CISCO IOS NETWORK ADDRESS TRANSLATIONWhite paper

fengyunmus
0 ℃
2019-01-16

整理文档很辛苦，赏杯茶钱您下走！

还剩 ... 页未读，继续阅读 >>

免费阅读已结束，点击下载阅读编辑剩下 ... 页

阅读已结束，您可以下载文档离线阅读编辑

资源描述

AllcontentsareCopyright©1992–2004CiscoSystems,Inc.Allrightsreserved.ImportantNoticesandPrivacyStatement.Page1of11WHITEPAPERCISCOIOSNETWORKADDRESSTRANSLATIONOVERVIEWInitssimplestconfiguration,theNetworkAddressTranslator(NAT)operatesonarouterconnectingtwonetworkstogether;oneofthesenetworks(designatedasinside)isaddressedwitheitherprivateorobsoleteaddressesthatneedtobeconvertedintolegaladdressesbeforepacketsareforwardedontotheothernetwork(designatedasoutside).Thetranslationoperatesinconjunctionwithrouting,sothatNATcansimplybeenabledonacustomer-sideInternetaccessrouterwhentranslationisdesired.UseofaNATdeviceprovidesRFC1631-stylenetworkaddresstranslationontherouterhardware.ThegoalofNATistoprovidefunctionalityasiftheprivatenetworkhadgloballyuniqueaddressesandtheNATdevicewasnotpresent.RFC1631representsasubsetofCiscoIOSNATfunctionality.CiscoIOSNATsupports“bi-directionaltranslation”throughthesimultaneoususeof“insidesource”and“outsidesource”translations.TERMINOLOGYFigure1NATConceptsInsideThesetofnetworksthataresubjecttotranslation.OutsideAllotheraddresses.UsuallythesearevalidaddresseslocatedontheInternet.©2004CiscoSystems,Inc.Allrightreserved.Importantnotices,privacystatements,andtrademarksofCiscoSystems,Inc.canbefoundoncisco.comPage2of11Figure2NATTerminology«InsideAddressing»InsideLocalConfiguredIPaddressassignedtoahostontheinsidenetwork.Addressmaybegloballyunique,allocatedoutoftheprivateaddressspacedefinedinRFC1918,ormightbeofficiallyallocatedtoanotherorganizationInsideGlobalTheIPaddressofaninsidehostasitappearstotheoutsidenetwork,“TranslatedIPAddress”.Addressescanbeallocatedfromagloballyuniqueaddressspace,typicallyprovidedbytheISP(iftheenterpriseisconnectedtotheglobalInternet)Figure3NATTerminology“OutsideAddressing”OutsideLocalTheIPaddressofanoutsidehostasitappearstotheinsidenetwork.TheseaddressescanbeallocatedfromtheRFC1918spaceifdesired.©2004CiscoSystems,Inc.Allrightreserved.Importantnotices,privacystatements,andtrademarksofCiscoSystems,Inc.canbefoundoncisco.comPage3of11OutsideGlobalTheconfiguredIPaddressassignedtoahostintheoutsidenetwork.SimpleTranslationEntryAtranslationentrywhichmapsoneIPaddresstoanother.ExtendedTranslationEntryAtranslationentrywhichmapsoneIPaddressandportpairtoanother.MAINFEATURES•StaticAddressTranslation—Telnet207.33.94.1Theusercanestablishaone-to-onemappingbetweenlocalandglobaladdressesUserscanalsoconfigureStaticaddresstranslationstotheportlevel,andusetheremainderoftheIPaddressforothertranslations.TypicallywhereyouareperformingPortAddressTranslation(PAT).•DynamicAddressTranslationTheusercanestablishdynamicmappingbetweenthelocalandglobaladdresses.Thisisdonebydescribingthelocaladdressestobetranslatedandthepoolofaddressesfromwhichtoallocateglobaladdresses,andassociatingthetwo.•MatchHostTheabilitytoconfigureNATtoassignthesameHostportionofanIPAddressandonlytranslatetheNetworkprefixportionoftheIPAddress.Usefulwhereyouareusingthehostportionasameanstoidentifyornumberusersuniquely.PortAddressTranslation(PAT)Figure4BasicConceptsofPAT©2004CiscoSystems,Inc.Allrightreserved.Importantnotices,privacystatements,andtrademarksofCiscoSystems,Inc.canbefoundoncisco.comPage4of11Figure5UniqueSourcePortperTranslationEntrySeveralinternaladdressescanbeNATedtoonlyoneorafewexternaladdressesbyusingafeaturecalledPortAddressTranslation(PAT)whichisalsoreferredtoas“overload”,asubsetofNATfunctionality.PATusesuniquesourceportnumbersontheInsideGlobalIPaddresstodistinguishbetweentranslations.Becausetheportnumberisencodedin16bits,thetotalnumbercouldtheoreticallybeashighas65,536perIPaddress.PATwillattempttopreservetheoriginalsourceport,ifthissourceportisalreadyallocatedPATwillattempttofindthefirstavailableportnumberstartingfromthebeginningoftheappropriateportgroup0-5111,512-1023or1024-65535.IfthereisstillnoportavailablefromtheappropriategroupandmorethanoneIPaddressisconfigured,PATwillmovetothenextIPaddressandtrytoallocatetheoriginalsourceportagain.ThiscontinuesuntilitrunsoutofavailableportsandIPaddresses.DestinationAddressRotaryTranslationAdynamicformofdestinationtranslationcanbeconfiguredforsomeoutside-to-insidetraffic.Onceamappingissetup,adestinationaddressmatchingoneofthoseonanaccesslistwillbereplacedwithanaddressfromarotarypool.Allocationisdoneinaround-robinbasis,performedonlywhenanewconnectionisopenedfromtheoutsidetotheinside.Allnon-TCPtrafficispasseduntranslated(unlessothertranslationsareineffect).Thisfeaturewasdesignedtoprovideprotocoltranslationloaddistribution.ItisnotdesignednorintendedtobeusedasasubstitutetechnologyforCisco’sLocalDirectorproduct.Destinationaddressrotarytranslationshouldnotbeusedtoprovidewebserviceloadbalancingbecause,likevanillaDNS,itknowsnothingaboutserviceavailability.Asaresult,ifawebserverweretobecomeoffline,thedestinationaddressrotarytranslationfeaturewouldcontinuetosendrequeststothedownedserver.:•Groupstartsat0forICMP,but1forallotherapplications•AsofDDTSCSCdm05636thenumberofPortgroupschangedfrom4tothe3outlinedabove•AsofDDTSCSCed