As shown, many companies have two ISP exits, such as A and B, and deploy an internal server that external users need to reach. The server's private address 10.1.1.1 therefore has to be configured as two NAT Server entries on the firewall, one for the A users and one for the B users, so that each group of users reaches it through its own public address; this is the NAT Server dual-export function.
After the configuration is completed, A users can reach the internal server through the public address X.X.2.2 and B users can reach it through the public address X.X.3.3, but B users cannot access the A-side public address X.X.2.2, and A users cannot access the Netcom (B-side) public address X.X.3.3 either.
NAT Server dual export is usually configured in one of the following two ways:
1. Configure by security zone: place the telecom (A) users and the Netcom (B) users in different security zones and give each zone its own public IP address.
In this mode, when the internal server actively accesses the external network, the firewall chooses the reverse mapping entry that corresponds to the security zone of the traffic to do the address translation.
[sysname] nat server zone zone1 global 220.127.116.11 inside 10.1.1.1
[sysname] nat server zone zone2 global 18.104.22.168 inside 10.1.1.1
zone1 is the security zone of the telecom users and zone2 is the security zone of the Netcom users.
2. Configure the no-reverse parameter so that no reverse mapping entry is created.
In this mode the internal server is normally not allowed to actively access the external network; if it must do so, an additional NAT entry based on the server's source IP address has to be configured for it.
[sysname] nat server global 22.214.171.124 inside 10.1.1.1 no-reverse
[sysname] nat server global 126.96.36.199 inside 10.1.1.1 no-reverse
Once the above configuration is complete, A users can reach the internal server through the X.X.2.2 address and B users through the X.X.3.3 address.
When an A user accesses the B-side address X.X.3.3, the arriving packet is translated by the forward mapping from X.X.3.3 to 10.1.1.1 and forwarded to the internal server. The server's reply matches the session table, and the route lookup shows that it is destined for an A user, so it is sent out directly on the interface nearest that user: the request came in on the B-user interface, but the reply leaves on the A-user interface.
If other firewall devices sit between this firewall and the A users and have the link-state detection function enabled, a packet whose return path does not match its forward path is not allowed through, and the packet is finally discarded.
When an internal server is made reachable on a public address, this is usually done by configuring a global NAT Server. Every NAT Server entry configured generates two global mapping entries: a forward mapping, used to translate the address when external users access the internal server, and a reverse mapping, used to translate the address when the internal server actively accesses the external network.
When one private IP address of the internal server is mapped to two public IP addresses, two reverse mapping entries are established; when the server then actively accesses the external network there are two candidate mappings, which is not allowed.
The main purpose of configuring NAT Server dual export is to let external users access the server by the nearest path: B users reach the internal server through B's public IP address and A users through the telecom public IP address, giving fast access and avoiding cross access that would affect normal business.
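As an added illustration (not the article's own configuration or any vendor code), the following Python model reproduces the forward and reverse mapping tables described above: it shows why two plain NAT Server entries for 10.1.1.1 leave the reverse lookup ambiguous, how the zone-based and no-reverse variants resolve that, and why an A user reaching the B-side address gets an asymmetric reply path. The public addresses and interface names are constructed stand-ins for the page's X.X.2.2 / X.X.3.3 and the two user-facing interfaces.

```python
# Added model (not the article's code). Addresses are constructed: the page's X.X.2.2 (ISP A)
# and X.X.3.3 (ISP B) become 198.51.100.2 / 203.0.113.3; the server is 10.1.1.1 as on the page.
INSIDE = "10.1.1.1"
GLOBAL_A, GLOBAL_B = "198.51.100.2", "203.0.113.3"
OWNER = {GLOBAL_A: "A", GLOBAL_B: "B"}          # ISP link each public address belongs to
USER_ROUTE = {"A": "if_A", "B": "if_B"}         # constructed: interface that reaches each ISP's users

class NatServerTable:
    """A 'nat server' entry adds a forward map (global -> inside) and, unless no-reverse
    is set, a reverse map keyed by (zone, inside) used when the server initiates traffic."""
    def __init__(self):
        self.forward, self.reverse = {}, {}

    def nat_server(self, global_ip, inside_ip, zone=None, no_reverse=False):
        self.forward[global_ip] = inside_ip
        if not no_reverse:
            self.reverse.setdefault((zone, inside_ip), []).append(global_ip)

    def inbound(self, dst_global):
        """External user -> server: translate the public destination to the private address."""
        return self.forward.get(dst_global)

    def outbound(self, src_inside, zone=None):
        """Server -> external: the public source to use, or None when there is no single
        reverse entry (none at all, or the two-entry ambiguity the page says is not allowed)."""
        cands = self.reverse.get((zone, src_inside), [])
        return cands[0] if len(cands) == 1 else None

def configure(style):
    """Tables produced by the page's configurations: 'plain', 'zone' (way 1) or 'no-reverse' (way 2)."""
    t = NatServerTable()
    zones = ("zone1", "zone2") if style == "zone" else (None, None)   # zone1 = telecom, zone2 = Netcom
    nr = style == "no-reverse"
    t.nat_server(GLOBAL_A, INSIDE, zone=zones[0], no_reverse=nr)
    t.nat_server(GLOBAL_B, INSIDE, zone=zones[1], no_reverse=nr)
    return t

def reply_path(user_isp, dst_global):
    """Interface a request arrives on vs. the one the reply leaves on; a mismatch is the
    cross access (an A user hitting the B address) that a link-state check upstream would drop."""
    in_if = USER_ROUTE[OWNER[dst_global]]   # request enters on the link owning the public address
    out_if = USER_ROUTE[user_isp]           # reply is routed back toward the user's own ISP
    return in_if, out_if, in_if == out_if
```

Calling `configure("plain").outbound(INSIDE)` returns None because both public addresses sit in the same reverse entry, while `reply_path("A", GLOBAL_B)` reports the request entering on if_B and the reply leaving on if_A.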