NAT (Network Address Translation) is a mechanism (not a protocol of its own) for
rewriting the IP addresses in an IP packet header. When IP packets pass through a
security appliance or router, the appliance or router translates the source IP
address and/or the destination IP address in the packets. In practice, NAT
is mostly used to allow a private network to access the public network,
or vice versa.
NAT has the following advantages:
• Helps to relieve IP address exhaustion by using a small number of public
IP addresses to represent a large number of private IP addresses.
• Hides the private network's addressing from external networks. Note that
hiding addresses is not an access control: the security policy still decides
what traffic is allowed.
Private IP addresses (the ranges reserved by RFC 1918: 10.0.0.0/8, 172.16.0.0/12
and 192.168.0.0/16) can be used freely in an enterprise network without
requesting them from an ISP or a registration center; they are not routable on
the Internet, which is why NAT is needed to reach it. There are two types of NAT
rules: source NAT (SNAT) rules and destination NAT (DNAT) rules. SNAT hides the
internal IP addresses and lets many hosts share a limited number of public IP
addresses; DNAT publishes internal servers on public IP addresses.
SNAT (source NAT) is normally applied from LAN to WAN (intranet to Internet):
• It changes the source IP address of the packet.
• It allows multiple PCs to access the Internet at the same time.
• It hides the real IP addresses of the LAN PCs.
Three translation modes can be selected: Static mode, Dynamic IP mode and Dynamic port mode.
Dynamic port mode provides Internet access for many intranet IP addresses using only one or a
few public IP addresses, by also translating the source port. This is the mode normally used for
that scenario.
Track: when multiple public IP addresses are available, the system tracks the usability of each
public IP address so that sessions are not translated to an address that does not work.
• You can also enable the Sticky function. If Sticky is enabled, all sessions from the same source IP
address are mapped/translated to the same fixed public IP address. This matters for special servers
such as a mail server, whose outbound connections should always appear from one public address.
Static translation converts a private IP address of the internal network to a
public IP address with a fixed one-to-one mapping: a given private IP address is
always converted to the same public IP address. With static translation, the
external network can reach specific devices (such as servers) in the internal
network, but it does not solve the problem of IP address exhaustion, because every
translated host needs its own public address.
Dynamic IP translation means that when a private IP address of the internal
network is converted to a public IP address, the public address is chosen from the
configured pool at the time of translation rather than being fixed: any private IP
address authorized to access the Internet can be converted to any of the specified
legal (public) IP addresses. Because there is no port translation, each active
internal host holds one public address for the duration of its sessions, so this
mode fits when the number of legitimate IP addresses provided by the ISP is only
slightly smaller than the number of computers inside the network.
If Round-robin is enabled, each new session is assigned the next translated
address from the address entry in turn, spreading sessions across the pool. (This
differs from Sticky, where all sessions from one source IP address are mapped
to the same fixed public IP address.)
If neither Sticky nor Round-robin is enabled, the first address in the address
entry is used first; when the port resources of the first address are
exhausted, the second address is used.
If Track is enabled, the system tracks whether the translated public address
is valid, i.e., it uses the translated address as the source address to check
whether the destination website or host is reachable, and skips addresses that
fail. The configured track object can be a Ping track object, an HTTP track
object or a TCP track object.
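The address-selection behaviour described in the SNAT slide (dynamic port mode, Track, Sticky) and in the Round-robin slide above, modelled in Python. This is an added illustration and not StoneOS code: the pool addresses, the deliberately tiny port range (four ports per address, so exhaustion is visible), the mode names and the decision that a Sticky host stays pinned even when its address runs out of ports are assumptions of the model.

```python
"""Model of dynamic-port SNAT address selection: first-exhaust, Round-robin,
Sticky and Track. Added illustration, not StoneOS code; pool addresses, the
tiny port range and the mode names are assumptions for the example."""
from dataclasses import dataclass, field


@dataclass
class SnatPool:
    addresses: list                     # public addresses of the NAT pool
    mode: str = "first-exhaust"         # or "round-robin" / "sticky"
    ports: range = range(1024, 1028)    # 4 ports per address so exhaustion shows (assumed)
    down: set = field(default_factory=set)      # addresses the Track object found unreachable
    used: dict = field(init=False)              # public ip -> ports already handed out
    pinned: dict = field(default_factory=dict)  # Sticky: private ip -> public ip
    cursor: int = 0                             # Round-robin position

    def __post_init__(self):
        self.used = {a: set() for a in self.addresses}

    def _free_port(self, pub):
        return next((p for p in self.ports if p not in self.used[pub]), None)

    def _order(self, src_ip):
        """Candidate public addresses for this session, best first."""
        usable = [a for a in self.addresses if a not in self.down]
        if self.mode == "sticky" and self.pinned.get(src_ip) in usable:
            return [self.pinned[src_ip]]       # fixed address, even if its ports run out (assumed)
        if self.mode == "round-robin":
            start = self.cursor % len(self.addresses)
            self.cursor += 1                   # the next session starts one address later
            rotated = self.addresses[start:] + self.addresses[:start]
            return [a for a in rotated if a in usable]
        return usable                          # first address until exhausted, then the next

    def translate(self, src_ip):
        """Allocate (public_ip, public_port) for a new session, or None if nothing is left."""
        for pub in self._order(src_ip):
            port = self._free_port(pub)
            if port is not None:
                self.used[pub].add(port)
                if self.mode == "sticky":
                    self.pinned.setdefault(src_ip, pub)
                return pub, port
        return None


def demo():
    """Run the three modes plus Track over constructed hosts; returns the allocations."""
    pool_ips = ["202.100.0.10", "202.100.0.11"]      # constructed example pool
    out = {}
    p = SnatPool(pool_ips)                            # neither Sticky nor Round-robin
    out["first-exhaust"] = [p.translate("10.1.1.2") for _ in range(5)]
    p = SnatPool(pool_ips, mode="round-robin")
    out["round-robin"] = [p.translate("10.1.1.2") for _ in range(3)]
    p = SnatPool(pool_ips, mode="sticky")
    out["sticky"] = [p.translate("10.1.1.2") for _ in range(4)]
    out["sticky"] += [p.translate("10.1.1.3"), p.translate("10.1.1.2")]
    p = SnatPool(pool_ips)
    p.down.add("202.100.0.10")                        # Track object reports .10 unreachable
    out["track"] = [p.translate("10.1.1.2")]
    return out


if __name__ == "__main__":
    for mode, allocations in demo().items():
        print(mode, allocations)
```

Running it shows the first-exhaust pool filling 202.100.0.10 before touching 202.100.0.11, Round-robin alternating between the two addresses per session, Sticky pinning 10.1.1.2 to the first address until it returns None once that address's ports are gone, and Track steering a new session away from the address marked down. The `ports` field is the quantity that a larger PAT port pool enlarges.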
NAT rules are configured under a VRouter. Under global configuration
mode, use the command below to enter VRouter configuration mode:
ip vrouter vrouter-name
♦ vrouter-name – the name of the VRouter
If you configure NAT for the default VR, trust-vr, you can use NAT mode as well (under
global configuration mode, use the command nat to enter NAT configuration mode).
When using the dynamicport SNAT mode, you can enable the PAT port pool
function to expand the port resources available after NAT. By default this
function is disabled. Use the command below under global configuration mode to
enable it:
expanded-port-pool
Only some Hillstone models support the expanded PAT port pool, and the number of
port resources supported varies between platforms.
The function applies only to SNAT rules that have not yet been enabled; if an
SNAT rule is already enabled, reboot the system for the function to take
effect.
• DNAT translates the destination IP address in a packet, usually so that
internal servers (such as a WWW server or SMTP server) protected by the device
can be published on public IP addresses.
There are two DNAT mapping modes: port mapping and IP mapping.
• Port mapping is a one-to-many mapping: different ports of one public IP
address are mapped to ports of different private IP addresses. For example,
with only one public IP address available, a mail server and a web server on
the LAN can both be published at the same time by using port-based DNAT
mapping.
• IP mapping is a one-to-one mapping with no port translation; every port of
the public address is forwarded to the private address. This mode is normally
used when enough public IP addresses are available.
DNAT is normally used to let Internet users reach an internal server protected
by the security appliance.
• Select the source address as Any to allow access from all external users.
• The destination address is the public IP address that Internet users visit, also
known as the mapping address of the internal server.
• Select the mapping service as well, for example the HTTP service (port
mapping, TCP port 80). If the service is Any, the DNAT is an IP mapping and the
security policy must restrict which services are actually reachable.
• Then select the action NAT and the translated-to IP address, which is the
server's real IP address.
DNAT also supports load balancing: if multiple internal servers offering the same
service are mapped to one public IP address, traffic is balanced across all of them. For
example, if both 10.1.1.2 and 10.1.1.3 are HTTP web servers, we can configure
202.100.0.2 to be translated to 10.1.1.2/32 and 10.1.1.3/32 with server load balancing.
The server load balancing algorithms supported by the system are:
weighted-hash – weighted hash algorithm (the default).
weighted-round-robin – weighted round-robin algorithm.
weighted-least-connection – weighted least-connection algorithm.
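The two DNAT mapping modes and the three server load balancing algorithms listed above, modelled in Python as an added illustration (not StoneOS code). The slide's 202.100.0.2 and the web servers 10.1.1.2/10.1.1.3 are reused; the mail server address 10.1.1.4, the IP-mapped host 10.1.1.5, the client addresses, the server weights and the use of CRC32 as the hash function are assumptions of the model.

```python
"""Model of DNAT port mapping, IP mapping and server load balancing with the
weighted-hash, weighted-round-robin and weighted-least-connection algorithms.
Added illustration, not StoneOS code; the rule fields, weights, hash function
and the constructed addresses 10.1.1.4 / 10.1.1.5 are assumptions."""
import zlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Server:
    ip: str
    weight: int = 1
    active: int = 0                 # sessions currently assigned (least-connection input)


@dataclass
class DnatRule:
    public_ip: str
    public_port: Optional[int]      # a port = port mapping; None = IP mapping (all ports)
    servers: List[Server]           # one server = plain DNAT; several = load balancing
    algorithm: str = "weighted-hash"
    rr_index: int = 0

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        return dst_ip == self.public_ip and self.public_port in (None, dst_port)

    def _slots(self) -> List[Server]:
        # expand weights into slots: weight 2 gets twice the share of weight 1
        return [s for s in self.servers for _ in range(s.weight)]

    def _choose(self, src_ip: str) -> Server:
        if len(self.servers) == 1:
            return self.servers[0]
        if self.algorithm == "weighted-hash":
            slots = self._slots()            # the same client always lands on the same server
            return slots[zlib.crc32(src_ip.encode()) % len(slots)]
        if self.algorithm == "weighted-round-robin":
            slots = self._slots()
            chosen = slots[self.rr_index % len(slots)]
            self.rr_index += 1
            return chosen
        if self.algorithm == "weighted-least-connection":
            # fewest active sessions relative to weight; ties go to the first server
            return min(self.servers, key=lambda s: s.active / s.weight)
        raise ValueError(f"unknown algorithm {self.algorithm}")

    def translate(self, src_ip: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Translated (server_ip, port) for a new session, or None if the rule does not apply."""
        if not self.matches(dst_ip, dst_port):
            return None
        server = self._choose(src_ip)
        server.active += 1
        return server.ip, dst_port          # the slide's mappings keep the port number


def demo() -> dict:
    """Exercise both mapping modes and all three algorithms on constructed clients."""
    out = {}
    http = DnatRule("202.100.0.2", 80, [Server("10.1.1.2")])
    smtp = DnatRule("202.100.0.2", 25, [Server("10.1.1.4")])          # constructed mail server
    out["port-mapping"] = [http.translate("1.2.3.4", "202.100.0.2", 80),
                           smtp.translate("1.2.3.4", "202.100.0.2", 25),
                           http.translate("1.2.3.4", "202.100.0.2", 25)]  # wrong port: no match
    ip_map = DnatRule("202.100.0.3", None, [Server("10.1.1.5")])       # constructed IP mapping
    out["ip-mapping"] = [ip_map.translate("1.2.3.4", "202.100.0.3", p) for p in (443, 22)]

    def balance(algorithm: str) -> List[str]:
        rule = DnatRule("202.100.0.2", 80,
                        [Server("10.1.1.2", weight=2), Server("10.1.1.3", weight=1)],
                        algorithm=algorithm)
        return [rule.translate(f"1.2.3.{i}", "202.100.0.2", 80)[0] for i in range(6)]

    for alg in ("weighted-hash", "weighted-round-robin", "weighted-least-connection"):
        out[alg] = balance(alg)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The IP-mapping rule forwards port 443 and port 22 alike, which is why a DNAT with service Any must be paired with a policy that only permits the intended services. Weighted round-robin with weights 2:1 yields the sequence 10.1.1.2, 10.1.1.2, 10.1.1.3 repeated; weighted hash keeps one client on one server, which is what makes it the safe default for servers that hold per-client state.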
You can also configure DNAT via the CLI in VRouter configuration mode.
Under global configuration mode, use the command below to enter VRouter
configuration mode:
ip vrouter vrouter-name
If you configure NAT for the default VR (trust-vr), you can use NAT mode
instead (under global configuration mode, use the command nat to enter NAT
configuration mode).
In StoneOS, NAT rules also have a matching sequence, and it is the same as for
policies: the NAT list is matched from top to bottom and the first matching rule
wins, so a broad rule placed above a more specific one shadows it.
After the destination NAT is configured, a corresponding security policy must
still be created to allow access to the published server.
The destination address of that policy must be the virtual address mapped to
the server, usually the public IP address.
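The top-to-bottom matching and the policy check that must follow DNAT, modelled in Python as an added illustration (not StoneOS code). The rule and policy field names, the constructed addresses 10.1.1.5 and zone name untrust, and the default-deny verdict when no policy matches are assumptions of this model.

```python
"""Top-to-bottom DNAT matching followed by the security policy check.
Added illustration, not StoneOS code; rule/policy fields, the constructed
addresses and the default deny are assumptions of the model."""
ANY = "any"


def match_dnat(rules, dst_ip, dst_port):
    """First rule in list order whose public address and service match wins."""
    for rule in rules:
        if rule["to"] == dst_ip and rule["service"] in (ANY, dst_port):
            return rule
    return None


def match_policy(policies, src_zone, dst_ip, dst_port):
    """Policy lookup against the public (mapped) destination address, as the slides require."""
    for pol in policies:
        if (pol["from"] == src_zone and pol["dst"] in (ANY, dst_ip)
                and pol["service"] in (ANY, dst_port)):
            return pol["action"]
    return "deny"                       # nothing matched: default deny (assumed)


def forward(rules, policies, src_zone, dst_ip, dst_port):
    """Return ((server_ip, port), verdict) for an inbound session, or (None, 'no-dnat')."""
    rule = match_dnat(rules, dst_ip, dst_port)
    if rule is None:
        return None, "no-dnat"
    verdict = match_policy(policies, src_zone, dst_ip, dst_port)
    return (rule["trans_to"], dst_port), verdict


def shadowed(rules):
    """Names of rules that can never match because an earlier rule already covers them."""
    hidden = []
    for i, rule in enumerate(rules):
        if any(e["to"] == rule["to"] and e["service"] in (ANY, rule["service"])
               for e in rules[:i]):
            hidden.append(rule["name"])
    return hidden


# Constructed rule list: the IP-mapping rule is (wrongly) placed above the port rule.
RULES = [
    {"name": "ip-map-all", "to": "202.100.0.2", "service": ANY, "trans_to": "10.1.1.5"},
    {"name": "http", "to": "202.100.0.2", "service": 80, "trans_to": "10.1.1.2"},
]
# Policy written against the public address 202.100.0.2, not the server's real address.
POLICIES = [
    {"from": "untrust", "dst": "202.100.0.2", "service": 80, "action": "permit"},
]

if __name__ == "__main__":
    print("shadowed:", shadowed(RULES))
    print("as listed, port 80:", forward(RULES, POLICIES, "untrust", "202.100.0.2", 80))
    print("reordered, port 80:", forward(RULES[::-1], POLICIES, "untrust", "202.100.0.2", 80))
    print("reordered, port 22:", forward(RULES[::-1], POLICIES, "untrust", "202.100.0.2", 22))
```

With the list as written, `shadowed` reports the http rule and port-80 traffic is delivered to 10.1.1.5 rather than the web server, even though the policy permits it; with the order reversed, port 80 reaches 10.1.1.2 and a port-22 request is still translated by the IP-mapping rule but dropped by the policy, which is the check that actually limits exposure.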