Implementation of NAT
Intranet Hosts Accessing Extranet Servers
Dynamic NAT is used when intranet hosts access extranet servers, and it is implemented in either address pool mode or Easy IP mode.
Dynamic NAT in Address Pool Mode
When two or more public IP addresses are available, they are stored in an address pool. The NAT device selects an address from the address pool and creates a NAT mapping between a private address and that public address. Figure 5-5 describes the implementation of dynamic NAT in address pool mode.
The process of dynamic NAT in address pool mode is as follows:
- Host A on the private network sends a packet to the Router to access the server on the public network. The packet's source IP address is 10.1.1.1, and its source port number is 10.
- After receiving the packet, the Router searches the NAT mapping table based on the packet's source IP address and port number and checks whether a NAT mapping entry (10.1.1.1:10 to 1.1.1.1:30) exists. If so, the Router translates the source IP address 10.1.1.1 into 1.1.1.1 and the port number 10 into 30 according to that entry, and then forwards the packet to the server on the public network. If no NAT mapping entry exists, the Router selects an idle public IP address and port number pair from the address pool and sets up forward and reverse NAT entries that record the mapping between the packet's source IP address and port number and the selected public IP address and port number. The Router adds the entries to the NAT mapping table and translates the source IP address and port number into the public IP address and port number.
- The server on the public network sends a response packet to host A's translated public IP address 1.1.1.1. After receiving the response packet, the Router searches the NAT mapping entries based on the destination IP address and port number, translates the destination IP address 1.1.1.1 into 10.1.1.1 and the port number 30 into 10, and forwards the packet to host A.
- The process for host B on the private network to access the server on the public network is similar. The Router selects another idle public IP address and port number pair from the address pool and sets up forward and reverse NAT mapping entries for host B.
Dynamic NAT in Easy IP Mode
When only one public IP address is available, you can assign it to the outbound interface of the NAT device and configure dynamic NAT in Easy IP mode. The NAT device then uses the outbound interface IP address for address translation. Figure 5-6 describes the implementation of dynamic NAT in Easy IP mode.
The process of dynamic NAT in Easy IP mode is as follows:
- Host A on the private network sends a packet to the Router to access the server on the public network. The packet's source IP address is 10.1.1.1, and its source port number is 10.
- After receiving the packet, the Router searches the NAT mapping table based on the packet's source IP address and port number and checks whether a NAT mapping entry (10.1.1.1:10 to 1.1.1.1:30) exists. If so, the Router translates the source IP address 10.1.1.1 into 1.1.1.1 and the port number 10 into 30, and then forwards the packet to the server on the public network. If no NAT mapping entry exists, the Router sets up forward and reverse entries that record the mapping between the packet's source IP address and port number and the IP address 1.1.1.1 of GE1/0/0 together with an idle port number. The Router adds the entries to the NAT mapping table and translates the source IP address and port number.
- The server on the public network sends a response packet to host A's translated public IP address 1.1.1.1. After receiving the response packet, the Router searches the NAT mapping entries based on the destination IP address and port number, translates the destination IP address 1.1.1.1 into 10.1.1.1 and the port number 30 into 10, and forwards the packet to host A.
- The process for host B on the private network to access the server on the public network is similar. Because the IP address of the outbound interface GE1/0/0 is fixed, the Router selects another idle port number and creates NAT mapping entries for host B. Host A and host B therefore share the same public IP address but use different port numbers to access the server on the public network.
Extranet Hosts Accessing Intranet Servers
Static NAT enables servers on a private network to provide services to hosts on the public network. Figure 5-7 shows the implementation of static NAT.
The process of static NAT is as follows:
- Host C on the public network needs to access the server on the private network. A static NAT entry that records the mapping between the server's public IP address and port number and its private IP address and port number is configured on the Router and added to the NAT mapping table.
- Host C sends a packet to the Router. The packet's destination IP address is 1.1.1.1, and its destination port number is 20. After receiving the packet, the Router searches the NAT mapping table based on the packet's destination IP address and port number for the mapped private IP address and port number. The Router then translates the destination IP address 1.1.1.1 into 10.1.1.1 and the port number 20 into 10, and forwards the packet to the server on the private network.
- The server sends a response packet to host C using its private IP address and port number. After receiving the response packet, the Router searches the NAT mapping table based on the packet's source IP address and port number for the mapped public IP address and port number. The Router then translates the source IP address 10.1.1.1 into 1.1.1.1 and the port number 10 into 20, and forwards the packet to host C.
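The following is an added example, not part of the original page or of any vendor implementation: a small Python model of the NAT mapping table that covers all three procedures above (address pool mode, Easy IP mode and static NAT). The addresses and ports are the page's own figure values; the class name, the starting public port 30 and the allocation order are assumptions of this model. It also shows the point a defender cares about: dynamic entries are created only by outbound traffic, so an unsolicited inbound packet is translated only when a static entry exists and is otherwise dropped.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    """An IP address and port, e.g. 10.1.1.1:10 (values taken from the page's figures)."""
    ip: str
    port: int


class NatTable:
    """Forward (private -> public) and reverse (public -> private) NAT mapping entries."""
    FIRST_PORT = 30  # assumption: first idle public port this model hands out

    def __init__(self, pool, static=None):
        self.pool = list(pool)   # public addresses; a one-address pool models Easy IP mode
        self.forward = {}        # Endpoint(private) -> Endpoint(public)
        self.reverse = {}        # Endpoint(public)  -> Endpoint(private)
        for public, private in (static or {}).items():
            self._install(private, public)  # static NAT: entries exist before any traffic

    def _install(self, private, public):
        self.forward[private] = public
        self.reverse[public] = private

    def _idle_public(self):
        # Walk ports first, then pool addresses: with several addresses (address pool
        # mode) two hosts get different addresses; with one address (Easy IP) only the
        # port differs, as described for host A and host B.
        for port in range(self.FIRST_PORT, 65536):
            for ip in self.pool:
                candidate = Endpoint(ip, port)
                if candidate not in self.reverse:
                    return candidate
        raise RuntimeError("address pool exhausted")

    def outbound(self, src):
        """Private host -> public server: reuse the entry if present, else create both directions."""
        if src not in self.forward:
            self._install(src, self._idle_public())
        return self.forward[src]

    def inbound(self, dst):
        """Public -> private: translate only when a reverse entry exists; None means drop.
        Dynamic entries come from outbound traffic, so an unsolicited inbound packet
        reaches a private host only through a static entry."""
        return self.reverse.get(dst)
```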