses be available for address translation.

Devices can control address translation using ACLs (Access Control Lists) and address pools.

Access control lists effectively control the use of address translation: only packets that match the rules of the access control list are translated.

An address pool is a collection of contiguous public network IP addresses used for address translation, which can effectively control the use of public network addresses. Users can define the appropriate address pool according to the number of legitimate IP addresses they own, the number of internal network hosts, and the actual application. During address translation, the NAT device selects an IP address from the address pool as the source IP address of the translated data packet.

NAT implements basic address translation

As the address translation process shows, when the internal network accesses the external network, address translation selects a suitable external address to replace the source address of the internal network packet. In Figure 1 this is the IP address of the NAT device's egress interface (a public network IP address). This lets all hosts on the internal network access the external network with only one external IP address, but it also means that only one internal host can access the external network at a time.

To serve multiple internal hosts that access the external network concurrently, a NAT device can hold several public IP addresses. When the first intranet host accesses the external network, NAT selects public address IP1, adds a record to the address translation table and forwards the datagram; when another intranet host accesses the external network, NAT selects another public address IP2, and so on, thus serving the requests of multiple intranet hosts.

A NAT device needs far fewer public IP addresses than there are hosts on the internal network, because not all internal hosts access the external network at the same time. The number of public IP addresses should be based on the statistical number of intranet hosts that may access the external network during peak hours.
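The following is an added example (not code from the article or from any vendor's device) that models the basic translation of Figure 1 together with the ACL and address-pool controls described above: an RFC 1918 check decides whether a source is an intranet address, a permit ACL decides whether it may be translated, and public addresses are handed out one-to-one from a pool. The pool addresses 20.1.1.1 and 20.1.1.2 and the ACL range 192.168.1.0/24 are assumed values chosen to match the article's figure; the entry-ageing behaviour of a real device is deliberately left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The three RFC 1918 blocks listed in the article
RFC1918_BLOCKS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def is_private(addr: str) -> bool:
    """True when addr falls inside one of the RFC 1918 private blocks."""
    a = ip_address(addr)
    return any(a in block for block in RFC1918_BLOCKS)


@dataclass
class Packet:
    src: str
    dst: str


class BasicNAT:
    """One-to-one address translation with an address pool and a permit ACL.

    Entries never age out here; a real device removes idle mappings after a timeout.
    """

    def __init__(self, pool, acl_permit):
        self.free = list(pool)                          # unused public addresses
        self.acl = [ip_network(n) for n in acl_permit]  # permitted source ranges
        self.table = {}                                 # private -> public
        self.reverse = {}                               # public -> private

    def permitted(self, src: str) -> bool:
        return any(ip_address(src) in n for n in self.acl)

    def outbound(self, pkt: Packet):
        """Step (2): translate a packet leaving the intranet, or None if not translated."""
        if not is_private(pkt.src) or not self.permitted(pkt.src):
            return None                     # ACL denied, or not an intranet source
        if pkt.src not in self.table:
            if not self.free:
                return None                 # address pool exhausted
            pub = self.free.pop(0)
            self.table[pkt.src] = pub
            self.reverse[pub] = pkt.src
        return Packet(self.table[pkt.src], pkt.dst)

    def inbound(self, pkt: Packet):
        """Step (3): map the public destination back to the private host, or None."""
        priv = self.reverse.get(pkt.dst)
        if priv is None:
            return None                     # no mapping: packet is dropped
        return Packet(pkt.src, priv)


if __name__ == "__main__":
    nat = BasicNAT(pool=["20.1.1.1", "20.1.1.2"], acl_permit=["192.168.1.0/24"])
    print("outbound:", nat.outbound(Packet("192.168.1.3", "1.1.1.2")))   # src becomes 20.1.1.1
    print("inbound:", nat.inbound(Packet("1.1.1.2", "20.1.1.1")))        # dst becomes 192.168.1.3
    print("denied:", nat.outbound(Packet("192.168.2.9", "1.1.1.2")))     # outside the ACL: None
```

Because every translated host consumes one pool address for as long as its entry lives, the pool size is the hard limit on concurrent intranet users, which is the sizing problem the previous paragraph describes.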

NAPT

NAPT (Network Address Port Translation) is a variant of basic address translation that allows multiple internal addresses to be mapped to the same public address, also known as many-to-one address translation.

NAPT maps IP address and port number simultaneously: the source address of data packets from different internal addresses can be mapped to the same external address, but their port numbers are converted to different port numbers of the address, so they can still share the same address, that is, the conversion between "private network IP address + port number" and "public network IP address + port number."

Figure 2 Schematic diagram of basic principle of NAPT

As shown in Figure 2, three data messages with internal addresses arrive at the NAT device: message 1 and message 2 come from the same internal address but have different source port numbers, while message 1 and message 3 come from different internal addresses but have the same source port number. Through NAPT mapping, the source IP addresses of all of these datagrams are translated to the same external address, but each datagram is assigned a different source port number, which preserves the distinction between the packets. When the reply to each message arrives, the NAT device can still tell which internal host the message should be forwarded to from the destination IP address and destination port number of the reply.

NAPT can make full use of IP address resources and realize simultaneous access of more internal network hosts to external networks.

Currently, NAPT supports two different modes of address translation:

Endpoint-Independent Mapping (translation mode that does not depend on the peer address and port)

In this mode, NAT devices allocate addresses and filter packets by establishing triplet entries (source address, source port number, protocol type). That is, as long as packets come from the same source address and source port number, regardless of whether the destination address is the same, after NAPT mapping their source address and source port number are translated to the same external address and port number, and the NAT device allows hosts on the external network to reach these internal hosts through the translated address and port. This mode works well for hosts located behind different NAT devices that need to reach each other.

Address and Port-Dependent Mapping

In this mode, NAT devices allocate addresses and filter packets by establishing quintuple entries (source address, source port number, protocol type, destination address, destination port number). That is, for packets from the same source address and source port number, if the destination address and destination port number differ, after NAPT mapping the same source address and source port number are translated into different external addresses and port numbers, and the NAT device only allows the external hosts corresponding to those destination addresses to reach the internal hosts through the translated addresses and ports. This mode is more secure, but it is not convenient for hosts located behind different NAT devices to reach each other.
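The difference between the two NAPT modes is easiest to see in a translation table. The following added example (written for this page, not taken from the article or any device) implements both modes behind one public address: in "eim" mode the table is keyed on the (protocol, source address, source port) triplet and any external host may send to the mapped port; in "apdm" mode it is keyed on the full 5-tuple and only the peer the mapping was created for is let through. The public address 20.1.1.1, the starting port 10000 and the sample hosts are assumed values; a single public address is used in both modes (the article's APDM description speaks of different external addresses and ports, and a port-only difference is the minimal form of that).

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NAPT:
    """Many-to-one translation behind a single public address.

    mode="eim"  : Endpoint-Independent Mapping, keyed on (proto, src, sport);
                  any external host may reach the mapped port.
    mode="apdm" : Address and Port-Dependent Mapping, keyed on the 5-tuple;
                  only the peer the mapping was created for may reach it.
    """

    def __init__(self, public_ip: str, mode: str = "eim", first_port: int = 10000):
        if mode not in ("eim", "apdm"):
            raise ValueError("mode must be 'eim' or 'apdm'")
        self.public_ip = public_ip
        self.mode = mode
        self.next_port = count(first_port)  # simple allocator; ports are never reused here
        self.out = {}    # mapping key -> public port
        self.back = {}   # (proto, public port) -> mapping key

    def _key(self, p: Pkt):
        if self.mode == "eim":
            return (p.proto, p.src, p.sport)
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def outbound(self, p: Pkt) -> Pkt:
        """Translate a packet leaving the intranet, creating a mapping on first use."""
        key = self._key(p)
        if key not in self.out:
            port = next(self.next_port)
            self.out[key] = port
            self.back[(p.proto, port)] = key
        return Pkt(p.proto, self.public_ip, self.out[key], p.dst, p.dport)

    def inbound(self, p: Pkt):
        """Translate a packet from the external network to the internal host, or None if filtered."""
        if p.dst != self.public_ip:
            return None
        key = self.back.get((p.proto, p.dport))
        if key is None:
            return None                         # no mapping: unsolicited packet dropped
        if self.mode == "apdm":
            _, src, sport, dst, dport = key
            if (p.src, p.sport) != (dst, dport):
                return None                     # not the peer this mapping was made for
        else:
            _, src, sport = key
        return Pkt(p.proto, p.src, p.sport, src, sport)


if __name__ == "__main__":
    for mode in ("eim", "apdm"):
        nat = NAPT("20.1.1.1", mode)
        nat.outbound(Pkt("udp", "192.168.1.3", 5000, "1.1.1.2", 53))
        probe = Pkt("udp", "9.9.9.9", 53, "20.1.1.1", 10000)   # third party, same public port
        print(mode, "third-party packet forwarded:", nat.inbound(probe) is not None)
```

Run stand-alone, the script prints True for "eim" and False for "apdm": the same internal host and port map to one public port in both cases, but only the address-and-port-dependent table refuses a packet from a host the internal client never contacted. That filtering is exactly why the article calls the second mode more secure and the first mode friendlier for hosts behind different NAT devices.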

Internal server

NAT hides the structure of the internal network and has the effect of "shielding" the internal host, but in practice, it may be necessary to provide an opportunity for the external network to access the internal host, such as providing a Web server or an FTP server for the external network.

The internal server function of a NAT device realizes the "reverse" translation from public network IP address to private network IP address by statically configuring the mapping between "public network IP address + port number" and "private network IP address + port number." For example, you can configure 20.1.1.1:8080 as the external address and port of a Web server on your intranet, for access from the external network.

As shown in Figure 3, when a packet from an external user accessing an internal server passes through the NAT device, the device looks up the address translation table by the packet's destination address and translates the destination IP address and port number of the request into the private IP address and port number of the internal server. When the internal server replies, the NAT device translates the source IP address and port number of the reply back into the public IP address and port number according to the same mapping.

Figure 3 Schematic diagram of basic principle of internal server

DNS mapping

The support of this feature depends on the model of the equipment. Please refer to the actual situation of the equipment.

In general, DNS servers and users accessing private network servers are in the public network. By configuring internal servers on the public network interface of NAT devices, information such as public network addresses and ports can be mapped to servers in the private network, so that public network users can access internal servers through the domain name or public network address of internal servers. However, as shown in Figure 4, if the DNS server is in the public network and the private network user wishes to access the private network Web server through the domain name, the response message sent by the DNS server to the private network user may contain the public network address of the private network server, resulting in that the private network user receiving the response message cannot access the private network server through the domain name. This can be resolved by configuring DNS mapping on the device.

Figure 4: NAT DNS mapping

The DNS mapping function establishes the correspondence between an internal server's domain name and its public network information by configuring a mapping table of "domain name + public network IP address + public network port number + protocol type." On an interface configured with NAT, the device inspects each received DNS response: it looks up the user-configured DNS mapping table by the domain name in the response, then uses the "public network address + public network port + protocol type" of the matching entry to find the corresponding private network address in the internal server address mapping table, and replaces the public network address in the DNS query result with it. In this way the DNS response received by the private network user contains the private network address of the internal server, and the server's domain name can be used to reach it from within the same private network.
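An added example (not the article's code, and not any vendor's implementation) of the two tables the internal server and DNS mapping features described above rely on. `InternalServers` holds the static "public IP + port + protocol" to "private IP + port" entries used for the reverse translation of Figure 3; `DNSMapping` holds the "domain name + public IP + public port + protocol" table and rewrites the A-record answers of a DNS response as Figure 4 describes. The DNS response is represented as an already-parsed query name plus answer list rather than wire format, and the Web server 20.1.1.1:8080 (from the article) is assumed to sit on the private address 192.168.1.10 under the constructed name www.example.com.

```python
class InternalServers:
    """Static 'public IP + port' <-> 'private IP + port' entries, per protocol."""

    def __init__(self, entries):
        # (public_ip, public_port, proto) -> (private_ip, private_port)
        self.entries = dict(entries)

    def inbound(self, dst_ip, dst_port, proto):
        """Request from the public network: the private destination to use, or None."""
        return self.entries.get((dst_ip, dst_port, proto))

    def outbound(self, src_ip, src_port, proto):
        """Reply from an internal server: the public source to restore, or None."""
        for (pub_ip, pub_port, p), (priv_ip, priv_port) in self.entries.items():
            if (priv_ip, priv_port, p) == (src_ip, src_port, proto):
                return (pub_ip, pub_port)
        return None


class DNSMapping:
    """'domain name + public IP + public port + protocol' table used to rewrite DNS replies."""

    def __init__(self, servers: InternalServers, table):
        self.servers = servers
        # Domain names are matched case-insensitively and without the trailing dot
        self.table = {name.lower().rstrip("."): v for name, v in table.items()}

    def rewrite(self, qname: str, answers):
        """Return the A-record answers as a private-network client should see them."""
        entry = self.table.get(qname.lower().rstrip("."))
        if entry is None:
            return list(answers)              # not one of our servers: pass through unchanged
        private = self.servers.inbound(*entry)
        if private is None:
            return list(answers)              # DNS mapping points at no configured server
        pub_ip = entry[0]
        return [private[0] if a == pub_ip else a for a in answers]


if __name__ == "__main__":
    servers = InternalServers({("20.1.1.1", 8080, "tcp"): ("192.168.1.10", 80)})
    dns = DNSMapping(servers, {"www.example.com": ("20.1.1.1", 8080, "tcp")})
    print(servers.inbound("20.1.1.1", 8080, "tcp"))           # ('192.168.1.10', 80)
    print(dns.rewrite("www.example.com.", ["20.1.1.1"]))       # ['192.168.1.10']
    print(dns.rewrite("other.example.com", ["20.1.1.1"]))      # ['20.1.1.1']
```

Only answers whose domain name is in the DNS mapping table are touched; a public address that happens to appear in the answer for some other name is left alone, since the device has no evidence it belongs to an internal server.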

Easy IP

Easy IP function means that when performing address translation, the external IP address of the interface is directly used as the translated source address, which can save IP address resources to the greatest extent. It can also use access control lists to control which internal addresses are eligible for address translation.

Special protocols supported by NAT

NAT not only implements general address translation but also provides an ALG (Application Layer Gateway) mechanism for address translation, so that it can support some special application protocols without modifying the NAT platform, giving good scalability. The payloads of these special protocols carry address or port information, which may also need to be translated.

Special protocols that can be supported include: FTP (File Transfer Protocol), PPTP (Point-to-Point Tunneling Protocol), ICMP (Internet Control Message Protocol), DNS (Domain Name System), ILS (Internet Locator Service), RTSP (Real Time Streaming Protocol), H.323, SIP (Session Initiation Protocol), NetMeeting 3.01, NBT (NetBIOS over TCP/IP), etc.
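The FTP PORT command is the classic case of address information inside a payload. The added example below (written for this page, not taken from the article or from any device) does what an FTP ALG has to do: parse the "PORT h1,h2,h3,h4,p1,p2" line, replace the private address and port with the public address and a freshly allocated port, and pre-create the inbound mapping that the server's data connection will later need. The public address 20.1.1.1 and port range starting at 20000 are assumed values. It also shows the limitation the article raises earlier: when the control channel is encrypted the ALG cannot recognise the command, so no mapping is created and the data connection cannot be set up.

```python
import re
from itertools import count

# "PORT h1,h2,h3,h4,p1,p2": four address octets, then the port as p1*256 + p2
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


def parse_port(line: str):
    """Return (ip, port) from an FTP PORT command, or None if the line is not one."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    f = m.groups()
    return ".".join(f[:4]), int(f[4]) * 256 + int(f[5])


def format_port(ip: str, port: int) -> str:
    """Encode ip:port back into PORT command syntax."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)]) + "\r\n"


class FtpAlg:
    """Rewrites the address carried in an FTP PORT payload and records the
    inbound mapping the server's data connection will use."""

    def __init__(self, public_ip: str, first_port: int = 20000):
        self.public_ip = public_ip
        self.next_port = count(first_port)   # simple allocator; never reuses ports here
        self.expected = {}   # (public_ip, public_port) -> (private_ip, private_port)

    def rewrite(self, line: str):
        """Return (line to forward, allocated public port or None)."""
        parsed = parse_port(line)
        if parsed is None:
            return line, None            # not a PORT command, or unreadable (e.g. encrypted)
        priv_ip, priv_port = parsed
        pub_port = next(self.next_port)
        self.expected[(self.public_ip, pub_port)] = (priv_ip, priv_port)
        return format_port(self.public_ip, pub_port), pub_port


if __name__ == "__main__":
    alg = FtpAlg("20.1.1.1")
    print(alg.rewrite("PORT 192,168,1,3,4,210\r\n"))   # ('PORT 20,1,1,1,78,32\r\n', 20000)
    print(alg.rewrite("\x17\x03\x03\x00\x2a..."))      # ciphertext-like input: passed through, no mapping
```

Note that the rewritten line can change length, so a real ALG must also fix up TCP sequence and acknowledgement numbers on the control connection; that bookkeeping is omitted here.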

NAT special protocol support depends on the model of the device, please refer to the actual situation of the device.

NAT multi-instance support

NAT multi-instance allows users belonging to different MPLS VPNs to access external networks through the same egress, while allowing users in different MPLS VPNs to use the same private network address. When an MPLS VPN user accesses an external network, address translation replaces the IP address and port of the internal host with the external address and port of the device, and also records the user's MPLS VPN information (such as the protocol type and the Route Distinguisher, RD). When the response packet arrives, address translation restores the external address and port to the IP address and port of the internal host, and at the same time knows which MPLS VPN user is accessing.

At the same time, address translation supports multiple instances of internal servers, giving outsiders access to hosts within MPLS VPN. For example, the address of the host providing Web services in MPLS VPN1 is 10.110.1.1, and 202.110.10.20 can be used as the external address of the Web server. Internet users can access the Web services provided by MPLS VPN1 by using the address of 202.110.10.20.

In addition, NAT can also use MPLS VPN information carried by external network addresses to support mutual visits between multiple MPLS VPNs. The support of this feature depends on the model of the equipment, please refer to the actual situation of the equipment.

NAT log

A NAT log is system information generated by the NAT device during NAT translation. It includes the source IP address, source port, destination IP address, destination port, translated source IP address, translated source port, and the operation performed. It only records intranet users' access to external networks, not external users' access to intranet servers.

When intranet users access the external network through a NAT device, multiple users share one external address, so the user behind a given access cannot be identified from the address alone. The log function tracks and records intranet users' access to the external network in real time, which enhances network security.
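The practical use of such a log is attribution: given an external complaint about "20.1.1.1 port 10000 at 10:01", which internal host was behind it? The following added example (not the article's code; real devices emit their own log syntax) parses a constructed log format that carries exactly the fields the article lists plus an add/delete operation and a timestamp, and replays the mapping lifecycle to answer that question. The log lines, the format, and the hosts in them are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed log format for this example (real devices use their own syntax):
# <timestamp> <NAT_ADD|NAT_DEL> <proto> <src>:<sport> -> <dst>:<dport> xlate <xsrc>:<xsport>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<op>NAT_ADD|NAT_DEL) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"xlate (?P<xsrc>[\d.]+):(?P<xsport>\d+)$"
)

# Constructed sample: note that public port 10000 is reused by a different host after it is freed
SAMPLE_LOG = """\
2025-01-19T10:00:01Z NAT_ADD tcp 192.168.1.3:51234 -> 1.1.1.2:443 xlate 20.1.1.1:10000
2025-01-19T10:00:05Z NAT_ADD tcp 192.168.1.4:40001 -> 1.1.1.2:443 xlate 20.1.1.1:10001
2025-01-19T10:02:00Z NAT_DEL tcp 192.168.1.3:51234 -> 1.1.1.2:443 xlate 20.1.1.1:10000
2025-01-19T10:03:00Z NAT_ADD tcp 192.168.1.5:39999 -> 1.1.1.7:25 xlate 20.1.1.1:10000
not a nat record
"""


@dataclass(frozen=True)
class NatRecord:
    ts: str
    op: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    xsrc: str
    xsport: int


def parse_log(text: str):
    """Parse NAT log lines (assumed to be in time order); lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        d = m.groupdict()
        for k in ("sport", "dport", "xsport"):
            d[k] = int(d[k])
        records.append(NatRecord(**d))
    return records


def attribute(records, proto, xsrc, xsport, dst, dport, at):
    """Which internal host:port owned public xsrc:xsport towards dst:dport at time `at`?

    Replays ADD/DEL records up to `at`; ISO-8601 UTC timestamps compare correctly as strings.
    Returns (private_ip, private_port), or None when no mapping was live at that moment.
    """
    owner = None
    for r in records:
        if r.ts > at:
            break
        if (r.proto, r.xsrc, r.xsport, r.dst, r.dport) != (proto, xsrc, xsport, dst, dport):
            continue
        owner = (r.src, r.sport) if r.op == "NAT_ADD" else None
    return owner


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(attribute(recs, "tcp", "20.1.1.1", 10000, "1.1.1.2", 443, "2025-01-19T10:01:00Z"))
    print(attribute(recs, "tcp", "20.1.1.1", 10000, "1.1.1.2", 443, "2025-01-19T10:02:30Z"))
```

Because public ports are reused once a mapping is deleted, the timestamp and the destination are as important as the translated address and port: without them the same 20.1.1.1:10000 would point at two different internal hosts in this log.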

At this point, the study of "how to realize NAT technology" is over; I hope it has resolved everyone's doubts. Combining theory with practice helps learning, so go and try it! If you want to keep learning more related knowledge, please continue to follow this website; the editor will keep striving to bring more practical articles for everyone!
