2025-04-02 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report
I. NAT categories
II. NAT workflow
III. Source NAT knowledge points
IV. Destination NAT knowledge points
nat address-group pool 0                    # define the address group named "pool"
 route enable                               # generate a UNR route for the pool; like a black-hole route it stops pool addresses from causing routing loops
 mode no-pat local                          # NO-PAT in local mode: address-only translation (no port translation); the device generates Server-Map entries for it
 section 0 123.126.1.1 123.126.1.100        # public network address range
nat-policy
 rule name no-pat
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 24
  action nat address-group pool             # translate matching traffic with the address group defined above
nat-policy interzone trust untrust outbound  # older interzone-style source NAT for trust -> untrust
 policy 1
  action source-nat
  easy-ip G0/0/2                            # Easy IP: use the address of interface G0/0/2 as the public address
nat server IPS1 zone 10M protocol tcp global 123.226.100.202 211 inside 192.168.2.22 211    # same inside server published in the "10M" ISP zone
nat server IPS2 zone 100M protocol tcp global 222.226.100.202 211 inside 192.168.2.22 211   # and again in the "100M" ISP zone (multi-ISP publishing)
nat server mail protocol tcp global 123.124.1.1 1414 inside 192.168.100.100 81                # server port mapping: public port 1414 -> private port 81
nat server OA protocol tcp global 123.124.1.1 8000 inside 192.168.1.3 80 no-reverse          # no-reverse: only the forward Server-Map entry is generated, so the same inside address can be published under several global addresses; the server's own outbound traffic is not translated by this mapping and relies on source NAT instead
firewall interzone untrust dmz
 detect ftp                                 # enable the FTP ALG between these zones so the addresses carried in FTP PORT/PASV commands are translated too
VI. Black hole routing
display nat server                          # view NAT server mapping relationships
display firewall session aging-time         # view session aging times
display firewall server-map                 # view Server-Map entries
The addresses in a NAT address pool do not have to be contiguous: particular addresses inside a section's range can be left out with the exclude-ip feature.
Source NAT processing: when the device translates a packet it first looks up the interzone security policy; only a packet that passes the security policy check and then hits the match conditions of an interzone NAT policy has its source address translated. The security policy therefore sees the private, pre-translation source address.
NAT Server processing: when the device receives a packet that matches a Server-Map entry, it first translates the destination address and then checks the security policy, so the destination address written in the security policy must be the translated one, that is, the private address of the inside server.
Whether NAT applies to ESP packets: ESP carries no transport-layer ports, so only source NAT policies and NAT Server mappings that do not translate ports (NO-PAT, address-only NAT Server) work for ESP.
The firewall matches only the first packet of a flow against its policies and creates a session table entry; subsequent packets of the flow are forwarded according to the session.
UDP and ICMP flows also create session entries, not only TCP.
Packets in both directions of the same connection are associated with the same session.
When an enterprise deploys a firewall at the network border with NAT Server, source NAT, OSPF routing and the related security policies configured, the firewall processes an arriving packet in this order:
NAT Server > OSPF routing (route lookup) > security policy > source NAT (the firewall generates static Server-Map entries as soon as NAT Server is configured, which is why destination translation can take place before the route lookup).
NAT supports FTP through the ALG, but it is not compatible with every IPsec protocol: AH authenticates the IP header, including the addresses NAT rewrites, so NAT breaks AH.
NO-PAT translates only network-layer addresses, that is, layer 3 only, and never translates layer 4 ports.
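The processing order and the "which address does the security policy see" rules in the notes above, as an added Python model. This is an illustration written for this page, not vendor code or the page's own configuration: the zones, the single nat server mapping, the two policy rules and the pool address are constructed, and "PAT drops a port-less protocol" is this model's simplification of the note that only address-only NAT works for ESP.

```python
"""Toy model of the packet-processing order in the notes above:
NAT Server -> route lookup -> security policy -> source NAT.
Added illustration, not vendor code; every address, zone and rule is constructed."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "esp" (ESP carries no L4 ports)
    src: str
    dst: str
    sport: Optional[int] = None   # None for port-less protocols
    dport: Optional[int] = None


def zone_of(ip: str) -> str:
    """Stand-in for the route lookup: the egress zone follows the destination prefix."""
    if ip.startswith("192.168."):
        return "trust"
    if ip.startswith("10.0."):
        return "dmz"
    return "untrust"


# Static Server-Map as generated by a constructed
#   nat server web protocol tcp global 203.0.113.10 80 inside 10.0.0.5 80
SERVER_MAP = {("tcp", "203.0.113.10", 80): ("10.0.0.5", 80)}

# Security policy written against the *inside* address, as the notes require.
SECURITY_POLICY = [
    {"src_zone": "untrust", "dst_zone": "dmz", "dst": "10.0.0.5", "action": "permit"},
    {"src_zone": "trust", "dst_zone": "untrust", "src_prefix": "192.168.1.", "action": "permit"},
]
# A common mistake: the same inbound rule written against the global address.
WRONG_POLICY = [
    {"src_zone": "untrust", "dst_zone": "dmz", "dst": "203.0.113.10", "action": "permit"},
]

# Source NAT for trust -> untrust using one constructed pool address.
SNAT_POLICY = {"src_zone": "trust", "dst_zone": "untrust", "pool_ip": "203.0.113.100"}


def policy_allows(pkt: Packet, src_zone: str, dst_zone: str, policy: List[dict]) -> bool:
    """First matching rule wins; no match means the default deny."""
    for rule in policy:
        if (rule["src_zone"], rule["dst_zone"]) != (src_zone, dst_zone):
            continue
        if "dst" in rule and pkt.dst != rule["dst"]:
            continue
        if "src_prefix" in rule and not pkt.src.startswith(rule["src_prefix"]):
            continue
        return rule["action"] == "permit"
    return False


def process(pkt: Packet, snat_mode: str = "no-pat", policy: List[dict] = SECURITY_POLICY,
            pat_port: int = 10240) -> Tuple[str, Packet]:
    """Return (verdict, packet as it would leave the device)."""
    # 1. NAT Server: destination NAT first, so everything below sees the inside address.
    hit = SERVER_MAP.get((pkt.proto, pkt.dst, pkt.dport))
    if hit is not None:
        pkt = replace(pkt, dst=hit[0], dport=hit[1])
    # 2. Route lookup on the (possibly translated) destination gives the egress zone.
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    # 3. Security policy runs before source NAT: it sees the private source and the
    #    private destination, never the pool address or the global server address.
    if not policy_allows(pkt, src_zone, dst_zone, policy):
        return "drop: security policy", pkt
    # 4. Source NAT last. In this model PAT refuses port-less protocols (the notes: only
    #    address-only NAT works for ESP); NO-PAT rewrites the address and leaves the port alone.
    if (src_zone, dst_zone) == (SNAT_POLICY["src_zone"], SNAT_POLICY["dst_zone"]):
        if snat_mode == "pat":
            if pkt.sport is None:
                return "drop: PAT cannot translate a port-less protocol", pkt
            pkt = replace(pkt, src=SNAT_POLICY["pool_ip"], sport=pat_port)
        else:
            pkt = replace(pkt, src=SNAT_POLICY["pool_ip"])
    return "forward", pkt


if __name__ == "__main__":
    inbound = Packet("tcp", "198.51.100.7", "203.0.113.10", 40000, 80)
    print(process(inbound))                        # forwarded, destination already 10.0.0.5
    print(process(inbound, policy=WRONG_POLICY))   # dropped: the policy never sees 203.0.113.10
    esp = Packet("esp", "192.168.1.10", "198.51.100.7")
    print(process(esp), process(esp, snat_mode="pat"))
```

Run it and compare the two inbound results: the rule that names the global address never matches because step 1 has already rewritten the destination, which is exactly the mistake the NAT Server note warns about.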
NAT server or SLB (server load balancing)
After NAT Server is configured, the device generates static Server-Map entries in both the forward and the reverse direction to store the mapping between the global address and the inside address, and translates and forwards packets according to that mapping.
With the SLB function several private servers are published behind one IP address, so Server-Map entries similar to those of NAT Server are created, but one forward entry and N reverse entries are needed, N being the number of private servers.
NO-PAT: the device creates Server-Map entries for data flows that actually carry traffic, storing the mapping between the private IP address and the public IP address.
The Server-Map entries generated by NO-PAT also come in forward and reverse form.
The forward Server-Map entry is used when the trust zone accesses the Internet: the address is translated straight from the entry, which improves efficiency.
The reverse Server-Map entry lets users on the Internet actively access the host in the trust zone (the traffic still has to pass the security policy check).
display firewall server-map no-pat          # view the Server-Map entries created by NO-PAT
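The forward and reverse entry counts for nat server, no-reverse, SLB and NO-PAT described in the notes above, as an added Python model of the Server-Map. This is not the device's table format or vendor code: the entry layout, the lookup function and the SLB virtual address and real servers are constructed for illustration, while the mail and OA mappings reuse the nat server lines shown earlier on this page.

```python
"""Model of the Server-Map entries described in the notes above.
Added illustration, not device output; layout and SLB addresses are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Endpoint = Tuple[str, Optional[int]]   # (ip, port); port None for address-only entries


@dataclass(frozen=True)
class ServerMapEntry:
    direction: str                   # "forward" or "reverse" in the sense the notes give each feature:
                                     # nat server/SLB forward = global -> inside, NO-PAT forward = private -> public
    proto: str                       # "tcp", "udp" or "any"
    match: Endpoint                  # what an arriving packet is matched on
    targets: Tuple[Endpoint, ...]    # translation target(s); several only for the SLB forward entry
    static: bool                     # True: created by configuration; False: created by traffic (NO-PAT)


def nat_server(proto: str, global_ep: Endpoint, inside_ep: Endpoint,
               no_reverse: bool = False) -> List[ServerMapEntry]:
    """nat server: one static forward entry and, unless no-reverse is set, one static reverse entry."""
    entries = [ServerMapEntry("forward", proto, global_ep, (inside_ep,), True)]
    if not no_reverse:
        entries.append(ServerMapEntry("reverse", proto, inside_ep, (global_ep,), True))
    return entries


def slb(proto: str, virtual_ep: Endpoint, real_servers: List[Endpoint]) -> List[ServerMapEntry]:
    """SLB: one forward entry for the virtual address and N reverse entries, one per real server."""
    forward = ServerMapEntry("forward", proto, virtual_ep, tuple(real_servers), True)
    reverse = [ServerMapEntry("reverse", proto, rs, (virtual_ep,), True) for rs in real_servers]
    return [forward] + reverse


def no_pat(private_ip: str, public_ip: str, traffic_seen: bool) -> List[ServerMapEntry]:
    """NO-PAT: address-only, non-static entries that exist only once a flow has actually passed."""
    if not traffic_seen:
        return []
    return [ServerMapEntry("forward", "any", (private_ip, None), ((public_ip, None),), False),
            ServerMapEntry("reverse", "any", (public_ip, None), ((private_ip, None),), False)]


def lookup(entries: List[ServerMapEntry], direction: str, proto: str, ip: str,
           port: Optional[int]) -> Optional[Tuple[Endpoint, ...]]:
    """Return the target(s) for a packet, or None when no entry applies. None means the
    packet falls through to ordinary policy-based NAT, e.g. an outbound packet from a
    server published with no-reverse still needs a source NAT policy."""
    for e in entries:
        if e.direction != direction or (e.proto != "any" and e.proto != proto):
            continue
        if e.match[0] != ip or (e.match[1] is not None and e.match[1] != port):
            continue
        return e.targets
    return None


if __name__ == "__main__":
    oa = nat_server("tcp", ("123.124.1.1", 8000), ("192.168.1.3", 80), no_reverse=True)
    for e in oa + slb("tcp", ("203.0.113.20", 80), [("10.0.0.11", 8080), ("10.0.0.12", 8080)]):
        print(e)
    print(lookup(oa, "reverse", "tcp", "192.168.1.3", 80))   # None: no reverse entry with no-reverse
```

The `lookup` result for the OA server in the reverse direction is what distinguishes `no-reverse` in practice: the forward publication works, but the server's own connections to the Internet are not translated by this mapping.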
NAT ALG (Application Level Gateway) is a translation agent for specific application protocols: it translates the address and port information carried inside application-layer data (for example the addresses in FTP PORT/PASV commands), which plain NAT of the IP and transport headers would leave untouched.