Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Understanding NAT

Introduction to NAT

NAT translates the IP address in an IP datagram header to another IP address, allowing users on private networks to access public networks. Basic NAT implements one-to-one translation between one private IP address and one public IP address, whereas Network Address and Port Translation (NAPT) also translates the transport-layer port number so that many private IP addresses can share one public IP address (many-to-one translation).

Basic NAT

Basic NAT implements one-to-one IP address translation. In this mode, only the IP address is translated, whereas the TCP/UDP port number remains unchanged. Basic NAT cannot translate multiple private IP addresses to the same public IP address.

Figure 7-87  Networking diagram for basic NAT

As shown in Figure 7-87, the basic NAT process is as follows:

  1. The AP receives a request packet sent from the host on the private network for accessing the server on the public network. The source IP address of the packet is 10.1.1.100.

  2. The AP selects an idle public IP address (162.105.178.65) from the IP address pool, and sets up forward and reverse NAT entries that specify the mapping between the source IP address of the packet and the public IP address. The AP translates the packet's source IP address to the public IP address based on the forward NAT entry, and sends the packet to the server on the public network. After the translation, the packet's source IP address is 162.105.178.65, and its destination IP address is 211.100.7.34.

  3. After receiving a response packet from the server on the public network, the AP queries the reverse NAT entry based on the packet's destination IP address. The AP translates the packet's destination IP address to the private IP address of the host on the private network based on the reverse NAT entry, and sends the packet to the host. After the translation, the packet's source IP address is 211.100.7.34, and its destination IP address is 10.1.1.100.

NOTE:

Basic NAT cannot solve the problem of public IP address shortage because it cannot implement address reuse. Therefore, basic NAT is seldom used in practice.

A NAT device can own far fewer public IP addresses than there are hosts on the private network, because not all hosts access the public network at the same time. Size the public address pool for the number of private hosts that access the public network concurrently during peak hours.

NAPT

In addition to one-to-one address translation, NAPT allows multiple private IP addresses to be mapped to the same public IP address. It is also called many-to-one address translation or address reuse.

NAPT translates the IP address and port number of a packet so that multiple users on a private network can use the same public IP address to access the public network.

Figure 7-88  Networking diagram for NAPT

As shown in Figure 7-88, the NAPT process is as follows:

  1. The AP receives a request packet sent from a host on the private network for accessing the server on the public network. For example, the packet is sent from Host A to the AP with source IP address 10.1.1.100 and source port number 1025.

  2. The AP selects an idle public IP address and an idle port number from the IP address pool, and sets up forward and reverse NAPT entries that map the packet's source IP address and port number to that public IP address and port number. The AP translates the packet's source IP address and port number to the public IP address and port number based on the forward NAPT entry, and sends the packet to the server on the public network. For example, after the translation, the packet from Host A has source IP address 162.105.178.65 and source port number 16384.

  3. After receiving a response packet from the server on the public network, the AP queries the reverse NAPT entry based on the packet's destination IP address and port number. The AP translates the packet's destination IP address and port number to the private IP address and port number of the host on the private network based on the reverse NAPT entry, and sends the packet to the host. For example, after the translation, the packet sent from the server to Host A has destination IP address 10.1.1.100 and destination port number 1025.

Implementation of NAT

Basic NAT and NAPT both translate private IP addresses to public IP addresses on a NAT device: basic NAT one-to-one, NAPT many-to-one. On existing networks, NAT is implemented on these two principles through several features: Easy IP, NAT address pool, NAT server, and static NAT/NAPT.

NAT address pool and Easy IP are implemented in similar ways. This section describes only Easy IP. For the implementation of NAT address pool, see NAPT in Introduction to NAT.

Easy IP

Easy IP uses access control lists (ACLs) to control which private IP addresses are translated. Packets from hosts that the ACL does not permit are not translated and therefore cannot reach the public network through the AP.

Easy IP is applied to the scenario where hosts on a small-scale LAN access the Internet. Such LANs are typically found in small and medium-sized cybercafes or small offices with only a few internal hosts, whose Internet link provides a single public IP address that may be assigned temporarily (for example, dynamically by the ISP). Instead of an address pool, Easy IP translates the internal hosts' addresses to the public IP address of the AP's interface connected to the public network, so the hosts can access the Internet using that address even when it changes.

Figure 7-89  Networking diagram for Easy IP

As shown in Figure 7-89, the Easy IP process is as follows:

  1. The AP receives a request packet sent from the host on the private network for accessing the server on the public network. The packet's source IP address is 10.1.1.100, and its source port number is 1540.
  2. The AP sets up forward and reverse Easy IP entries that map the packet's source IP address and port number to the public IP address of the AP's interface connected to the public network and a port number on it. The AP translates the source IP address and port number of the packet to that public IP address and port number based on the forward Easy IP entry, and sends the packet to the server on the public network. After the translation, the packet's source IP address is 162.10.2.8, and its source port number is 5480.
  3. After receiving a response packet from the server on the public network, the AP queries the reverse Easy IP entry based on the packet's destination IP address and port number. The AP translates the packet's destination IP address and port number to the private IP address and port number of the host on the private network based on the reverse Easy IP entry, and sends the packet to the host. After the translation, the packet's destination IP address is 10.1.1.100, and its destination port number is 1540.
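The following toy translator, added here as an illustration and not code from this guide or from the AP's software, models the three outbound mechanisms described above (basic NAT, NAPT with an address pool, and Easy IP with an ACL) as forward and reverse entry tables. The addresses 162.105.178.65, 162.10.2.8, 10.1.1.100 and 211.100.7.34 are the guide's own; the second host 10.1.1.101, the denied host 10.1.2.50, the outside host 198.51.100.7, the class name and the ACL format are assumptions made for the example.

```python
import ipaddress


class Translator:
    """Forward entries map a private key to a public key and reverse entries map
    back. In basic mode a key is an IP address (ports are untouched); in NAPT and
    Easy IP modes a key is an (IP, port) pair."""

    def __init__(self, mode, pool=(), interface_ip=None, acl=None):
        assert mode in ("basic", "napt", "easy-ip")
        self.mode = mode
        # Easy IP translates to the outbound interface's own address, so its
        # "pool" is that single address; the other modes use a configured pool.
        self.pool = [interface_ip] if mode == "easy-ip" else list(pool)
        # Assumed ACL format: ordered (network, permit) rules, first match wins;
        # None means translate everything, an empty list means deny everything.
        self.acl = None if acl is None else [(ipaddress.ip_network(n), p) for n, p in acl]
        self.forward, self.reverse = {}, {}
        self.next_port = 16384  # first dynamic port, as in Figure 7-88

    def _permitted(self, ip):
        if self.acl is None:
            return True
        addr = ipaddress.ip_address(ip)
        return next((permit for net, permit in self.acl if addr in net), False)

    def _allocate(self):
        """Public side of a new binding, or None when nothing is available."""
        if self.mode == "basic":
            idle = [a for a in self.pool if a not in self.reverse]
            return idle[0] if idle else None
        # NAPT / Easy IP: reuse the address, tell hosts apart by public port
        port, self.next_port = self.next_port, self.next_port + 1
        return (self.pool[0], port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Private -> public. Returns the rewritten 4-tuple, or None when the
        packet is not translated (ACL deny, or exhausted basic-NAT pool)."""
        if not self._permitted(src_ip):
            return None
        key = src_ip if self.mode == "basic" else (src_ip, src_port)
        if key not in self.forward:
            pub = self._allocate()
            if pub is None:
                return None
            self.forward[key], self.reverse[pub] = pub, key
        pub = self.forward[key]
        if self.mode == "basic":
            return (pub, src_port, dst_ip, dst_port)
        return (pub[0], pub[1], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Public -> private through the reverse entry. A packet with no entry
        is dropped (None): that is what hides unmapped private hosts."""
        key = dst_ip if self.mode == "basic" else (dst_ip, dst_port)
        if key not in self.reverse:
            return None
        priv = self.reverse[key]
        if self.mode == "basic":
            return (src_ip, src_port, priv, dst_port)
        return (src_ip, src_port, priv[0], priv[1])


def demo_basic():
    """One public address, two hosts: the second finds the pool exhausted."""
    nat = Translator("basic", pool=["162.105.178.65"])
    out = nat.outbound("10.1.1.100", 1025, "211.100.7.34", 80)
    back = nat.inbound("211.100.7.34", 80, out[0], out[1])
    second = nat.outbound("10.1.1.101", 1025, "211.100.7.34", 80)
    return out, back, second


def demo_napt():
    """Same single address, but both hosts get through on distinct public ports."""
    nat = Translator("napt", pool=["162.105.178.65"])
    a = nat.outbound("10.1.1.100", 1025, "211.100.7.34", 80)
    b = nat.outbound("10.1.1.101", 1025, "211.100.7.34", 80)
    reply_a = nat.inbound("211.100.7.34", 80, a[0], a[1])
    return a, b, reply_a


def demo_easy_ip():
    """Interface address plus ACL: 10.1.2.0/24 matches no permit rule, and an
    unsolicited inbound packet to an unallocated port is dropped."""
    nat = Translator("easy-ip", interface_ip="162.10.2.8", acl=[("10.1.1.0/24", True)])
    a = nat.outbound("10.1.1.100", 1540, "211.100.7.34", 80)
    denied = nat.outbound("10.1.2.50", 1540, "211.100.7.34", 80)
    unsolicited = nat.inbound("198.51.100.7", 4444, "162.10.2.8", 16385)
    return a, denied, unsolicited
```

demo_basic() shows why the guide calls basic NAT impractical: the single pool address is bound to the first host and the second host cannot be translated at all, while demo_napt() serves both hosts from the same address by handing out ports 16384 and 16385. demo_easy_ip() shows the two ways an Easy IP device refuses traffic: an outbound packet whose source the ACL does not permit, and an inbound packet for which no reverse entry exists.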
NAT Server

Because NAT entries are created only by traffic leaving the private network, hosts on the private network are not reachable from the public network by default. When a private network needs to provide services such as WWW and FTP services to public network users, however, the servers on the private network must be accessible to those users at any time.

The NAT server function addresses this: an administrator presets a mapping, and the AP translates the public IP address and port number in an inbound packet to the private IP address and port number of the server. Only the mapped port is exposed; other ports of the same server remain unreachable from the public network.

Figure 7-90  Networking diagram for NAT server implementation

As shown in Figure 7-90, the address translation process of the NAT server is as follows:

  1. Address translation entries of the NAT server are configured on the AP.
  2. The AP receives an access request from a host on the public network and queries the address translation entries based on the packet's destination IP address and port number. It translates the destination IP address and port number to the private IP address and port number in the matching entry and sends the packet to the server on the private network. In the figure, the destination IP address of the packet sent by the public host is 209.102.1.68 and its destination port number is 80; after the translation the destination IP address is 192.168.1.68, and the port number remains unchanged.
  3. After receiving a response packet from the server on the private network, the AP queries the address translation entries based on the packet's source IP address and port number. It translates the source IP address and port number to the public IP address and port number in the matching entry and sends the packet to the host on the public network. The source IP address of the response packet sent by the server on the private network is 192.168.1.68 and its source port number is 80; after the translation the source IP address is 209.102.1.68, and the port number remains unchanged.
Static NAT/NAPT

Static NAT statically binds one private IP address to one public IP address. Only that private IP address is translated to that public IP address, and the binding works in both directions.

Static NAPT statically binds the combination of a private IP address, protocol number, and port number to the combination of a public IP address, protocol number, and port number. Because the port number is part of the binding, multiple private IP addresses can be translated to the same public IP address.

Static NAT/NAPT can also translate host IP addresses in a specified private address range to host IP addresses in a specified public address range, address by address. When an internal host whose IP address is in the private range accesses the external network, static NAT or NAPT translates its address to the corresponding public address. Conversely, an external host can directly access an internal host by sending packets to a public address in the specified range: the AP translates that destination address to the corresponding address in the internal range.
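The block below is an added example, not the AP's implementation, covering both the NAT server entries of Figure 7-90 and the static NAT/NAPT bindings just described. The NAT server entry 209.102.1.68:80 to 192.168.1.68:80 is the guide's; the second server 192.168.1.69 behind port 8080, the address range 192.168.2.0/24 to 209.102.2.0/24, the outside host 203.0.113.5 and the class and method names are assumptions for the demonstration.

```python
import ipaddress


class StaticNat:
    """Static bindings: NAT server entries (per protocol, address and port) and
    static NAT address ranges. Every entry exists before any traffic flows, so
    public hosts can initiate connections to the mapped addresses and ports."""

    def __init__(self):
        self.port_map = {}  # (proto, public_ip, public_port) -> (private_ip, private_port)
        self.port_rev = {}  # (proto, private_ip, private_port) -> (public_ip, public_port)
        self.ranges = []    # (private_network, public_network) of equal size

    def add_server(self, proto, pub_ip, pub_port, priv_ip, priv_port):
        self.port_map[(proto, pub_ip, pub_port)] = (priv_ip, priv_port)
        self.port_rev[(proto, priv_ip, priv_port)] = (pub_ip, pub_port)

    def add_range(self, private_cidr, public_cidr):
        priv, pub = ipaddress.ip_network(private_cidr), ipaddress.ip_network(public_cidr)
        if priv.num_addresses != pub.num_addresses:
            raise ValueError("static NAT ranges must be the same size")
        self.ranges.append((priv, pub))

    @staticmethod
    def _shift(addr, src_net, dst_net):
        """Map addr by its offset inside src_net to the same offset in dst_net."""
        offset = int(addr) - int(src_net.network_address)
        return str(dst_net.network_address + offset)

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Public -> private. A port entry wins, then a range; otherwise drop."""
        hit = self.port_map.get((proto, dst_ip, dst_port))
        if hit:
            return (src_ip, src_port, hit[0], hit[1])
        addr = ipaddress.ip_address(dst_ip)
        for priv_net, pub_net in self.ranges:
            if addr in pub_net:
                return (src_ip, src_port, self._shift(addr, pub_net, priv_net), dst_port)
        return None  # no static entry: the private host is not reachable

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Private -> public using the same bindings in reverse."""
        hit = self.port_rev.get((proto, src_ip, src_port))
        if hit:
            return (hit[0], hit[1], dst_ip, dst_port)
        addr = ipaddress.ip_address(src_ip)
        for priv_net, pub_net in self.ranges:
            if addr in priv_net:
                return (self._shift(addr, priv_net, pub_net), src_port, dst_ip, dst_port)
        return None  # a real device would fall through to dynamic NAT here


def demo():
    nat = StaticNat()
    # NAT server entry of Figure 7-90
    nat.add_server("tcp", "209.102.1.68", 80, "192.168.1.68", 80)
    # static NAPT: a second internal web server shares the public address on 8080
    nat.add_server("tcp", "209.102.1.68", 8080, "192.168.1.69", 80)
    # assumed static NAT range binding
    nat.add_range("192.168.2.0/24", "209.102.2.0/24")

    web = nat.inbound("tcp", "203.0.113.5", 40000, "209.102.1.68", 80)
    reply = nat.outbound("tcp", "192.168.1.68", 80, "203.0.113.5", 40000)
    second = nat.inbound("tcp", "203.0.113.5", 40001, "209.102.1.68", 8080)
    ssh = nat.inbound("tcp", "203.0.113.5", 40002, "209.102.1.68", 22)  # not mapped
    ranged = nat.inbound("tcp", "203.0.113.5", 40003, "209.102.2.17", 443)
    return web, reply, second, ssh, ranged
```

The `ssh` case is the practical point of a NAT server entry: port 22 of 192.168.1.68 is not bound to anything, so the request is dropped, while the range binding exposes every port of every host in 192.168.2.0/24 and should be used only when that is intended.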

NAT ALG

NAT and NAPT translate only the IP addresses in IP datagram headers and the port numbers in TCP/UDP headers. Some protocols, such as FTP, also carry IP addresses or port numbers in the Data field of their packets, and NAT does not translate those. The application level gateway (ALG) function solves this for such protocols. Acting as a translation agent for the application protocol, the ALG interacts with the NAT device to establish state, uses the NAT state information to rewrite the addresses and ports in the Data field of the IP datagrams, and completes the other work needed (for example, creating the NAT entries that the protocol's additional connections will use), so that the application protocol can run across private and public networks.

For example, when an FTP server with a private IP address sets up a session with a host on the public network, the server may need to send its IP address to the host over the FTP control connection. NAT cannot translate this address because it is carried in the Data field. When the host on the public network attempts to connect to the received private IP address, it finds that the FTP server is unreachable.

DNS, FTP, SIP, PPTP and RTSP support the ALG function. Table 7-55 lists the payload fields that NAT ALG translates for different protocols.

Table 7-55  Fields supported by different protocols

Application Protocol: Field

DNS: IP and Port fields in a response packet

FTP:
  • IP and Port fields in the payload of a PORT request packet
  • IP and Port fields in the payload of a passive-mode (PASV) response packet

PPTP (two scenarios):
  • PPTP client on the private network and PPTP server on the public network: Client-Call-ID field
  • PPTP server on the private network and PPTP client on the public network: Server-Call-ID field

RTSP: Port field in a SETUP request/reply OK packet
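As an added example of the FTP rows of Table 7-55 (this is illustrative code, not the AP's ALG), the class below rewrites the endpoint carried in an active-mode PORT command from a private client and in a passive-mode 227 reply from a private server, and records the pinhole the data connection will need. The public address 162.105.178.65, the client 10.1.1.100 and the server 192.168.1.68 come from the guide's figures; the control messages, the port numbers 1026, 5001 and 20000, and the class name are constructed for the demonstration.

```python
import re

# "PORT h1,h2,h3,h4,p1,p2" from the client; "227 ... (h1,h2,h3,h4,p1,p2)" from the server
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")
PASV_RE = re.compile(rb"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode(groups):
    """FTP's h1,h2,h3,h4,p1,p2 encoding -> ("h1.h2.h3.h4", p1*256 + p2)."""
    return ".".join(g.decode() for g in groups[:4]), int(groups[4]) * 256 + int(groups[5])


def _encode(ip, port):
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)]).encode()


class FtpAlg:
    """Toy FTP ALG beside a NAPT. It rewrites the endpoint carried in the FTP
    control payload and pre-creates the NAT entry ("pinhole") that the data
    connection will hit. Only the two messages of Table 7-55 are handled."""

    def __init__(self, public_ip, first_port=20000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.pinholes = {}  # (public_ip, public_port) -> (private_ip, private_port)

    def _rewrite(self, payload, m):
        priv_ip, priv_port = _decode(m.groups())
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.pinholes[(self.public_ip, pub_port)] = (priv_ip, priv_port)
        new = payload[:m.start(1)] + _encode(self.public_ip, pub_port) + payload[m.end(6):]
        # The payload length changed: a real ALG must also adjust the TCP
        # sequence and acknowledgement numbers on this connection by the delta.
        return new, len(new) - len(payload)

    def outbound_control(self, payload):
        """Private client -> public server: active-mode PORT command."""
        m = PORT_RE.match(payload)
        return self._rewrite(payload, m) if m else (payload, 0)

    def inbound_control(self, payload):
        """Private server -> public client: passive-mode 227 reply."""
        m = PASV_RE.match(payload)
        return self._rewrite(payload, m) if m else (payload, 0)

    def data_connection(self, dst_ip, dst_port):
        """Where the NAT forwards an inbound data connection, or None."""
        return self.pinholes.get((dst_ip, dst_port))


def demo():
    alg = FtpAlg("162.105.178.65")
    # Constructed control messages that use the guide's example addresses.
    port_cmd = alg.outbound_control(b"PORT 10,1,1,100,4,2\r\n")  # client data port 1026
    pasv_rep = alg.inbound_control(b"227 Entering Passive Mode (192,168,1,68,19,137).\r\n")
    other = alg.outbound_control(b"RETR file.txt\r\n")  # carries no endpoint: untouched
    return port_cmd, pasv_rep, other, alg.data_connection("162.105.178.65", 20000)
```

Without the rewrite, the public peer would try to connect to 10.1.1.100 or 192.168.1.68, which is exactly the unreachable case the text describes. The returned length delta is the detail most often forgotten when people write their own ALGs: because FTP runs over TCP, a changed payload length without sequence-number fixing breaks the control connection.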

DNS Mapping

In practice, users on a private network may need to access internal servers on the same private network using domain names while the DNS server is located on the public network. The DNS response then carries the public IP address of the internal server. Unless the NAT device replaces that public IP address with the private IP address of the internal server, users on the private network cannot reach the internal server using its domain name, because their traffic is addressed to the public address instead of directly to the server on the LAN.

DNS mapping solves this problem with a configured table that maps each domain name to the public IP address, public port number, and protocol type of the corresponding server on the private network. In this manner the domain names of servers on the private network are tied to their public network information.

Figure 7-91 describes the implementation of DNS mapping.

Figure 7-91  Networking diagram for DNS mapping



As shown in Figure 7-91, the host on the private network needs to access the web server using its domain name, and the AP functions as a NAT server. After receiving a DNS response packet, the AP searches the DNS mapping table for the web server's entry based on the domain name carried in the response. It then replaces the public IP address carried in the DNS response with the private IP address of the web server to which the matching NAT server entry points. The DNS response the host receives therefore carries the private IP address of the web server, and the host can access the web server using the domain name.
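The following added example (illustrative code, not the AP's DNS mapping implementation) builds a minimal DNS A response, parses it including the usual name-compression pointer, and rewrites the answer exactly as the text describes: the queried name is looked up in a DNS mapping table of (public IP, public port, protocol), the matching NAT server entry supplies the private address, and only an A record carrying that public IP is replaced. The public and private addresses 209.102.1.68 and 192.168.1.68 are the guide's; the domain names, 198.51.100.9, the table layouts and the function names are assumptions.

```python
import socket
import struct


def build_response(name, ip, txid=0x1234, ttl=300):
    """Constructed DNS A response for the demo; no resolver is contacted."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # response, 1 question, 1 answer
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def read_name(msg, off):
    """Decode the name at off, following compression pointers; returns (name, next_off)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: jump, remember where we were
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (off if end is None else end)


def a_records(msg):
    """Return (queried name, [(rdata offset, IPv4 string)]) for the A answers."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, qname = 12, None
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    found = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            found.append((off, socket.inet_ntoa(msg[off:off + 4])))
        off += rdlen
    return qname, found


def apply_dns_mapping(msg, dns_mapping, nat_server):
    """dns_mapping: {domain: (public_ip, public_port, proto)} as in the guide;
    nat_server: {(proto, public_ip, public_port): (private_ip, private_port)}.
    Rewrites A answers that carry the mapped public IP; returns (msg, count)."""
    qname, records = a_records(msg)
    entry = dns_mapping.get(qname.lower()) if qname else None
    out, count = bytearray(msg), 0
    if entry:
        pub_ip, pub_port, proto = entry
        server = nat_server.get((proto, pub_ip, pub_port))
        for off, ip in records:
            if server and ip == pub_ip:
                out[off:off + 4] = socket.inet_aton(server[0])
                count += 1
    return bytes(out), count


def demo():
    dns_mapping = {"www.example.com": ("209.102.1.68", 80, "tcp")}
    nat_server = {("tcp", "209.102.1.68", 80): ("192.168.1.68", 80)}
    fixed, n = apply_dns_mapping(build_response("www.example.com", "209.102.1.68"), dns_mapping, nat_server)
    same, m = apply_dns_mapping(build_response("www.example.org", "198.51.100.9"), dns_mapping, nat_server)
    return [ip for _, ip in a_records(fixed)[1]], n, [ip for _, ip in a_records(same)[1]], m
```

Because the A record is rewritten in place and keeps its 4-byte length, no other field of the message changes. Note that this only works on DNS the NAT device can read, that is plain DNS over UDP or TCP; clients that resolve names over DNS over TLS or HTTPS bypass DNS mapping entirely and will receive the public address.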

NAT Filtering and NAT Mapping

NAT filtering lets a NAT device filter traffic arriving from the public network for a private network. NAT mapping determines how the IP addresses and ports of a group of hosts on a private network are mapped onto the same public IP address in the NAT mapping table.

NAT Filtering
A NAT device filters traffic from the public network to the private network. NAT filtering has the following modes:
  • Endpoint-independent filtering

  • Endpoint-dependent filtering

  • Endpoint and port-dependent filtering

Figure 7-92 shows the NAT filtering applications.

Figure 7-92  NAT filtering applications

As shown in the preceding figure, PC-1 on the private network communicates with PC-2 and PC-3 on the public network through a NAT device. Datagram 1 is sent from PC-1 to PC-2 with source port 1111 and destination port 2222; the NAT device translates the source IP address to 202.169.10.1 and keeps port 1111.

After PC-1 has sent this request, hosts on the public network send traffic back to the mapped address and port, and the NAT device filters that traffic. Datagrams 2', 3' and 4' correspond to the three NAT filtering modes:

  • Datagram 2' is sent from PC-3 to PC-1, that is, from an IP address that is not the destination of datagram 1, to the mapped address 202.169.10.1 and port 1111. It passes through the NAT device only under endpoint-independent filtering.
  • Datagram 3' is sent from PC-2 to PC-1, so its source IP address is the destination of datagram 1, but its source port is 3333 instead of 2222. It passes under endpoint-dependent filtering or endpoint-independent filtering, but not under endpoint and port-dependent filtering.
  • Datagram 4' is sent from PC-2 to PC-1 with source port 2222, that is, from exactly the endpoint datagram 1 was sent to. It passes under every filtering mode. Endpoint and port-dependent filtering is the default mode and the most restrictive: only the external address and port that the private host contacted can send traffic back through the mapping. In RFC 4787 terms the three modes are endpoint-independent, address-dependent, and address and port-dependent filtering.
NAT Mapping

With NAT mapping in effect, all flows from the private network appear on the public network to come from the same IP address, because the hosts on the private network share that public address. When a host on the private network initiates a session to a host on the public network, the NAT device looks up the NAT translation table for a matching session record. If one exists, the device translates the private IP address and port number with it and forwards the request; if none exists, the device allocates a translation, adds the new session record to the table, and forwards the request. The mapping mode decides when an existing record is reused:

  • Endpoint-independent mapping: packets from the same private IP address and port reuse the same public IP address and port regardless of which public IP address and port they are sent to.
  • Endpoint and port-dependent mapping: packets from the same private IP address and port reuse a public port only when they are sent to the same public IP address and port and the mapping is still active; a different destination receives a different mapping.
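The following added example, which is illustrative code rather than the AP's implementation, models both the filtering modes of Figure 7-92 and the two mapping modes above in one NAPT class and replays datagrams 1, 2', 3' and 4' under each filtering mode. The public address 202.169.10.1 and the ports 1111, 2222 and 3333 are the guide's; the addresses of PC-1, PC-2 and PC-3, the source port of datagram 2', the second destination port 4444 and the class and constant names are assumptions.

```python
EI = "endpoint-independent"
AD = "endpoint-dependent"
APD = "endpoint-and-port-dependent"


class Nat:
    """NAPT with selectable mapping and filtering behaviour. Endpoints are
    (ip, port) tuples; the private side always maps onto one public address."""

    def __init__(self, public_ip, mapping=EI, filtering=APD, first_port=1111):
        assert mapping in (EI, APD) and filtering in (EI, AD, APD)
        self.public_ip, self.mapping, self.filtering = public_ip, mapping, filtering
        self.next_port = first_port
        self.mappings = {}  # mapping key -> public port
        self.reverse = {}   # public port -> private endpoint
        self.peers = {}     # public port -> set of external endpoints contacted

    def outbound(self, src, dst):
        """Private -> public. The mapping mode decides whether a second
        destination reuses the public port allocated for the first one."""
        key = src if self.mapping == EI else (src, dst)
        if key not in self.mappings:
            port, self.next_port = self.next_port, self.next_port + 1
            self.mappings[key] = port
            self.reverse[port] = src
            self.peers[port] = set()
        port = self.mappings[key]
        self.peers[port].add(dst)
        return (self.public_ip, port), dst

    def inbound(self, src, dst):
        """Public -> private. Returns the private endpoint, or None when the
        filtering mode rejects the external sender."""
        port = dst[1]
        if dst[0] != self.public_ip or port not in self.reverse:
            return None  # no mapping at all: dropped under every mode
        contacted = self.peers[port]
        if self.filtering == EI:
            ok = True  # anyone may use the mapping once it exists
        elif self.filtering == AD:
            ok = any(src[0] == ip for ip, _ in contacted)  # same host, any port
        else:
            ok = src in contacted  # exactly the endpoint the private host talked to
        return self.reverse[port] if ok else None


PC1, PC2, PC3 = "10.1.1.1", "203.0.113.2", "203.0.113.3"  # assumed addresses


def filtering_demo():
    """Datagrams 1, 2', 3' and 4' of Figure 7-92 under each filtering mode;
    each tuple says whether 2', 3' and 4' reach PC-1."""
    results = {}
    for mode in (EI, AD, APD):
        nat = Nat("202.169.10.1", mapping=EI, filtering=mode)
        nat.outbound((PC1, 1111), (PC2, 2222))                   # datagram 1
        d2 = nat.inbound((PC3, 2222), ("202.169.10.1", 1111))   # 2': other host (port assumed)
        d3 = nat.inbound((PC2, 3333), ("202.169.10.1", 1111))   # 3': same host, other port
        d4 = nat.inbound((PC2, 2222), ("202.169.10.1", 1111))   # 4': exact peer
        results[mode] = tuple(x is not None for x in (d2, d3, d4))
    return results


def mapping_demo():
    """Public port chosen for a second destination under each mapping mode."""
    out = {}
    for mode in (EI, APD):
        nat = Nat("202.169.10.1", mapping=mode)
        (_, p1), _ = nat.outbound((PC1, 1111), (PC2, 2222))
        (_, p2), _ = nat.outbound((PC1, 1111), (PC3, 4444))
        out[mode] = (p1, p2)
    return out
```

filtering_demo() reproduces the three bullets above: only datagram 4' passes in the default mode, 3' additionally passes under endpoint-dependent filtering, and 2' passes only under endpoint-independent filtering. The security trade-off is visible in the `ok = True` branch: endpoint-independent filtering turns every outbound session into a port that any Internet host can reach until the mapping ages out, which is what peer-to-peer hole punching relies on and why the restrictive default is the safer choice for a LAN. mapping_demo() shows the other axis: endpoint-independent mapping reuses port 1111 for both destinations, endpoint and port-dependent mapping allocates 1112 for the second one.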
Updated: 2019-01-11

Document ID: EDOC1000176006