NAT for Overlapping Networks
NAT for Overlapped Private IP Addresses
- Intranet hosts proactively access extranet hosts. For example, when intranet hosts with the same IP address in different VPNs need to access a server on the public network simultaneously, configure dynamic NAT together with VPNs. This method is called dynamic NAT associated with VPNs.
- Extranet hosts proactively access intranet hosts. For example, when a host on the public network needs to access intranet servers with the same IP address in different VPNs, configure static NAT together with VPNs. This method is called static NAT associated with VPNs.
Dynamic NAT Associated with VPNs
Dynamic NAT associated with VPNs allows intranet users with the same IP address in different VPNs to access a server on the public network simultaneously. Figure 5-8 shows the networking for dynamic NAT associated with VPNs.
Dynamic NAT associated with VPNs is implemented as follows:
1. Host A in VPN A and host B in VPN B both use the IP address 10.1.1.1. Hosts A and B want to access the server on the public network.
2. Hosts A and B send packets to the Router to access the server on the public network. After receiving the packets, the Router performs dynamic NAT on them and records the VPN information about the hosts in the NAT mapping table: the source IP address 10.1.1.1 of host A in VPN A maps to 1.1.1.1, and the source IP address 10.1.1.1 of host B in VPN B maps to 1.1.2.1.
3. After receiving the packets sent from hosts A and B to the extranet server, the Router searches the NAT mapping table based on the source IP address and VPN. The Router translates the source IP address 10.1.1.1 of the packet sent from host A in VPN A into 1.1.1.1, and then sends the packet to the extranet server. In addition, the Router translates the source IP address 10.1.1.1 of the packet sent from host B in VPN B into 1.1.2.1, and then sends the packet to the extranet server.
4. After receiving the response packets sent from the server on the public network to hosts A and B, the Router searches the NAT mapping table based on the destination IP address. The Router translates the destination IP address 1.1.1.1 of the packet sent to host A into 10.1.1.1, and then sends the packet to host A in VPN A. In addition, the Router translates the destination IP address 1.1.2.1 of the packet sent to host B into 10.1.1.1, and then sends the packet to host B in VPN B.
Static NAT Associated with VPNs
Static NAT associated with VPNs allows hosts on a public network to access intranet servers with the same IP address in different VPNs. Figure 5-9 shows the networking for static NAT associated with VPNs.
Static NAT associated with VPNs is implemented as follows:
1. Server A in VPN A and server B in VPN B both use the IP address 10.1.1.1. Host C on a public network wants to access the two servers.
2. Host C sends packets to the Router to access servers A and B on the private network. After receiving the packets, the Router performs static NAT on them and records the VPN information about the servers in the NAT mapping table. The Router creates two mapping entries: one records the mapping between 1.1.1.1 and 10.1.1.1 in VPN A, and the other records the mapping between 1.1.2.1 and 10.1.1.1 in VPN B.
3. After receiving the packets sent from host C to servers A and B, the Router searches the NAT mapping table based on the destination IP address. The Router translates the destination IP address 1.1.1.1 of the packet sent to server A into 10.1.1.1, and then sends the packet to server A in VPN A. Meanwhile, the Router translates the destination IP address 1.1.2.1 of the packet sent to server B into 10.1.1.1, and then sends the packet to server B in VPN B.
4. After receiving the response packets sent from servers A and B on the private network to host C, the Router searches the NAT mapping table based on the source IP address and VPN. The Router translates the source IP address 10.1.1.1 of the packet sent from server A in VPN A into 1.1.1.1, and then sends the packet to host C. Meanwhile, the Router translates the source IP address 10.1.1.1 of the packet sent from server B in VPN B into 1.1.2.1, and then sends the packet to host C.
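The following Python model, added here as an illustration and not taken from the product or its documentation, shows why the VPN has to be part of the NAT mapping key in both the dynamic and the static scenario above. The mapping table is keyed on (inside IP, VPN) on the private side and on the public IP on the public side; the server and host C addresses are assumed (documentation ranges), and the class and function names are constructed for this example. The last function shows the failure mode the text is working around: a table keyed on IP alone cannot hold entries for two hosts that both use 10.1.1.1.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed example: a NAT mapping table whose inside-side key is (IP, VPN).
# Host and server addresses other than those in the text are assumed.

SERVER = "198.51.100.10"   # assumed: public server reached by hosts A and B
HOST_C = "203.0.113.5"     # assumed: public host that reaches servers A and B


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    vpn: Optional[str] = None   # None means the packet is on the public side


class VpnAwareNat:
    """NAT mapping table: (inside IP, VPN) <-> public IP."""

    def __init__(self) -> None:
        self._inside_to_global: Dict[Tuple[str, Optional[str]], str] = {}
        self._global_to_inside: Dict[str, Tuple[str, Optional[str]]] = {}

    def add_mapping(self, inside_ip: str, vpn: Optional[str], global_ip: str) -> None:
        """Static entry, or the entry a dynamic translation allocates on first use."""
        key = (inside_ip, vpn)
        if key in self._inside_to_global or global_ip in self._global_to_inside:
            raise ValueError(f"mapping conflict: {key} / {global_ip}")
        self._inside_to_global[key] = global_ip
        self._global_to_inside[global_ip] = key

    def outbound(self, pkt: Packet, pool=None) -> Packet:
        """Private -> public: look up (source IP, VPN); with a pool, allocate on first use."""
        key = (pkt.src, pkt.vpn)
        if key not in self._inside_to_global:
            if pool is None:
                raise LookupError(f"no mapping for {key}")
            self.add_mapping(pkt.src, pkt.vpn, next(pool))   # dynamic NAT
        return Packet(src=self._inside_to_global[key], dst=pkt.dst)

    def inbound(self, pkt: Packet) -> Packet:
        """Public -> private: look up destination IP; restores inside IP and VPN."""
        inside_ip, vpn = self._global_to_inside[pkt.dst]
        return Packet(src=pkt.src, dst=inside_ip, vpn=vpn)


def dynamic_nat_scenario() -> Dict[str, Packet]:
    """Hosts A (VPN A) and B (VPN B), both 10.1.1.1, reach the public server."""
    nat = VpnAwareNat()
    pool = iter(["1.1.1.1", "1.1.2.1"])      # public addresses from the text
    result = {}
    for host, vpn in (("A", "VPN A"), ("B", "VPN B")):
        result[host + "_out"] = nat.outbound(Packet("10.1.1.1", SERVER, vpn), pool)
    for host, public_ip in (("A", "1.1.1.1"), ("B", "1.1.2.1")):
        result[host + "_in"] = nat.inbound(Packet(SERVER, public_ip))
    return result


def static_nat_scenario() -> Dict[str, Packet]:
    """Host C on the public side reaches servers A (VPN A) and B (VPN B), both 10.1.1.1."""
    nat = VpnAwareNat()
    nat.add_mapping("10.1.1.1", "VPN A", "1.1.1.1")
    nat.add_mapping("10.1.1.1", "VPN B", "1.1.2.1")
    result = {}
    for srv, public_ip in (("A", "1.1.1.1"), ("B", "1.1.2.1")):
        req = nat.inbound(Packet(HOST_C, public_ip))
        result[srv + "_in"] = req
        # the server's reply is matched on (source IP, VPN) on the way back out
        result[srv + "_out"] = nat.outbound(Packet(req.dst, HOST_C, req.vpn))
    return result


def ip_only_table_collides() -> bool:
    """Why the VPN must be in the key: an IP-only table cannot hold both hosts."""
    nat = VpnAwareNat()
    nat.add_mapping("10.1.1.1", None, "1.1.1.1")      # host A, VPN ignored
    try:
        nat.add_mapping("10.1.1.1", None, "1.1.2.1")  # host B collides on the same key
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(dynamic_nat_scenario())
    print(static_nat_scenario())
    print("IP-only table collides:", ip_only_table_collides())
```

In the dynamic case the entries are created by the first outbound packet from each (host, VPN) pair; in the static case they are present before host C's packets arrive. In both directions the lookup that restores the VPN tag is what keeps the two 10.1.1.1 hosts from receiving each other's traffic.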
NAT for Overlapped Private and Public Addresses
- Only one private IP address overlaps with a public IP address. In this scenario, configure twice NAT to allow an intranet user to access an extranet server with the same IP address using a valid public IP address.
- Multiple private IP addresses overlap with public IP addresses. In this scenario, configure twice NAT associated with VPNs to allow multiple intranet users to access an extranet server with the same IP address using valid public IP addresses.
Twice NAT
1. Host A with IP address 1.1.1.1 on the private network wants to access host B with the same IP address on the public network. Host A sends a DNS request to the DNS server on the public network. The DNS server sends a response packet containing the IP address 1.1.1.1 of host B that corresponds to the domain name. When the DNS response packet passes through the Router, the Router performs DNS application level gateway (ALG) processing and creates a NAT entry that records the mapping between host B's IP address 1.1.1.1 and a temporary IP address 3.3.3.1. The Router translates host B's IP address 1.1.1.1 in the response packet into the unique temporary IP address 3.3.3.1 and then forwards the response packet to host A.
2. Host A sends a request packet to host B with the destination IP address set to the temporary IP address 3.3.3.1 and the source IP address set to its own address 1.1.1.1. When the request packet passes through the Router, the Router detects that the destination IP address is a temporary IP address, searches the NAT mapping table based on the destination IP address, and translates the destination IP address into host B's real IP address 1.1.1.1. Meanwhile, the Router performs dynamic NAT on the source IP address of the request packet: it searches the NAT mapping table based on the source IP address and port number of the request packet, translates the source IP address 1.1.1.1 into 2.2.2.2 and the port number 10 into 20, and forwards the packet to host B.
3. Host B sends host A a response packet with the destination IP address set to 2.2.2.2, the address produced by dynamic NAT, and the source IP address set to host B's own address 1.1.1.1. When the response packet passes through the Router, the Router detects that the source IP address is an overlapping address, searches the NAT mapping entries between the overlapping and temporary address pools based on the source IP address, and translates the source IP address into the temporary IP address 3.3.3.1. Meanwhile, the Router searches the NAT mapping table based on the destination IP address and port number of the response packet, translates the destination IP address 2.2.2.2 into 1.1.1.1 and the port number 20 into 10, and forwards the packet to host A.
After the preceding twice NAT operations, host B receives a packet whose source IP address is the valid public IP address 2.2.2.2 and whose destination IP address is its own, while host A receives a packet whose source IP address is the temporary IP address 3.3.3.1 and whose destination IP address is its own. Therefore, host A and host B can communicate with each other even though both use 1.1.1.1.
Twice NAT Associated with VPNs
The process of twice NAT associated with VPNs is similar to that of twice NAT. The difference is that the intranet VPN information is added when the NAT ALG for DNS is configured, so that the NAT mapping entries between the overlapping and temporary address pools carry the intranet VPN information. In step 1 of twice NAT, when a response packet passes through the Router, the Router performs DNS ALG processing and creates NAT entries that record the mappings between the overlapping and temporary address pools, that is, between 3.3.3.1 and 1.1.1.1 in VPN A, and between 4.4.4.1 and 1.1.1.1 in VPN B. In this way, the Router translates the IP address in the DNS response packet sent to host A in VPN A into the temporary IP address 3.3.3.1, and the IP address in the DNS response packet sent to host B in VPN B into the temporary IP address 4.4.4.1. The other steps are similar to those in twice NAT. For details, see the twice NAT process.
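The following Python model is an added example for the twice NAT process above and for its VPN-associated variant; it is not the product's code, and the class, function and pool names, the destination port and the allocation order of public ports are assumptions made for illustration. It carries the text's addresses through both directions: the DNS ALG hands out a temporary address for the overlapping extranet address (keyed on the requesting VPN in the VPN case), the outbound packet has its destination restored and its source translated by dynamic NAT with port 10 becoming 20, and the response has both translations reversed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed example of twice NAT. The overlapping extranet address 1.1.1.1 is hidden
# behind a temporary address (3.3.3.1, or 4.4.4.1 for a second VPN) by the DNS ALG,
# and the intranet source is translated by dynamic NAT to 2.2.2.2 at the same time.
# Pools, ports and the 'vpn' tag are assumptions for illustration.


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    vpn: Optional[str] = None   # intranet VPN; None on the public side


class TwiceNat:
    def __init__(self, temp_pool, public_ip: str, first_port: int) -> None:
        self._temp_pool = iter(temp_pool)    # temporary address pool
        self._public_ip = public_ip          # valid public address for dynamic NAT
        self._next_port = first_port
        self.temp_to_real: Dict[str, Tuple[str, Optional[str]]] = {}
        self.real_to_temp: Dict[Tuple[str, Optional[str]], str] = {}
        self.napt: Dict[Tuple[str, int, Optional[str]], Tuple[str, int]] = {}
        self.napt_rev: Dict[Tuple[str, int], Tuple[str, int, Optional[str]]] = {}

    def dns_alg(self, answer_ip: str, vpn: Optional[str] = None) -> str:
        """Rewrite an overlapping DNS answer to a temporary address (entry keyed on VPN)."""
        key = (answer_ip, vpn)
        if key not in self.real_to_temp:
            temp = next(self._temp_pool)
            self.real_to_temp[key] = temp
            self.temp_to_real[temp] = key
        return self.real_to_temp[key]

    def outbound(self, flow: Flow) -> Flow:
        """Intranet -> extranet: temp dst -> real dst, then dynamic NAT on the source."""
        if flow.dst not in self.temp_to_real:
            raise LookupError(f"{flow.dst} is not a temporary address")
        real_dst, vpn = self.temp_to_real[flow.dst]
        if vpn != flow.vpn:
            raise LookupError("temporary address belongs to another VPN")
        key = (flow.src, flow.sport, flow.vpn)
        if key not in self.napt:
            pub = (self._public_ip, self._next_port)
            self._next_port += 1
            self.napt[key] = pub
            self.napt_rev[pub] = key
        pub_ip, pub_port = self.napt[key]
        return Flow(pub_ip, pub_port, real_dst, flow.dport, None)

    def inbound(self, flow: Flow) -> Flow:
        """Extranet -> intranet: reverse the dynamic NAT, then real src -> temp src."""
        inside_ip, inside_port, vpn = self.napt_rev[(flow.dst, flow.dport)]
        temp_src = self.real_to_temp[(flow.src, vpn)]
        return Flow(temp_src, flow.sport, inside_ip, inside_port, vpn)


def twice_nat_scenario() -> Dict[str, object]:
    """Host A 1.1.1.1:10 reaches host B 1.1.1.1 (assumed port 80) through twice NAT."""
    nat = TwiceNat(temp_pool=["3.3.3.1"], public_ip="2.2.2.2", first_port=20)
    temp = nat.dns_alg("1.1.1.1")
    request = nat.outbound(Flow("1.1.1.1", 10, temp, 80))
    response = nat.inbound(Flow("1.1.1.1", 80, request.src, request.sport))
    return {"temp": temp, "request": request, "response": response}


def twice_nat_vpn_scenario() -> Dict[str, Tuple[str, Flow, Flow]]:
    """Hosts in VPN A and VPN B, both 1.1.1.1, each get their own temporary address."""
    nat = TwiceNat(temp_pool=["3.3.3.1", "4.4.4.1"], public_ip="2.2.2.2", first_port=20)
    result = {}
    for vpn in ("VPN A", "VPN B"):
        temp = nat.dns_alg("1.1.1.1", vpn)
        request = nat.outbound(Flow("1.1.1.1", 10, temp, 80, vpn))
        response = nat.inbound(Flow("1.1.1.1", 80, request.src, request.sport))
        result[vpn] = (temp, request, response)
    return result


if __name__ == "__main__":
    print(twice_nat_scenario())
    print(twice_nat_vpn_scenario())
```

The inbound path shows the dependency the text states in step 3: the response's destination (2.2.2.2, port 20) must be matched first, because that lookup is what tells the Router which VPN's temporary address to put in the source field.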