2025-02-27 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
I. Overview diagram of NAT address translation
In this chapter we learn and practice static NAT address translation, dynamic NAT address translation, port mapping and PAT port multiplexing, and look at the advantages and disadvantages of NAT.
II. How NAT works
Static translation (Static Translation)
Dynamic translation (Dynamic Translation)
Port multiplexing (Port Address Translation, PAT)
III. NAT terms in the translation table
NAT address translation hides the internal addresses (a form of address masquerading), as shown in the figure. When PC1 sends a packet to the external network, the router first queries the routing table and then, according to the NAT table, rewrites the source IP into a public network address; the destination IP is unchanged, so on the outside the source IP is the public address. When PC2 replies, the router first queries the NAT translation table (to restore the private destination address) and only then the routing table to forward the packet; if it consulted the routing table first for the reply, it would not find a route to the private host. The interface on the 125.0 side is the outside interface, the other one is the inside interface. The four terms used in the translation table:
Inside (private side of the router): source IP = inside local address; destination IP = outside local address.
Outside (public side of the router): source IP = inside global address; destination IP = outside global address.
IV. NAT translation entries
Simple translation entries, based on IP address only; extended translation entries, based on IP address and port.
V. NAT working process
1. Host 10.1.1.12 on the inside sends a packet to the extranet (source IP 10.1.1.12, destination IP the external server).
2. The router consults the NAT translation table; for static NAT the entry is configured manually, and for TCP/UDP traffic the entry also records the port. The packet is matched by inside local address, inside global address and, where used, the port.
3. The source IP is replaced with the inside global address; the destination IP stays the same, and the packet is forwarded to the extranet.
4. The external host replies to the inside global address (the destination IP of the reply).
5. The router looks up the reply in the translation table, restores the destination IP to the inside local address 10.1.1.12 and delivers it; the source IP of the reply is left unchanged.
VI. Working process of PAT
PAT translates multiple private network addresses into one public network address; because each flow is distinguished by its port, one public address can serve many hosts. The port can be set when there are more ports than addresses. With * tunnels, both ends of the tunnel are fixed IP addresses, but the translated address changes; there is a technology for traversing * that bypasses this.
7. Static NAT address experiment diagram
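To make the three modes of sections II to VI concrete, here is a small model of a NAT translation table (an added example, not the article's or Cisco's code). It replays the article's lab addresses: static one-to-one entries, a dynamic pool that can run out, and PAT sharing one public address by port; the class and method names are assumptions.

```python
from itertools import count

class NatRouter:
    def __init__(self, mode, inside_global, addr_map=None):
        self.mode = mode                         # "static", "dynamic" or "pat"
        self.inside_global = inside_global       # public address(es) available
        self.addr_map = dict(addr_map or {})     # inside local ip -> inside global ip
        self.table = {}                          # (local ip, port) -> (global ip, port)
        self._ports = count(1024)                # PAT: next unused public-side port

    def translate_out(self, src_ip, src_port):
        """Outbound packet: return (inside global ip, port), or None if dropped."""
        key = (src_ip, src_port)
        if key in self.table:
            return self.table[key]
        if self.mode == "pat":                   # one public ip, unique port per flow
            entry = (self.inside_global[0], next(self._ports))
        else:
            glob_ip = self.addr_map.get(src_ip)  # static entries are pre-configured
            if glob_ip is None and self.mode == "dynamic":
                free = [g for g in self.inside_global if g not in self.addr_map.values()]
                if free:                         # take the first free pool address
                    glob_ip = free[0]
                    self.addr_map[src_ip] = glob_ip
            if glob_ip is None:                  # static: unmapped; dynamic: pool exhausted
                return None
            entry = (glob_ip, src_port)
        self.table[key] = entry
        return entry

    def translate_in(self, dst_ip, dst_port):
        """Inbound packet: restore (inside local ip, port); None = no entry, dropped."""
        for local, glob in self.table.items():
            if glob == (dst_ip, dst_port):
                return local
        return None

def demo():
    """Replays the three modes with the article's addresses (constructed sample flows)."""
    r = {}
    static = NatRouter("static", [], addr_map={"192.168.100.10": "12.0.0.10"})
    r["static"] = static.translate_out("192.168.100.10", 40000)
    r["static_unmapped"] = static.translate_out("192.168.100.30", 40000)
    dyn = NatRouter("dynamic", ["12.0.0.10", "12.0.0.11"])
    r["dyn"] = [dyn.translate_out(h, 40000) for h in ("192.168.100.10", "192.168.100.20", "192.168.100.30")]
    pat = NatRouter("pat", ["12.0.0.1"])
    r["pat"] = [pat.translate_out(h, 40000) for h in ("192.168.100.10", "192.168.100.20")]
    r["pat_reply"] = pat.translate_in("12.0.0.1", 1025)
    r["pat_unsolicited"] = pat.translate_in("12.0.0.1", 9999)
    return r
```

The third dynamic host gets None because the two-address pool is exhausted, and the unsolicited inbound packet gets None because no table entry exists, which is the behaviour the text calls a disguise.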
Sw1: turn off the routing function, set the rate and full-duplex mode.
R3: assign IPs to the interfaces, configure a default route. f0/0: 12.0.0.2/24, f0/1: 13.0.0.1/24.
R2: assign IPs to the interfaces, configure a default route back, configure static NAT address translation and apply it to the interfaces. f0/0: 12.0.0.1/24, f0/1: 192.168.100.1/24.
PC1: 192.168.100.10/24, PC2: 192.168.100.20/24.
7.1 Configure the switch: rate, full-duplex, routing function off
sw1#conf t
sw1(config)# no ip routing // turn off routing function
sw1(config)# int f1/0
sw1(config-if)# speed 100 // rate 100
sw1(config-if)# dup full // full-duplex mode
sw1(config-if)# ex
7.2 Configure the R3 interface addresses and the default route
R3#conf t
R3(config)# int f0/0
R3(config-if)# ip add 12.0.0.2 255.255.255.0 // configure address
R3(config-if)# no shut // enable the interface
R3(config-if)# int f0/1
R3(config-if)# ip add 13.0.0.1 255.255.255.0
R3(config-if)# no shut
R3(config-if)# do show ip route // view the routing table entries
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     12.0.0.0 is subnetted, 1 subnets
C       12.0.0.0 is directly connected, FastEthernet0/0
     13.0.0.0 is subnetted, 1 subnets
C       13.0.0.0 is directly connected, FastEthernet0/1
R3(config-if)# ex
R3(config)# ip route 0.0.0.0 0.0.0.0 12.0.0.1 // configure default route
7.3 Assign IPs to the R2 interfaces and configure the default route back
R2#conf t
R2(config)# int f0/0
R2(config-if)# ip add 192.168.100.1 255.255.255.0 // configure address
R2(config-if)# no shut
R2(config-if)# int f0/1
R2(config-if)# ip add 12.0.0.1 255.255.255.0 // configure address
R2(config-if)# ex
R2(config)# ip route 0.0.0.0 0.0.0.0 12.0.0.2
7.4 Configure each host with its address
PC1> ip 192.168.100.10 192.168.100.1
Checking for duplicate address...
PC1 : 192.168.100.10 255.255.255.0 gateway 192.168.100.1
PC2> ip 192.168.100.20 192.168.100.1
Checking for duplicate address...
PC1 : 192.168.100.20 255.255.255.0 gateway 192.168.100.1
PC3> ip 13.0.0.13 13.0.0.1
Checking for duplicate address...
PC1 : 13.0.0.13 255.255.255.0 gateway 13.0.0.1
7.5 Configure static NAT address translation on R2 and apply it to the interfaces
R2#conf t
R2(config)# ip nat inside source static 192.168.100.10 12.0.0.10 // static NAT entry: intranet address translated to extranet address
R2(config)# ip nat inside source static 192.168.100.20 12.0.0.20
R2(config)# int f0/0
R2(config-if)# ip nat inside // f0/0 is the inside interface
R2(config-if)# int f0/1
R2(config-if)# ip nat outside // f0/1 is the outside interface
R2(config-if)# end
R2#debug ip nat // view the NAT address translation status
IP NAT debugging is on
8. Static NAT mapping
NAT Port Mapping Protocol (NAT-PMP) is a network protocol for automatically creating network address translation (NAT) settings and port mapping configurations without user intervention. The protocol automatically determines the external IPv4 address of the NAT gateway and gives an application a way to communicate the mapping to its peer. NAT-PMP was introduced by Apple in 2005 as an alternative to the more common ISO standard Internet Gateway Device Protocol implemented in many NAT routers. The protocol was published by the Internet Engineering Task Force (IETF) as RFC 6886. NAT-PMP uses the User Datagram Protocol (UDP) and runs on port 5351. The protocol has no built-in authentication mechanism, because forwarding a port usually allows nothing that could not also be achieved using STUN methods. The advantage of NAT-PMP over STUN is that it needs no STUN server, and a NAT-PMP mapping has a known expiration time, so applications can avoid inefficiently sending keep-alive packets. NAT-PMP is the predecessor of the Port Control Protocol (PCP).
8.1 Experiment diagram. On the wide area network, a private network address can only be reached if there is a mapped public address for it. The purpose of this experiment is to let hosts on the external network access the Linux WEB service.
8.2 Install the HTTPD service on the Linux server and write a web page for testing
[root@localhost ~]# yum install httpd -y // install the HTTPD service
[root@localhost ~]# vim /var/www/html/index.html // create the file and content under the site root
This is web NAT
[root@localhost ~]# systemctl start httpd // start the HTTPD service
[root@localhost ~]# systemctl stop firewalld.service // turn off the firewall
[root@localhost ~]# setenforce 0 // switch SELinux to permissive mode
8.3 Bind the Linux server's network card and set a fixed IP
[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static // set static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=849aa04e-1874-490f-8cb0-b2fde4b9a6f8
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.100.100 // IP address
NETMASK=255.255.255.0 // subnet mask
GATEWAY=192.168.100.1 // gateway
[root@localhost ~]# systemctl restart network // restart the network service
[root@localhost ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.100  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::e3c7:14af:6e4d:7216  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:c9:dd:05  txqueuelen 1000  (Ethernet)
        RX packets 4309  bytes 4579244 (4.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1123  bytes 96283 (94.0 KiB)
8.4 Bind the network card to Win10
8.5 In GNS3, configure the R1 router interfaces with their addresses
R1#conf t
R1(config)# int f0/0
R1(config-if)# ip add 192.168.100.1 255.255.255.0
R1(config-if)# no shut
R1(config-if)# int f0/1
R1(config-if)# ip add 12.0.0.1 255.255.255.0
R1(config-if)# no shut
8.6 Back in Win10, set the address
8.7 go back to GNS3 and start configuring port mapping
What does mapping mean? If the extranet wants to access your private network address, that address must be mapped to a public address and port; exposing the private network any other way is not secure.
R1#conf t
R1(config)# ip nat inside source static tcp 192.168.100.100 80 12.0.0.100 8080 extendable // port mapping: internal IP address and port (tcp) mapped to the extranet address and port; be sure to append extendable
Interface NVI0, changed state to up
R1(config)# int f0/0
R1(config-if)# ip nat inside // set to internal
R1(config-if)# int f0/1
R1(config-if)# ip nat outside // set to external
R1(config-if)# end
R1#debug ip nat // check that the port mapping is active
IP NAT debugging is on
8.8 Go back to a host on the extranet and access http://12.0.0.100:8080/ ; port 8080 must be included, because that is the mapped port.
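A check a defender wants after sections 7.5 and 8.7: an audit of which inside hosts the static entries make reachable from the extranet. This is an added example, not the article's code; CONFIG is a constructed running-config excerpt built from the article's own statements, and the function names are assumptions. It shows that a one-to-one static entry exposes every port of the inside host, while the port mapping above exposes only one.

```python
import re

# Constructed running-config excerpt using the article's own NAT statements (sample input).
CONFIG = """
ip nat inside source static 192.168.100.10 12.0.0.10
ip nat inside source static 192.168.100.20 12.0.0.20
ip nat inside source static tcp 192.168.100.100 80 12.0.0.100 8080 extendable
ip nat inside source list 1 interface FastEthernet0/1 overload
"""

# Only the two static forms used in the article are recognised (assumption of this audit).
_STATIC_PORT = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
_STATIC_IP = re.compile(r"^ip nat inside source static (\S+) (\S+)\s*$")

def inbound_exposure(config_text):
    """List every inside host that outside traffic can reach through static NAT entries."""
    found = []
    for line in config_text.splitlines():
        line = line.strip()
        m = _STATIC_PORT.match(line)
        if m:                                    # port mapping: one protocol/port only
            proto, lip, lport, gip, gport = m.groups()
            found.append({"inside_local": lip, "inside_global": gip, "proto": proto,
                          "local_port": int(lport), "global_port": int(gport)})
            continue
        m = _STATIC_IP.match(line)
        if m:                                    # 1:1 static NAT: every port is reachable
            lip, gip = m.groups()
            found.append({"inside_local": lip, "inside_global": gip, "proto": "any",
                          "local_port": None, "global_port": None})
    return found                                 # 'overload' (PAT) lines expose nothing inbound

def forwarded_to(exposures, dst_ip, dst_port, proto):
    """Where an unsolicited outside packet to dst_ip:dst_port lands; None means dropped."""
    for e in exposures:
        if e["inside_global"] != dst_ip:
            continue
        if e["proto"] == "any":
            return (e["inside_local"], dst_port)
        if e["proto"] == proto and e["global_port"] == dst_port:
            return (e["inside_local"], e["local_port"])
    return None

if __name__ == "__main__":
    for e in inbound_exposure(CONFIG):
        print(e)
```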
9. Dynamic NAT address translation
Dynamic NAT means that when a private IP address of the internal network is translated into a public IP address, the pairing is not fixed: any private IP address authorized to access the Internet can be translated into any of the specified legal public IP addresses. In other words, dynamic translation works as soon as you specify which internal addresses may be translated and which legal addresses serve as external addresses. Dynamic translation can use several sets of legal external addresses. It is used when the number of legal IP addresses provided by the ISP is somewhat smaller than the number of computers in the network.
The purpose of the dynamic NAT experiment (see the diagram) is to translate the internal private network addresses into one of several public network addresses.
9.1 The layer 2 switch turns off the routing function and sets the rate and full-duplex mode
sw#conf t
sw(config)# no ip routing
sw(config)# int f1/0
sw(config-if)# speed 100
sw(config-if)# dup full
sw(config-if)# ex
9.2 Set the R1 router interface addresses and configure dynamic NAT
R1#conf t
R1(config)# int f0/0
R1(config-if)# ip add 192.168.100.1 255.255.255.0
R1(config-if)# no shut
R1(config-if)# int f0/1
R1(config-if)# ip add 12.0.0.1 255.255.255.0
R1(config-if)# no shut
R1(config-if)# ex
R1(config)# access-list 1 permit 192.168.100.0 0.0.0.255 // define the internal network segment allowed to be translated; the mask is written as a wildcard (inverse) mask
R1(config)# ip nat pool test 12.0.0.10 12.0.0.100 netmask 255.255.255.0 // define the pool of external addresses: name, start and end address, subnet mask
R1(config)# ip nat inside source list 1 pool test // bind the internal network segment (list 1) to the address pool
R1(config)# int f0/0
R1(config-if)# ip nat inside // define the intranet interface
R1(config-if)# int f0/1
R1(config-if)# ip nat outside // define the extranet interface
R1(config-if)# end
R1#debug ip nat // check that NAT is active
IP NAT debugging is on
9.3 Configure each host's IP address
PC1> ip 192.168.100.10 192.168.100.1
Checking for duplicate address...
PC1 : 192.168.100.10 255.255.255.0 gateway 192.168.100.1
PC2> ip 192.168.100.20 192.168.100.1
Checking for duplicate address...
PC1 : 192.168.100.20 255.255.255.0 gateway 192.168.100.1
PC3> ip 12.0.0.12 12.0.0.1
Checking for duplicate address...
PC1 : 12.0.0.12 255.255.255.0 gateway 12.0.0.1
9.4 Test from PC1 and PC2 whether several public network addresses are used
PC1> ping 12.0.0.12
84 bytes from 12.0.0.12 icmp_seq=1 ttl=63 time=20.944 ms
84 bytes from 12.0.0.12 icmp_seq=2 ttl=63 time=18.950 ms
84 bytes from 12.0.0.12 icmp_seq=3 ttl=63 time=15.957 ms
84 bytes from 12.0.0.12 icmp_seq=4 ttl=63 time=22.452 ms
84 bytes from 12.0.0.12 icmp_seq=5 ttl=63 time=19.952 ms
R1 debug output (excerpt; 192.168.100.20 has been translated to pool address 12.0.0.11):
*Mar  1 00:19:47.327: NAT: expiring 12.0.0.11 (192.168.100.20) icmp 34108 (34108)
*Mar  1 00:19:49.519: NAT*: s=12.0.0.12, d=12.0.0.11->192.168.100.20 [15554]
*Mar  1 00:19:50.399: NAT: expiring 12.0.0.11 (192.168.100.20) icmp 34876 (34876)
*Mar  1 00:19:50.531: NAT*: s=192.168.100.20->12.0.0.11, d=12.0.0.12 [15555]
*Mar  1 00:19:50.543: NAT*: s=12.0.0.12, d=12.0.0.11->192.168.100.20 [15555]
10. PAT translation experiment. Purpose: translate all private network addresses into the same public network address
Port Address Translation (PAT), also called port multiplexing. By changing the source IP address and the source port of outbound packets (port translation), all hosts in the internal network can share one public IP address to access the external network, which saves IP addresses.
10.1 The layer 2 switch turns off the routing function and configures the rate and full-duplex mode
sw#conf t
sw(config)# no ip routing
sw(config)# int f1/0
sw(config-if)# speed 100
sw(config-if)# dup full
10.2 Configure the router interface addresses and PAT address translation
R1#conf t
R1(config)# int f0/0
R1(config-if)# ip add 192.168.100.1 255.255.255.0
R1(config-if)# no shut
R1(config-if)# int f0/1
R1(config-if)# ip add 12.0.0.1 255.255.255.0
R1(config-if)# no shut
R1(config-if)# ex
R1(config)# access-list 1 permit 192.168.100.0 0.0.0.255 // define the internal network segment allowed to be translated, with a wildcard (inverse) mask
R1(config)# ip nat inside source list 1 interface fastEthernet 0/1 overload // refer directly to the external interface address; overload lets all internal hosts share it
R1(config)# int f0/0
R1(config-if)# ip nat in // define the intranet interface
R1(config-if)# int f0/1
R1(config-if)# ip nat out // define the extranet interface
R1(config-if)# end
R1#debug ip nat // check that NAT is active
IP NAT debugging is on
10.3 Configure the IP address of each host
PC1> ip 192.168.100.10 192.168.100.1
Checking for duplicate address...
PC1 : 192.168.100.10 255.255.255.0 gateway 192.168.100.1
PC2> ip 192.168.100.20 192.168.100.1
Checking for duplicate address...
PC1 : 192.168.100.20 255.255.255.0 gateway 192.168.100.1
PC3> ip 12.0.0.12 12.0.0.1
Checking for duplicate address...
PC1 : 12.0.0.12 255.255.255.0 gateway 12.0.0.1
10.4 Test whether the private network addresses of PC1 and PC2 are translated to the same public network address
PC1> ping 12.0.0.12 -t
12.0.0.12 icmp_seq=1 timeout
84 bytes from 12.0.0.12 icmp_seq=2 ttl=63 time=20.943 ms
84 bytes from 12.0.0.12 icmp_seq=3 ttl=63 time=17.919 ms
84 bytes from 12.0.0.12 icmp_seq=4 ttl=63 time=16.956 ms
R1 debug output (excerpt; 192.168.100.10 is translated to the interface address 12.0.0.1):
*Mar  1 00:19:04.779: NAT: s=192.168.100.10->12.0.0.1, d=12.0.0.12 [18124]
*Mar  1 00:19:07.807: NAT*: s=192.168.100.10->12.0.0.1, d=12.0.0.12 [18126]
*Mar  1 00:19:09.843: NAT*: s=192.168.100.10->12.0.0.1, d=12.0.0.12 [18128]
*Mar  1 00:19:09.847: NAT*: s=12.0.0.12, d=12.0.0.1->192.168.100.10 [18128]
PC2> ping 12.0.0.12 -t
84 bytes from 12.0.0.12 icmp_seq=1 ttl=63 time=29.921 ms
84 bytes from 12.0.0.12 icmp_seq=2 ttl=63 time=16.981 ms
84 bytes from 12.0.0.12 icmp_seq=3 ttl=63 time=15.958 ms
84 bytes from 12.0.0.12 icmp_seq=4 ttl=63 time=23.936 ms
R1 debug output (excerpt; 192.168.100.20 is translated to the same address 12.0.0.1):
*Mar  1 00:20:28.715: NAT*: s=192.168.100.20->12.0.0.1, d=12.0.0.12 [18208]
*Mar  1 00:20:28.719: NAT*: s=12.0.0.12, d=12.0.0.1->192.168.100.20 [18208]
*Mar  1 00:20:29.739: NAT*: s=12.0.0.12, d=12.0.0.1->192.168.100.20 [18209]
*Mar  1 00:20:30.751: NAT*: s=192.168.100.20->12.0.0.1, d=12.0.0.12 [18210]
*Mar  1 00:20:30.759: NAT*: s=12.0.0.12, d=12.0.0.1->192.168.100.20 [18210]
*Mar  1 00:20:31.775: NAT*: s=192.168.100.20->12.0.0.1, d=12.0.0.12 [18211]
*Mar  1 00:20:31.779: NAT*: s=12.0.0.12, d=12.0.0.1->192.168.100.20 [18211]
Thank you for watching. The next chapter is more exciting.