
The Foundation of Netscaler-- NAT

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

I. Preface

The main role of an ADC is to publish applications as a reverse proxy for the servers behind it. Because it sits between client and server, NAT is something it must handle; in the final analysis, NAT is the foundation of an ADC's data forwarding. Whether it supports more numerous, more flexible and more controllable NAT translations is one of the key measures of whether an ADC is up to the job. This also sets the most basic requirement for engineers: if you cannot control NAT, you cannot build the right solution for each scenario.

II. What is NAT

1. Introduction to NAT

With NAT, when a packet from an "internal" network using private (reserved) addresses passes through a router, its private address is translated into a legitimate public IP address. A local area network therefore needs only a small number of public IP addresses (even a single one) for all hosts on the private network to communicate with the Internet.

NAT automatically rewrites the source and destination IP addresses of IP packets, and the IP checksum is recalculated as part of NAT processing. Some applications embed the source IP address in the payload of the IP packet, so the payload must also be rewritten to match the translated source address in the IP header; otherwise, applications that carry IP addresses in their data will not work correctly.

2. NAT implementation methods

NAT is implemented in three ways: static translation (Static NAT), dynamic translation (Dynamic NAT) and port multiplexing (Overload).

Static translation maps private IP addresses in the internal network to public IP addresses one-to-one, and the mapping does not change: a given private IP address is always translated into the same public IP address. Static translation allows the external network to reach specific devices (such as servers) inside the internal network.

Dynamic translation means that when a private IP address in the internal network is translated into a public IP address, the chosen public address is not fixed: any private address authorized to access the Internet may be translated into any of the specified legal addresses. Dynamic translation works as long as you specify which internal addresses may be translated and which legal addresses are used as external addresses, and it can draw on several pools of legal external addresses. It is suitable when the number of legal IP addresses provided by the ISP is slightly smaller than the number of computers in the network.

Port multiplexing, or Port Address Translation (PAT), changes the source port of outbound packets in addition to the source address. With port multiplexing, all hosts in the internal network can share a single legitimate external IP address to access the Internet, which saves IP address resources to the greatest extent. At the same time, all internal hosts are hidden, which helps shield them from attacks originating on the Internet. For these reasons port multiplexing is the most widely used form of NAT today.

3. NAT on Netscaler

Let's focus on how Netscaler performs NAT and which parameters affect its NAT behaviour.

The parameters that affect Netscaler's NAT fall into the following eight categories:

- RNAT
- INAT
- IP mode
- Netprofile
- USIP
- MAC mode
- Service port=*
- Service use proxy port

We test and examine each parameter separately. The lab environment is as follows.

Experimental environment:

Client IP: 192.168.20.1
SNIPs: 192.168.20.11, 192.168.0.21, 192.168.10.11
VIPs: 172.16.10.10, 172.16.10.11, 10.10.1.2
Server IPs: 192.168.0.50, 10.10.1.1

III. Testing the parameters that affect NAT

1. RNAT

The client's gateway is the Netscaler, but the server has no return route to the client.

When the client accesses the server directly, the connection fails.

Packet capture:

ICMP gets no reply because the server has no return route to client 192.168.20.1.

Configure RNAT on the Netscaler.

The Netscaler replaces the client address 192.168.20.1 with 192.168.10.11, so the server's resources become reachable.

Packet capture:

2. INAT

Configure an INAT policy on the Netscaler that translates 10.10.1.2 to 192.168.0.50.

No vserver for 10.10.1.2 is configured on the Netscaler.

Packet capture:

Client 192.168.20.1 accessing 10.10.1.2 is translated by the Netscaler into 192.168.0.21 accessing 192.168.0.50.

The page opens successfully. INAT also lets you control flexibly whether the source port, source address, destination port and so on are translated.

3. IP mode

In IP mode, both the source address and the destination address are replaced by default, which is equivalent to static NAT.

Packet capture:

Client 192.168.20.1 accessing 172.16.10.10 is rewritten by the Netscaler to 192.168.0.21 accessing 192.168.0.50.

4. Netprofile

Set up two Netprofiles.

Bind Netprofile_vs to the vserver.

Packet capture:

Client 192.168.20.1 accessing 172.16.10.10 is rewritten by the Netscaler to 192.168.10.11 accessing 192.168.0.50: the source address is not the SNIP 192.168.0.21 but the Netprofile_vs address 192.168.10.11.

Bind Netprofile_vs to the vserver and Netprofile_service to the service.

Vserver

Service

Packet capture:

Client 192.168.20.1 accessing 172.16.10.10 is rewritten by the Netscaler to 192.168.10.22 accessing 192.168.0.50; the source address is 192.168.10.22 rather than the 192.168.10.11 from Netprofile_vs.

The Netprofile test shows that a Netprofile bound to the service takes priority over one bound to the vserver.

5. USIP

Leave the Netprofiles in place, enable USIP on the service, and point the server's gateway at the Netscaler.

Packet capture:

Client 192.168.20.1 accesses 172.16.10.10; the Netscaler replaces only the destination address with 192.168.0.50 and leaves the source address unchanged.

This shows that once USIP is enabled, the Netscaler disables all source-address substitution: neither the default SNIP round-robin nor a specified Netprofile takes effect.

6. MAC mode

MAC mode does not replace the destination address. The vserver must use the ANY protocol to enable it, and it is mainly used in LLB (link load balancing).

Configure the vserver, service group and member in MAC mode.

10.10.1.1 is the server's second IP.

Packet capture:

Client 192.168.20.1 accesses 10.10.1.1. The Netscaler replaces the source address with 192.168.10.11 and forwards the packet to 10.10.1.1 directly; the destination address is not replaced.

If required, you can also control whether the source address, source port and destination port are replaced.

7. Service port=*

The server also listens on port 8000.

Set up two services: one HTTP service on port 8000 and one TCP service on port * (any port).

Set up two vservers.

Packet capture:

User 192.168.20.1 accesses 172.16.10.10 on port 3000.

The NS replaces both the source IP+port and the destination IP+port: the source address becomes 192.168.0.21 and the destination address becomes 192.168.0.50.

If the user instead accesses the ANY vserver, the destination port is not changed.

Packet capture:

Client 192.168.20.1 accesses 172.16.10.11 port 8000.

The Netscaler rewrites it to 192.168.0.21 port 40948 accessing 192.168.0.50 port 8000.

The destination port does not change during the access.

8. Proxy port

To keep the source port unchanged, clear the use proxy port option on the service and enable USIP at the same time.

Packet capture:

Client 192.168.20.1 port 4503 accesses 172.16.10.10 port 3000.

The Netscaler rewrites it to 192.168.20.1 port 4503 accessing 192.168.0.50 port 8000; neither the source address nor the source port is replaced.
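The precedence observed in tests 3 to 8 can be written down as a small decision model, which is useful when predicting what a server-side capture should show before a change is made. This is an added example, not configuration or code from the article or from the NetScaler product; the Flow, Service and Vserver classes are invented for illustration, and the SNIP 192.168.0.21 and proxy port 40948 are taken from the captures above (a real proxy port is ephemeral).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One 4-tuple as seen on the wire (constructed for this example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Service:
    ip: str
    port: Optional[int]            # None models "Service port=*" (ANY port)
    usip: bool = False             # Use Source IP
    use_proxy_port: bool = True    # Netscaler chooses its own source port
    netprofile_ip: Optional[str] = None


@dataclass
class Vserver:
    service: Service
    mac_mode: bool = False         # destination address left untouched (LLB)
    netprofile_ip: Optional[str] = None


def choose_source_ip(vs: Vserver, flow: Flow, snip: str) -> str:
    # Observed order: USIP disables every form of source substitution;
    # otherwise a Netprofile on the service beats one on the vserver,
    # which beats the SNIP the Netscaler would pick by default.
    if vs.service.usip:
        return flow.src_ip
    return vs.service.netprofile_ip or vs.netprofile_ip or snip


def translate(vs: Vserver, flow: Flow, snip: str = "192.168.0.21",
              proxy_port: int = 40948) -> Flow:
    """Server-side 4-tuple the Netscaler uses for a client flow hitting vs."""
    svc = vs.service
    # The client's source port survives only with use proxy port OFF and USIP ON.
    keep_src_port = svc.usip and not svc.use_proxy_port
    return Flow(
        src_ip=choose_source_ip(vs, flow, snip),
        src_port=flow.src_port if keep_src_port else proxy_port,
        dst_ip=flow.dst_ip if vs.mac_mode else svc.ip,
        dst_port=flow.dst_port if svc.port is None else svc.port,
    )
```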

IV. Summary

All the parameters that control Netscaler NAT behaviour are shown above. Netscaler has a rich set of parameters for flexibly controlling NAT as needed (INAT is discussed in detail in a separate article). Using the NAT terminology common to data-communication devices, the NAT type corresponding to each Netscaler parameter is summarized below.

Item                    | Netscaler default                    | Netscaler adjustable
------------------------|--------------------------------------|-------------------------
RNAT                    | Dynamic and static SNAT              | Dynamic and static PNAT
INAT                    | Static DNAT                          | Static PNAT
IP mode                 | Dynamic and static SNAT+DNAT         | Dynamic and static PNAT
Netprofile              | Dynamic and static SNAT              | Dynamic and static PNAT
USIP                    | Static SNAT                          | Static PNAT
MAC mode                | Dynamic SNAT (fixed destination IP)  |
Service port=*          | Destination port unchanged PNAT      |
Service use proxy port  | Source port unchanged PNAT           | Dynamic and static PNAT
