In most network environments, we need NAT to access the Internet.
NAT is Network Address Translation. This is a protocol that provides a way for multiple computers on a public network to share a single connection to the Internet.
Before going into more detail about NAT, let’s first look at what public and private addresses are.
Public IP address and Private IP address
The public network refers to the Internet, and the public IP address refers to the globally planned IP address on the Internet. The network segments cannot overlap. Routers on the Internet can forward packets whose destination address is a public network address.
In the IP address space, some IP addresses of Class A, Class B, and Class C are reserved as private IP addresses. Private IP addresses cannot be used on the public network but can only be used on the intranet. Routers on the Internet do not have routes to private addresses.
The ranges of reserved class A, class B, and class C private addresses are as follows:
Class A IP address: 10.0.0.0 – 10.255.255.255.
Class B IP address: 172.16.0.0 – 172.31.255.255.
Class C IP address: 192.168.0.0 – 192.168.255.255.
Static NAT, dynamic NAT, NAPT, and Easy IP enable users to access the public network from a private network.
The NAT server implements access from the public network to the private network.
Static NAT is configured on the router that connects the private network to the public network. Each private network address has a fixed public network address. That is, the mapping between private network addresses and public network addresses is one-to-one. This type of NAT does not save public network IP addresses.
Static NAT supports bidirectional communication.
1. As shown in the above figure, the ISP assigns three public addresses 12.x.x.1, 12.x.x.2, and 12.x.x.3 to the enterprise. You can configure static NAT on the border router of the enterprise to map the private address 192.168.1.2 of PC1 to the public address 12.x.x.2. Map the private address 192.168.1.3 of PC2 to the public address 12.x.x.3, and then generate a static address mapping table on the router.
2. PC1 and PC2 access the web server on the Internet. When a data packet passes through the router, the private IP address of PC1 or PC2 is replaced by the corresponding public IP address. When the Web Server returns a data packet, the process is similar: the packet is first sent to the router, the router searches the static address mapping table, converts the public address back into the private address, and finally sends the data to the terminal device that owns that private address.
3. PC3 cannot access the Internet because no static NAT mapping is configured for PC3.
Note that Static NAT maps private addresses to public addresses in one-to-one mode. As a result, the corresponding public addresses are still in use even if an intranet host is offline for a long time or does not send data. Therefore, static NAT does not save IP addresses.
To avoid address waste, dynamic NAT introduces an address pool. All available public addresses form an address pool.
1. After dynamic NAT is configured, the edge router of the enterprise generates a public IP address pool based on the available public IP addresses. When the PC of the enterprise accesses the Internet, the data packet passes through the router. The router replaces the private IP address of the PC with an idle public IP address and then accesses the Internet.
2. However, after PC1, PC2, and PC3 access the Internet, the public IP address pool of the company does not have an idle public IP address. In this case, PC4 cannot access the Internet.
Even with dynamic NAT, the mapping between public addresses and private addresses is still one-to-one, so the utilization of public addresses does not improve.
Note that the one-to-one mapping between public addresses and private addresses is temporarily established. The public IP address translated by the PC through the router is a temporarily idle public IP address in the public address pool. Therefore, dynamic NAT supports only unidirectional access and can only access the public network from the intranet.
Network Address and Port Translation (NAPT) translates not only IP addresses but also port numbers when selecting addresses from the address pool. In this way, one-to-many mapping between public addresses and private addresses is implemented, which effectively improves public address utilization.
1. As shown in the preceding figure, after NAPT is enabled, the router generates a dynamic address and port mapping table. The public IP address pool of the edge router has only two public IP addresses. When PC1 accesses the web server on the Internet, the data packet carries the source port, destination port, source address, and destination address parameters to the router. Then, the router performs public address translation and source port translation. In addition, the translated port number and public IP address are recorded in the dynamic address and port mapping table. Finally, PC1 accesses the Internet.
2. When the Web Server returns data, the data packet also carries these parameters to the router. The router then queries the dynamic address and port mapping table and sends the data packet to PC1.
NAPT translates transport-layer port numbers to differentiate terminals on the intranet and enables multiple private IP addresses to share one public IP address, thereby saving IP addresses.
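The following is an added example, not code from the original article, that simulates the NAPT behaviour described above: a router with a two-address public pool rewrites the source IP and source port of outbound packets, records the mapping, uses it in reverse for returning packets, and drops unsolicited inbound packets. The public addresses, port range and packet values are constructed placeholders (RFC 5737 documentation ranges); the private-address check uses the three reserved ranges listed earlier.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example values; the pool and port range are kept tiny so that
# exhaustion (the PC4 case under plain dynamic NAT) is easy to reproduce.
PUBLIC_POOL = ["203.0.113.1", "203.0.113.2"]
PORT_RANGE = range(1024, 1026)
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    """True if ip falls in one of the reserved class A/B/C private ranges."""
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_RANGES)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NaptRouter:
    def __init__(self, pool, ports):
        self.pool, self.ports = list(pool), list(ports)
        self.table = {}      # (private ip, private port) -> (public ip, public port)
        self.reverse = {}    # (public ip, public port) -> (private ip, private port)

    def _allocate(self):
        """Pick the first free [public ip:port] slot, or None if all are in use."""
        for pub_ip in self.pool:
            for pub_port in self.ports:
                if (pub_ip, pub_port) not in self.reverse:
                    return pub_ip, pub_port
        return None

    def outbound(self, pkt):
        """Intranet -> Internet: rewrite source IP and port, record the mapping."""
        if not is_private(pkt.src_ip):
            return pkt                      # public source: nothing to translate
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:
            slot = self._allocate()
            if slot is None:
                return None                 # pool exhausted: host cannot get out
            self.table[key] = slot
            self.reverse[slot] = key
        pub_ip, pub_port = self.table[key]
        return Packet(pub_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> intranet: only packets matching a recorded mapping pass."""
        key = self.reverse.get((pkt.dst_ip, pkt.dst_port))
        if key is None:
            return None                     # unsolicited: no mapping, dropped
        return Packet(pkt.src_ip, pkt.src_port, key[0], key[1])
```

Because each slot is a [public IP:port] pair rather than a bare address, four hosts get out through two public addresses, which is the one-to-many mapping the text describes.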
The implementation principle of Easy IP is the same as that of NAPT. It translates IP addresses and transport-layer ports at the same time. The difference is that Easy IP does not have the concept of an address pool and uses interface addresses as public IP addresses for NAT.
Easy IP applies to scenarios where no fixed public IP address is available, for example, the network egress that obtains an IP address through DHCP or PPPoE dialup, and the obtained dynamic IP address can be directly used for translation.
NAT server refers to port mapping.
When the server on the private network needs to provide services for the public network, you need to configure the NAT server on the router and specify the one-to-one mapping between [public IP address: port] and [private IP address: port] to map the intranet server to the public network. The public network host accesses the [public IP address: port] to access the intranet server.
As shown in the preceding figure, the Web Server on the enterprise intranet needs to be accessed by computers on the Internet. To implement this, you need to configure the NAT server on the edge router of the enterprise.
1. Map the IP address and service port number of the Web Server (192.168.0.2:80) to the public IP address and port number of the edge router (12.x.x.8:43333).
2. When a computer on the Internet accesses the web service on the intranet, the destination IP address and port number of the data packet are the IP address and port number (12.x.x.8:43333) mapped on the NAT server.
3. After receiving the packet, the edge router of the enterprise looks up the NAT mapping table and translates the destination IP address and port number to the IP address and port number of the Web Server (192.168.0.2:80).
4. In this way, services on the private network can be accessed through the public network.
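The following is an added example, not code from the original article, that models the NAT server (port mapping) steps above: a static [public IP:port] to [private IP:port] table, destination rewriting for packets arriving from the Internet, source rewriting for the server's replies, and dropping of packets to ports that were never published. The public address 203.0.113.8 is a constructed placeholder standing in for the 12.x.x.8 of the text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatServer:
    """Static [public IP:port] -> [private IP:port] mappings on the edge router."""

    def __init__(self):
        self.mappings = {}   # (public ip, public port) -> (private ip, private port)

    def add_mapping(self, pub_ip, pub_port, priv_ip, priv_port):
        self.mappings[(pub_ip, pub_port)] = (priv_ip, priv_port)

    def inbound(self, pkt):
        """Internet -> intranet: rewrite the destination if a mapping exists."""
        target = self.mappings.get((pkt.dst_ip, pkt.dst_port))
        if target is None:
            return None      # nothing published on that port: packet is dropped
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1])

    def outbound_reply(self, pkt):
        """Intranet server -> Internet: put the public address back as the source."""
        for (pub_ip, pub_port), priv in self.mappings.items():
            if priv == (pkt.src_ip, pkt.src_port):
                return Packet(pub_ip, pub_port, pkt.dst_ip, pkt.dst_port)
        return None          # reply from an unmapped service: not forwarded


# Constructed mapping for the scenario in the text (placeholder public address).
def build_example():
    s = NatServer()
    s.add_mapping("203.0.113.8", 43333, "192.168.0.2", 80)
    return s
```

Only the explicitly mapped [public IP:port] is reachable from outside, which is why port mapping is the one way in for a private network behind NAT.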
Advantages and Disadvantages of NAT
Advantages:
1. The enterprise intranet uses private IP addresses, which reduces the occupation of public IP addresses. NAT is generally applied on border routers, for example, routers connected to the Internet.
By using NAPT, enterprises can access the Internet from private networks through shared public IP addresses, saving public IP addresses.
If different enterprises or schools do not need to communicate with each other, their private addresses can overlap.
If the intranets of different schools or enterprises communicate with each other through VPNs or leased lines, the private addresses used by different schools or enterprises cannot overlap.
2. After the ISP is changed, the intranet address does not need to be changed, which enhances the flexibility of the Internet connection.
3. The private network cannot be directly accessed on the Internet to enhance the security of the intranet.
Disadvantages:
1. When NAT or NAPT is performed on a router, the network-layer and transport-layer headers of data packets need to be modified, and the address and port mappings need to be kept and recorded on the router. Translating data packets therefore causes a large switching delay and consumes a large amount of router resources.
2. A private IP address is used to access the Internet, and the source IP address is replaced with a public IP address. If a student at a school posts a message on a forum, the forum can record only the public IP address of the poster and cannot trace the intranet IP address. That is, end-to-end IP tracing cannot be performed.
3. The public network cannot access the private network. To make a private host reachable, port mapping must be configured.
4. Some applications cannot run across NAT. For example, IPSec does not allow packets to be modified in transit.