
NAT connection type. NAT - setting up network address translation

These are completely different technologies. Do not confuse them.

What is NAT

NAT is a collective term for technologies that translate network addresses and/or protocols. NAT devices transform the packets passing through them, replacing addresses, ports, protocols, etc.

There are narrower concepts: SNAT, DNAT, masquerading, PAT, NAT-PT, etc.

Why NAT is needed and how it is used

To let an internal network out to the Internet

  • through a pool of external addresses
  • through one external address

To substitute one external IP address for another (traffic redirection).

For load balancing between identical servers with different IP addresses.

To join two local networks with overlapping internal addressing.

How NAT works

S+D NAT (joining branch offices - evil!)

port mapping, port forwarding

Advantages and disadvantages

NAT is incompatible with some protocols: the particular NAT implementation must support inspection of the protocol in question.

NAT "screens" the internal network from the outside world, but it cannot be used instead of a firewall.

Cisco IOS setup

Cisco routers and firewalls support various types of NAT, depending on the software feature set. The most used method is NAT with the binding of internal local addresses to different ports of one external address (PAT in Cisco terminology).

To configure NAT on a router you need to:

  • Determine the traffic that needs to be translated (using access lists or a route-map);

ip access-list extended LOCAL
 permit ip 10.0.0.0 0.255.255.255 any

route-map INT1
 match ip address LOCAL
 match interface FastEthernet0/1.1

Access list LOCAL selects all traffic from the 10.x.x.x networks.

Route-map INT1 selects the traffic of access list LOCAL that leaves via subinterface FA0/1.1.

  • Determine which external addresses to translate to. Choose a pool of external addresses. For PAT a single address is enough.

ip nat pool GLOBAL 212.192.64.74 212.192.64.74 netmask 255.255.255.0

This sets up a pool of external addresses named GLOBAL. The pool contains just one address.

  • Enable NAT for the selected internal and external addresses.

ip nat inside source route-map INT1 pool GLOBAL overload

This enables NAT for translating source addresses on the inside interface. Only traffic matching the conditions of route-map INT1 will be translated. The external address will be taken from pool GLOBAL.

ip nat inside source static tcp 10.0.0.1 23 212.192.64.74 23 extendable

Static "port forwarding" or "service publishing". In traffic going inward to the address 212.192.64.74, TCP port 23, the destination will be replaced with the address 10.0.0.1, TCP port 23.

  • Assign the inside and outside interfaces.

interface FastEthernet0/0
 ip nat inside
interface FastEthernet0/1.1
 ip nat outside

Interface FA0/0 is assigned as inside for NAT.

Subinterface FA0/1.1 is assigned as outside for NAT.

  • Debugging and diagnostics:

show ip nat translations - view the table of current translations; clear ip nat translations - delete all current translations; debug ip nat - enable debugging messages (undebug all - turn debugging off).

Examples

Here are several demonstration examples for the Cisco Packet Tracer emulator.

A simple scheme for letting a small network out to the Internet through a pool of external addresses

A simple scheme for letting a network out to the Internet through one external address

A scheme for joining networks with overlapping addressing

NAT order of operations

The order in which NAT rules are applied differs between manufacturers and between devices. Here is the order in which NAT policies are applied on Cisco IOS routers:

Inside-to-Outside

  • If IPSec then check input access list
  • decryption - for CET (Cisco Encryption Technology) or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • redirect to web cache
  • policy routing
  • routing
  • NAT inside to outside (local to global translation)
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect (Context-based Access Control (CBAC))
  • TCP intercept
  • encryption
  • Queueing

Outside-to-Inside

  • If IPSec then check input access list
  • decryption - for CET or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • redirect to web cache
  • NAT outside to inside (global to local translation)
  • policy routing
  • routing
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect CBAC
  • TCP intercept
  • encryption
  • Queueing

Internet channel from one provider via NAT

Simple NAT implementation scheme with one provider

Reserving the Internet channel with two providers using NAT and IP SLA

Given: We get Internet for several computers from provider ISP1. It allocated us the address 212.192.88.150. Internet access is organized from this IP address via NAT.

Task: Connect a backup provider, ISP2. It will allocate us the address 212.192.90.150. Arrange traffic balancing: web traffic can be let out via ISP1, other traffic via ISP2. If one of the providers fails, send all traffic over the surviving channel.

What is the difficulty of the task? clear ip nat translations?

Scheme

Config

1. clear ip nat translations *

Found such an EEM snippet, it is being tested. Not all IOS versions generate the event... this needs clarifying.

!
event manager applet NAT-TRACK
 event syslog pattern "TRACKING-5-STATE"
 action 0.1 cli command "enable"
 action 0.2 wait 3
 action 0.3 cli command "clear ip nat translation *"
 action 0.4 syslog msg "NAT translation cleared after track state change"
!

2. When the interface towards a provider goes down, there is a chance that its gateway will be pinged through the second one.

!
! Placeholders in CAPITALS (NAME, PASSWORD, GATEWAY-ISP1, ADDR-ISP1, MASK, ...) stand for your own values
!
username NAME password 0 PASSWORD
enable secret 0 CONFIG-PASSWORD
!
! Access control for logging in to the router
line vty 0 4
 login local
!
! DHCP
ip dhcp pool LAN
 network INSIDE-NET MASK
 default-router GATEWAY
 dns-server 10.11.12.13
! DNS - fictitious, invented - not from our local network
!
! Ping monitor towards the provider-1 gateway
! wait 100 ms for a reply
! ping once per second
ip sla monitor 1
 type echo protocol ipIcmpEcho GATEWAY-ISP1 source-interface IF-ISP1
 timeout 100
 frequency 1
!
! Ping monitor towards provider 2
ip sla monitor 2
 type echo protocol ipIcmpEcho GATEWAY-ISP2 source-interface IF-ISP2
 timeout 50
 frequency 1
!
! Start pingers 1 and 2, now and forever
ip sla monitor schedule 1 life forever start-time now
ip sla monitor schedule 2 life forever start-time now
!
! Tracks 10 and 20 - track the state of the pingers
! react to the DOWN or UP state with a delay of 1 s
track 10 rtr 1 reachability
 delay down 1 up 1
!
track 20 rtr 2 reachability
 delay down 1 up 1
!
! Routes to all external networks via both providers
! the routes are tied to the tracks
! and are active only while the track is in the UP state,
! i.e. while the gateway of the corresponding provider is reachable
ip route 0.0.0.0 0.0.0.0 GATEWAY-ISP1 track 10
ip route 0.0.0.0 0.0.0.0 GATEWAY-ISP2 track 20
!
interface FastEthernet0/0
 no shutdown
!
! Sub-interfaces towards the external providers
! marked as outside for NAT
interface FastEthernet0/0.1
 description ISP1
 encapsulation dot1Q VLAN-ISP1
 ip address ADDR-ISP1 MASK
 ip nat outside
!
interface FastEthernet0/0.2
 description ISP2
 encapsulation dot1Q VLAN-ISP2
 ip address ADDR-ISP2 MASK
 ip nat outside
!
! Internal network interface
! marked as inside for NAT
! the PBR route-map is applied here
interface FastEthernet0/1
 ip address INSIDE-ADDR MASK
 ip nat inside
 ip policy route-map PBR
 no shutdown
!
! Access lists for traffic from the internal network to the outside:
! for web traffic and for everything else
ip access-list extended LOCAL
 permit ip INSIDE-NET INSIDE-WILDCARD any
!
ip access-list extended WEB
 permit tcp INSIDE-NET INSIDE-WILDCARD any eq www
 permit tcp INSIDE-NET INSIDE-WILDCARD any eq 443
!
ip access-list extended ALL
 permit ip any any
!
! Cunning route-map PBR:
! if the traffic from the LAN is web traffic,
! send it to the first provider's gateway;
! otherwise (all other traffic from the LAN)
! send it to the second provider's gateway.
! When assigning a gateway, the tracks are checked
route-map PBR permit 10
 match ip address WEB
 set ip next-hop verify-availability GATEWAY-ISP1 1 track 10
!
route-map PBR permit 20
 match ip address ALL
 set ip next-hop verify-availability GATEWAY-ISP2 1 track 20
!
! Cunning route-map ISP1:
! matches if traffic from the LAN
! tries to leave via Fa0/0.1
route-map ISP1 permit 10
 match ip address LOCAL
 match interface FastEthernet0/0.1
!
! Cunning route-map ISP2:
! matches if traffic from the LAN
! tries to leave via Fa0/0.2
route-map ISP2 permit 10
 match ip address LOCAL
 match interface FastEthernet0/0.2
!
! Finally, NAT ;-)
!
! Traffic from the LAN towards the first provider is NATed through the first
ip nat inside source route-map ISP1 interface FastEthernet0/0.1 overload
!
! Traffic from the LAN towards the second provider is NATed through the second
ip nat inside source route-map ISP2 interface FastEthernet0/0.2 overload
!
! Traffic to the fictitious DNS is redirected to Google DNS
ip nat outside source static 8.8.8.8 10.11.12.13 no-alias
!
! Internal port 3389 is forwarded to external port 1111 (one line per outside address)
ip nat inside source static tcp INSIDE-HOST 3389 OUTSIDE-ADDR 1111 extendable
ip nat inside source static tcp INSIDE-HOST 3389 OUTSIDE-ADDR 1111 extendable
!

Miscellaneous

CGN (Carrier Grade NAT) with a special pool of private addresses

NAT as ALG (Application Layer Gateway) (plain-text protocols, e.g. SIP)

Well, let's put these lyrics aside for a while.
Generally speaking, access lists come in several kinds:

- Standard
- Extended
- Dynamic
- Reflexive
- Time-based

Today we will focus on the first two; you can read about all of them in more detail at Cisco.

Incoming and outgoing traffic

To begin with, let's agree on one thing: what do we mean by incoming and outgoing traffic? We will need this later. Incoming traffic is the traffic that arrives at the interface from outside.

Outgoing traffic is the traffic that is sent out from the interface.

You can apply an access list either to incoming traffic, in which case unwanted packets do not even reach the router and, accordingly, do not go further into the network, or to outgoing traffic, in which case packets arrive at the router, are processed by it, reach the target interface and only then are dropped.

A standard access list checks only the sender's address. An extended one checks the sender's address, the recipient's address and the port. Standard ACLs are recommended to be placed as close as possible to the recipient (so as not to cut off more than necessary), and extended ones closer to the sender (to drop unwanted traffic as early as possible).

Practice

Let's go straight to practice. What should we restrict in our small "Lift Me Up" network?

A) Web server. Allow everyone access on TCP port 80 (the HTTP protocol). For the device from which management will be done (we have an admin too) Telnet and FTP need to be opened, but we will simply give it full access. Everyone else is blocked.

B) File server. Residents of Lift Me Up should reach it on the ports for shared folders, and everyone else via FTP.

C) Mail server. SMTP and POP3 run here, that is, TCP ports 25 and 110. Management access is also opened for the admin. Everything else is blocked.

D) For the future DNS server, UDP port 53 needs to be opened.

E) Allow ICMP messages to the server network.

F) Because the Other network is for everyone who does not belong to FEO, PTO or accounting, we restrict them all and give access only to some (among them us and the admin).

G) Into the management network only the admin should be let in again, and of course my beloved self.

H) We will not put any obstacles in the way of communication between the others.

a) Access to the Web server

Here we have the policy "everything that is not explicitly allowed is forbidden". So we now need to open some things and close everything else.
Since we are protecting the server network, the list will hang on the interface facing them, that is, on FE0/0.3. The only question is whether to apply it in or out. If we do not want to let packets that are already on the router go towards the servers, it will be outgoing traffic. That is, the destination addresses will be in the server network (from which we will choose which server the packet is going to), and the source addresses can be anything, both from our corporate network and from the Internet.
Another note: since we will filter by destination address as well (one set of rules for the Web server, another for the mail server), the access list will need to be extended, as only an extended list allows that.

Rules in an access list are checked in order from top to bottom until the first match. As soon as one of the rules matches, regardless of whether it is a permit or a deny, the check stops and the traffic is processed according to the matched rule.
That is, if we want to protect the Web server, first of all we need to give permissions, because if we put deny ip any any in the first line, it will always match and no traffic will pass at all. any is a special word that means the network address 0.0.0.0 with the wildcard mask 0.0.0.0, that is, absolutely all nodes from any network. Another special word, host, means the mask 255.255.255.255, that is, one specific address only.
So, the first rule: allow everyone access on port 80

msk-arbat-gw1(config)# ip access-list extended Servers-out
msk-arbat-gw1(config-ext-nacl)# remark WEB
msk-arbat-gw1(config-ext-nacl)# permit tcp any host 172.16.0.2 eq 80

Allow (permit) TCP traffic from any node (any) to the host (host means one address) 172.16.0.2 addressed to port 80.
We try to hang this access list on interface FE0/0:

msk-arbat-gw1(config-subif)# ip access-group Servers-out out

Check from any of our connected computers:

As you can see, the page opens. But what about ping?

And from any other node?

The thing is that after all the rules in a Cisco ACL there is an implicit deny ip any any (implicit deny) at the end. What does this mean for us? Any packet leaving the interface that does not match any rule from the ACL falls under the implicit deny and is discarded. That is, neither ping, nor FTP, nor anything else will get through here any more.

We go further: we need to give full access to the computer from which management will be done. This will be the computer of our admin with the address 172.16.6.66 from the Other network.
Each new rule is automatically added to the end of the list if the list already exists:

msk-arbat-gw1(config)# ip access-list extended Servers-out
msk-arbat-gw1(config-ext-nacl)# permit tcp host 172.16.6.66 host 172.16.0.2 range 20 ftp
msk-arbat-gw1(config-ext-nacl)# permit tcp host 172.16.6.66 host 172.16.0.2 eq telnet

That's all. We check from the desired node (since telnet is not supported on servers in Packet Tracer, we check FTP):

That is, the FTP packet came to the router and should leave via interface FE0/0.3. The router checks and sees that the packet matches the rule we added and lets it through.

And from an outside node:

The FTP packet does not match any rule except the implicit deny ip any any and is discarded.

b) Access to the file server

First of all we need to decide who the "residents" are for whom it must be available. Of course, these are those who have an address from the network 172.16.0.0/16; only they are given access.
Now about shared folders. In most modern systems the SMB protocol is used for this, which needs TCP port 445. On older versions NetBIOS was used, which was fed through three ports: UDP 137 and 138 and TCP 139. Having agreed with our admin, we will configure port 445 (though checking this within Packet Tracer, of course, will not work). But besides this we will need the ports for FTP, 20 and 21, and not only for internal hosts but also for connections from the Internet:
msk-arbat-gw1(config)# ip access-list extended Servers-out
msk-arbat-gw1(config-ext-nacl)# permit tcp 172.16.0.0 0.0.255.255 host 172.16.0.3 eq 445
msk-arbat-gw1(config-ext-nacl)# permit tcp any host 172.16.0.3 range 20 21

Here we again used the construction range 20 21 in order to specify several ports in one line. For FTP, generally speaking, port 21 alone is not enough: if you open only it, authorization will pass, but no file transfer will happen.

0.0.255.255 is a wildcard (inverse) mask. We will talk about what it is a little later.

c) Access to the mail server

We continue working through the practice, now with the mail server. Within the same access list we add the new records we need.
Instead of port numbers for widely used protocols you can specify their names:
msk-arbat-gw1(config)# ip access-list extended Servers-out
msk-arbat-gw1(config-ext-nacl)# permit tcp any host 172.16.0.4 eq pop3
msk-arbat-gw1(config-ext-nacl)# permit tcp any host 172.16.0.4 eq smtp

d) DNS server

msk-arbat-gw1(config)# ip access-list extended Servers-out
msk-arbat-gw1(config-ext-nacl)# permit udp 172.16.0.0 0.0.255.255 host 172.16.0.5 eq 53

e) ICMP

It remains to fix the situation with ping. There is nothing terrible in adding the rules to the end of the list, but somehow it is aesthetically more pleasant to see them first.
We use a simple trick for this. You can use a text editor, for example: copy there the piece about the ACL from show run and add the following lines:
no ip access-list extended Servers-out
ip access-list extended Servers-out
permit icmp any any
remark WEB
permit tcp any host 172.16.0.2 eq www
permit tcp host 172.16.6.66 host 172.16.0.2 range 20 ftp
permit tcp host 172.16.6.66 host 172.16.0.2 eq telnet
remark FILE
permit tcp 172.16.0.0 0.0.255.255 host 172.16.0.3 eq 445
permit tcp any host 172.16.0.3 range 20 21
remark MAIL
permit tcp any host 172.16.0.4 eq pop3
permit tcp any host 172.16.0.4 eq smtp
remark DNS
permit udp 172.16.0.0 0.0.255.255 host 172.16.0.5 eq 53

With the first line we remove the existing list, then we create it again and list all the rules in the order we need. With the command in the third line we allowed the passage of all ICMP packets from any hosts to any hosts.

Next, simply copy all of it as a block and paste it into the console. The interface interprets each line as a separate command and executes it. So we replaced the old list with the new one.
Check that ping works:

Perfect.

This "trick" is fine for initial configuration or if you know exactly what you are doing. On a working network, when you reconfigure an ACL remotely, you risk being left without access to the device you are configuring.

To insert a rule at the beginning or at any other right place, you can resort to this technique:
ip access-list extended Servers-out
1 permit icmp any any

Each rule in the list is numbered with a certain step, and if you put a number before the permit/deny word, the rule will be added not to the end but to the place you need. Unfortunately, this feature does not work in Packet Tracer.
If it suddenly becomes necessary (all the numbers between two rules are used up), you can always renumber the rules (in this example the first rule is assigned number 10 and the increment is 10):
ip access-list resequence Servers-out 10 10

As a result, the access list on the server network will look like this:
ip access-list extended Servers-out
 permit icmp any any
 remark WEB
 permit tcp any host 172.16.0.2 eq www
 permit tcp host 172.16.6.66 host 172.16.0.2 range 20 ftp
 permit tcp host 172.16.6.66 host 172.16.0.2 eq telnet
 remark FILE
 permit tcp 172.16.0.0 0.0.255.255 host 172.16.0.3 eq 445
 permit tcp any host 172.16.0.3 range 20 21
 remark MAIL
 permit tcp any host 172.16.0.4 eq pop3
 permit tcp any host 172.16.0.4 eq smtp
 remark DNS
 permit udp 172.16.0.0 0.0.255.255 host 172.16.0.5 eq 53

So far our admin has access only to the Web server. Give it full access to the entire network. This is the first homework.

f) User rights from the OTHER network

So far we needed to not let someone in somewhere, so we paid attention to the destination address and hung the access list on the traffic going out of the interface.

Now we need to not let out: no requests from computers in the OTHER network should go anywhere beyond it. Well, except, of course, those that we specifically allow.

msk-arbat-gw1(config)# ip access-list extended Other-in
msk-arbat-gw1(config-ext-nacl)# permit ip host 172.16.6.61 any
msk-arbat-gw1(config-ext-nacl)# permit ip host 172.16.6.66 any

Here we could not first forbid everything and then allow the chosen ones, because absolutely all packets would match the rule deny ip any any and the permit would never be triggered at all.
Apply it to the interface, this time inbound:
msk-arbat-gw1(config)# int fa0/0.104
msk-arbat-gw1(config-subif)# ip access-group Other-in in

That is, all IP packets from the host with the address 172.16.6.61 or 172.16.6.66 are allowed to go wherever they are destined. Why do we use an extended access list here too? After all, it would seem that we check only the sender's address. Because we gave the admins full access, but a guest of the company Lift Me Up, for example, who ends up in the same network, should get access to nothing else except the Internet.

g) Network management

Nothing difficult. The rules will look like this:
msk-arbat-gw1(config)# ip access-list extended Management-out
msk-arbat-gw1(config-ext-nacl)# remark IAM
msk-arbat-gw1(config-ext-nacl)# permit ip host 172.16.6.61 172.16.1.0 0.0.0.255
msk-arbat-gw1(config-ext-nacl)# remark ADMIN
msk-arbat-gw1(config-ext-nacl)# permit ip host 172.16.6.66 172.16.1.0 0.0.0.255

This ACL is applied outbound (out) on interface FE0/0.2:
msk-arbat-gw1(config)# int fa0/0.2
msk-arbat-gw1(config-subif)# ip access-group Management-out out

h) No further restrictions

Done.

Mask and wildcard mask

So far we have been giving a strange parameter of the form 0.0.255.255, suspiciously resembling a subnet mask.
It is a little hard to understand, but it is exactly this inverse mask that is used to determine the hosts that match a rule.
To understand what an inverse mask is, you should know what an ordinary one is.

Let's start with the simplest example.

An ordinary network of 256 addresses: 172.16.5.0/24, for example. What does this entry mean?
It means exactly the following:

IP address, decimal:      172       16        5         0
IP address, binary:       10101100  00010000  00000101  00000000
Subnet mask, binary:      11111111  11111111  11111111  00000000
Subnet mask, decimal:     255       255       255       0

An IP address is a parameter 32 bits long, divided into 4 parts, which you are used to seeing in decimal form.
The subnet mask also has a length of 32 bits; it is actually a template, a stencil, by which the subnet address is identified. Where the mask has ones, the value cannot change, that is, the part 172.16.5 is completely unchanged and will be the same for all hosts of this subnet, but the part where there are zeros varies.
That is, in the example we took, 172.16.5.0/24, this is the network address, and the hosts will be 172.16.5.1-172.16.5.254 (the last, 255, is the broadcast), because 00000001 is 1 and 11111110 is 254 (we are talking about the last octet of the address). /24 means that the mask is 24 bits long, that is, we have 24 ones, the constant part, and 8 zeros.
Another case is when we have a mask of, for example, 30 bits rather than 24.
For example, 172.16.2.4/30. Break it down like this:

IP address, decimal:      172       16        2         4
IP address, binary:       10101100  00010000  00000010  00000100
Subnet mask, binary:      11111111  11111111  11111111  11111100
Subnet mask, decimal:     255       255       255       252

As you can see, only the last two bits may vary for this subnet. The last octet can take the following 4 values:
00000100 - subnet address (4 in decimal)
00000101 - node address (5)
00000110 - node address (6)
00000111 - broadcast (7)
Everything outside of this is another subnet.

That is, now it should be a little clearer to you that a subnet mask is a sequence of 32 bits, where first come the ones, which mark the subnet part of the address, and then the zeros, which mark the host part. At the same time, zeros and ones cannot alternate in a mask. That is, the mask 11111111.11100000.11110111.00000000 is impossible.

And what is the inverse mask (wildcard)?
For the overwhelming majority of admins and some engineers, it is nothing more than the inversion of the usual mask. That is, the zeros now mark the part of the address that must match, and the ones, on the contrary, the free part.
That is, in the first example we took, if you want to filter all hosts from the subnet 172.16.5.0/24, you specify the rule in the access list as:
…. 172.16.5.0 0.0.0.255
because the inverse mask will look like this:

00000000.00000000.00000000.11111111

In the second example, with the network 172.16.2.4/30, the inverse mask will look like this: 30 zeros and two ones:

Wildcard mask, binary:    00000000  00000000  00000000  00000011
Wildcard mask, decimal:   0         0         0         3

Accordingly, the parameter in the access list will look like this:
…. 172.16.2.4 0.0.0.3
Later, when you have become fluent in calculating masks and wildcard masks, you will remember the most used numbers and the number of hosts in a particular mask, and will understand that in the situation described the last octet of the wildcard mask is obtained by subtracting the last octet of the usual mask from 255 (255 - 252 = 3), etc. In the meantime you need to practise a lot and count :)

But in fact the wildcard mask is a slightly richer tool: here you can combine addresses inside one subnet or even combine subnets, but the most important difference is that you can alternate zeros and ones. This allows you, for example, to filter a specific node (or group) in several subnets with one line.

Example 1

Given: network 172.16.16.0/24
Required: filter the first 64 addresses (172.16.16.0-172.16.16.63)
Solution: 172.16.16.0 0.0.0.63

Example 2

Given: networks 172.16.16.0/24 and 172.16.17.0/24
Required: filter addresses from both networks
Solution: 172.16.16.0 0.0.1.255

Example 3

Given: networks 172.16.0.0-172.16.255.0
Required: filter the host with address 4 in all subnets
Solution: 172.16.16.0 0.0.255.4
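The mask arithmetic worked through above, as an added example that is not code from the article: it derives a wildcard from a prefix length, inverts a subnet mask, checks whether a mask is contiguous (the only shape a subnet mask may have, as the text says) and enumerates every address an "address wildcard" pair covers, including the discontiguous wildcards that ACLs allow. The addresses and masks are the article's own (172.16.5.0/24, 172.16.2.4/30 and examples 1-3); the function names are this example's.

```python
"""Wildcard (inverse) mask arithmetic for Cisco-style ACL address specs.
Added example; addresses and masks are taken from the article above."""
from ipaddress import IPv4Address

ALL_ONES = 0xFFFFFFFF


def wildcard_from_prefix(prefixlen):
    """/24 -> 0.0.0.255, /30 -> 0.0.0.3: the low (32 - prefixlen) bits are ones."""
    return str(IPv4Address((1 << (32 - prefixlen)) - 1))


def invert_mask(mask):
    """255.255.255.252 -> 0.0.0.3: the wildcard is the subnet mask with every bit flipped."""
    return str(IPv4Address(int(IPv4Address(mask)) ^ ALL_ONES))


def is_contiguous(mask):
    """True when the mask is ones followed by zeros, the only legal shape for a subnet mask."""
    inverse = int(IPv4Address(mask)) ^ ALL_ONES
    # a value of the form 0...01...1 shares no bits with itself plus one
    return (inverse & (inverse + 1)) == 0


def matches(address, base, wildcard):
    """ACL semantics: every bit where the wildcard has a 0 must equal the base address."""
    a, b, w = (int(IPv4Address(x)) for x in (address, base, wildcard))
    return ((a ^ b) & (w ^ ALL_ONES)) == 0


def expand(base, wildcard):
    """Every address a 'base wildcard' pair covers, in ascending order.
    Works for discontiguous wildcards too, which ACLs allow but subnet masks do not."""
    b, w = int(IPv4Address(base)), int(IPv4Address(wildcard))
    free_bits = [i for i in range(32) if (w >> i) & 1]   # positions the rule ignores
    fixed = b & (w ^ ALL_ONES)                            # bits that must match
    addresses = []
    for n in range(1 << len(free_bits)):                  # every value of the free bits
        addr = fixed
        for k, bit in enumerate(free_bits):
            if (n >> k) & 1:
                addr |= 1 << bit
        addresses.append(addr)
    return [str(IPv4Address(x)) for x in sorted(addresses)]


if __name__ == "__main__":
    print(wildcard_from_prefix(24), wildcard_from_prefix(30), invert_mask("255.255.255.252"))
    print(is_contiguous("255.255.255.0"), is_contiguous("255.224.247.0"))
    print(len(expand("172.16.16.0", "0.0.0.63")), len(expand("172.16.16.0", "0.0.1.255")))
    print(expand("172.16.2.4", "0.0.0.3"))
    print(matches("172.16.200.4", "172.16.16.0", "0.0.255.4"))
```

expand() is the check to run before hanging a discontiguous wildcard on a production interface: it lists exactly which hosts the pair covers, so the rule can be compared against what was intended rather than inferred from the octets.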

How ACLs work, in pictures

Hypothetical network:

1) On router RT1, on interface FE0/1, everything except ICMP is allowed in.

2) On router RT2, on interface FE0/1, SSH and Telnet are prohibited.

Tests

1) Ping from computer PC1

2) Telnet from computer PC1 to Server1

3) SSH from computer PC1 to Server2

4) Ping from Server2 to PC1

Supplements

1) Rules acting on outbound traffic (out) do not filter the traffic of the device itself. That is, if you need to forbid the router itself access somewhere, you will have to filter the incoming traffic on that interface (the replies from the place to which access is to be forbidden).

2) Be careful with ACLs. With a small error in a rule, an incorrectly set order or a generally poorly thought-out list, you can be left without access to the device.
For example, you want to close access to everywhere for the network 172.16.6.0/24, except for its address 172.16.6.61, and you set the rules like this:

deny ip 172.16.6.0 0.0.0.255 any
permit ip host 172.16.6.61 any

As soon as you apply the ACL to the interface, you immediately lose access to the router, because you match the first rule and the second one is not even checked.
The second unpleasant situation that can happen to you: traffic will match an ACL that it should not have matched.
Imagine this situation: we have an FTP server in passive mode in the server network. To access it, you opened port 21 in the ACL Servers-out. After the initial establishment of the connection, the FTP server tells the client the port on which it is ready to transmit/receive files, for example 1523. The client tries to establish a TCP connection to this port, but runs into the ACL Servers-out, where there is no such permission, and that is the end of the story of a successful transfer. In our example above, where we set up access to the file server, we opened access only to ports 20 and 21, because for the example that is enough. In real life you will have to tinker. Some examples of ACL configuration for common cases.

3) From point 2 follows a very similar and interesting problem.
Suppose, for example, you hang such ACLs on the Internet-facing interface:

access-list Out permit tcp host 1.1.1.1 host 2.2.2.2 eq 80
access-list In permit tcp host 2.2.2.2 any eq 80

It would seem: the host with the address 1.1.1.1 is allowed access to port 80 on server 2.2.2.2 (first rule), and connections back from server 2.2.2.2 are allowed inward.
But the nuance here is that computer 1.1.1.1 establishes the connection to port 80, but from some other port, for example 1054; that is, the response packet from the server comes to socket 1.1.1.1:1054, does not match any rule of the ACL on in and is discarded due to the implicit deny ip any any.
To avoid such a situation, without opening the ports to the whole world, you can resort to this trick in the ACL on in:
permit tcp host 2.2.2.2 any established

Details of such a solution in one of the following articles.
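The first-match evaluation described in the practice section and the "established" trick from point 3, as an added example that is not code from the article: a small parser and evaluator for Cisco-style extended ACL text. It runs the Servers-out list built above (rule order, named ports, range, and the implicit deny ip any any at the end) and the two inbound lists from point 3, with and without established. The ACL lines are the article's; the packets run through them, the PORT_NAMES table and the function names are constructed for the demonstration.

```python
"""First-match evaluator for Cisco-style extended ACLs. Added example;
the ACL text is the article's, the packets are constructed."""
from ipaddress import IPv4Address

# well-known port names used in the article's ACLs (constructed lookup table)
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
              "domain": 53, "www": 80, "pop3": 110}


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (base, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(IPv4Address(tokens.pop(0))), 0
    return int(IPv4Address(tok)), int(IPv4Address(tokens.pop(0)))


def _ports(tokens):
    """Consume an optional 'eq P' or 'range A B'; return (low, high) or None."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = _port(tokens.pop(0))
        return p, p
    if tokens and tokens[0] == "range":
        tokens.pop(0)
        return _port(tokens.pop(0)), _port(tokens.pop(0))
    return None


def parse_acl(text):
    """Parse the lines of an 'ip access-list extended ...' block into rules."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "remark"):
            continue                     # the header line and remarks carry no rule
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, sport = _addr(rest), _ports(rest)
        dst, dport = _addr(rest), _ports(rest)
        rules.append({"action": action, "proto": proto, "src": src, "dst": dst,
                      "sport": sport, "dport": dport,
                      "established": "established" in rest})
    return rules


def _in(ip, spec):
    """Wildcard match: bits where the wildcard is 0 must equal the base."""
    base, wildcard = spec
    return ((int(IPv4Address(ip)) ^ base) & (wildcard ^ 0xFFFFFFFF)) == 0


def _port_ok(port, spec):
    return spec is None or spec[0] <= port <= spec[1]


def evaluate(rules, pkt):
    """Return 'permit' or 'deny' for a packet dict built by packet()."""
    for r in rules:                      # top to bottom, the first match wins
        if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
            continue
        if not (_in(pkt["src"], r["src"]) and _in(pkt["dst"], r["dst"])):
            continue
        if not (_port_ok(pkt["sport"], r["sport"]) and _port_ok(pkt["dport"], r["dport"])):
            continue
        if r["established"] and not pkt["ack"]:
            continue                     # 'established' needs the ACK (or RST) bit set
        return r["action"]
    return "deny"                        # the implicit deny ip any any at the end


def packet(proto, src, dst, sport=0, dport=0, ack=False):
    return {"proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "ack": ack}


SERVERS_OUT = parse_acl("""
ip access-list extended Servers-out
 permit icmp any any
 remark WEB
 permit tcp any host 172.16.0.2 eq www
 permit tcp host 172.16.6.66 host 172.16.0.2 range 20 ftp
 permit tcp host 172.16.6.66 host 172.16.0.2 eq telnet
 remark FILE
 permit tcp 172.16.0.0 0.0.255.255 host 172.16.0.3 eq 445
 permit tcp any host 172.16.0.3 range 20 21
 remark MAIL
 permit tcp any host 172.16.0.4 eq pop3
 permit tcp any host 172.16.0.4 eq smtp
 remark DNS
 permit udp 172.16.0.0 0.0.255.255 host 172.16.0.5 eq 53
""")
IN_WITHOUT_ESTABLISHED = parse_acl("permit tcp host 2.2.2.2 any eq 80")
IN_WITH_ESTABLISHED = parse_acl("permit tcp host 2.2.2.2 any established")

if __name__ == "__main__":
    reply = packet("tcp", "2.2.2.2", "1.1.1.1", 80, 1054, ack=True)   # server's reply to 1.1.1.1:1054
    print(evaluate(SERVERS_OUT, packet("tcp", "203.0.113.5", "172.16.0.2", 51000, 80)))
    print(evaluate(IN_WITHOUT_ESTABLISHED, reply), evaluate(IN_WITH_ESTABLISHED, reply))
```

Running the reply packet through both inbound lists reproduces point 3: with eq 80 the reply to port 1054 falls through to the implicit deny, while established lets it in without opening every port. The same evaluator run over a candidate list before it is applied is a cheap way to catch the ordering mistake from point 2.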

4) Speaking of the modern world, one cannot pass over such a tool as object groups (object-group).

Suppose we need to create an ACL that lets three specific addresses out to the Internet on three identical ports, with the prospect of expanding the number of addresses and ports. Here is how it looks without object groups:

ip access-list extended To-Internet
 permit tcp host 172.16.6.66 any eq 80
 permit tcp host 172.16.6.66 any eq 8080
 permit tcp host 172.16.6.66 any eq 443

 permit tcp host 172.16.6.67 any eq 80
 permit tcp host 172.16.6.67 any eq 8080
 permit tcp host 172.16.6.67 any eq 443

 permit tcp host 172.16.6.68 any eq 80
 permit tcp host 172.16.6.68 any eq 8080
 permit tcp host 172.16.6.68 any eq 443

As the number of parameters grows, maintaining such an ACL becomes harder and harder, and it gets easier to make a mistake when configuring.
But if you turn to object groups, it takes the following form:
object-group service Inet-Ports
 description Ports allowed for some hosts
 tcp eq www
 tcp eq 8080
 tcp eq 443

object-group network Hosts-to-Inet
 description Hosts allowed to browse the net
 host 172.16.6.66
 host 172.16.6.67
 host 172.16.6.68

ip access-list extended Inet-Out
 permit object-group Inet-Ports object-group Hosts-to-Inet any

At first glance it looks somewhat threatening, but if you figure it out, it is very convenient.

5) Very useful information for troubleshooting can be obtained from the output of the command show ip access-lists %ACL-name%. In addition to the actual list of rules of the specified ACL, this command shows the number of matches for each rule.

msk-arbat-gw1# sh ip access-lists nat-inet
Extended IP access list nat-inet
    (4 match(es))

And by adding log at the end of any rule we will be able to receive a message about each match in the console (the latter does not work in Packet Tracer).

NAT

Network Address Translation is a mechanism that has been absolutely necessary since 1994. Many lances have been broken over it and many packets lost.
It is most often needed to connect your local network to the Internet. The thing is that theoretically there are 255 * 255 * 255 * 255 = 4 228 250 625 addresses, about 4 billion. Even if every resident of the planet had only one computer, there would not be enough addresses. And that is without counting the other hardware connected to the Internet. Smart people realized this in the early 90s, and as a temporary solution it was proposed to divide the address space into public (white) and private (grey) addresses.
The latter include three ranges:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

You can use them freely in your private network, and therefore, of course, they will be repeated. What about uniqueness? Whom will a Web server answer when a request came to it from the return address 192.168.1.1? Rostelecom? Tatneft? Or your neighbour? In the big Internet nobody knows anything about private networks; they are not routed.
This is where NAT enters the scene. By and large it is a trick, a substitution. On the translating device your private address is, roughly speaking, simply replaced with a white address, which will then appear in the packet while it travels to the Web server. White addresses, on the other hand, are routed very well, and the packet will certainly return to the translating device.
But how will it in turn understand what to do with the packet next? Let's deal with that.

Types of NAT

Static

In this case one internal address is translated to one external one. And at the same time all requests coming to the external address are translated to the internal one, as if this host were the owner of that white IP address.

It is configured with the following command:

Router(config)# ip nat inside source static 172.16.6.5 198.51.100.2

What happens:
1) Node 172.16.6.5 addresses the Web server. It sends an IP packet where the destination is 192.0.2.2 and the sender is 172.16.6.5.

2) Through the corporate network the packet is delivered to the gateway 172.16.6.1, where NAT is configured.

3) According to the configured command, the router removes the current IP header and replaces it with a new one, where the white address 198.51.100.2 already appears as the sender's address.

4) Over the big Internet the updated packet reaches the server 192.0.2.2.

5) It sees that the reply should be sent to 198.51.100.2 and prepares the response IP packet. The sender's address is the server's address, 192.0.2.2; the destination address is 198.51.100.2.

6) The packet flies back over the Internet, and not necessarily by the same path.

7) On the translating device it is specified that all requests to the address 198.51.100.2 need to be redirected to 172.16.6.5. The router again strips off the IP header, keeps the TCP segment hidden inside and puts on a new IP header (the sender's address does not change, the destination address is 172.16.6.5).

8) On the internal network the packet is returned to the initiator, which does not even suspect what miracles have been going on at the border.
And so it will be with each packet.
In this case, if the connection is initiated from the Internet, the packets automatically pass through the translating device and land on the internal host.

Such an approach is useful when you have a server inside your network to which full access is needed. Of course, you cannot use this option if you want three hundred hosts to get online through one address. This NAT option will not help save white IP addresses, but it is nevertheless useful.

Dynamic

You have a pool of white addresses; for example, the provider has allocated you the network 198.51.100.0/28 with 16 addresses. Two of them (the first and the last) are the network and broadcast addresses, two more are assigned to equipment to provide routing. The remaining 12 addresses you can use for NAT and let your users out through them.
The situation is similar to static NAT: one private address is translated to one external address, but now the external address is not fixed; it is chosen dynamically from the specified range.
It is configured like this:
Router(config)# ip nat pool lol_pool 198.51.100.3 198.51.103.14

This specifies the pool (range) of public addresses from which an address will be chosen for translation.
Router(config)# access-list 100 permit ip 172.16.6.0 0.0.0.255 any

This specifies an access list that matches all packets with the source address 172.16.6.x, where x ranges over 0-255.
Router(config)# ip nat inside source list 100 pool lol_pool

With this command we tie together the ACL and the pool we created.

This option is not universal either: you will again not be able to let out our 300 users if you do not have 300 external addresses. As soon as the white addresses are exhausted, nobody else can reach the Internet. At the same time, those users who have already managed to grab an external address keep working. To drop all current translations and free the external addresses, use clear ip nat translation *
Apart from the dynamic allocation of external addresses, this dynamic NAT differs from static NAT in that, without a separate port forwarding configuration, an external connection to one of the pool addresses is no longer possible.

MANY-TO-ONE

The following type has several names: NAT Overload, Port Address Translation (PAT), IP Masquerading, Many-to-One NAT.
The last name speaks for itself: through one external address many private ones go out into the world. This solves the problem of the shortage of external addresses and lets everyone who wants out into the world.
Some explanation of how it works is in order. How two private addresses get translated into one can be imagined, but how does the router understand who should receive a packet that has come back from the Internet to that address?
It is all very simple:
Suppose packets from two hosts on the internal network arrive at the translating device. Both carry a request to the web server 192.0.2.2.
The data from the hosts look like this:

The router finds the IP packet from the first host, extracts the TCP segment from it, unpacks it and finds out from which port the connection is being established. It has an external address 198.51.100.2, to which the address from the internal network will be changed.
Next it chooses a free port, for example 11874. And what does it do next? All application-layer data is packed into a new TCP segment, where 80 remains as the destination port (that is where the web server is waiting for connections) and the source port changes from 23761 to 11874. This TCP segment is encapsulated in a new IP packet, in which the source IP address changes from 172.16.6.5 to 198.51.100.2.
The same thing happens with the packet from the second host, only the next free port is chosen, for example 11875. "Free" means it is not yet occupied by other connections.
The data sent to the Internet will now look like this:

In its NAT table the router records the data of the senders and recipients:

For the web server these are two completely different requests, which it must process individually. After that it sends back the reply, which looks like this:

When one of these packets arrives at our router, it matches the data in the packet against the entries in its NAT table. If a match is found, the reverse procedure takes place: the packet and the TCP segment get their initial parameters back, only now as the destination:

And now the packets are delivered over the internal network to the initiating computers, which have no idea that somewhere on the border their data was treated so roughly.

Each of your requests is a separate connection. That is, you tried to open a web page: this is the HTTP protocol, which uses port 80. For this your computer must establish a TCP session with the remote server. Such a session (TCP or UDP) is identified by two sockets: local IP address:local port and remote IP address:remote port. In the usual situation you have one computer-server connection; with NAT there are effectively two connections, router-server and computer-router, while the computer thinks it has a computer-server session.

The configuration is quite trivial: one extra word, overload:

Router(config)# access-list 101 permit ip 172.16.4.0 0.0.0.255 any
Router(config)# ip nat inside source list 101 interface fa0/1 overload

At the same time, of course, the option of configuring a pool of addresses remains:
Router(config)# ip nat pool lol_pool 198.51.100.2 198.51.103.14
Router(config)# access-list 100 permit ip 172.16.6.0 0.0.0.255 any
Router(config)# ip nat inside source list 100 pool lol_pool overload

Port forwarding

It is also called port mapping.
When we first started talking about NAT, the translation was one-to-one and all requests coming from outside were automatically redirected to the internal host. In this way a server could be exposed to the Internet.
But what if you do not have that option, because you are limited in white addresses, or you do not want to expose a whole bunch of ports to the outside?
You can specify that all requests arriving at a specific white address and a specific port of the router must be redirected to the required port of the required internal address.
Router(config)# ip nat inside source static tcp 172.16.0.2 80 198.51.100.2 80 extendable

Applying this command means that a TCP request coming from the Internet to the address 198.51.100.2 on port 80 will be redirected to the internal address 172.16.0.2 on the same port 80. Of course, you can forward UDP too, and redirect from one port to another. This can be useful, for example, if you have two computers that need to be reachable from outside via RDP. RDP uses port 3389. You cannot forward the same port to different hosts (when using one external address). So you can do this:
Router(config)# ip nat inside source static tcp 172.16.6.61 3389 198.51.100.2 3389
Router(config)# ip nat inside source static tcp 172.16.6.66 3389 198.51.100.2 3398

Then to reach the computer 172.16.6.61 you start an RDP session to 198.51.100.2:3389, and to reach 172.16.6.66, to 198.51.100.2:3398. The router itself sorts everything out to where it needs to go.

By the way, this command is a special case of the very first one: ip nat inside source static 172.16.6.66 198.51.100.2. Only in that case we are talking about translating all traffic, and in our examples about specific ports of the TCP protocol.

This is how NAT works. Its features and pros/cons have been covered in a bunch of articles, but we cannot leave them unmentioned.

Weaknesses and strengths of NAT

+

- First of all, NAT saves public IP addresses. That is actually what it was created for. Behind one address you can theoretically let out more than 65,000 gray addresses (by the number of ports).
- Secondly, PAT and dynamic NAT are to some extent a firewall, preventing external connections from reaching the end computers, which may not have their own firewall and antivirus. The point is that if a packet arrives from outside that is not expected or not allowed here, it is simply discarded.
For the packet to be let through and processed, the following conditions must be met:
1) The NAT table must contain an entry for the external address that is given as the source address in the packet
AND
2) The source port in the packet must match the port recorded for that white address in the entry
AND
3) The destination port in the packet matches the port in the entry.
OR
Port forwarding is configured.
But you should not regard NAT as a firewall; it is no more than an extra bonus.

- Thirdly, NAT hides the internal structure of your network from prying eyes: when tracing the route from outside you will see nothing beyond the translating device.
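
The many-to-one translation described above (two inside hosts behind one outside address, replies matched against the NAT table using the three conditions just listed, unsolicited packets dropped) together with the RDP port forwards from the port forwarding section, as an added Python model; this is not code from the article or from Cisco IOS. The outside address 198.51.100.2, the inside hosts, the web server 192.0.2.2, ports 11874/11875 and the two forwards are the article's values; the outside client 203.0.113.9 is a constructed address.

```python
"""Model of NAT overload (PAT) with static port forwards (added example)."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


Socket = Tuple[str, int]   # (ip, port)


class PatRouter:
    """One outside address shared by many inside hosts (ip nat ... overload)."""

    def __init__(self, outside_ip: str, first_port: int = 11874) -> None:
        self.outside_ip = outside_ip
        self.next_port = first_port
        # NAT table: (proto, outside port, peer ip, peer port) -> inside socket
        self.table: Dict[Tuple[str, int, str, int], Socket] = {}
        # static forwards, kept for both directions:
        # (proto, outside port) -> inside socket, (proto, inside ip, port) -> outside port
        self.fwd_in: Dict[Tuple[str, int], Socket] = {}
        self.fwd_out: Dict[Tuple[str, str, int], int] = {}

    def add_static(self, proto: str, inside_ip: str, inside_port: int, outside_port: int) -> None:
        """Equivalent of: ip nat inside source static <proto> <in ip> <in port> <out ip> <out port>."""
        self.fwd_in[(proto, outside_port)] = (inside_ip, inside_port)
        self.fwd_out[(proto, inside_ip, inside_port)] = outside_port

    def _free_port(self, proto: str) -> int:
        """Next port not occupied by another translation or by a static forward."""
        while True:
            port, self.next_port = self.next_port, self.next_port + 1
            used = (proto, port) in self.fwd_in or any(
                k[0] == proto and k[1] == port for k in self.table)
            if not used:
                return port

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source socket and record the translation."""
        static = self.fwd_out.get((pkt.proto, pkt.src_ip, pkt.src_port))
        if static is not None:           # a forwarded host keeps its fixed outside port
            return replace(pkt, src_ip=self.outside_ip, src_port=static)
        for key, inside in self.table.items():   # reuse the entry of an existing session
            if inside == (pkt.src_ip, pkt.src_port) and key[0] == pkt.proto \
                    and key[2:] == (pkt.dst_ip, pkt.dst_port):
                return replace(pkt, src_ip=self.outside_ip, src_port=key[1])
        port = self._free_port(pkt.proto)
        self.table[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.outside_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside. Returns the rewritten packet, or None when it is dropped:
        no entry for this sender ip/port and destination port, and no forward for the port."""
        if pkt.dst_ip != self.outside_ip:
            return None
        inside = self.table.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            inside = self.fwd_in.get((pkt.proto, pkt.dst_port))
        if inside is None:
            return None
        return replace(pkt, dst_ip=inside[0], dst_port=inside[1])


def demo():
    """Replays the scenario from the text; returns the packets after translation."""
    r = PatRouter("198.51.100.2")
    r.add_static("tcp", "172.16.6.61", 3389, 3389)
    r.add_static("tcp", "172.16.6.66", 3389, 3398)
    web = ("192.0.2.2", 80)
    # two inside hosts that happen to pick the same source port 23761
    out1 = r.outbound(Packet("tcp", "172.16.6.5", 23761, *web))
    out2 = r.outbound(Packet("tcp", "172.16.6.6", 23761, *web))
    # the web server's replies are matched against the NAT table
    back1 = r.inbound(Packet("tcp", *web, "198.51.100.2", out1.src_port))
    back2 = r.inbound(Packet("tcp", *web, "198.51.100.2", out2.src_port))
    # an unsolicited packet to the same outside port from another host is dropped
    probe = r.inbound(Packet("tcp", "203.0.113.9", 4444, "198.51.100.2", out1.src_port))
    # RDP to the forwarded port 3398 reaches the admin's machine on 3389
    rdp = r.inbound(Packet("tcp", "203.0.113.9", 50000, "198.51.100.2", 3398))
    return out1, out2, back1, back2, probe, rdp


if __name__ == "__main__":
    for p in demo():
        print(p)
```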

-

NAT has its cons too. The most tangible of them are perhaps the following:
- Some protocols cannot work through NAT without crutches. For example FTP or tunneling protocols (despite how easily I set up FTP in the lab, in real life it can create a bunch of problems)
- Another problem: from one address there are many requests to one server. Many have witnessed this when you go to some Rapidshare and it says that there is already a connection from your IP; you think "liar, dog", and it is your neighbour already downloading. For the same reason there were problems with ICQ when the servers refused to register.
- A not very relevant problem now: the load on the processor and RAM. Since the amount of work is rather large compared to simple routing (it is not enough to just look at the IP header; you need to remove it, take the TCP header, record it in the table, attach new headers), small offices do have problems with this.
I have come across such a situation.
One possible solution is to offload the NAT function to a separate PC or a specialized device, such as a Cisco ASA.
For large players whose routers carry 3-4 BGP full views, this is no longer a problem.

What else do you need to know?
- NAT is used mainly to give hosts with private addresses access to the Internet. But there is another application: connecting two private networks with overlapping address spaces.
For example, your company buys a branch in Aktyubinsk. Your addressing is 10.0.0.0-10.1.255.255, and theirs is 10.1.1.0-10.1.10.255. The ranges clearly overlap and routing cannot be configured, because the same address may exist both in Aktyubinsk and at your headquarters.
In this case NAT is configured at the point of junction. Since there is no shortage of gray addresses, you can allocate, for example, the range 10.2.1.0-10.2.10.255 and do one-to-one translation:
10.1.1.1 - 10.2.1.1
10.1.1.2 - 10.2.1.2

10.1.10.255 - 10.2.10.255

In big-boy toys NAT can be implemented on a separate board (and often is) and does not work without it. In office hardware, on the contrary, it is almost always there.

With the widespread introduction of IPv6 the need for NAT will disappear. Already, large customers are starting to take an interest in NAT64 functionality: that is when your way out into the world is via IPv4, while the internal network is already on IPv6.

Of course, this is only a superficial look at NAT, and there is still a sea of nuances, and self-education will help you not to drown in it.

NAT in practice

What does reality demand of us?
1) The control network has no Internet access at all
2) Hosts from the PTO network have access only to profile sites, for example linkmeup.ru
3) The pretty ladies from accounting need a window cut out to the world of client-banks.
4) FEO is not let out anywhere, with the exception of the financial director
5) On the Other network are our computer and the admin's; we give them full access to the Internet. Everyone else can be opened up on written request.
6) Do not forget about the branches in St. Petersburg and Kemerovo. For simplicity we will set up full access for the helpdesk guys (enikeys) from these subnets.
7) Servers are a separate song. For them we will configure port forwarding. All we need:
a) the web server must be reachable on port 80
b) the mail server on ports 25 and 110
c) the file server reachable from the world via FTP.
8) The admin's computer and ours must be reachable from the Internet via RDP. Actually this is the wrong way: for remote connection you should use a VPN connection and, once on the local network, use RDP, but that is the topic of a separate article.

First, prepare the test bench:

The Internet connection will be organized through the existing link that the provider supplies.
It goes to the provider's network. We remind you that everything in this cloud is an abstract network which may in reality consist of dozens of routers and hundreds of switches. But we need something controllable and predictable, so we put a router here. On one side it has the link from the switch, on the other the servers on the Internet.

The servers we need are the following:
1. Two client-banks for the accountants (sperbank.ru, mmm-bank.ru)
2. linkmeup.ru for the PTO guys
3. Yandex (yandex.ru)

For such a connection we will raise another VLAN on msk-arbat-gw1. Its number, of course, is agreed with the provider. Let it be VLAN 6.
Suppose the provider gives us the subnet 198.51.100.0/28. The first two addresses are used to organize the link (198.51.100.1 and 198.51.100.2), and the rest we use as a pool for NAT. However, nothing at all prevents us from using the address 198.51.100.2 for the pool as well. Let's do that: pool 198.51.100.2-198.51.100.14
For simplicity, suppose the public servers are located on one subnet:
192.0.2.0/24.
How to set up the link and the addresses you already know.
Since there is only one router in the provider's network and all networks are connected directly to it, there is no need to configure routing.
But our msk-arbat-gw1 must know where to send packets to the Internet, so we need the default route:

msk-arbat-gw1(config)# ip route 0.0.0.0 0.0.0.0 198.51.100.1

Now, in order

First we configure the pool of addresses

msk-arbat-gw1(config)# ip nat pool main_pool 198.51.100.2 198.51.100.14 netmask 255.255.255.240

Now assemble the ACL:
msk-arbat-gw1(config)# ip access-list extended nat-inet

1) control network

has no Internet access at all
Done

2) hosts from the PTO network

Have access only to profile sites, for example linkmeup.ru
msk-arbat-gw1(config-ext-nacl)# permit tcp 172.16.3.0 0.0.0.255 host 192.0.2.2 eq 80

3) Accounting

We give all hosts access to both servers.
msk-arbat-gw1(config-ext-nacl)# permit ip 172.16.5.0 0.0.0.255 host 192.0.2.3
msk-arbat-gw1(config-ext-nacl)# permit ip 172.16.5.0 0.0.0.255 host 192.0.2.4

4) FEO

We give permission only to the financial director, that is, only to one host.
msk-arbat-gw1(config-ext-nacl)# permit ip host 172.16.4.123 any

5) Other

Our computers with full access
msk-arbat-gw1(config-ext-nacl)# permit ip host 172.16.6.61 any
msk-arbat-gw1(config-ext-nacl)# permit ip host 172.16.6.66 any

6) branches in St. Petersburg and Kemerovo

Let the helpdesk addresses be the same everywhere: 172.16.x.222
msk-arbat-gw1(config-ext-nacl)# permit ip host 172.16.16.222 any
msk-arbat-gw1(config-ext-nacl)# permit ip host 172.16.17.222 any
msk-arbat-gw1(config-ext-nacl)# permit ip host 172.16.24.222 any

This is how the ACL looks now:
ip access-list extended nat-inet
 remark PTO
 permit tcp 172.16.3.0 0.0.0.255 host 192.0.2.2 eq www
 remark ACCOUNTING
 permit ip 172.16.5.0 0.0.0.255 host 192.0.2.3
 permit ip 172.16.5.0 0.0.0.255 host 192.0.2.4
 remark FEO
 permit ip host 172.16.4.123 any
 remark IAM
 permit ip host 172.16.6.61 any
 remark ADMIN
 permit ip host 172.16.6.66 any
 remark SPB_VSL_ISLAND
 permit ip host 172.16.16.222 any
 remark SPB_OZERKI
 permit ip host 172.16.17.222 any
 remark KMR
 permit ip host 172.16.24.222 any

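To check which packets from requirements 1) to 6) this ACL actually matches (and which therefore get translated, since the ACL selects the traffic for NAT), here is an added Python model of IOS extended-ACL matching with wildcard masks, "host", "any" and "eq <port>". It is not the router's code; the ACL text is the listing above, and the sample packets, including the host 172.16.1.10 standing in for the control network, are constructed.

```python
"""Evaluates the nat-inet ACL against constructed packets (added example)."""
import ipaddress

ACL_TEXT = """
remark PTO
permit tcp 172.16.3.0 0.0.0.255 host 192.0.2.2 eq www
remark ACCOUNTING
permit ip 172.16.5.0 0.0.0.255 host 192.0.2.3
permit ip 172.16.5.0 0.0.0.255 host 192.0.2.4
remark FEO
permit ip host 172.16.4.123 any
remark IAM
permit ip host 172.16.6.61 any
remark ADMIN
permit ip host 172.16.6.66 any
remark SPB_VSL_ISLAND
permit ip host 172.16.16.222 any
remark SPB_OZERKI
permit ip host 172.16.17.222 any
remark KMR
permit ip host 172.16.24.222 any
"""

# IOS accepts a few well-known port names in place of numbers
PORT_NAMES = {"www": 80, "ftp": 21, "smtp": 25, "pop3": 110}


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tok, i):
    """Return ((address, wildcard), next index) for 'any', 'host A' or 'A W'."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def _parse_port(tok, i):
    """Return (port or None, next index) for an optional 'eq <port>'."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_acl(text):
    """Parse permit/deny lines into (action, proto, src, sport, dst, dport)."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        action, proto = tok[0], tok[1]
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        rules.append((action, proto, src, sport, dst, dport))
    return rules


def _matches(addr, spec):
    """Wildcard-mask match: a 1 bit in the mask means 'don't care'."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return _ip(addr) & care == base & care


def acl_permits(rules, proto, src, sport, dst, dport):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if not (_matches(src, rsrc) and _matches(dst, rdst)):
            continue
        if rsport is not None and rsport != sport:
            continue
        if rdport is not None and rdport != dport:
            continue
        return action == "permit"
    return False


NAT_INET = parse_acl(ACL_TEXT)


def will_be_translated(proto, src, sport, dst, dport):
    """Traffic is NATed only if 'ip nat inside source list nat-inet ...' matches it."""
    return acl_permits(NAT_INET, proto, src, sport, dst, dport)


if __name__ == "__main__":
    checks = [  # constructed packets for requirements 1) to 6)
        ("tcp", "172.16.3.15", 40001, "192.0.2.2", 80),    # PTO to linkmeup.ru: yes
        ("tcp", "172.16.3.15", 40002, "192.0.2.2", 443),   # PTO, wrong port: no
        ("icmp", "172.16.5.7", 0, "192.0.2.3", 0),         # accounting pings a client-bank: yes
        ("tcp", "172.16.5.7", 40003, "192.0.2.2", 80),     # accounting to linkmeup.ru: no
        ("tcp", "172.16.4.123", 40004, "192.0.2.5", 80),   # financial director: yes
        ("tcp", "172.16.4.5", 40005, "192.0.2.5", 80),     # any other FEO host: no
        ("tcp", "172.16.1.10", 40006, "192.0.2.5", 80),    # control network: no
        ("tcp", "172.16.24.222", 40007, "192.0.2.5", 80),  # Kemerovo helpdesk: yes
    ]
    for pkt in checks:
        print(pkt, "NAT" if will_be_translated(*pkt) else "no translation")
```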
Apply it:

msk-arbat-gw1(config)# ip nat inside source list nat-inet pool main_pool overload

But happiness will not be complete without configuring the interfaces:
On the external interface you need to give the command ip nat outside
On the internal ones: ip nat inside
msk-arbat-gw1(config)# int fa0/0.101
msk-arbat-gw1(config-subif)# ip nat inside
msk-arbat-gw1(config)# int fa0/0.102
msk-arbat-gw1(config-subif)# ip nat inside
msk-arbat-gw1(config)# int fa0/0.103
msk-arbat-gw1(config-subif)# ip nat inside
msk-arbat-gw1(config)# int fa0/0.104
msk-arbat-gw1(config-subif)# ip nat inside

msk-arbat-gw1(config)# int fa0/1.6
msk-arbat-gw1(config-subif)# ip nat outside

This lets the router understand where to expect the packets it has to process and where to send them.

So that the servers on the Internet are reachable by domain name, it would be good to get a DNS server in our network:


Naturally, it must be configured on the devices from which we will check access:

Show must go on!

Everything is reachable from the admin's computer:

From the PTO network there is access only to the site linkmeup.ru on port 80 (HTTP):



From the FEO network only 4.123 (the financial director) gets out into the world



In accounting only the client-bank sites work. But since permission is given for the whole IP protocol, you can ping them:


7) servers

Here we need to configure port forwarding so that they can be reached from the Internet:

a) web server

msk-arbat-gw1(config)# ip nat inside source static tcp 172.16.0.2 80 198.51.100.2 80

Let's check right away; for example, we can do it from a test PC with the address 192.0.2.7.
For now nothing will work, because for the servers network we have no configured interface on msk-arbat-gw1:
msk-arbat-gw1(config)# int fa0/0.3
msk-arbat-gw1(config-subif)# ip nat inside

And now:

b) file server

msk-arbat-gw1(config)# ip nat inside source static tcp 172.16.0.3 20 198.51.100.3 20
msk-arbat-gw1(config)# ip nat inside source static tcp 172.16.0.3 21 198.51.100.3 21

For this we also opened ports 20-21 for everyone in the ACL Servers-out

c) mail server

msk-arbat-gw1(config)# ip nat inside source static tcp 172.16.0.4 25 198.51.100.4 25
msk-arbat-gw1(config)# ip nat inside source static tcp 172.16.0.4 110 198.51.100.4 110

Checking is not difficult either. Follow the instructions:
First set up the mail server. Specify the domain and create two users.

Configure a computer on our network:

And an external one:

Prepare a letter:

On the local host click Receive:

8) RDP access to the admin's computer and ours

msk-arbat-gw1(config)# ip nat inside source static tcp 172.16.6.61 3389 198.51.100.10 3389
msk-arbat-gw1(config)# ip nat inside source static tcp 172.16.6.66 3389 198.51.100.10 3398

Security

Lastly, one remark. Most likely your translating device looks with its ip nat outside interface outward, onto the Internet. So it would not hurt to hang an ACL on this interface, in which you deny and allow what you need. We will not dwell on this question in this article.

With this, the first acquaintance with NAT technology can be considered complete.
As another piece of homework, answer the question why there is no Internet access from the helpdesk computers in St. Petersburg and Kemerovo. After all, we already added them to the access list.

IP addresses are a scarce resource. The provider may have / 16-address (former class B), which gives you the ability to connect 65,534 hosts. If customers are becoming more, problems begin to arise. Hosts connecting to the Internet from time to time along the usual telephone line, you can highlight the IP addresses dynamically only for the connection time. Then one / 16-address will serve up to 65,534 active users, and this may be enough for a provider who has several hundred thousand customers. When the communication session is completed, the IP address is assigned to a new compound. Such a strategy can solve the problems of providers that have a not very large number of private clients connecting on the telephone line, but will not help providers, most of whose clientele of which are organizations.

The fact is that corporate clients prefer to have a permanent connection with the Internet, at least during the working day. And in small offices, such as tourist agencies, consisting of three employees, and in large corporations there are local networks consisting of a certain number of computers. Some computers are employee workstations, some serve web servers. In the general case, there is a LAN router connected to a dedicated line provider to provide a permanent connection. Such a solution means that one IP address is associated with each computer. In fact, even all together combined computers that have corporate clients cannot block the IP address provider. For the length of the length / 16, this limit is equal to, as we have already noted, 65 534. However, if the provider of Internet service provider the number of corporate clients is calculated tens of thousands, then this limit will be achieved very quickly.

The problem is aggravated by the fact that all more Private users want to have an ADSL or cable connection with the Internet. The features of these methods are as follows:

a) users get a permanent IP address;

b) There is no timeless payment (only the monthly subscription fee is charged).

Users of this kind of service have a permanent connection to the Internet. Development in this direction leads to an increase in the deficit of IP addresses. Assign IP addresses "on the fly", as is done when telephone connection, it is useless, because the number of active addresses at every moment of time can be many times more than the provider.

Often the situation is even more complicated due to the fact that many ADSL users and cable Internet Have houses two or more computers (for example, one for each family member) and want all cars to have access to the Internet. What to do - after all, there is only one IP address issued by the provider! This solution: You must install the router and combine all computers to the local network. From the point of view of the provider, in this case the family will act as an analogue of a small company with several computers. Welcome to Pupkin Corporation!

The problem of the deficit of IP addresses is not theoretical and does not apply to the remote future. She is already relevant, and it comes to fight here and now. The long-term project involves the total translation of the entire Internet to the IPv6 protocol with a 128-bit addressing. This transition is indeed gradually happening, but the process is so slow, which is delayed for years. Seeing this, many realized that it is urgent to find some decision at least for the near future. Such a solution was found in the form of a network address broadcast method, NAT (Network Address Translation)described in RFC 3022. The essence of it we will look later, and more detailed information can be found in (Butcher, 2001).

The main idea of \u200b\u200bthe broadcast of the network address is to assign each company of one IP address (or at least a small number of addresses) for Internet traffic. Inside the company, each computer receives a unique IP address used to routing internal traffic. However, as soon as the package leaves the limits of the company's building and is sent to the provider, the address is being broadcast. For the implementation of this scheme, three ranges of so-called private IP addresses were created. They can be used within the company at its discretion. The only restriction is that packages with such addresses in no case should appear on the Internet. These are these three reserved range:

10.0.0.0 - 10.255.255.255/8 (16,777,126 hosts)

172.16.0.0 - 172.31.255.255/12 (1,048,576 hosts)

192.168.0.0 -192.168.255.255 / 16 (65,536 hosts)

The work of the method of broadcasting network addresses is shown on the prolonged scheme. Within the territory of the company, each machine has its own unique address of the form 10.x.y.z. Nevertheless, when the package goes beyond the ownership of the company, it passes through the NAT block translating the internal IP address of the source (10.0.0.1 in Figure) to the real IP address obtained by the company from the provider (198.60.42.12 for our example) . NAT block is usually single device With a firewall providing security by strictly tracking the incoming and outgoing-sensitive company. The NAT block can be integrated with the company router.

We still managed one small detail: when it comes to a request (for example, from a web server), it is addressed to 198.60.42.12. How does the NAT block find out what domestic address is to replace the company's general address? This is the main problem of using network addresses broadcast. If the header of the IP package was a free field, it could be used to memorize the address of the one who sent a request. But in the title remains unused only one batch. In principle, it would be possible to create such a field for the true address of the source, but it would require changes to the IP code on all machines throughout the Internet. This is not the best way out, especially if we want to find a quick solution to the problem of lack of IP addresses.

Actually happened that's what. The NAT developers noted that most of the useful load of IP packets is either TCP or UDP. Both formats have headlines containing source and receiver ports. The port numbers are 16-bit integers showing where the TCP connection ends and where it ends. The storage location of port numbers is used as a field needed to work NAT.

When the process wants to install a TCP connection with a remote process, it binds to a free TCP port on its own computer. This port becomes a source port that tells the TCP code information about where to direct the packages of this connection. The process also defines the destination port. Through the destination port, it is reported to whom to give the package on the remote side. Ports from 0 to 1023 reserved for well-known services. For example, the 80th port is used by web servers, respectively, they can navigate remote clients. Each Outgoing TCP message contains information about the source port and port of the destination. Together they serve to identify processes at both ends using a compound.

We will draw an analogy that will somewhat clarify the principle of using ports. Suppose the company has one common telephone number. When people are gaining it, they hear the voice of the operator, who asks who exactly they would like to connect, and connect them to the appropriate email telephone number. The main telephone number is an analogy of the company's IP address, and the addition at both ends is similar to the ports. To address ports, a 16-bit field is used, which identifies the process receiving the incoming package.

Using the source port field, we can solve the address mapping problem. When the outgoing package comes to the NAT block, the source address of the source of the form is 192.168.c.c.d is replaced by this IP address. In addition, the TCP source port is replaced by the index of the NAT-block translation table containing 65,536 entries. Each entry contains the original IP address and source port number. Finally, the checksum sums of TCP and IP headers are recalculated and inserted into the package. It is necessary to replace the source port field, because machines with local addresses 10.0.0.1 and 10.0.0.2 may accidentally wish to use the same port (5000 minutes, for example). So, for unambiguous identification of the sender process of one field, the port of the source is not enough.

When the package arrives at the NAT block from the provider, the field value of the TCP header source is retrieved. It is used as the NAT block display table index. According to the record found in this table, the internal IP address and this port of the TCP source are determined. These two values \u200b\u200bare inserted into the package. Then the TCP and IP checksums are re-counted. The package is transmitted to the main route of the company for normal delivery with the address of the view of 192.168.y.z.

If an ADSL or cable Internet is applied, network address transmission can be used to facilitate the fight against the shortage of addresses. Assigned to users addresses have a view of 10.x.y.z. As soon as the package leaves the limits of the provider's possessions and goes online, it falls into the NAT block that converts the internal address to the real IP address of the provider. On the way back the reverse operation is performed. In this sense, for the rest of the Internet, the provider with its customers using ADSL and cable: interview is presented in the form of one large company.

Although the scheme described above partially solves the problem of lack of IP addresses, many IP adherents consider NAT as some kind of infection spreading on the ground. And they can be understood.

First, the principle of broadcasting addresses does not fit into the IP architecture, which implies that each IP address uniquely identifies only one machine in the world. All software structure The Internet is built on the use of this fact. When broadcasting network addresses, it turns out that thousands of machines may (and so happens in reality) to have address 10.0.0.1.

Secondly, NAT turns the Internet from the network without establishing a connection into something similar network-oriented network. The problem is that the NAT block must support the display table for all connections passing through it. Storing the connection status is a connection oriented networks, but not networks without establishing connections. If the NAT block breaks and its display tables lose, then about all TCP connections passing through it can be forgotten. If there is no broadcast of network addresses, the failure of the router does not have any effect on TCP operation. The sending process simply seals a few seconds and sends all unconfirmed packages. When using NAT, the Internet becomes as susceptible to failures as a network switched channels.

Thirdly, NAT disrupts one of the fundamental rules for constructing multi-level protocols: the level K should not build any assumptions about what the level K + 1 placed in the payload field. This principle determines the independence of the levels from each other. If a TCR-2 ever comes to replace TCP, which will have a different header format (for example, 32-bit port addressing), then the broadcast of network addresses will be in fiasco. The whole idea of \u200b\u200bmulti-level protocols is that changes in one of the levels could not affect the remaining levels. Nat destroys this independence.

Fourth, the processes on the Internet are not at all obliged to use only TCP or UDP. If the user of the machine A decides to come up with a new protocol transport level To communicate with the user of the machine in (this can be done, for example, for some multimedia application), then it will have to somehow deal with the fact that the NAT block will not be able to correctly process the TCP source port correctly.

Fifth, some applications insert IP addresses into the message body. The recipient extracts them and then acts on them. Since NAT knows nothing about this kind of addressing, it cannot process such packets correctly, and any attempt to use these addresses with the remote party fails. The File Transfer Protocol (FTP) uses this method and can therefore stop working across network address translation unless special measures are taken. The Internet telephony protocol H.323 has the same property. NAT can be extended to handle H.323 correctly, but it is impossible to patch it every time a new application appears.

Sixth, since the source port field is 16 bits wide, approximately 65,536 local machines can be mapped onto one IP address. In fact the number is somewhat smaller: the first 4096 ports are reserved for service needs. In general, if several IP addresses are available, each of them can support up to 61,440 local addresses.

These and other problems with network address translation are discussed in RFC 2993. Opponents of NAT usually argue that patching the shortage of IP addresses with a temporary workaround only delays the real evolution, which is the transition to IPv6. But back in reality, in most cases NAT is simply indispensable, especially for small offices with anywhere from a handful to several dozen computers. NAT can be implemented by one's own efforts on Linux using

Our apartments hold more and more digital devices: laptops, tablets and smartphones. While there was a single computer in the apartment connected directly to the provider's network, no problem arose. Now there is one: how to connect a new laptop or tablet to the Internet. This is where NAT technology comes to the rescue. What is the essence of NAT?
NAT, Network Address Translation, translated into Russian reads as "conversion of network addresses". NAT is a mechanism in TCP/IP networks that allows the IP addresses of transit packets to be rewritten.
Put simply: if there are several computers on the local network, thanks to NAT all of them can reach the external network (the Internet) through a single external IP address.

What is the IP address?

A router works at the third layer of the OSI model and accordingly uses IP, the network-layer protocol of the TCP/IP stack. An integral part of the protocol is network addressing. According to the existing rules, every device on the network is assigned an IP address, a unique identifier of the node. Two kinds of IP addresses are used: gray and white. Gray addresses are the part of the address space reserved for local networks: the subnets 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. All other subnets are used on the Internet and are white IP addresses.

How to provide shared Internet access for devices on the network.

To connect all devices on the local network to the Internet you need a router. A router is a device that can connect to the Internet through the provider's network and distribute that connection to the attached devices, since it has at least 4 LAN ports and a Wi-Fi module. Do not confuse a router with a simple Ethernet switch, which is essentially a dumb "splitter" for the network. Because a router runs a Unix-like operating system, various services can be brought up on it, including the NAT service. To do that, tick Enable NAT when configuring the router.

So what happens next: for each request passing through it, the router attaches a specific label containing data about the sender on the local network. When the reply to that request arrives, the router uses the label to determine which local IP address to forward the packet to. That, in a nutshell, is the whole principle of NAT.
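The "label" described above is a row in the router's translation table. The following Python model, added here and not taken from the original text, shows one way such a PAT (port address translation) table can work: each outbound connection gets a fresh public port, replies are matched back by that port, and a reboot that empties the table silently drops the replies of every connection that was open, which is the state-loss objection from the earlier list; the default port range reproduces the 61,440 figure quoted there. It is a deliberately simplified model (no timeouts, no port reuse, one public address); the IP addresses and ports are constructed sample values.

```python
"""Toy PAT box: a translation table keyed by the internal sender, one public address."""


class PortPoolExhausted(Exception):
    """Raised when no public port is left for a new mapping."""


class PatBox:
    def __init__(self, public_ip, first_port=4096, last_port=65535):
        # Ports below 4096 are treated as reserved, as the text describes
        self.public_ip = public_ip
        self.first_port = first_port
        self.last_port = last_port
        self.next_port = first_port
        # (src_ip, src_port, dst_ip, dst_port) -> public_port
        self.outbound_map = {}
        # (public_port, dst_ip, dst_port) -> (src_ip, src_port)
        self.inbound_map = {}

    @property
    def capacity(self):
        """How many simultaneous mappings this one public address can hold."""
        return self.last_port - self.first_port + 1

    def _allocate_port(self):
        if self.next_port > self.last_port:
            raise PortPoolExhausted(f"no free port on {self.public_ip}")
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outgoing packet; returns the rewritten (src_ip, src_port, dst_ip, dst_port)."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound_map:
            public_port = self._allocate_port()  # the "label" for this sender
            self.outbound_map[key] = public_port
            self.inbound_map[(public_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.outbound_map[key], dst_ip, dst_port)

    def inbound(self, remote_ip, remote_port, public_port):
        """Map a reply back to (src_ip, src_port); None means no table row, so the packet is dropped."""
        return self.inbound_map.get((public_port, remote_ip, remote_port))

    def reboot(self):
        """Simulate a crash/restart: all state is lost, open connections are now unroutable."""
        self.outbound_map.clear()
        self.inbound_map.clear()
        self.next_port = self.first_port


if __name__ == "__main__":
    box = PatBox("203.0.113.7")
    print("capacity per public address:", box.capacity)
    a = box.outbound("10.0.0.5", 51000, "198.51.100.20", 80)
    b = box.outbound("10.0.0.6", 51000, "198.51.100.20", 80)  # same source port, different host
    print("host A seen as", a[:2], "host B seen as", b[:2])
    print("reply to", a[1], "goes to", box.inbound("198.51.100.20", 80, a[1]))
    box.reboot()
    print("after reboot, reply to", a[1], "goes to", box.inbound("198.51.100.20", 80, a[1]))
```

Two hosts using the same source port are told apart only by the public port the box assigned, which is why the table must exist and why losing it breaks every connection at once.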

  • 01.02.2010

Today we will consider organizing shared Internet access and automatic network configuration on the Windows platform. Although this is a more expensive solution, it is justified when tight integration with a network infrastructure built on Windows Server is required.

As the working platform we used Windows Server 2008 R2, the most current platform today, but everything said below also applies to the earlier versions Windows Server 2003/2008.

First, the network interfaces need to be configured. In our case the interface facing the provider's network gets its settings via DHCP; we renamed it EXT. The internal interface (LAN) has the static IP address 10.0.0.1 and the mask 255.255.255.0.

Setting up NAT.

The simplest way to organize shared Internet access is to enable the corresponding option in the network connection settings. For all its simplicity, however, this method is extremely inflexible and acceptable only if the server will have no other routing tasks. It is better to take the way that looks harder at first glance and get a very powerful and flexible tool that lets you solve far more complex network tasks.
Let's begin, as we should, by adding a new server role: Network Policy and Access Services.

Among the role services we need only Routing and Remote Access Services; nothing else interests us now. After the role installs successfully, you can proceed to the routing settings.

In the snap-in, find the routing service and choose Configure and Enable Routing and Remote Access from the Actions menu. Configuration is done with a wizard that walks through all the settings step by step. Choose Network Address Translation (NAT) as the configuration; any other functions can be configured manually later.

Here you need to specify the interface through which our server is connected to the Internet; if necessary, it can be created here (for example, when a PPPoE or VPN connection is used).

Leave the remaining settings at their defaults; after clicking Finish, the Routing and Remote Access service starts and our server is ready to serve clients on the internal network. You can verify that it works by giving a client machine an IP address from the internal network range and specifying our server's address as its gateway and DNS server.

Setting up DHCP.

To configure network settings on client machines automatically, so that you do not have to run from one to the next entering IP addresses by hand, add the DHCP Server role.

To do this, choose Add Roles in Server Manager and tick the option you need.

Now we have to answer a number of simple questions. In particular, choose which internal networks DHCP should serve; if necessary, different parameters can be configured for different networks. Then specify the DNS and WINS server parameters in turn. The latter may be left blank if there is none. If your network has no old workstations running an OS other than Windows NT 5 and later (2000/XP/Vista/7), there is no need for a WINS server.

Adding a DHCP scope needs heightened attention: a mistake here can render the whole network inoperable. There is nothing difficult about it, just enter all the necessary network parameters carefully, making sure the allocated IP range does not overlap addresses already assigned to other devices, and do not forget to specify the mask and gateway correctly.

Separate attention should be paid to the lease duration. After half of the lease period, the client sends the server a request to extend the lease. If the server is unavailable, the request is repeated after half of the remaining time. In wired networks, where computers do not move around, a fairly long lease period can be set; where there are many mobile users (for example, a public Wi-Fi hotspot in a cafe), the lease period should be limited to a few hours, otherwise leased addresses will not be released in time and the pool may run out of free addresses.

In the next step, decline IPv6 support; after the DHCP role is installed, the server is ready to work without any further settings. You can now check operation from the client machines.

Issued IP addresses can be viewed under Address Leases for the scope you are interested in. Here you can also configure a reservation of a specific address for a specific client (bound by name or MAC address) and, if necessary, add or change scope parameters. Filters let you create allow or deny rules based on client MAC addresses. A fuller discussion of all the features of the Windows Server 2008 R2 DHCP server is beyond the scope of this article; most likely we will devote a separate piece to them.
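As an added example (not from the original article, which works through the GUI wizard), the following Python helper checks the scope parameters the text warns about before they are typed into the wizard, and puts numbers on the lease-duration advice: it lists the renewal attempts a client makes (half the lease, then half of the remaining time, as described above, with the 60-second minimum retry gap from RFC 2131) and estimates how many addresses a scope needs for a given client turnover and lease length. The 10.0.0.0/24 scope and gateway 10.0.0.1 match the article's LAN; the other addresses and the cafe figures are constructed sample values.

```python
"""DHCP scope sanity checks and lease-duration arithmetic."""
import ipaddress
import math


def check_scope(network, range_start, range_end, gateway, static_addresses=()):
    """Return a list of problems with a proposed scope; an empty list means it looks sane."""
    net = ipaddress.ip_network(network, strict=True)
    start, end = ipaddress.ip_address(range_start), ipaddress.ip_address(range_end)
    gw = ipaddress.ip_address(gateway)
    problems = []
    if start > end:
        problems.append("range start is after range end")
    for label, addr in (("range start", start), ("range end", end)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")
    if start == net.network_address or end == net.broadcast_address:
        problems.append("range includes the network or broadcast address")
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    elif start <= gw <= end:
        problems.append(f"gateway {gw} lies inside the dynamic range")
    # Addresses already fixed on other devices must not be handed out dynamically
    for addr in map(ipaddress.ip_address, static_addresses):
        if start <= addr <= end:
            problems.append(f"static address {addr} lies inside the dynamic range")
    return problems


def pool_size(range_start, range_end):
    """Number of addresses in an inclusive range."""
    return int(ipaddress.ip_address(range_end)) - int(ipaddress.ip_address(range_start)) + 1


def renewal_attempts(lease_seconds, min_gap=60):
    """Seconds into the lease at which a client tries to renew if the server keeps failing:
    first at half the lease, then after half of whatever time remains, until the gap
    would drop below min_gap."""
    attempts = []
    t = lease_seconds // 2
    while True:
        attempts.append(t)
        gap = (lease_seconds - t) // 2
        if gap < min_gap:
            return attempts
        t += gap


def addresses_needed(clients_per_hour, lease_hours, stay_hours):
    """Steady-state addresses held: each arriving client ties up an address for at least
    the full lease, even if it leaves earlier without releasing it (typical of phones)."""
    return math.ceil(clients_per_hour * max(lease_hours, stay_hours))


if __name__ == "__main__":
    # Constructed sample scope on the article's 10.0.0.0/24 LAN
    print("problems:", check_scope("10.0.0.0/24", "10.0.0.100", "10.0.0.200",
                                   "10.0.0.1", ["10.0.0.1", "10.0.0.2"]))
    print("pool size:", pool_size("10.0.0.100", "10.0.0.200"))
    print("renewal attempts for an 8-hour lease:", renewal_attempts(8 * 3600))
    # Constructed cafe figures: 20 new clients per hour, each staying about an hour
    for lease in (8 * 24, 2):
        print(f"lease {lease}h: {addresses_needed(20, lease, 1)} addresses needed")
```

With the cafe figures, an 8-day lease ties up far more addresses than a /24 can offer, while a 2-hour lease keeps the requirement well inside the pool, which is the reason the text gives for shortening leases on networks with high client turnover.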
