Suppose an enterprise runs a file server, an OA server, a mail server and so on, and wants them reachable by users outside its network: a sales office in another city, for example, or employees who travel frequently and still need the internal application servers to do their work. The obstacle is that most businesses have only one public IP address, or at best a handful, while the naive way of publishing internal servers needs one public address per server. This article shows how the router's own NAT function lets a single public IP address serve several application servers at the same time. Keep in mind that NAT only makes a server reachable; once it is published, the service itself is facing the Internet and still needs its own access control and patching.
First, choose the appropriate NAT type
NAT (network address translation) comes in three forms: static NAT, dynamic NAT and port address translation (PAT, also called port address mapping; Cisco IOS calls it NAT overload). The differences between the three are large. A network administrator who uses this technology must understand them, and then choose the form that fits the actual situation of the enterprise.
The first type is static NAT. Its main feature is one-to-one: each inside local address (the server's private address) is permanently mapped to one inside global address (a public address). The server itself keeps its private address, but every server that must be reachable from outside consumes one public address. In the case above, publishing all three servers would need at least three public addresses, so static NAT obviously does nothing to save addresses. Its usual justification is that the server's real address is not visible from outside. Hiding the address is not the same as protecting the server, though: the service behind the mapping is fully exposed, and access to it should still be limited with an access list or firewall on the outside interface.
The second type is dynamic NAT. Here an inside address is also translated one-to-one to a public address, but the public address is taken from a pool when an inside host starts a session, and is released again when the translation times out. Nothing is permanent, and the translation is created by traffic from the inside, so an outside user has no way to reach an internal server through dynamic NAT until the server has itself sent something out. Dynamic NAT is therefore a tool for giving inside hosts outbound access, and even then one public address serves only one inside host at a time. It does not meet the requirement described above.
The third type is port address translation (PAT). PAT goes one step beyond dynamic NAT: its working mode is many-to-one. Several inside addresses share one public address, and the router keeps their traffic apart with the port number, so each translation is really inside address and port to public address and port. For the problem in this article the relevant form is static PAT, also known as port forwarding: a fixed public port on the single public address is mapped to one server's address and port, for example public port 25 to the mail server, public port 80 to the OA server and public port 445 to the file server. With it, the administrator can publish application servers that have no public address of their own. The limit is the port, not the address: two servers cannot both be published on the same public port of the same address, so a second web server has to be given a different public port.
It can be seen that the most critical step in implementing NAT is to understand these three working modes and then choose the one that fits the enterprise. Generally speaking, if the enterprise has enough public addresses and only wants the servers' real addresses hidden, static NAT is the simplest choice, with the caveat that hiding an address is not a security control and the exposed service still needs its own access restrictions. Conversely, if the enterprise has several servers and not enough public addresses, static PAT is needed to map several internal addresses onto one public address by way of the port number.
Second, the configuration of port address translation
For NAT, the configuration is actually one of the easiest steps. This article divides NAT work into four parts: design, configuration, verification and troubleshooting. The key to the design is the choice of NAT type discussed above. The configuration is the concrete implementation, done with the ip nat family of commands: in Cisco IOS the interfaces are marked with ip nat inside and ip nat outside, and each published server gets one line of the form ip nat inside source static tcp <server-ip> <server-port> <public-ip> <public-port>, which ties the address and port used by the internal server to the public address and port. Because the configuration is simple, it is not explained at length here; the focus is on the verification and troubleshooting that follow.
Third, verification of the NAT configuration
After NAT has been configured, the configuration needs to be verified right away, rather than waiting until a user reports that access does not work. In a Cisco environment, two commands are mainly used to check whether the NAT configuration is valid.
The first is to view the translation table. When reading it, direction matters: which addresses are inside hosts and which are outside hosts. Under PAT, one set of inside addresses corresponds to a single public address, so the administrator will see many translations from different inside hosts to the same public address, and the static entries for the published servers have no outside peer at all. The direction can be judged from the type of address: under normal circumstances the enterprise's internal servers use private addresses from the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), while the inside global address is public. If the inside local column shows a public address, or the inside global column a private one, the mapping is reversed. The translation table is displayed with the following command; show ip nat statistics additionally lists which interfaces are marked inside and outside and how many translations are active, which is a quick way to catch a missing interface setting.
show ip nat translations
The second is to check connectivity, that is, whether the configuration actually does something. Here the administrator can use the debug ip nat command while a test client on the outside connects to a published server. Each packet that is translated produces a line showing the sender's address, the destination address and which of the two was rewritten, so an inbound request appears as the public address being rewritten to the server's private address and the reply as the reverse. If the client connects and no line appears at all, the packet never reached the translation step, which points to routing or an access list rather than to NAT. Debug output is generated for every translated packet and can overload a busy router, so run it briefly and stop it with no debug ip nat afterwards.
With these two commands, you can usually judge whether the NAT configuration has a problem. Note, though, that they only tell you whether the configuration works. They say nothing about whether the design is reasonable, whether it needs tuning for performance, or whether the exposed services are adequately protected.
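The two checks just described, applied to router output, as an added example that is not code from the original article: it parses constructed sample output of show ip nat translations and debug ip nat (in IOS format), confirms that inside local addresses are RFC 1918 and inside global addresses public, lists the published servers whose static entry is missing, and classifies each debug line as inbound or outbound. The addresses (192.168.1.0/24 inside, 203.0.113.10 as the single public address, 198.51.100.7 as an outside client) and the server list are assumptions.

```python
"""Added example, not code from the original article: parse `show ip nat
translations` and `debug ip nat` output and apply the direction and
completeness checks from the text. All router output below is constructed
sample text in IOS format; addresses and the server list are assumptions."""
import ipaddress
import re

# Constructed sample output of `show ip nat translations`. Static PAT entries
# show '---' in both outside columns; the last row is a live session from an
# outside client to the OA (web) server.
SHOW_IP_NAT_TRANSLATIONS = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 203.0.113.10:80       192.168.1.10:80       ---                   ---
tcp 203.0.113.10:25       192.168.1.20:25       ---                   ---
tcp 203.0.113.10:445      192.168.1.30:445      ---                   ---
tcp 203.0.113.10:80       192.168.1.10:80       198.51.100.7:50123    198.51.100.7:50123
"""

# Constructed sample `debug ip nat` lines: the arrow marks the field the router
# rewrote, so an inbound packet shows d=public->private and the reply s=private->public.
DEBUG_IP_NAT = """\
NAT: s=198.51.100.7, d=203.0.113.10->192.168.1.10 [4521]
NAT: s=192.168.1.10->203.0.113.10, d=198.51.100.7 [17]
"""

# What the administrator intended to publish: (proto, public port) -> server.
# The 443 entry is intended but was never configured (assumption, to show a gap).
EXPECTED_STATIC = {
    ("tcp", 80): ("192.168.1.10", 80),    # OA server
    ("tcp", 25): ("192.168.1.20", 25),    # mail server
    ("tcp", 445): ("192.168.1.30", 445),  # file server
    ("tcp", 443): ("192.168.1.10", 443),  # missing on the router
}

# RFC 1918 only. ipaddress's is_private is deliberately not used: it also
# returns True for the documentation ranges (198.51.100.0/24, 203.0.113.0/24)
# used in this sample, which would hide a real direction error.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def _endpoint(token):
    """'203.0.113.10:80' -> ('203.0.113.10', 80); '---' -> None."""
    if token == "---":
        return None
    ip, _, port = token.rpartition(":")
    return (ip, int(port))

def parse_translations(text):
    """One dict per row of `show ip nat translations`, header skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) != 5:
            continue
        proto, ig, il, ol, og = parts
        rows.append({"proto": proto, "inside_global": _endpoint(ig),
                     "inside_local": _endpoint(il), "outside_local": _endpoint(ol),
                     "outside_global": _endpoint(og)})
    return rows

def direction_errors(rows):
    """Rows whose inside local is not RFC 1918 or whose inside global is."""
    return [r for r in rows
            if not is_rfc1918(r["inside_local"][0]) or is_rfc1918(r["inside_global"][0])]

def missing_static(rows, expected):
    """Published servers with no matching static entry (outside columns '---')."""
    present = {(r["proto"], r["inside_global"][1]): r["inside_local"]
               for r in rows if r["outside_local"] is None}
    return {key: srv for key, srv in expected.items() if present.get(key) != srv}

def active_sessions(rows):
    """(outside client, server) pairs currently traversing the NAT."""
    return sorted({(r["outside_global"][0], r["inside_local"]) for r in rows
                   if r["outside_local"] is not None})

DEBUG_RE = re.compile(
    r"^NAT\*?: s=(?P<s>[\d.]+)(?:->(?P<s2>[\d.]+))?, d=(?P<d>[\d.]+)(?:->(?P<d2>[\d.]+))? \[(?P<ident>\d+)\]")

def parse_debug(text):
    """Classify each `debug ip nat` line as inbound (destination rewritten) or
    outbound (source rewritten); returns (direction, src, dst, ip id)."""
    out = []
    for line in text.splitlines():
        m = DEBUG_RE.match(line)
        if m:
            direction = "inbound" if m.group("d2") else "outbound"
            out.append((direction, m.group("s"), m.group("d"), int(m.group("ident"))))
    return out

if __name__ == "__main__":
    rows = parse_translations(SHOW_IP_NAT_TRANSLATIONS)
    print("direction errors:", direction_errors(rows))
    print("missing static entries:", missing_static(rows, EXPECTED_STATIC))
    print("active sessions:", active_sessions(rows))
    for rec in parse_debug(DEBUG_IP_NAT):
        print("debug:", rec)
```

The same functions can be fed the real output of the two commands pasted from the router; the only thing to adapt is EXPECTED_STATIC, which should be generated from the change ticket rather than typed by hand, so that the check catches what the administrator forgot rather than what they remembered.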
Fourth, analysis and elimination of NAT faults
This section is divided into two parts: problems in the NAT configuration itself, and NAT failures caused by something other than NAT. In practice the latter deserves more attention, because if the NAT design and configuration were right to begin with, NAT itself rarely develops a fault later.
For the NAT configuration itself, network administrators only need to check the following five rules. If none of them is violated, the NAT configuration itself is sound. The five rules are as follows:
The first concerns the access list. In a dynamic NAT or PAT statement, the access list selects which inside source addresses are translated, so it must name the correct addresses. A deny entry in this list means "do not translate", not "drop": a host the list does not permit simply leaves the router with its private address and never gets a reply, which is hard to trace afterwards. It is therefore worth checking the list carefully at the time it is written, and confirming that it contains only the private ranges that are meant to be translated.
The second is to check that the inside and outside interfaces are correctly defined. In the end, NAT operates between interfaces: one must carry ip nat inside and the other ip nat outside, and if either is missing, traffic passes through untranslated and users cannot get in. The other check at this level is the port in each static mapping. For example, if the internal server listens on port 5150 and 515 was entered by mistake, the mapping exists but leads nowhere. Note also that protocols have well-known default ports, for instance FTP uses 21 for control and 20 for active-mode data, but administrators sometimes move a service to a non-standard port (which hides it from casual scans but is not a security measure in itself). In that case, check additionally that the port in the mapping matches the port the server actually listens on.
The third is the address pool. Two things need to be examined. One is whether the range of the dynamic pool is correct, that is, whether the start and end addresses are in the right order and both lie within the netmask given for the pool. The other is whether any address in the pool is duplicated, either within the pool or between two pools. A problem with either can cause access failures.
Fourth, watch for conflicts between different types of NAT. For instance, an enterprise may, for some reason, enable dynamic PAT and static mappings at the same time. In that case, pay special attention that the public addresses used by the static mappings do not also appear in the dynamic address pool; otherwise the two contend for the same address and cause a more serious conflict.
Fifth, confirm that no address that should be in the list has been omitted, and that no address that should not be there has been added. This principle is a summary of the four above: the set of addresses must be complete and accurate, with none missing and none extra. For static PAT it also means that no two servers are mapped to the same public port on the same public address.
Normally, as long as none of the above rules is violated, the NAT configuration itself is not the problem. If users still cannot reach the application server inside the enterprise, other causes need to be considered: routing (the public address must be routed to the outside interface, and the server must send its replies back through the NAT router), an access list or firewall on the outside interface, or a host firewall on the server itself.
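The static PAT configuration from the second section and the five rules from this section, together in one added example that is not code from the original article: a sample Cisco IOS configuration publishing three servers behind one public address, a second copy with one mistake per rule, and an audit function that reports which rule each mistake breaks. The IOS command syntax is real; the configuration text, interface names, addresses (192.168.1.0/24 inside, 203.0.113.8/29 outside) and server list are constructed assumptions.

```python
"""Added example, not code from the original article: a sample IOS static PAT
configuration and an audit of it against the five rules. Configuration text,
interfaces, addresses and the server list are constructed assumptions."""
import ipaddress
import re

GOOD_CONFIG = """\
interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/1
 ip nat inside
ip nat pool OUTBOUND 203.0.113.11 203.0.113.12 netmask 255.255.255.248
ip nat inside source list 10 pool OUTBOUND overload
ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80
ip nat inside source static tcp 192.168.1.20 25 203.0.113.10 25
ip nat inside source static tcp 192.168.1.30 445 203.0.113.10 445
access-list 10 permit 192.168.1.0 0.0.0.255
"""

# Same design with one mistake per rule: undefined access-list 20, no `ip nat
# inside`, a pool that leaves its /29 and swallows the static public address,
# a typo in the OA port (8 for 80) and a forgotten mail entry.
BAD_CONFIG = """\
interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/1
ip nat pool OUTBOUND 203.0.113.9 203.0.113.20 netmask 255.255.255.248
ip nat inside source list 20 pool OUTBOUND overload
ip nat inside source static tcp 192.168.1.10 8 203.0.113.10 80
ip nat inside source static tcp 192.168.1.30 445 203.0.113.10 445
access-list 10 permit 192.168.1.0 0.0.0.255
"""

SERVERS = {"192.168.1.10": 80, "192.168.1.20": 25, "192.168.1.30": 445}  # ip -> port
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
STATIC_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
DYNAMIC_RE = re.compile(r"^ip nat inside source list (\S+) ")
POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+)(?: (\S+))?")

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def parse(config):
    """Pull the NAT-relevant statements out of an IOS running-config."""
    c = {"inside": [], "outside": [], "static": [], "acl_refs": [], "pools": [], "acls": {}}
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("ip nat inside", "ip nat outside"):
            c[line.split()[-1]].append(iface)
        elif line.startswith("interface "):
            iface = line.split()[1]
        elif m := STATIC_RE.match(line):
            p, lip, lport, gip, gport = m.groups()
            c["static"].append((p, lip, int(lport), ipaddress.ip_address(gip), int(gport)))
        elif m := DYNAMIC_RE.match(line):
            c["acl_refs"].append(m.group(1))
        elif m := POOL_RE.match(line):
            name, start, end, mask = m.groups()
            net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
            c["pools"].append((name, ipaddress.ip_address(start), ipaddress.ip_address(end), net))
        elif m := ACL_RE.match(line):
            c["acls"].setdefault(m.group(1), []).append(m.groups()[1:])
    return c

def audit(config, servers):
    """Apply the five rules; return (rule number, message) findings in rule order."""
    c, f = parse(config), []
    for acl in c["acl_refs"]:                                   # rule 1: access list
        entries = c["acls"].get(acl)
        if not entries:
            f.append((1, f"access-list {acl} is referenced but never defined"))
            continue
        for action, addr, arg in entries:
            addr = arg if addr == "host" else addr
            if action == "permit" and (addr == "any" or not is_rfc1918(addr)):
                f.append((1, f"access-list {acl} translates non-RFC1918 source {addr}"))
    if not c["inside"] or not c["outside"]:                     # rule 2: interfaces, ports
        f.append((2, "no interface marked 'ip nat inside' or none marked 'ip nat outside'"))
    for _p, lip, lport, _g, _gp in c["static"]:
        if lip in servers and servers[lip] != lport:
            f.append((2, f"{lip} is mapped on port {lport} but listens on {servers[lip]}"))
    for name, start, end, net in c["pools"]:                     # rule 3: pool ranges
        if start > end or start not in net or end not in net:
            f.append((3, f"pool {name}: {start}-{end} is not a valid range inside {net}"))
    for i, (n1, s1, e1, _) in enumerate(c["pools"]):
        for n2, s2, e2, _ in c["pools"][i + 1:]:
            if s1 <= e2 and s2 <= e1:
                f.append((3, f"pools {n1} and {n2} share addresses"))
    for _p, _l, _lp, gip, gport in c["static"]:                 # rule 4: static vs pool
        for name, start, end, _ in c["pools"]:
            if start <= gip <= end:
                f.append((4, f"static global {gip}:{gport} lies inside pool {name}"))
    published = {lip for _p, lip, *_ in c["static"]}            # rule 5: completeness
    f += [(5, f"server {ip}:{port} has no static entry") for ip, port in servers.items() if ip not in published]
    f += [(5, f"static entry for unknown host {ip}") for ip in published if ip not in servers]
    seen = {}
    for p, lip, _lp, gip, gport in c["static"]:
        if (p, gip, gport) in seen:
            f.append((5, f"{p} {gip}:{gport} is mapped to both {seen[p, gip, gport]} and {lip}"))
        seen[p, gip, gport] = lip
    return f

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit(cfg, SERVERS) or "no findings")
```

Run against the output of show running-config, the audit gives a first pass over the configuration before anyone touches debug ip nat; the SERVERS table is the administrator's statement of intent, and keeping it in the change record is what makes rule 5 (nothing missing, nothing extra) checkable at all.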