
Complete introduction to the principle of NAT address Translation

2025-01-27 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

The following is an excerpt from the latest network equipment book, the "Deluxe four-piece set", specifically the Cisco Router Configuration and Management Complete Manual (second edition). (The other three books in the set are: Cisco Switch Configuration and Management Complete Manual (second edition), H3C Switch Configuration and Management Complete Manual (second edition) and H3C Router Configuration and Management Complete Manual (second edition).) The set is currently sold by JD.com, Dangdang, Zhuoyue, the Interactive Publishing Network (china-pub) and other bookstores, and buying the whole set gets a 30 yuan discount: http://book.dangdang.com/20130730_aife, http://item.jd.com/11299332.html http://www.china-pub.com/STATIC/zt_mb/zt_huodong_2013_1.asp?filename=2013_slwd_0801

When studying IP address translation in NAT, many readers are confused about how the several address translation methods actually work, let alone the difference between internal and external address translation. Such questions are often raised in the reader QQ group. The author has therefore picked this part out of the latest "four-piece set" book to share with everyone. For the principles of network communication involved, the widely acclaimed book "In-depth Understanding of Computer Networks" gives a comprehensive treatment; information about that book is here: http://product.dangdang.com/23166396.html

6.2 NAT translation modes and principles

In NAT applications the most typical case is that only internal addresses need to be translated (that is, "inside local addresses" are translated into "inside global addresses"), for example when internal network users share one Internet connection through NAT. In other cases only external addresses need to be translated (that is, translation between "outside global addresses" and "outside local addresses"), for example when external users need to access servers located on the internal network. Of course, both internal and external addresses can also be translated at the same time.

To make the configurations described later in this section easier to understand, the basic configuration idea of NAT is briefly introduced first:

(1) Use the ip nat inside source command (defines an inside local address to inside global address mapping), the ip nat outside source command (defines an outside global address to outside local address mapping), or the ip nat pool command (defines an inside global address pool or an outside local address pool) to define an IP address mapping. Which command is used, and how the mapping is configured, depends on the type of NAT and address translation in use: it can be static address mapping, dynamic address mapping, or port address translation (PAT); and it can be internal address translation, external address translation, or both internal and external address translation.

For convenience, this section only uses static NAT translation as the example, so only the ip nat inside source static and ip nat outside source static commands appear in the following subsections.

(2) Use the ip nat inside command to specify the internal network interface and the ip nat outside command to specify the external network interface.

6.2.1 NAT basic IP address translation principle

Generally speaking, address translation in NAT is the translation between a "local address" and a "global address", regardless of whether the packet is sent from the internal network to the external network or from the external network to the internal network. The only differences are which network the local address and the global address belong to, and which source and destination addresses the packet is re-encapsulated with. This is shown in figure 6-8. The translation is carried out through the local address to global address mapping entries held by the NAT router, so such mapping entries must be configured on the NAT router in advance.

Figure 6-8 NAT basic address translation principle

When an internal network user accesses an external network, it translates between the inside local address and the inside global address.

When a NAT router receives a packet from a host on the internal network, the packet's source IP address (SA) is the inside local address and its destination IP address (DA) is the outside local address. When the packet is forwarded to the external network, the source IP address (SA) is translated into the "inside global address" and the destination IP address (DA) into the "outside global address". That is, both the source and the destination IP address of the packet are translated from local addresses to global addresses. See the schematic of the packet's IP address translation in the upper part of figure 6-9.

Conversely, when an external network user accesses the internal network, the translation is between the outside local address and the outside global address.

When a NAT router receives a packet from an external network host, the packet's source IP address (SA) is the "outside global address" and its destination IP address (DA) is the "inside global address"; in other words, the SA and DA are swapped compared with the packet sent from the internal network to the external network. When the router forwards the packet to the internal network, the source IP address (SA) is translated into the "outside local address" and the destination IP address (DA) into the "inside local address", which is again the mirror image of the translation applied to the packet sent from the internal network to the external network. See the schematic in the lower part of figure 6-9.

Figure 6-9 NAT basic IP address translation principle

The above is a general introduction to the principle of NAT IP address translation. Practical NAT applications sometimes do not need to replace both the source IP address and the destination IP address; translating only the source IP address or only the destination IP address may be enough to achieve the desired purpose. This is introduced below.

6.2.2 Principle of internal address NAT translation

In most cases the purpose of using NAT is to let multiple users on the internal network access the external network through a registered IP address, so only internal address NAT translation needs to be configured. That is, the translation from "inside local address" to "inside global address" is realised through the ip nat inside source command (either static NAT or dynamic NAT). Only the mapping between the inside local address and the inside global address needs to be defined.

Figure 6-10 is a simple example of NAT translation. The purpose is the following: when a packet with source address 10.10.10.1 and destination IP address 171.16.68.1 is received on the inside network interface S0 of the NAT router and forwarded out of interface S1, the inside local address 10.10.10.1 in the packet's source address field is translated into the inside global address 171.16.68.5, while the destination address remains unchanged, and the packet is then sent on. In this process only the source IP address in the packet is translated, from the inside local address to the inside global address; the translation is between inside addresses only.

Figure 6-10 A simple example of NAT transformation

Conversely, when the reply packet from the external server, with source address 171.16.68.1 and as destination address the inside global address 171.16.68.5, is received on the outside network interface S1 of the NAT router, its destination address is translated to the inside local address 10.10.10.1 and the packet is then sent on. In this process only the destination IP address in the packet is translated, from the inside global address to the inside local address; again the translation is between inside addresses only.

The following takes static NAT translation as the example to introduce the configuration steps of internal address translation. The detailed NAT configuration methods are described later in this chapter.

(1) Use the ip nat inside source static global configuration command to enable static NAT translation based on the internal source IP address. In other words, the inside local address and the inside global address are defined, forming a one-to-one mapping between them.

Router(config)# ip nat inside source static 10.10.10.1 171.16.68.5   !- establish a static NAT mapping between the inside local address 10.10.10.1 and the inside global address 171.16.68.5; hosts on the external network reach the internal host 10.10.10.1 through the address 171.16.68.5

(2) Use the following two statements to configure the router's S0 as the NAT internal network interface.

Router(config)# interface S0   !- enter configuration mode for serial interface S0

Router(config-if)# ip nat inside   !- specify serial interface S0 as the internal network interface

(3) Use the following two statements to configure the router's S1 as the NAT external network interface.

Router(config)# interface S1   !- enter configuration mode for serial interface S1

Router(config-if)# ip nat outside   !- specify serial interface S1 as the external network interface

(4) Use the show ip nat translations privileged mode command to verify the NAT configuration above. The output shows the NAT entry configured above, with inside local address 10.10.10.1 and inside global address 171.16.68.5. This matches the configuration, which proves that the configuration succeeded.

Router# show ip nat translations   !- display the router's current NAT translations in privileged mode

Pro  Inside global      Inside local       Outside local      Outside global
---  171.16.68.5        10.10.10.1         ---                ---

If the destination host on the external network is now pinged, packets are forwarded from the internal network to the external network. Executing the "show ip nat translations" command again in router privileged mode then displays the following NAT information. An extra entry of protocol type icmp (added by the ping) is displayed; because no translation between the outside local and outside global addresses is configured at this time, the outside local address and the outside global address are the same, namely the ping destination host address 171.16.68.1.

Router# show ip nat translations

Pro  Inside global      Inside local       Outside local      Outside global
icmp 171.16.68.5:15     10.10.10.1:15      171.16.68.1:15     171.16.68.1:15
---  171.16.68.5        10.10.10.1         ---                ---

After the above configuration, for packets sent from the internal network to the external network only the source address (SA) is translated when passing through the router (from the inside local address 10.10.10.1 to the inside global address 171.16.68.5); the destination address (DA) remains unchanged. For the reply packets sent from the external network to the internal network the source address does not change; only the destination address is translated when passing through the router (from the inside global address 171.16.68.5 to the inside local address 10.10.10.1). This is because no translation between the outside local and outside global addresses is configured on the NAT router at this time.

At this point, the source address and destination address of the packet in the internal and external network are translated as shown in figure 6-11.

Figure 6-11 example of internal address NAT translation

[Rule of thumb] In internal address NAT translation, no matter where the packet comes from, the only address change in the packet is a translation between inside addresses. Note, however, that whether the change applies to the source address or to the destination address depends on whether the packet comes from the internal network or from the external network: if it comes from the internal network, the source address is translated; if it comes from the external network, the destination address is translated.
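Step (4) above verifies the configuration by reading "show ip nat translations". The following is an added example, not code from the book or from Cisco, that parses that output into structured entries and applies the rule of thumb above to each one: a static entry has no protocol column (IOS prints "---"), a dynamic icmp/tcp/udp entry carries a port after each address, and an entry only translates on the side whose local and global addresses actually differ. The sample output is constructed to match the two entries quoted in the text.

```python
"""Parse the output of the Cisco IOS 'show ip nat translations' command.

Added example, not code from the book. SAMPLE_OUTPUT is constructed to match
the entries shown in the text after the ping: one dynamic icmp entry and one
static entry. IOS prints '---' for a column that holds no address.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the output quoted in the text.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 171.16.68.5:15    10.10.10.1:15      171.16.68.1:15     171.16.68.1:15
--- 171.16.68.5        10.10.10.1         ---                ---
"""


@dataclass
class NatEntry:
    proto: Optional[str]            # None for a static mapping (no protocol/port)
    inside_global: Optional[str]
    inside_local: Optional[str]
    outside_local: Optional[str]
    outside_global: Optional[str]

    @property
    def is_static(self) -> bool:
        """Static mappings carry no protocol; dynamic ones (icmp, tcp, udp) do."""
        return self.proto is None

    @property
    def translates_inside(self) -> bool:
        """True when the inside local and inside global addresses differ."""
        return _differs(self.inside_local, self.inside_global)

    @property
    def translates_outside(self) -> bool:
        """True when the outside local and outside global addresses differ."""
        return _differs(self.outside_local, self.outside_global)


def _differs(a: Optional[str], b: Optional[str]) -> bool:
    return a is not None and b is not None and a != b


def split_address(field: str) -> Tuple[str, Optional[int]]:
    """Split 'addr:port' into (addr, port); static entries have no port."""
    if ":" in field:
        addr, port = field.rsplit(":", 1)
        return addr, int(port)
    return field, None


def _col(token: str) -> Optional[str]:
    return None if token == "---" else token


def parse_nat_translations(text: str) -> List[NatEntry]:
    """Return one NatEntry per data row; the header row has more than 5 tokens."""
    entries: List[NatEntry] = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) != 5:
            continue  # header, blank line or anything unexpected
        proto = None if tokens[0] == "---" else tokens[0].lower()
        entries.append(NatEntry(proto, *(_col(t) for t in tokens[1:])))
    return entries


def direction_of_change(entry: NatEntry) -> Dict[str, List[str]]:
    """Which packet field (SA/DA) the entry rewrites in each direction.

    Inside translation: SA changes inside->outside, DA changes outside->inside.
    Outside translation: DA changes inside->outside, SA changes outside->inside.
    """
    i2o: List[str] = []
    o2i: List[str] = []
    if entry.translates_inside:
        i2o.append("SA")
        o2i.append("DA")
    if entry.translates_outside:
        i2o.append("DA")
        o2i.append("SA")
    return {"inside_to_outside": i2o, "outside_to_inside": o2i}


if __name__ == "__main__":
    for e in parse_nat_translations(SAMPLE_OUTPUT):
        kind = "static " if e.is_static else "dynamic"
        print(kind, e, direction_of_change(e))
```

For the icmp entry the parser reports that only the inside side translates, because the outside local and outside global columns both hold 171.16.68.1; this is exactly the observation made in the text above, and the same parser can be run over the output of a real router to check that an entry behaves the way the configuration intended.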

6.2.3 Principle of external address NAT translation

When the company's server is located on the internal network and uses a private IP address, then in order to let external network users access it conveniently, the ip nat outside source command is used to configure the translation between the "outside global address" and the "outside local address" (either static NAT or dynamic NAT). External address NAT translation is the opposite of the internal address NAT translation described in the previous subsection: only the outside addresses (the outside local address and the outside global address) need to be defined.

The example in figure 6-10 is used again below. Its purpose is the following: when the outside network interface S1 of the NAT router receives a packet from an external user with source IP address 171.16.68.1 and destination IP address 10.10.10.1, and the router forwards it out of interface S0, the source IP address in the packet is translated to the outside local address 10.10.10.5 (that is, from the outside global address to the outside local address) while the destination IP address remains unchanged; only the source IP address is translated. In the reply packet sent by the internal user, only the destination IP address is translated (from the outside local address back to the outside global address) and the source IP address remains unchanged.

The following takes static NAT translation as the example to introduce the configuration steps of external address NAT translation. The detailed NAT configuration methods are described later in this chapter.

(1) Use the ip nat outside source static global configuration command to enable static NAT translation based on the external source IP address. That is, the mapping between the outside global address and the outside local address is defined.

Router(config)# ip nat outside source static 171.16.68.1 10.10.10.5   !- establish a static NAT mapping between the outside global address 171.16.68.1 and the outside local address 10.10.10.5; hosts on the internal network reach the external host 171.16.68.1 through the address 10.10.10.5

(2) Use the following two statements to configure the router's S0 as the NAT internal network interface.

Router(config)# interface S0

Router(config-if)# ip nat inside

(3) Use the following two statements to configure the router's S1 as the NAT external network interface.

Router(config)# interface S1

Router(config-if)# ip nat outside

[Note] For a given NAT network, the internal and external network interfaces on the router are fixed and do not change with the direction of communication. As in the internal address NAT translation example of the previous subsection, interface S0 is still the internal network interface and interface S1 the external network interface.

(4) Use the show ip nat translations privileged mode command to verify the NAT configuration above. The output shows that the outside local address of the NAT entry is 10.10.10.5 and the outside global address is 171.16.68.1. This matches the configuration, which proves that the configuration succeeded.

Router# show ip nat translations

Pro  Inside global      Inside local       Outside local      Outside global
---  ---                ---                10.10.10.5         171.16.68.1

Similarly, if the external network host (171.16.68.1) now pings the internal network host (10.10.10.1) and the "show ip nat translations" command is executed again in router privileged mode, the following result is displayed. Because only the outside local and outside global addresses are configured at this time, the inside local address and the inside global address in the icmp entry are the same, namely the ping destination host address 10.10.10.1.

Router# show ip nat translations

Pro  Inside global      Inside local       Outside local      Outside global
---  ---                ---                10.10.10.5         171.16.68.1
icmp 10.10.10.1:37      10.10.10.1:37      10.10.10.5:37      171.16.68.1:37

In contrast to the internal-address-only configuration of the previous subsection, the source IP address (SA) of packets sent from the external network to the internal network is translated when passing through the router (from the outside global address 171.16.68.1 to the outside local address 10.10.10.5), while the destination address (DA) remains unchanged. For the reply packets sent from the internal network to the external network the source IP address does not change; only the destination IP address is translated when passing through the router (from the outside local address 10.10.10.5 to the outside global address 171.16.68.1). This is because no translation between the inside local and inside global addresses is configured on the NAT router at this time. The translation of the source and destination IP addresses of packets on both sides of the network is shown in figure 6-12.

[Rule of thumb] When only external address NAT translation is performed, no matter where the packet comes from, the address in the packet changes only between outside addresses. Again, whether the change applies to the source IP address or to the destination IP address depends on whether the packet comes from the internal network or from the external network: if it comes from the internal network, the destination IP address is translated; if it comes from the external network, the source IP address is translated. This is the opposite of internal address NAT translation.

Figure 6-12 example of external address NAT translation

6.2.4 Principle of simultaneous internal and external address NAT translation

The following describes the principle and basic configuration steps of translating internal and external addresses at the same time. This requires using the ip nat inside source command to define the translation between the inside global address and the inside local address, and at the same time the ip nat outside source command to define the translation between the outside global address and the outside local address (either static NAT or dynamic NAT). In this way, whichever direction a packet travels, both its source and destination addresses change. This is mainly used for NAT in overlapping networks; the specific configuration method is described in section 6.6 of this chapter.

The basic network of figure 6-10 is used again as the example. The following configuration achieves this: when the inside network interface S0 of the NAT router receives a packet from the internal network with source IP address 10.10.10.1 and destination IP address 10.10.10.5, the source IP address is translated to the inside global address 171.16.68.5 and the destination IP address to the outside global address 171.16.68.1 before the packet is forwarded out of interface S1.

When the outside network interface S1 of the NAT router receives a packet from the external network with source IP address 171.16.68.1 and destination IP address 171.16.68.5, the source IP address is translated to the outside local address 10.10.10.5 and the destination IP address to the inside local address 10.10.10.1.

The following takes the static NAT translation mode as the example (dynamic NAT translation can also be used) to introduce the configuration steps for translating internal and external addresses at the same time. The detailed static and dynamic NAT configuration methods are described later in this chapter.

Router(config)# ip nat inside source static 10.10.10.1 171.16.68.5   !- establish a static NAT mapping between the inside local address 10.10.10.1 and the inside global address 171.16.68.5; hosts on the external network reach the internal host 10.10.10.1 through the address 171.16.68.5

Router(config)# ip nat outside source static 171.16.68.1 10.10.10.5   !- establish a static NAT mapping between the outside global address 171.16.68.1 and the outside local address 10.10.10.5; hosts on the internal network reach the external host 171.16.68.1 through the address 10.10.10.5

Router(config)# interface S0

Router(config-if)# ip nat inside

Router(config-if)# end

Router(config)# interface S1

Router(config-if)# ip nat outside

Router(config-if)# end

Router(config)# end

Router# show ip nat translations

Pro  Inside global      Inside local       Outside local      Outside global
---  ---                ---                10.10.10.5         171.16.68.1
---  171.16.68.5        10.10.10.1         ---                ---

Similarly, if the internal host now pings the external host and the external host pings the internal host, and the "show ip nat translations" command is then executed in router privileged mode, the following result is displayed. Because the inside and outside local and global addresses are all configured, both static NAT entries are displayed, together with the icmp entries created by the two pings: one corresponds to the translation between the outside local and outside global addresses, the other to the translation between the inside local and inside global addresses. In the ICMP entry for the ping from the external host, the inside local and inside global addresses are the same; in the ICMP entry for the ping from the internal host, the outside local and outside global addresses are the same. In both cases the repeated address is the destination host address of that ping.

Router# show ip nat translations

Pro  Inside global      Inside local       Outside local      Outside global
---  ---                ---                10.10.10.5         171.16.68.1
icmp 10.10.10.1:4       10.10.10.1:4       10.10.10.5:4       171.16.68.1:4
icmp 171.16.68.5:39     10.10.10.1:39      171.16.68.1:39     171.16.68.1:39
---  171.16.68.5        10.10.10.1         ---                ---

After the above configuration, whichever side a packet is sent from, not only its source IP address but also its destination IP address changes, as shown in figure 6-13.

In packets sent from the internal network to the external network, the source IP address is translated from the inside local address (10.10.10.1) to the inside global address (171.16.68.5), and the destination IP address from the outside local address (10.10.10.5) to the outside global address (171.16.68.1). In packets sent from the external network to the internal network, the source IP address is translated from the outside global address (171.16.68.1) to the outside local address (10.10.10.5), and the destination IP address from the inside global address (171.16.68.5) to the inside local address (10.10.10.1). The translation of source and destination IP addresses in the two directions is shown in figures 6-14 and 6-15 respectively.

Figure 6-13 Example of NAT translation with both internal and external address translation configured

Figure 6-14 Address translation when packets are sent from the internal network to the external network

Figure 6-15 Address translation when packets are sent from the external network to the internal network

As figures 6-14 and 6-15 show, the source IP address translation in figure 6-14 is exactly the reverse of the destination IP address translation in figure 6-15, and the destination IP address translation in figure 6-14 is exactly the reverse of the source IP address translation in figure 6-15.

In addition, careful analysis shows that the address translation applied to packets sent from the internal network to the external network is always from a local address to a global address, that is, from the address as seen on the internal network side to the address as seen on the external network side. Conversely, the address translation applied to packets sent from the external network to the internal network is always from a global address to a local address, that is, from the address as seen on the external network side to the address as seen on the internal network side.
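The three subsections 6.2.2 to 6.2.4 describe one pair of rewriting rules applied with zero, one or two mapping tables. The following is an added example, not code from the book or from Cisco, that implements those rules as a small simulator: an ip nat inside source static mapping rewrites the SA of packets arriving on the inside interface and the DA of packets arriving on the outside interface, an ip nat outside source static mapping does the mirror image, and the three scenario functions reproduce the three configurations of figure 6-10 with the addresses used in the text (10.10.10.1 <-> 171.16.68.5 inside, 171.16.68.1 <-> 10.10.10.5 outside). The class and function names are the example's own; only the address rewriting is modelled, not routing.

```python
"""Simulate the source/destination rewriting described in sections 6.2.2 to
6.2.4 for a router with static 'ip nat inside source' and/or
'ip nat outside source' mappings.

Added example, not code from the book. The addresses are those of figure 6-10:
inside 10.10.10.1 <-> 171.16.68.5, outside 171.16.68.1 <-> 10.10.10.5.
Routing is not modelled; only the address rewriting rules are.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    sa: str  # source IP address
    da: str  # destination IP address


class StaticNat:
    """Holds the two mapping tables of a NAT router and applies them."""

    def __init__(self) -> None:
        self.inside: Dict[str, str] = {}   # inside local   -> inside global
        self.outside: Dict[str, str] = {}  # outside global -> outside local

    # Equivalent of: ip nat inside source static <inside-local> <inside-global>
    def ip_nat_inside_source_static(self, inside_local: str, inside_global: str) -> None:
        self.inside[inside_local] = inside_global

    # Equivalent of: ip nat outside source static <outside-global> <outside-local>
    def ip_nat_outside_source_static(self, outside_global: str, outside_local: str) -> None:
        self.outside[outside_global] = outside_local

    def inside_to_outside(self, pkt: Packet) -> Packet:
        """Packet received on the 'ip nat inside' interface: local -> global."""
        sa = self.inside.get(pkt.sa, pkt.sa)                 # inside local -> inside global
        outside_local_to_global = {loc: glob for glob, loc in self.outside.items()}
        da = outside_local_to_global.get(pkt.da, pkt.da)     # outside local -> outside global
        return Packet(sa, da)

    def outside_to_inside(self, pkt: Packet) -> Packet:
        """Packet received on the 'ip nat outside' interface: global -> local."""
        sa = self.outside.get(pkt.sa, pkt.sa)                # outside global -> outside local
        inside_global_to_local = {glob: loc for loc, glob in self.inside.items()}
        da = inside_global_to_local.get(pkt.da, pkt.da)      # inside global -> inside local
        return Packet(sa, da)

    def show_ip_nat_translations(self) -> List[Tuple[str, str, str, str, str]]:
        """Static entries in the column order of 'show ip nat translations'."""
        rows = [("---", "---", "---", loc, glob) for glob, loc in self.outside.items()]
        rows += [("---", glob, loc, "---", "---") for loc, glob in self.inside.items()]
        return rows


def inside_only() -> Tuple[Packet, Packet]:
    """Section 6.2.2: only 'ip nat inside source' configured; SA out, DA back."""
    nat = StaticNat()
    nat.ip_nat_inside_source_static("10.10.10.1", "171.16.68.5")
    out = nat.inside_to_outside(Packet("10.10.10.1", "171.16.68.1"))
    reply = nat.outside_to_inside(Packet("171.16.68.1", "171.16.68.5"))
    return out, reply


def outside_only() -> Tuple[Packet, Packet]:
    """Section 6.2.3: only 'ip nat outside source' configured; SA in, DA back."""
    nat = StaticNat()
    nat.ip_nat_outside_source_static("171.16.68.1", "10.10.10.5")
    inbound = nat.outside_to_inside(Packet("171.16.68.1", "10.10.10.1"))
    reply = nat.inside_to_outside(Packet("10.10.10.1", "10.10.10.5"))
    return inbound, reply


def both() -> Tuple[Packet, Packet, List[Tuple[str, str, str, str, str]]]:
    """Section 6.2.4: both mappings configured; SA and DA change in both directions."""
    nat = StaticNat()
    nat.ip_nat_inside_source_static("10.10.10.1", "171.16.68.5")
    nat.ip_nat_outside_source_static("171.16.68.1", "10.10.10.5")
    out = nat.inside_to_outside(Packet("10.10.10.1", "10.10.10.5"))
    inbound = nat.outside_to_inside(Packet("171.16.68.1", "171.16.68.5"))
    return out, inbound, nat.show_ip_nat_translations()


if __name__ == "__main__":
    print("inside only :", inside_only())
    print("outside only:", outside_only())
    print("both        :", both())
```

Running the three scenarios reproduces the figures: with only the inside mapping, the outbound packet leaves as 171.16.68.5 -> 171.16.68.1 and the reply arrives as 171.16.68.1 -> 10.10.10.1; with only the outside mapping, the inbound packet becomes 10.10.10.5 -> 10.10.10.1 and the reply 10.10.10.1 -> 171.16.68.1; with both, a packet sent to 10.10.10.5 leaves as 171.16.68.5 -> 171.16.68.1 and the return packet arrives as 10.10.10.5 -> 10.10.10.1. On a real router the inside hosts additionally need a route to the outside local address (10.10.10.5) that leaves through the outside interface, which this simulator does not model.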
