
Thoroughly understand some things inside Cisco NAT

2025-03-29 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

A lot has to happen for a single NAT rule to match.

I. Inside and Outside

Many people who have configured NAT on Cisco are puzzled by the difference between inside and outside. The official Cisco documentation describes the order in which NAT is executed with the following diagram:

Notice the red and blue circles in the diagram. For inside-to-outside traffic, NAT occurs after routing; for outside-to-inside traffic, NAT occurs before routing. That is the only thing we need to remember for now.

1. The problem

The confusion comes from the fact that the names inside and outside are poorly chosen. If you replace inside-outside with POST-ROUTING and outside-inside with PRE-ROUTING, it becomes very easy to understand. Most importantly, after renaming, NAT no longer seems to be tied to the device's inside/outside domains but to "routing", even though nothing has changed in essence.

As we will see later, when you really understand Cisco's NAT, you cannot understand inside and outside on their own. Inside and outside are only locative qualifiers that stand for "somewhere"; an adverb is also needed to express "going to a place" or "coming from a place", namely source and destination. Before elaborating on that, let us use inside and outside separately.

Next, let me explain how important the relationship between NAT and routing is. Consider the following data flow, in which I focus on the "routing" action:

Forward packet: --> NAT point 1 --> routing --> NAT point 2 -->

Return packet: translating the destination address from outside to inside

Among these, points 1 and 4 imply each other, and points 2 and 3 imply each other. By now we can see that Cisco's NAT is not as simple as Linux's. Linux defines only two kinds of NAT, namely:

i> SNAT, source address translation

ii> DNAT, destination address translation

Then the other constraints are built-in at design time:

DNAT is executed before routing and SNAT after routing; the implicit (reply-direction) rules follow the same constraint.

This is the fundamental difference between Cisco's and Linux's NAT designs: their focus is different. Cisco emphasizes the user's domain, while Linux emphasizes the rationality of the technology itself (how to configure it takes some imagination). Let us first look at the benchmark of Linux's NAT design. Linux's NAT is global; there is no such thing as "applying NAT to an interface", so the interface is merely a match. The administrator therefore only needs to write match/target pairs.

For Cisco, in order to expose all four NAT configuration interfaces to engineers, a prerequisite is to define the inside interface and the outside interface, that is, on which interface inside NAT is applied and on which interface outside NAT is applied. At this point each of the four NAT forms must be combinable with either type of interface (inside/outside). This breaks the balance and turns the design into a saddle surface: you cannot find a single point at which to do everything in PRE-ROUTING and POST-ROUTING. For example, if interface E1 enables inside NAT and E0 enables outside NAT, meaning E1 is the inside interface and E0 the outside interface, then consider the two translations from inside to outside: one translates the source address, the other translates the destination address. Should we put them in one place, or on both sides of some "virtual equilibrium" (not necessarily routing), that is, in two places? Look at the following two diagrams, which represent two kinds of constraints:

When these two diagrams are unfolded, a typical saddle surface appears, and its origin is routing. The reason there is an origin is that in the domain-based configuration a packet going from inside to outside, or vice versa, must pass through one point. From the picture on the Cisco website at the top of this article we can see that domain-based NAT behaviour is not just NAT: it has to be linked with ACL matching, encryption and decryption, and other operations. The IP address on which these operations depend is tied to the NAT, so the domain-based NAT behaviour must sit on both sides of the routing behaviour. Because Cisco is configured by domain, that is, inside/outside (applying the rules of a specific domain on an interface), it has to be designed this way, whereas for Linux's NAT the interface is only a match, so it is designed entirely around the routing constraint.

Now, let us summarize the meaning of ip nat inside | outside source | destination. I formulate this command as:

ip nat P H

Here H stands for source translation or destination translation. H also has a hidden meaning: together with P it specifies the direction of the data, in the sense that P is the H of the data. For example, ip nat inside destination means the data is destined for inside (coming from outside) and undergoes destination address translation, while ip nat outside source means the data comes from outside (going to inside) and undergoes source address translation.

4. Destination translation in Cisco

But how do you translate the destination address? When a packet is about to reach a public Global address and you redirect it to an internal Local address, that is destination address translation, also known as address mapping. How does Cisco do it? In fact, the IOS version on many Cisco devices does not let you do DNAT as freely as Linux does; it only lets you map specific IP address + TCP/UDP port pairs, or whole IP addresses. This is necessarily a destination address translation on outside, and in the opposite direction a source address translation on inside, that is:

ip nat inside source static tcp $local_ip $local_port $global_ip $global_port

Note that it must be a static NAT; this involves "how NAT is installed", covered in the next section.

The customized NAT of ip nat inside destination, which implements a TCP load balancer, is beyond the scope of this article.

II. How NAT is installed

0. Style

Linux's NAT is based on the 5-tuple, that is, the NAT result is bound to a flow (conntrack), which results in a consistent NAT policy for all packets belonging to one 5-tuple flow. This stipulation is a bit too rigid, so I wrote several patches for Linux to make up for the deficiency. Of course, RAWNAT can also be used.

For Cisco, NAT is not associated with a flow unless it is Stateful NAT. If it is not associated with a flow, how is it done? Cisco installs "a NAT mapping policy" into the system's inside NAT table or outside NAT table at a specific moment. A packet entering on a port is matched against the NAT rules in the inside NAT table or the outside NAT table, according to whether that port is inside or outside; that is all.

There are two inside NAT tables and two outside NAT tables: one is the SNAT table, the other the DNAT table. The data structure of a NAT table can be:

NAT table {
    type: SNAT or DNAT
    direction: inside or outside
    nodes: local/global mapping
}

For each packet, the source IP address is used to query the SNAT table and the destination IP address is used to query the DNAT table. For Linux, however, all that is needed is to query the conntrack structure and fetch the NAT result recorded there when the first packet was looked up.

1. Static NAT

A static NAT is a one-to-one NAT mapping, that is, the translation between a Local IP address and a Global IP address. When the configuration takes effect, the NAT translation rules are added to the NAT tables.

1.1. Cisco mode

When a NAT is added in the direction of inside:

ip nat inside source static a b

the system adds the source address translation a -> b to the inside SNAT table and the destination address translation b -> a to the outside DNAT table.

All subsequent packets, whether internal or external, are looked up and matched according to whether the interface is enabled by inside nat or outside nat.

1.2. Linux mode

Linux is based on conntrack, so even if you use

iptables -t nat -A POSTROUTING -s a -j SNAT --to-source b

the rule is consulted only for the first packet that matches it. In Linux's NAT the address a to be translated appears only as a match, so it is compared strictly with the source address of that first packet; packets in the opposite direction do not match the rule, so Linux's NAT is unidirectional.

2. Dynamic NAT

Dynamic NAT does not specify the translated address when it is configured, but determines what address it will be translated to when the first packet with translation requirements (determined by ACL) arrives. Therefore, when the configuration takes effect, no NAT rules are added to the NAT table.

2.1. Cisco mode

When a dynamic NAT is added in the direction of inside:

ip nat pool NAME ...

ip nat inside source list $acl pool NAME

...

the system adds no NAT rule. Only when a packet matches the ACL and triggers the NAT does the system dynamically select an IP address from the pool (according to the pool type), add the translation to the inside SNAT table, and generate and add the opposite-direction destination address translation rule to the outside DNAT table.

Therefore Cisco's dynamic NAT is unidirectional: a packet arriving in the reverse direction does not match the ACL, does not trigger the generation of NAT rules, and so matches no NAT rule at all.

2.2. Linux mode

Again, in Linux's NAT the IP address to be translated is a match, so whether it is a one-to-one or a one-to-many translation, the principle is the same: Linux does not distinguish between static and dynamic translation. In the kernel the so-called NAT mapping table never appears; a NAT rule added by iptables generates no mapping, and even when a packet successfully matches a NAT rule no mapping is generated. The NAT result exists only in the conntrack entry, as part of its tuple.

3. Query mode

3.1. Linux mode

Linux's NAT lookup matches the iptables nat rules one by one for the first packet of a flow, and becomes a conntrack hash lookup on the 5-tuple for all subsequent packets.
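The Linux side of sections 1.2, 2.2 and 3.1 in one runnable model, added here as an illustration (it is not kernel code and not part of the original article): the rule table is walked only for the first packet of a flow, the result is kept solely as the difference between the conntrack entry's original and reply tuples, and every later packet in either direction is a 5-tuple lookup. The names `LinuxNat`, `Tuple5`, `add_rule` and `translate`, and all addresses and ports, are constructed for this example.

```python
"""Toy model of the Linux NAT behaviour the article contrasts with Cisco's:
an iptables nat rule is walked only for the first packet of a flow, the
result is stored in the conntrack entry as the difference between its
original and reply tuples, and every later packet in either direction is a
5-tuple lookup.  Added example, not kernel code; all addresses and ports
are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tuple5:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self):
        """The tuple of a packet travelling the opposite way on this flow."""
        return Tuple5(self.dst, self.dport, self.src, self.sport, self.proto)


class LinuxNat:
    def __init__(self):
        self.rules = []       # (chain, match_src, match_dst, target, to_addr)
        self.conntrack = {}   # tuple seen on the wire -> tuple after translation
        self.rule_walks = 0   # how often the rule table was consulted

    def add_rule(self, chain, target, to, src=None, dst=None):
        """E.g. 'iptables -t nat -A POSTROUTING -s a -j SNAT --to-source b'
        is add_rule("POSTROUTING", "SNAT", to=b, src=a)."""
        self.rules.append((chain, src, dst, target, to))

    def _first_packet(self, original):
        """Walk the rules once: DNAT at PREROUTING, then SNAT at POSTROUTING.
        The address in a rule is only a match, compared with this packet."""
        self.rule_walks += 1
        t = original
        for hook in ("PREROUTING", "POSTROUTING"):
            for chain, src, dst, target, to in self.rules:
                if chain != hook:
                    continue
                if (src is not None and src != t.src) or (dst is not None and dst != t.dst):
                    continue
                if target == "DNAT":
                    t = Tuple5(t.src, t.sport, to, t.dport, t.proto)
                elif target == "SNAT":
                    t = Tuple5(to, t.sport, t.dst, t.dport, t.proto)
        # No mapping table: conntrack remembers both directions of this one
        # flow, and the NAT result is nothing but the difference between them.
        self.conntrack[original] = t
        self.conntrack[t.reverse()] = original.reverse()
        return t

    def translate(self, t):
        """Conntrack hash lookup first; only an unknown flow walks the rules."""
        if t in self.conntrack:
            return self.conntrack[t]
        return self._first_packet(t)


def demo():
    nat = LinuxNat()
    # iptables -t nat -A POSTROUTING -s 10.1.1.1 -j SNAT --to-source 203.0.113.1
    nat.add_rule("POSTROUTING", "SNAT", to="203.0.113.1", src="10.1.1.1")
    # iptables -t nat -A PREROUTING -d 203.0.113.2 -j DNAT --to-destination 10.1.1.2
    nat.add_rule("PREROUTING", "DNAT", to="10.1.1.2", dst="203.0.113.2")
    out = Tuple5("10.1.1.1", 40000, "198.51.100.1", 80)
    return {
        "first": nat.translate(out),                  # rule walk, SNAT applied
        "again": nat.translate(out),                  # conntrack hit, no rule walk
        "reply": nat.translate(Tuple5("198.51.100.1", 80, "203.0.113.1", 40000)),
        # a new flow towards the global address: the SNAT rule does not match it
        "unsolicited": nat.translate(Tuple5("198.51.100.1", 80, "203.0.113.1", 40001)),
        "inbound": nat.translate(Tuple5("198.51.100.9", 5555, "203.0.113.2", 22)),
        "inbound_reply": nat.translate(Tuple5("10.1.1.2", 22, "198.51.100.9", 5555)),
        "rule_walks": nat.rule_walks,
    }
```

The "unsolicited" case is the unidirectionality the section describes: a fresh packet addressed to the global address walks the rules and matches nothing, while the "reply" case is translated without any rule being consulted because the conntrack entry already carries the reverse tuple.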

3.2. Cisco mode

For Cisco, unlike Linux (where only DNAT happens in PREROUTING and only SNAT in POSTROUTING), both SNAT and DNAT may occur at either PREROUTING or POSTROUTING. So at whichever NAT hook point the packet is, its source IP address is used to query the SNAT table and its destination IP address to query the DNAT table. Since the process is so symmetrical, the lookup can be abstracted into a separate virtual interface: the NVI!

III. Using the NVI virtual interface

0. Virtual interface concept

Let us not dwell on this. The OpenVPN tap interface, Cisco's IPsec VPN VTI, and the NVI described below are all virtual interfaces, and packets can be steered into any virtual interface by routing. What happens inside it is the "virtual" part of a virtual interface: it can hand packets to a character device, encrypt and decrypt them, and of course it can do NAT.

1. NAT route for Linux 2.4

The NAT route of Linux 2.4 relies on policy routing, which is a complete failure and not as good as what I wrote myself. "Another two-way stateless NAT for Linux" (http://blog.csdn.net/dog250/article/details/8996666) describes that implementation in detail.

2. Domainless NAT in Cisco

Domainless means that inside and outside are no longer distinguished; NAT is simply done. In Cisco this is realized without the so-called balance point, and the NAT hook points for the two directions are no longer arranged symmetrically around it: all NAT operations are done at PREROUTING. Cisco does not implement this by adding configuration and attaching hooks, however, but with a virtual interface called the NAT Virtual Interface. What is the advantage? Honestly, you cannot see it from the configuration interface, but from the implementation's point of view all packets arriving on an interface configured with ip nat enable can be routed into this virtual interface, NVI0. There the SNAT table and the DNAT table are queried with the packet's source and destination addresses, the NAT operation is performed according to the result, and only then does the packet enter the real routing lookup. The overall process is shown below:

As can be seen, regardless of direction and routing, as long as a packet enters a physical interface configured with ip nat enable, NAT matching is performed and, on a successful match, both SNAT and DNAT are carried out right there. Although this implementation is bold and unrestrained, it solves every problem: the balance problem no longer exists, and the NAT is completed before the packet enters the real routing lookup. From the router's point of view the NAT operation is hidden, as if the packet had always looked that way.

Of course, domainless NAT is no longer associated with any other operation: ACLs, VPN interesting-traffic matching, policy routing and so on have nothing to do with NAT. The difference between Cisco's domainless NAT design and Linux's NAT is now more obvious. Although Linux's NAT is also domainless, in design it is very similar to Cisco's domain-based NAT, because NAT is linked with the other Filter operations, and Linux's NAT behaviour has to interlock with a large number of Netfilter behaviours.
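The Cisco model of sections II and III, as one runnable illustration added here (it is not IOS code and not part of the original article): per-domain SNAT/DNAT tables, a static rule installed in both directions at configuration time, a dynamic rule installed only when an ACL-permitted packet triggers it, inside-to-outside translation after routing versus outside-to-inside translation before routing, and the NVI "domainless" mode in which everything is translated before routing. The class and method names (`NatRouter`, `install`, `forward`), the interface names E0/E1, the routes and all addresses are constructed; the IOS commands quoted in the comments are the article's forms that each call stands for.

```python
"""Toy model of the Cisco NAT behaviour described in sections II and III:
per-domain SNAT/DNAT tables, a static rule installed in both directions at
configuration time, a dynamic rule installed only when an ACL-permitted
packet triggers it, inside->outside translation after routing versus
outside->inside translation before routing, and the NVI "domainless" mode
that translates everything before routing.  Added example, not IOS code;
interface names, routes and addresses are constructed."""
from ipaddress import ip_address, ip_network

# The domain whose table receives the implied reverse entry; "nvi" is the
# single table pair behind the NAT Virtual Interface, so it maps to itself.
OTHER = {"inside": "outside", "outside": "inside", "nvi": "nvi"}


class NatRouter:
    def __init__(self, routes, acl=(), pool=()):
        # tables[(domain, kind)]: matched address -> translated address
        self.tables = {(d, k): {} for d in OTHER for k in ("SNAT", "DNAT")}
        self.routes = [(ip_network(n), i) for n, i in routes]  # (prefix, egress)
        self.domain = {}                              # interface -> inside / outside / nvi
        self.acl = [ip_network(n) for n in acl]       # sources permitted for dynamic NAT
        self.pool = list(pool)                        # global addresses still free

    def install(self, domain, kind, local, glob):
        """One rule, two table entries: 'ip nat inside source static a b' is
        install("inside", "SNAT", a, b): inside SNAT a->b plus outside DNAT b->a."""
        other_kind = "DNAT" if kind == "SNAT" else "SNAT"
        self.tables[(domain, kind)][local] = glob
        self.tables[(OTHER[domain], other_kind)][glob] = local

    def _dynamic(self, domain, src):
        """'ip nat inside source list ACL pool P': nothing is installed at
        configuration time; the first permitted packet takes a pool address and
        installs the SNAT entry together with its reverse DNAT entry."""
        if domain != "inside" or src in self.tables[(domain, "SNAT")]:
            return
        if self.pool and any(ip_address(src) in net for net in self.acl):
            self.install(domain, "SNAT", src, self.pool.pop(0))

    def _translate(self, domain, src, dst):
        self._dynamic(domain, src)
        return (self.tables[(domain, "SNAT")].get(src, src),
                self.tables[(domain, "DNAT")].get(dst, dst))

    def _route(self, dst):
        hits = [(n.prefixlen, i) for n, i in self.routes if ip_address(dst) in n]
        return max(hits)[1] if hits else None          # longest prefix wins

    def forward(self, iface, src, dst):
        """Return (egress, src, dst) after NAT, or None if there is no route."""
        domain = self.domain[iface]
        if domain == "inside":
            egress = self._route(dst)                     # inside->outside: route, then NAT
            src, dst = self._translate(domain, src, dst)
        else:
            src, dst = self._translate(domain, src, dst)  # outside->inside and NVI: NAT, then route
            egress = self._route(dst)
        return None if egress is None else (egress, src, dst)


def demo_domain_mode():
    r = NatRouter(routes=[("10.0.0.0/8", "E1"), ("0.0.0.0/0", "E0")],
                  acl=["10.1.0.0/16"], pool=["203.0.113.10", "203.0.113.11"])
    r.domain = {"E1": "inside", "E0": "outside"}
    r.install("inside", "SNAT", "10.1.1.1", "203.0.113.1")      # ip nat inside source static 10.1.1.1 203.0.113.1
    r.install("outside", "SNAT", "198.51.100.7", "10.9.9.9")    # ip nat outside source static 198.51.100.7 10.9.9.9
    return {
        "static_out": r.forward("E1", "10.1.1.1", "198.51.100.1"),
        "static_in": r.forward("E0", "198.51.100.1", "203.0.113.1"),
        "dyn_first": r.forward("E1", "10.1.5.5", "198.51.100.1"),           # installs the entry
        "dyn_reply": r.forward("E0", "198.51.100.1", "203.0.113.10"),       # hits the installed reverse entry
        "dyn_unsolicited": r.forward("E0", "198.51.100.1", "203.0.113.11"), # nothing installed, untranslated
        # routing runs before translation on the inside side, so without a route
        # for 10.9.9.9 towards E0 the packet is routed back inside (the outside-source caveat)
        "outside_source": r.forward("E1", "10.1.1.1", "10.9.9.9"),
    }


def demo_nvi_mode():
    r = NatRouter(routes=[("10.0.0.0/8", "E1"), ("0.0.0.0/0", "E0")])
    r.domain = {"E1": "nvi", "E0": "nvi"}                      # ip nat enable on both
    r.install("nvi", "SNAT", "198.51.100.7", "10.9.9.9")         # domainless: ip nat source static 198.51.100.7 10.9.9.9
    return {
        "to_alias": r.forward("E1", "10.1.1.1", "10.9.9.9"),     # DNAT first, then routed out E0
        "from_outside": r.forward("E0", "198.51.100.7", "10.1.1.1"),
    }
```

The "outside_source" entry in domain mode and "to_alias" in NVI mode are the same packet: in domain mode the routing decision is taken on the untranslated destination, so the packet never reaches E0, whereas the NVI translates first and routes on the real outside address.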

IV. Summary and ideas

By using Cisco's NAT, I have some ideas of my own that need to be recorded for the time being.

1. The relationship with Microsoft, the relationship with freedom

When I configure Cisco, I feel as if I am using Microsoft: when I hit a bottleneck, there is nothing I can do! On a Microsoft system I wanted to do one-arm NAT and to configure source-based routing, and failed for a long time; configuring Cisco gives the same feeling. Sometimes, admittedly, a newer IOS version does solve the problem (just like Microsoft). Generally speaking, using these things makes you feel unfree: there are too few places to hack, and the threshold for hacking is too high. You must always be on guard when using them; either everything works at once, or, at the first roadblock, however small, you may not get past it.

Linux is the other side of the story, and UNIX sits in the middle. On Linux your actions are not hindered: even when you run into problems, the system does not stop you from writing a program or a kernel module, or even re-customizing the kernel. Even without going that deep, a look at iproute2 and iptables and their parameters lets you do almost anything. In this sense, people used to Linux may consider Cisco's extended access control list the better thing. But in the face of Netfilter's almost unlimited extensibility, where is the "extension" in Cisco's extended access control list?

I do not buy a phone to hack on it, and I do not write code to install on a phone. I just want to make calls, send messages and browse the Internet, so I do not buy Android. Because our values are so different, I do not buy phones that have anything to do with Microsoft, no matter how good they are; I bought iOS because it has something to do with UNIX. In fact Apple is very closed, but its closedness is not in the technology itself but in value orientation and design. Precisely because the technology is not closed, there is jailbreaking, and after a jailbreak you face a genuine, open UNIX. Openness is gold; openness is everything.

2. Functional technical points and solutions

If you encounter a problem, you naturally have to find a way to solve it. The first way is to find a single functional technical point that solves the problem on its own. For example, if you want ACL-based address mapping on a Linux box, that technical point is iptables; but on a low-end Cisco router you cannot do it, and the documentation clearly says it is not supported. That leads to the second way, which is to reject the original plan outright and say: "Why are you doing this? XX is better. We have a complete solution that meets all your needs." In general, vendors like Cisco, Microsoft and IBM provide solutions, and the individual functional points of their systems are often deficient; used alone they fall short, and only work in cooperation with the rest. Therefore, if you want to hack, do not base yourself on these systems; you will be bored to death, because on them this does not work and that does not work. Their inflexibility rubs off on people who use them too much: they become rigid, and their words stop sounding good. The phrase "any technical problem can be solved" turns into "this is impossible!" for people who use these closed systems.

3. Personnel conflict

Over the past week I have clashed with people several times, and afterwards I still proved that my idea was correct, which once again made me feel how poor the level of most so-called senior network administrators is, and how arrogant such a poor level can be. This is truly infuriating and sad. The views of these people fall into two categories:

1> Say it is impossible if you have not done it yourself.

Because they had never done this before, they said it was impossible, and even rejected my technical solution. I appeared in the role of R&D, which made them feel that I simply did not understand networking, had no experience, and so on. First, they had not done it; second, I hold no networking title, which made them even more arrogant.

2> Take things for granted and say yes, when in fact it cannot be done at all.

I said to map the UDP service one-to-one in both directions:

ip nat inside source static udp 1.1.1.1 12345 2.2.2.2 12345

When testing, they insisted on using ping! This is obviously a UDP mapping; how could ping exercise it? Still they insisted on ping, and I told them that a full mapping was not possible because unrelated addresses that should not be translated would also be translated. Because they knew NAT could be done with ACL + pool, they thought it could be done with an ACL matching addresses on outside. These people! If I want destination address translation it has to be two-way, that is, regardless of where the data flow originates. Those people do not even know when the NAT translation entry is installed in the system!

These people have the nerve to call themselves network engineers! Look at our NA/NP/IE/NE/SE holders: without exception they rely on memorization; they have collected lots of certificates, but the basic principles of networking they damn well do not understand! Let us look at a real CCIE, Petr Lapukhov, 4xCCIE/CCDE, as described under CCIE Renewals and the IP Services section:

Petr Lapukhov's career in IT began in 1988 with a focus on computer programming, and progressed into networking with his first exposure to Novell NetWare in 1991. Initially involved with Kazan State University's campus network support and UNIX system administration, he went through the path of becoming a networking consultant, taking part in many network deployment projects. Petr currently has over 12 years of experience working in the Cisco networking field, and is the only person in the world to have obtained four CCIEs in under two years, passing each on his first attempt. Petr is an exceptional case in that he has been working with all of the technologies covered in his four CCIE tracks (R&S, Security, SP, and Voice) on a daily basis for many years. When not actively teaching classes, developing self-paced products, studying for the CCDE Practical & the CCIE Storage Lab Exam, and completing his PhD in Applied Mathematics.

Look at this man's experience: from programming, going gradually deeper, from computer architecture and the TCP/IP stack to UNIX; in the end Cisco is just the platform on which this master attaches all of it. If he were not working on Cisco but had joined the IBM camp, or were developing the Linux kernel, could you say he is not part of the circle? Remember: do not think of programmers as people who do not understand networking.
