Updated on 2025-04-11

Application of NAT/PAT in Campus Network

Abstract: Using NAT/PAT to manage IP addresses in a campus network simplifies network management, saves registered IP addresses, improves address utilization, and conceals the IP addresses of sensitive services. Applying different NAT/PAT address-management schemes to different user groups in the campus network is therefore important.

Keywords: NAT; PAT; Campus Network; IP Address Management

0 Introduction

With the rapid development of campus networks, their scale keeps growing and the number of departments using them keeps increasing. The abundant resources on the Internet are a huge attraction, and the number of access users has grown rapidly as a result. Network management is becoming increasingly complex: registered legal IP addresses are in ever shorter supply, so multiple users have to share IP addresses at the same time, and some departments do not want external network users to learn the structure of their internal network. Many solutions to these problems have emerged; the most effective ones commonly used in campus network environments are network address translation (NAT) and port address translation (PAT).

1 NAT/PAT

NAT (network address translation) converts the IP addresses used in the internal network into the IP addresses used in the external network: it turns non-routable IP addresses into routable ones, saves IP addresses registered with the NIC (Network Information Center), and conceals the internal network structure from the external network. PAT (port address translation) is a special form of NAT, also known as NAT multiplexing, which maps many internal network IP addresses to one or a few external network IP addresses, so that internal network users share a common external IP address and fewer NIC-registered IP addresses are needed.

NAT functions are usually integrated into routers, firewalls and ISDN routers, or provided by separate NAT devices. A NAT device maintains a state table that maps internal network IP addresses to external network IP addresses; each packet is translated in the NAT device and forwarded to the next hop. NAT itself does not provide security of the kind offered by firewalls, packet filtering or tunneling. It only changes the IP address in the outermost layer of the packet, so that external network users cannot learn the address structure of the internal network, which prevents casual unauthorized access by ordinary external users.

There are three ways to apply NAT: static NAT, dynamic NAT (pooled NAT) and PAT (port multiplexing NAT). Static NAT uses a fixed allocation method to map the IP addresses of internal and external networks. Dynamic NAT uses dynamic allocation to map the IP addresses of internal and external networks. PAT maps multiple internal network IP addresses to different ports of the same IP address on the external network.

2 NAT/PAT application

Static NAT

Static network address translation is the simplest form of NAT. Internal and external network IP addresses are mapped one-to-one in a fixed way, and the addresses to be translated must be specified explicitly. If the internal network contains E-mail, FTP, WEB or other servers that provide services to external network users, the IP addresses of these servers must be translated statically so that external users can reach these services.

Dynamic NAT Pool

Dynamic (pooled) NAT maps internal network IP addresses to external network IP addresses by dynamic allocation. It lets the external network access services provided by the internal network, and lets the internal network reach the external network, without re-addressing the internal network. For example, the internal subnet 192.168.0.0 assigned to the school office system has a network address from a Class B reserved range. As a subnet of the campus network, its IP addresses are assigned only to office system user equipment. To let other campus network users reach this internal network, a router connects the office internal network and the campus network so that they can access each other. However, since 192.168.0.0 is an internal address, it cannot access the external network directly. A dynamic NAT pool is therefore configured on the router to translate the addresses of IP packets coming from the internal network, mapping each packet's IP address to an external network IP address from the address pool. The internal network can then access servers on the external network, and any host on the external network can also reach the services provided by the internal network.

With dynamic NAT, many internal users can be defined on the intranet and, through dynamic allocation, they share a small number of external IP addresses, whereas static NAT can only form a fixed one-to-one mapping. When all the external IP addresses in the NAT pool are occupied, subsequent NAT translation requests fail. Routers with NAT functionality generally provide a timeout setting; on a Cisco 7600, for example, it can be configured to delete the current NAT translation entry after 15 minutes, freeing the external network IP address for subsequent NAT requests. Since most external connections are not very long, the connection time threshold can be set short, and different thresholds can be used for different groups of internal network users to meet their respective needs.

Dynamic NAT pools (pooled network address translation) give campus network management great flexibility, but they also affect some network management functions. For example, IP addresses used to be the means of tracking the operation of a device; after NAT is introduced, the internal network address behind a translated address changes dynamically, so the operation of a given piece of internal network equipment can no longer be followed accurately, which complicates the remote management of campus network equipment.

PAT

PAT (port address translation), also called NAPT, is a form of dynamic address translation. It allows multiple internal local addresses to share one legal address, distinguishing the different internal network addresses by protocol port number. In theory, PAT can support 64,500 TCP/IP and UDP/IP connections, but in practice the number of workstations it can support is about 4,000, because many Internet applications such as HTTP actually consist of many small connections.

PAT is widely used for remote access, especially in devices used by remote dial-up users. With PAT, all the different TCP and UDP flows appear to come from the same IP address. Although this can lead to congestion on that channel, the savings in Internet access cost and registered IP addresses and the ease of management make this translation extremely useful where only a small number of IP addresses has been applied for but many users are often on the external network at the same time.
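The three modes described above (static NAT, dynamic pooled NAT with its idle timeout, and PAT) are easiest to compare side by side in a small model of the translation table a NAT device keeps. The following is an added example, not code from the article or from any router vendor: a Python class that holds the state table, hands out pool addresses or ports, expires idle bindings, and answers the reverse question raised in the dynamic-NAT section (which internal host is behind a given translated address right now). The pool and destination addresses are constructed except for the article's 210.34.143.2 and 192.168.20.0 network; the 900-second timeout follows the 15-minute Cisco 7600 example in the text.

```python
# Added example (not the article's code): a model of static NAT, dynamic
# (pooled) NAT with an idle timeout, and PAT (overload). Pool/destination
# addresses other than the article's 210.34.143.2 and 192.168.20.0/24 are constructed.
from dataclasses import dataclass
from itertools import chain
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One outbound packet as seen on the 'ip nat inside' interface."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatDevice:
    # Ports PAT can hand out per protocol (1024-65535): roughly the 64,500
    # concurrent connections quoted in the text.
    PAT_PORTS = range(1024, 65536)

    def __init__(self, pool: List[str], overload: bool,
                 static: Optional[Dict[str, str]] = None, idle_timeout: float = 900.0):
        self.pool = list(pool)            # the 'ip nat pool' addresses
        self.overload = overload          # True: PAT; False: one-to-one dynamic NAT
        self.static = dict(static or {})  # inside ip -> outside ip, fixed
        self.idle_timeout = idle_timeout  # seconds before an idle binding is deleted
        self.dynamic: Dict[str, Tuple[str, float]] = {}  # inside ip -> (out ip, last seen)
        # (proto, inside ip, inside port) -> (outside ip, outside port, last seen)
        self.pat: Dict[Tuple[str, str, int], Tuple[str, int, float]] = {}

    def translate(self, flow: Flow, now: float) -> Optional[Tuple[str, int]]:
        """Outside (ip, port) the packet leaves with; None if no translation is possible."""
        if flow.src_ip in self.static:               # static NAT: port unchanged
            return (self.static[flow.src_ip], flow.src_port)
        return self._pat(flow, now) if self.overload else self._dynamic(flow, now)

    def _dynamic(self, flow: Flow, now: float) -> Optional[Tuple[str, int]]:
        entry = self.dynamic.get(flow.src_ip)
        if entry is None:
            in_use = {addr for addr, _ in self.dynamic.values()}
            free = [a for a in self.pool if a not in in_use]
            if not free:
                return None                          # pool exhausted: request fails
            entry = (free[0], now)
        self.dynamic[flow.src_ip] = (entry[0], now)  # refresh the idle timer
        return (entry[0], flow.src_port)

    def _pat(self, flow: Flow, now: float) -> Optional[Tuple[str, int]]:
        key = (flow.proto, flow.src_ip, flow.src_port)
        entry = self.pat.get(key)
        if entry is None:
            used = {(o, p) for (pr, _, _), (o, p, _) in self.pat.items() if pr == flow.proto}
            for addr in self.pool:
                # keep the host's own port when it is free, else the lowest free port
                preferred = [flow.src_port] if flow.src_port in self.PAT_PORTS else []
                port = next((p for p in chain(preferred, self.PAT_PORTS) if (addr, p) not in used), None)
                if port is not None:
                    entry = (addr, port, now)
                    break
            if entry is None:
                return None                          # every port on every address in use
        self.pat[key] = (entry[0], entry[1], now)
        return (entry[0], entry[1])

    def expire(self, now: float) -> int:
        """Delete bindings idle longer than idle_timeout (the text's 15-minute timer)."""
        before = len(self.dynamic) + len(self.pat)
        self.dynamic = {k: v for k, v in self.dynamic.items() if now - v[1] < self.idle_timeout}
        self.pat = {k: v for k, v in self.pat.items() if now - v[2] < self.idle_timeout}
        return before - len(self.dynamic) - len(self.pat)

    def inside_host(self, out_ip: str, out_port: int, proto: str = "tcp") -> Optional[Tuple[str, int]]:
        """Inside (ip, port) currently behind an outside (ip, port); changes as bindings expire."""
        for ip, o_ip in self.static.items():
            if o_ip == out_ip:
                return (ip, out_port)
        if self.overload:
            return next(((ip, port) for (pr, ip, port), (o, p, _) in self.pat.items()
                         if (pr, o, p) == (proto, out_ip, out_port)), None)
        return next(((ip, out_port) for ip, (o, _) in self.dynamic.items() if o == out_ip), None)


def demo() -> dict:
    """Replay the text's scenarios and return the observed bindings."""
    ext = "203.0.113.80"                                 # constructed destination (TEST-NET-3)
    r = {}
    # Dynamic pool of two constructed addresses, three inside hosts.
    pooled = NatDevice(pool=["210.34.143.10", "210.34.143.11"], overload=False, idle_timeout=900)
    r["dyn_a"] = pooled.translate(Flow("192.168.20.5", 40000, ext, 80), now=0)
    r["dyn_b"] = pooled.translate(Flow("192.168.20.6", 40000, ext, 80), now=1)
    r["dyn_c_fails"] = pooled.translate(Flow("192.168.20.7", 40000, ext, 80), now=2)
    r["expired"] = pooled.expire(now=1000)               # idle > 900 s: both bindings deleted
    r["dyn_c_retry"] = pooled.translate(Flow("192.168.20.7", 40000, ext, 80), now=1001)
    r["owner_of_10"] = pooled.inside_host("210.34.143.10", 40000)  # now host .7, no longer .5
    # PAT on the article's single public address, plus a constructed static server mapping.
    pat = NatDevice(pool=["210.34.143.2"], overload=True, static={"192.168.20.100": "210.34.143.100"})
    r["pat_a"] = pat.translate(Flow("192.168.20.5", 5000, ext, 80), now=0)
    r["pat_b"] = pat.translate(Flow("192.168.20.6", 5000, ext, 80), now=0)  # same port: remapped
    r["pat_reverse"] = pat.inside_host("210.34.143.2", 1024)
    r["static_mail"] = pat.translate(Flow("192.168.20.100", 25, ext, 25), now=0)
    return r
```

Running demo() shows the behaviour the text describes: the third host is refused while the two-address pool is full and succeeds only after the idle timer has reclaimed an address; with PAT, two hosts using the same source port are told apart by the translated port; and inside_host() on the pooled device returns a different host for the same outside address before and after expiry, which is exactly why a translation log with timestamps is needed if addresses are used to track equipment.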

3 NAT/PAT configuration examples

Take the PAT configured on the Jimei University Cisco 7600 as an example of applying NAT/PAT. The school computer room teaching network uses the internal network 192.168.20.0. Since internal users need to access the external network, the public address 210.34.143.2 assigned to it is used by internal network users to reach the external network.

Set an external network address for PAT (a pool containing the single address 210.34.143.2):

    ip nat pool mypool 210.34.143.2 210.34.143.2 prefix-length 30

Define the internal network addresses to be translated:

    access-list 1 permit 192.168.20.0 0.0.0.255

Bind the internal addresses to the pool; the overload keyword turns the one-address pool into PAT:

    ip nat inside source list 1 pool mypool overload

Set up the internal network interface:

    interface ethernet0
     ip nat inside

Set up the external network interface:

    interface ethernet1
     ip nat outside

Through the above configuration, all devices in the computer room can access the external network, meeting the requirements of students in the computer room to access the Internet.

4 Summary

Using NAT/PAT in campus networks has many advantages, such as not having to re-address the original internal network, reducing the use of registered IP addresses, and simplifying network management; but NAT also affects some network management functions and security facilities. NAT changes the IP addresses of packets. A firewall uses the source IP address, TCP port, destination address and other information in the IP packet to decide whether to allow or block a network connection, so its rules are affected once NAT is in use. In practice, therefore, NAT should be integrated into the firewall system so that access control and address translation are provided together. Do not place NAT outside the firewall, since attackers may be able to manipulate the NAT device to get into the network.

If a VPN (virtual private network) is used in the network and IPSec provides its encryption and security, an incorrectly configured NAT will break the VPN. Because NAT changes the addresses of IP packets, IPSec treats the packets as forged and rejects them. NAT should therefore be placed inside the protected VPN, not in the middle of the path.
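The IPSec point above is worth seeing concretely. The following is an added example, not from the article: a simplified model of the IPsec Authentication Header (AH) check, in which an HMAC-SHA256 integrity value is computed over the source address, destination address and payload (real AH uses the negotiated algorithm and zeroes the mutable header fields such as TTL, which this model omits). It shows that a NAT device sitting between the two VPN endpoints rewrites a field the peer authenticates, so the peer rejects the packet, while the same NAT placed before the protecting gateway leaves verification intact. The key, the peer address and the payload are constructed; 210.34.143.2 is the article's public address. Modern deployments work around the middle-of-the-path case with NAT traversal (UDP encapsulation of ESP), but the placement rule in the text still applies to AH.

```python
# Added example (not the article's code): simplified AH-style integrity check
# showing why NAT between IPsec endpoints is rejected. Key and peer are constructed.
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes
    icv: bytes = b""          # integrity check value carried in the AH header


def _authenticated_bytes(pkt: Packet) -> bytes:
    # AH authenticates the immutable IP header fields (the addresses among
    # them) together with the payload; mutable fields are left out here.
    return (ipaddress.ip_address(pkt.src).packed
            + ipaddress.ip_address(pkt.dst).packed + pkt.payload)


def ah_protect(pkt: Packet, key: bytes) -> Packet:
    """Sender side: attach the ICV computed over the authenticated bytes."""
    return replace(pkt, icv=hmac.new(key, _authenticated_bytes(pkt), hashlib.sha256).digest())


def ah_verify(pkt: Packet, key: bytes) -> bool:
    """Receiver side: recompute the ICV and compare in constant time."""
    expected = hmac.new(key, _authenticated_bytes(pkt), hashlib.sha256).digest()
    return hmac.compare_digest(pkt.icv, expected)


def nat_rewrite_source(pkt: Packet, new_src: str) -> Packet:
    # What a NAT device does to an outbound packet: change the source address.
    return replace(pkt, src=new_src)


KEY = b"constructed-demo-key"   # shared SA key; constructed for the example
PEER = "203.0.113.10"           # constructed VPN peer address (TEST-NET-3)
REQUEST = b"GET / HTTP/1.0"     # constructed payload


def nat_between_vpn_endpoints() -> bool:
    """Gateway protects first, a NAT in the middle rewrites afterwards: rejected."""
    protected = ah_protect(Packet("192.168.20.5", PEER, REQUEST), KEY)
    on_wire = nat_rewrite_source(protected, "210.34.143.2")
    return ah_verify(on_wire, KEY)


def nat_inside_vpn() -> bool:
    """NAT runs before protection, so the peer authenticates what it receives: accepted."""
    translated = nat_rewrite_source(Packet("192.168.20.5", PEER, REQUEST), "210.34.143.2")
    return ah_verify(ah_protect(translated, KEY), KEY)


def tampered_payload() -> bool:
    """The same check also rejects a payload modified in transit."""
    protected = ah_protect(Packet("210.34.143.2", PEER, REQUEST), KEY)
    return ah_verify(replace(protected, payload=b"GET /x HTTP/1.0"), KEY)
```

nat_between_vpn_endpoints() returns False and nat_inside_vpn() returns True, which is the whole argument of the paragraph: the integrity check cannot tell a legitimate NAT rewrite from tampering, so address translation has to happen on the protected side of the VPN gateway.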
