
Network security and access - NAT introduction

Latest reply: Mar 2, 2022 07:58:12

In practice, due to limited IPv4 addresses, private IP addresses are usually used in LANs.

• Class A: 10.0.0.0 - 10.255.255.255

• Class B: 172.16.0.0 - 172.31.255.255

• Class C: 192.168.0.0 - 192.168.255.255

A private network cannot connect directly to the Internet because it uses private IP addresses. Driven by requirements, however, many private networks also need to connect to the Internet, both to communicate with the Internet itself and to communicate with other private networks through the Internet. Interconnection between a private network and the Internet must be implemented using NAT technology.

Network address translation (NAT) translates the IP address in an IP datagram header to another IP address, allowing users on private networks to access public networks.

Static NAT

Static NAT: A private IP address is mapped to a fixed public IP address.

Features:

1. Bidirectional access: When an internal host with a private IP address accesses the Internet, the egress NAT device translates the private IP address into a public IP address. Similarly, when an external network device sends packets to access an internal network, the NAT device translates the public address (destination address) carried in the packets into a private address.

2. Static NAT strictly maps addresses in one-to-one mode. As a result, even if an internal host is offline for a long time or does not send any data, the public address remains occupied by that host.

Dynamic NAT (No-PAT)

Dynamic NAT: A private IP address is mapped to a public IP address from a NAT address pool containing a group of public IP addresses.

When an internal host accesses an external network, an available IP address in the NAT address pool is temporarily assigned to the host and marked as In Use. When the host no longer accesses the external network, the assigned IP address is reclaimed and marked as Not In Use.

As shown in the following figure, the dynamic NAT process is as follows:

1. The Router receives a request packet sent from the host on the private network for accessing the server on the public network. The source IP address of the packet is 192.168.1.1.

2. The Router selects an idle public IP address (122.1.22.2) from the IP address pool, and sets up forward and reverse NAT entries that specify the mapping between the source IP address of the packet and the public IP address. The Router translates the packet's source IP address to the public IP address based on the forward NAT entry, and sends the packet to the server on the public network. After the translation, the packet's source IP address is 122.1.22.2, and its destination IP address is 200.1.2.3.

3. After receiving a response packet from the server on the public network, the Router queries the reverse NAT entry based on the packet's destination IP address. The Router translates the packet's destination IP address to the private IP address of the host on the private network based on the reverse NAT entry and sends the packet to the host. After the translation, the packet's source IP address is 200.1.2.3, and its destination IP address is 192.168.1.1.
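The three steps above, replayed in a small simulation of dynamic NAT (No-PAT). This is an added example, not code from the original post: it keeps an address pool with the In Use / Not In Use states, builds the forward and reverse entries, and shows what happens when the pool is exhausted and when an address is reclaimed. The pool contents (122.1.22.2 plus a constructed second address 122.1.22.3) and the extra hosts are assumptions for illustration.

```python
# Added example (not from the original post): dynamic NAT (No-PAT) simulation.
# Pool addresses beyond 122.1.22.2 and the extra hosts are constructed.

class DynamicNat:
    def __init__(self, pool):
        # Pool state: public address -> "Not In Use" or "In Use"
        self.pool = {addr: "Not In Use" for addr in pool}
        self.forward = {}  # forward NAT entry: private address -> public address
        self.reverse = {}  # reverse NAT entry: public address -> private address

    def outbound(self, src, dst):
        # Packet leaving the private network. On first use, pick the first idle
        # pool address and create the forward/reverse entries. Returns the
        # translated (src, dst) pair, or None when the pool is exhausted.
        public = self.forward.get(src)
        if public is None:
            free = [a for a, s in self.pool.items() if s == "Not In Use"]
            if not free:
                return None
            public = free[0]
            self.pool[public] = "In Use"
            self.forward[src] = public
            self.reverse[public] = src
        return (public, dst)

    def inbound(self, src, dst):
        # Response arriving from the public network. Only a destination with a
        # reverse entry is translated; anything else is dropped (None), which is
        # why unsolicited inbound packets never reach private hosts this way.
        private = self.reverse.get(dst)
        if private is None:
            return None
        return (src, private)

    def release(self, src):
        # The host stops accessing the external network: reclaim its address.
        public = self.forward.pop(src, None)
        if public is not None:
            del self.reverse[public]
            self.pool[public] = "Not In Use"


def walkthrough():
    # Replay steps 1-3 from the post and return the packets as seen after NAT.
    nat = DynamicNat(["122.1.22.2", "122.1.22.3"])
    step2 = nat.outbound("192.168.1.1", "200.1.2.3")  # -> ("122.1.22.2", "200.1.2.3")
    step3 = nat.inbound("200.1.2.3", "122.1.22.2")    # -> ("200.1.2.3", "192.168.1.1")
    return step2, step3, nat
```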

NAPT

In addition to one-to-one address translation, Network Address and Port Translation (NAPT) allows multiple private IP addresses to be mapped to the same public IP address. It is also called many-to-one address translation or address reuse.

NAPT translates the IP address and port number of a packet so that multiple users on a private network can use the same public IP address to access the public network.

The NAPT process is as follows:

1. The Router receives a request packet sent from the host on the private network for accessing the server on the public network. For example, the packet is sent from Host A to the Router, its source IP address is 192.168.1.1, and its source port number is 10321.

2. The Router selects an idle public IP address and an idle port number from the IP address pool, and sets up forward and reverse NAPT entries that specify the mapping between the source IP address and port number of the packet and the public IP address and port number. The Router translates the packet's source IP address and port number to the public IP address and port number based on the forward NAPT entry, and sends the packet to the server on the public network. For example, after the translation is performed on the packet of Host A, the packet's source IP address is 122.1.2.2, and its port number is 1025.

3. After receiving a response packet from the server on the public network, the Router queries the reverse NAPT entry based on the packet's destination IP address and port number. The Router translates the packet's destination IP address and port number to the private IP address and port number of the host on the private network based on the reverse NAPT entry, and sends the packet to the host. For example, after the translation is performed on the packet sent from the server to Host A, the packet's destination IP address is 192.168.1.1, and its destination port number is 10321.

Easy IP

Easy IP: translates both IP addresses and transport-layer port numbers. The implementation of Easy IP is the same as that of NAPT. The difference is that Easy IP does not involve address pools; it uses an interface address as the public address for NAT.

Easy IP applies to scenarios where public IP addresses are not fixed, such as scenarios where public IP addresses are dynamically obtained by egress devices on private networks through DHCP or PPPoE dialup.

NAT Server

For security purposes, most private network hosts do not expect access from public network users. However, in some applications, public network users need to access a private network server, for example, a WWW server or an FTP server on the private network. With dynamic NAT or NAPT, NAT entries cannot be dynamically created for access initiated by public network users. As a result, public network users cannot access private network hosts.

To address this problem, the NAT Server function (also called NAT internal server) can be configured. This function creates mappings between private IP addresses+port numbers and public IP addresses+port numbers on a NAT device. With this function, the NAT device can reversely translate public IP addresses to private IP addresses so that users on a public network can access the internal servers.

For example, as shown in the following figure, the NAT Server function is enabled on a NAT device, and a private network server's IP address+port number (192.168.1.10:80) is mapped to a public network IP address+port number (122.1.1.1:80). When a public network host needs to access the server 192.168.1.10, the NAT device translates 122.1.1.1:80 to 192.168.1.10:80, so that the service request can reach the server 192.168.1.10 on the private network.
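The NAPT walkthrough (steps 1 to 3 above) and the NAT Server mapping, combined in one added simulation that is not code from the original post. It keeps forward and reverse NAPT entries keyed on (IP, port), shows that an inbound packet with no entry is dropped, and shows that the static NAT Server mapping 122.1.1.1:80 -> 192.168.1.10:80 lets a public host reach the internal server. A single public address is assumed (as Easy IP would use), the first public port 1025 follows the post's example, and the server port 80 and the public host 203.0.113.5 are constructed.

```python
# Added example (not from the original post): NAPT plus NAT Server simulation.
# Assumes one public address; server port 80 and host 203.0.113.5 are constructed.

class Napt:
    def __init__(self, public_ip, first_port=1025):
        self.public_ip = public_ip
        self.next_port = first_port   # next idle public port to hand out
        self.forward = {}   # forward NAPT entry: (private_ip, port) -> (public_ip, port)
        self.reverse = {}   # reverse NAPT entry: (public_ip, port) -> (private_ip, port)
        self.servers = {}   # NAT Server mappings: (public_ip, port) -> (private_ip, port)

    def add_server(self, public, private):
        # Static NAT Server mapping, configured in advance so that inbound
        # requests to `public` are translated to `private` without a prior
        # outbound packet.
        self.servers[public] = private

    def outbound(self, src, dst):
        # Host -> server: allocate a public port on first use and create the
        # forward/reverse entries; then translate the source IP and port.
        pub = self.forward.get(src)
        if pub is None:
            pub = (self.public_ip, self.next_port)
            self.next_port += 1
            self.forward[src] = pub
            self.reverse[pub] = src
        return (pub, dst)

    def inbound(self, src, dst):
        # Server -> host: translate the destination IP and port using the
        # reverse NAPT entry or a NAT Server mapping. With neither, the packet
        # is dropped (None): public users cannot reach arbitrary private hosts.
        private = self.reverse.get(dst) or self.servers.get(dst)
        if private is None:
            return None
        return (src, private)


def walkthrough():
    nat = Napt("122.1.2.2")
    nat.add_server(("122.1.1.1", 80), ("192.168.1.10", 80))
    # Step 2: Host A 192.168.1.1:10321 -> 200.1.2.3:80 becomes 122.1.2.2:1025
    step2 = nat.outbound(("192.168.1.1", 10321), ("200.1.2.3", 80))
    # Step 3: the reply to 122.1.2.2:1025 is mapped back to 192.168.1.1:10321
    step3 = nat.inbound(("200.1.2.3", 80), ("122.1.2.2", 1025))
    # A public host reaching the internal web server through NAT Server
    web = nat.inbound(("203.0.113.5", 40000), ("122.1.1.1", 80))
    # Unsolicited inbound packet with no NAPT entry and no server mapping
    dropped = nat.inbound(("203.0.113.5", 40001), ("122.1.2.2", 2000))
    return step2, step3, web, dropped
```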

The post is synchronized to: HCIA - Datacom class notes

Nice

Very useful

Nice

great

Thank you for sharing and keep up the good work!

andersoncf1
MVE Author Created Jul 26, 2021 13:35:36

Very useful. Thanks for sharing

Very good share

Excellent, thank you for sharing!

AL_93
Moderator Created Oct 11, 2021 16:46:24

Excellent, thank you for sharing!