NAT Server

In a NAT networking scenario, servers on a private network are invisible to hosts on a public network. However, in real-world situations, a server on a private network may be required to provide services, such as WWW or FTP services, for hosts on a public network.

To meet such a requirement, enable the NAT server function on a NTA device and configure mappings between a private network server's IP address+port number and a public network IP address+port number on the NAT server. For example, on the network shown in Figure 2-4, the NAT server function is enabled on a NAT device, and a private network server's IP address+port number (192.168.0.2:80) are mapped to a public network IP address+port number (10.105.178.2:100). When a public network host requires to access the server 192.168.0.2, the NAT device converts 10.105.178.2:100 to 192.168.0.2:80, so that the service request can reach the server 192.168.0.2 on the private network. Such a conversion operation will not be performed if the host 192.168.0.3 requires to access the server 192.168.0.2 on the same private network.

NOTE:

After the mapping is specified, a UNR is generated on the device. The UNR is used to select an outbound interface for the packets that have been translated by the NAT device.

Figure 2-4 NAT server application

The following uses the network shown in Figure 2-4 as an example to describe the implementation of the NAT server function.

• Static NAT conversion is configured on the NAT device. The NAT device generates a static NAT entry and a UNR.
• A public network host sends a request for accessing a private network server, and the NAT server receives the service request.
• The NAT server searches for a NAT entry that matches the request packet's destination IP address+port number, and converts the destination IP address+port number to the private network IP address+port number recorded in the matching entry. Then, the NAT server sends the packet to the target private network server.
• After receiving a response packet from the private network, the NAT device searches the flow table based on the quintuple of the packet, converts the packet based on the table query result, and sends the packet to the public network.

The address conversion function can easily enable private network servers to provide services for public network hosts. For example, you can enable a web server 10.110.10.10 or an FTP server 10.110.10.11 to provide services for public network hosts.

The NAT internal server function can be classified as address-level and port-level internal servers based on whether both IP addresses and port numbers are translated.

• Address-level NAT for internal servers: During NAT, the IP address alone is translated, and the port number is not translated. In this mode, one public IP address is used only by one internal server.
• Port-level NAT for internal servers: During NAT, both the IP address and port number in each packet are translated. In this mode, one public IP address can be allocated to multiple internal servers, and different servers can be distinguished by port numbers.