Shulou(Shulou.com)06/01 Report--

I. NAT category

II. NAT work flow

Third, source NAT knowledge points

4. Objective NAT knowledge points

Nat address-group pool 0 # defines the address group name pool

Route enable # generates a UNR route for the address pool. The UNR route serves the same purpose as the black hole route and can prevent routing loops.

Mode no-pat local # represents the local triple schema or no-pat schema, which generates the Server-Map table

Section 0 123.126.1.1 123.126.1.100 # Public Network address range

Nat-policy

Rule name no-pat

Source-zone trust

Destination-zone untrust

Source-address 192.168.1.0 24

Action nat address-group pool

Nat-policy interzone trust untrust outbound source address translation

Policy 1

Action source-nat

Easy-ip G0/0/2

Nat server IPS1 zone 10M protocol tcp global 123.226.100.202 211 inside 192.168.2.22 211

Nat server IPS2 zone 100M protocol tcp global 222.226.100.202 211 inside 192.168.2.22 211

Nat server mail protocol tcp global 123.124.1.1 1414 inside 192.168.100.100 81 # server port mapping

Nat server OA protocol tcp global 123.124.1.1 8000 inside 192.168.1.3 80 no-reverse # can access the public network

Firewall interzone untrust dmz

Detect ftp

VI. Black hole routing

Display nat server view server mapping relationship

Display firewall session aging-time # View session aging time

Display firewall server-map View server-map

The addresses in the NAT address pool are not necessarily contiguous (some special IP addresses in this address range can be excluded using the exclude address feature)

Configure source NAT policy: when a device translates a message, it first looks up the security policy between domains. Only by passing the security policy check will the address translation be carried out if the NAT policy matching condition between domains is hit.

Configure NAT Server: after the device receives the message that matches the Server-map table, it first translates the destination address of the message, and then checks the security policy, so the source address specified in the security policy is the translated address and the private network address.

Whether NAT translation is valid for ESP messages: the source NAT policy and NAT Server that do not allow port translation are valid for ESP messages

The firewall only matches the first packet to form a conversation table, and subsequent messages are forwarded according to the rules.

UDP can also form a conversation table, and so can ICMP

The messages before and after the same link are related.

When an enterprise deploys a network boundary firewall, it configures NAT Server, source NAT,OSPF routing and related security policies. When the data arrives at the firewall, the firewall wall processing order is

NAT server > OSPF routing > Security Policy > Source NAT (the firewall produces static Server MAP entries when configuring NAT Server)

NAT supports FTP protocol and is not compatible with all IPsec protocols, such as AH

NO-PAT only supports protocol address translation at the network layer, that is, only layer 3 translation, not layer 4 port translation.

NAT server or SLB (server load balancing)

After configuring NAT server, the device generates static server-map entries in both positive and negative directions, which are used to store the mapping between global addresses and inside addresses. The device translates and forwards the address of the message according to this mapping relationship.

In the SLB function, because multiple servers in the private network need to be published at the same IP address, server-map table entries similar to NAT server will be established, but one forward table entry and N reverse table items need to be established according to the number of private network servers.

NO-PAT: the device establishes a server-map table for data streams with actual traffic, which is used to store the mapping between private network IP addresses and public network IP addresses

Server-map table items generated by NO-PAT, with positive and negative table items

When forward server-map is used to ensure that trust area accesses internet, addresses can be translated quickly and efficiency can be improved.

Reverse server-map allows users on the internet to actively access hosts in the trust zone (need to pass security policy checks)

Dis firewall server-map no-pat

NAT ALG (Application level Gateway) is a translation agent for specific application protocols, which can complete the translation of address and port number information carried in application layer data.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.