In dynamic NAT the association between a private IP address and a public IP address is not fixed. When a private host needs to reach the public network, a dynamic NAT mapping between its private address and a public address is established, and the private address in the outbound packet is temporarily replaced by the mapped public address. When the return packet reaches the NAT device, the inbound direction consults the mapping table, replaces the public address with the corresponding private address, and forwards the packet to the host, so that internal users can communicate with the external network.
Dynamic NAT is implemented in two ways: Basic NAT and NAPT.
Basic NAT is a dynamic one-to-one address translation.
When an internal host initiates a request to the public network, the NAT device takes a public IP address from the pre-configured public address pool, dynamically creates a NAT mapping entry between the private IP address and that public IP address, and replaces the source address in the packet with the mapped public address (only the source address is replaced). The packet is then sent to the destination host on the external network.
When the external host answers the request, the response reaches the NAT device, which reverses the mapping between the private and public addresses recorded in the NAT translation table entry created when the request was initiated: in the inbound direction it replaces the destination IP address of the packet (the public address that was mapped from the internal host's private address) with the internal host's private IP address and forwards the packet to the internal host.
Usage scenario:
Because Basic NAT's one-to-one dynamic translation cannot multiplex public IP addresses and therefore wastes them, NAPT is used to forward addresses concurrently. NAPT allows multiple internal addresses to be mapped to the same public IP address, so it is also called many-to-one address translation and achieves address multiplexing.
NAPT translates on the basis of IP address plus port number, also through a public address pool (a public address pool must first be created on the NAT device).
Easy IP works on the same principle as NAPT; the difference is that Easy IP does not require a public IP address pool and is suitable for small networks.
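The many-to-one translation described above, as an added example that is not part of the original article: a minimal NAPT table in which several private hosts share one public address from the pool and are told apart by the public port, with the reverse lookup for returning packets. The addresses and ports are constructed sample values.

```python
# Added example (not from the original article): a minimal NAPT translation table.
# One public address from the pool is shared by several private hosts; the
# (private IP, private port) pair is mapped to (public IP, public port) on the
# first outbound packet, and the mapping is reversed for returning packets.
# Addresses and ports are constructed sample values.

from itertools import count


class NAPT:
    def __init__(self, public_pool, first_port=10000):
        self.public_pool = list(public_pool)   # pre-configured public address pool
        self.next_port = count(first_port)     # next free public port to hand out
        self.out_table = {}   # (priv_ip, priv_port) -> (pub_ip, pub_port)
        self.in_table = {}    # (pub_ip, pub_port) -> (priv_ip, priv_port)

    def outbound(self, pkt):
        """Translate only the source of a private -> public packet."""
        key = (pkt["src"], pkt["sport"])
        if key not in self.out_table:
            # All private hosts share the first pool address and are
            # distinguished by the public port (many-to-one translation).
            mapped = (self.public_pool[0], next(self.next_port))
            self.out_table[key] = mapped
            self.in_table[mapped] = key
        pub_ip, pub_port = self.out_table[key]
        return dict(pkt, src=pub_ip, sport=pub_port)

    def inbound(self, pkt):
        """Reverse the mapping for a returning public -> private packet."""
        key = (pkt["dst"], pkt["dport"])
        if key not in self.in_table:
            return None   # no mapping entry: unsolicited inbound traffic is dropped
        priv_ip, priv_port = self.in_table[key]
        return dict(pkt, dst=priv_ip, dport=priv_port)


if __name__ == "__main__":
    nat = NAPT(["203.0.113.5"])
    for host in ("192.168.1.10", "192.168.1.11"):
        out = nat.outbound({"src": host, "sport": 40000,
                            "dst": "198.51.100.7", "dport": 80})
        print(host, "->", out["src"], out["sport"])
```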
Usage scenario:
During address translation, dynamic NAT cannot guarantee that the same private IP address and port number is replaced by the same public IP address and port number at different times. There is uncertainty, because dynamic NAT randomly selects an idle address and port from the address pool and port list to map the private IP address, yet some important hosts on the internal network need a fixed public IP address for external access, which dynamic NAT cannot provide.
Static NAT establishes a fixed one-to-one mapping between a public IP address and a private IP address: a specific private IP address is always replaced by a specific public IP address, which ensures that an internal host accesses the external network with a fixed public IP address.
In practice, however, this scenario is rare and wastes IP addresses, since internal hosts do not need a fixed public IP address to reach the external network. It is usually described for internal servers accessing the external network, but an internal server rarely needs to initiate connections outward; it normally accepts connections passively, so an internal server is usually published with NAT Server instead.
NAT Server: Both static NAT and dynamic NAT handle access from the internal network to the external network. Through NAT, multiple internal hosts share one or more public IP addresses to reach the external network. Because the internal IP addresses are translated, NAT hides and shields the IP addresses of internal hosts. The exit point is usually a device such as a firewall, which can resist certain attacks from the external network and protect the security of internal network devices.
Sometimes the internal network must provide services to external hosts, for example web, FTP or mail servers deployed on the internal network that serve external users. In this case the internal server must not be blocked, and external users may need to reach the intranet server at any time. This is a NAT translation scenario in which access is initiated from the external network toward the internal network.
NAT Server solves this problem well. When an external user accesses the intranet server, the device uses the pre-configured fixed mapping between the server's [public IP address: port number] and [private IP address: port number] to replace [public IP address: port number] with [private IP address: port number], so that external users can reach the internal server. Judged by the relationship between private and public IP addresses, this is also a static mapping.
In some applications, private-network users want to access an internal server located on the same private network as themselves through its domain name, while the DNS server that resolves the name is on the public network. The private user first sends a resolution request to the public DNS server, which resolves the name to an IP address. Because the internal server is published by NAT Server, the DNS answer is the public IP address mapped to the internal server. If that public address is not replaced with the internal server's private IP address, the private user cannot access the internal server by domain name: the user is addressing a public IP address, while the actual server is on the private network and has a private IP address.
The internal server's private IP address is 192.168.1.10. The NAT Server function is enabled on the GW device, and the private address 192.168.1.10 is mapped to 184.108.40.206. When the private user 192.168.2.10 accesses the internal server by domain name, it first sends a resolution request to the public DNS server 220.127.116.11; the public DNS server 18.104.22.168 answers the request, resolves the name to the public IP address 22.214.171.124 and returns it to the internal user host 192.168.2.10. The internal host then uses the public address 126.96.36.199 to reach the internal server, which leads to the access failure.
DNS mapping solves this problem. Its root cause is that the public DNS server answers the resolution request with the public IP address, and that public address is not replaced with the internal server's private IP address, so the server is unreachable.
When DNS mapping rewrites the data part of the DNS response, it first looks up the pre-configured [domain name - public address - public port - protocol type] mapping table to find the public IP address used by the domain name, then uses the NAT address mapping table to replace the destination IP address in the response and the public IP address carried in its data part with the internal server's private IP address. The resolved address that the internal user host receives in the DNS response is therefore the internal server's private IP address, and the host can use it as the destination address to access the internal server.
When the internal user host PC accesses the internal server Ser by domain name, it sends a resolution request to the public DNS server 188.8.131.52. The DNS server 184.108.40.206 responds with destination address 220.127.116.11 and the resolved public IP address 18.104.22.168 in the data part, and the response reaches the GW (NAT Server). The GW uses the domain name carried in the response to query the pre-configured [domain name - public address - public port - protocol type] mapping table, finds the corresponding public IP address, looks up the matching private IP address in the static public-to-private mapping table, replaces the destination IP address of the DNS response and the public IP address carried in its data part with the internal server's private IP address, and forwards the packet to the internal user host. On receiving it, the internal user host completes access to the internal server by domain name.
Note: DNS mapping applies to static NAT and NAT Server but not to dynamic NAT, which is an obvious difference between it and ALG technology.
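The NAT Server rewrite and the DNS mapping procedure above, as one added example that is not part of the original article: a static [public IP:port] to [private IP:port] table, the [domain name - public address - public port - protocol type] table, the inbound rewrite of the resolved address in a DNS response, and a check of what the private client targets with and without DNS mapping. The addresses, ports and domain name are constructed sample values.

```python
# Added example (not from the original article): NAT Server plus DNS mapping on
# the gateway. NAT_SERVER is the static [public IP:port] -> [private IP:port]
# table; DNS_MAPPING is the [domain - public address - public port - protocol]
# table. Addresses, ports and the domain name are constructed sample values.

NAT_SERVER = {
    ("203.0.113.10", 80): ("192.168.1.10", 8080),   # published web server
}
DNS_MAPPING = {
    "www.example.test": ("203.0.113.10", 80, "tcp"),
}


def nat_server_inbound(pkt):
    """External user -> internal server: rewrite the public destination
    [IP:port] to the private [IP:port]; unmapped destinations are dropped."""
    mapped = NAT_SERVER.get((pkt["dst"], pkt["dport"]))
    if mapped is None:
        return None
    return dict(pkt, dst=mapped[0], dport=mapped[1])


def dns_mapping_inbound(reply):
    """Public DNS server -> private client: if the resolved address in the
    data part is a public address published by NAT Server, replace it with
    the internal server's private address. A domain without a DNS mapping
    entry, or an answer that is not our public address, passes unchanged."""
    entry = DNS_MAPPING.get(reply["qname"])
    if entry is None:
        return reply
    pub_ip, pub_port, _proto = entry
    if reply["answer"] != pub_ip:
        return reply
    mapped = NAT_SERVER.get((pub_ip, pub_port))
    if mapped is None:
        return reply
    return dict(reply, answer=mapped[0])


def private_client_lookup(reply, private_hosts, with_dns_mapping=True):
    """Simulate the private user's access attempt after the DNS reply.
    Returns the address the client targets and whether that address is a
    host on the private LAN. Without DNS mapping the client targets the
    public address, which is not a LAN host, so the access fails."""
    if with_dns_mapping:
        reply = dns_mapping_inbound(reply)
    target = reply["answer"]
    return target, target in private_hosts
```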
Twice NAT translates the source IP address and the destination IP address at the same time. It is mainly used when the addresses of internal hosts and external hosts overlap; source and destination addresses are translated in both directions through several intermediate public IP addresses. It can be used with all three NAT features: static NAT, dynamic NAT and NAT Server.
- As shown in the figure, an internal host needs to reach, by domain name, an external server whose address overlaps with the internal network. PC1 sends a DNS resolution request to the DNS server. The data part of the DNS response carries the resolved IP address 4.4.4.4; when the response reaches the GW, DNS ALG converts the address 22.214.171.124 in the data part into a unique temporary address 126.96.36.199 and forwards the response to PC1.
- PC1 then sends to the external server using its own interface address 188.8.131.52 as source and 184.108.40.206 as destination. When the packet reaches the GW, outbound source address translation converts 220.127.116.11 to 5.5.5.6. The GW then checks that the translated source address 18.104.22.168 and the destination address 22.214.171.124 overlap, so it also translates the destination, converting it to the external server's real address 126.96.36.199, and sends the packet to the external server.
- The external server responds to PC1's request using its own IP address 188.8.131.52 as source and 184.108.40.206 as destination and sends the packet to the GW. The GW performs inbound destination address translation, converting 220.127.116.11 to 18.104.22.168; it then checks that the translated destination address overlaps with the source address, so it also translates the source, converting 22.214.171.124 to 126.96.36.199, and sends the packet to PC1.
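The three steps above, as an added example that is not part of the original article: a twice-NAT gateway model in which the internal LAN and the external server both use 10.1.1.0/24, DNS ALG hands PC1 a unique temporary address for the server, and both source and destination are translated in each direction. One assumption is labelled in the code: this model triggers the second translation by matching the temporary-address table rather than by the overlap check the text describes. All addresses are constructed sample values.

```python
# Added example (not from the original article): a twice-NAT gateway for the
# overlapping-address case. Inside hosts and the external server both sit in
# 10.1.1.0/24, so DNS ALG gives PC1 a temporary address for the server and the
# gateway translates source and destination in both directions.
# Assumption: the second translation is keyed on the temporary-address table
# instead of an explicit overlap check. Addresses are constructed sample values.


class TwiceNAT:
    def __init__(self, public_pool, temp_pool, inside_net="10.1.1."):
        self.public_pool = list(public_pool)  # public addresses for inside hosts
        self.temp_pool = list(temp_pool)      # temporary addresses for overlapping servers
        self.inside_net = inside_net
        self.src_map = {}    # private source -> public source (outbound)
        self.temp_map = {}   # temporary address -> real external server address

    def dns_alg(self, resolved_ip):
        """Rewrite a DNS answer whose address overlaps the inside network."""
        if not resolved_ip.startswith(self.inside_net):
            return resolved_ip                 # no overlap: answer passes unchanged
        for temp, real in self.temp_map.items():
            if real == resolved_ip:
                return temp                    # reuse the existing temporary address
        temp = self.temp_pool.pop(0)
        self.temp_map[temp] = resolved_ip
        return temp

    def outbound(self, pkt):
        """PC1 -> server: translate the source, then the temporary destination."""
        src = pkt["src"]
        if src not in self.src_map:
            self.src_map[src] = self.public_pool.pop(0)
        dst = pkt["dst"]
        if dst in self.temp_map:               # second translation of the destination
            dst = self.temp_map[dst]           # to the server's real address
        return dict(pkt, src=self.src_map[src], dst=dst)

    def inbound(self, pkt):
        """Server -> PC1: translate the destination back, then the source to
        the temporary address PC1 knows; unknown destinations are dropped."""
        priv_dst = next((p for p, pub in self.src_map.items() if pub == pkt["dst"]), None)
        if priv_dst is None:
            return None
        temp = next((t for t, r in self.temp_map.items() if r == pkt["src"]), pkt["src"])
        return dict(pkt, src=temp, dst=priv_dst)
```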