
Contents

1 Overview
1.1 Background
1.2 Technical advantages
2 NAT technical implementation
2.1 Basic NAT concepts
2.2 Basic NAT principle
2.3 NAT implementation modes
2.3.1 Static mode
2.3.2 NO-PAT mode
2.3.3 PAT mode
2.3.4 NAT Server mode
2.3.5 Easy IP mode
2.3.6 NAT hairpin
2.4 NAT ALG mechanism
2.4.1 Introduction to the NAT ALG mechanism
2.4.2 Basic concepts
2.4.3 ALG handling of the FTP protocol
2.4.4 ALG handling of the DNS protocol
2.4.5 ALG handling of the ICMP protocol
2.4.6 DNS Mapping
2.5 NAT port reuse
2.6 NAT support for multiple VPN instances
3.1 Private-network hosts accessing public-network servers
3.2 Public-network hosts accessing private-network servers
3.3 Private-network hosts accessing private-network servers by domain name
3.4 Hosts in different VPNs using the same private address to access the public network
4 References

1 Overview

1.1 Background

With the growth of the Internet and of network applications, IPv4 address exhaustion has become a bottleneck for network development. IPv6 can solve the IPv4 address-space shortage at the root, but most network devices and applications in use today are IPv4-based, and IPv6 adoption in practice has been slow. Until IPv6 is widely deployed, that is, during the IPv4-to-IPv6 transition, NAT (Network Address Translation) raises IPv4 address utilization, keeps services running smoothly, and buys time for IPv6 deployment.

1.2 Technical advantages
As a transitional solution, NAT meets the demand for IP addresses by reusing them, which relieves some of the pressure of address-space exhaustion. Its advantages are:

• Internal communication can use private addresses; when a host needs to communicate with or access external resources, its private address is translated to a public address.
• By combining a public address with port numbers, many private users can share a single public address.
• Through static mappings, different internal servers can be mapped to the same public address. External users reach each internal server through the public address and a port, while the servers' real IP addresses stay hidden, which makes it harder for outsiders to attack the internal servers and, through them, the internal network. Note that this hiding covers only what is not mapped: a service published through a mapping is reachable from outside exactly as it would be on a public address, so NAT on its own is not a substitute for access control on the NAT device.
• Simpler network management: a private server can be migrated just by changing the address-mapping table, and changes to the internal network are easy to accommodate.

2 NAT technical implementation

2.1 Basic NAT concepts

The basic NAT concepts are:

• NAT device: the edge device connecting the internal and external networks on which NAT is configured.
• NAT rule: the NAT configuration used to perform address translation.
• NAT address: a public IP address used for translation, reachable by routing from the external network; it can be statically specified or dynamically assigned.
• NAT entry: an entry on the NAT device that records an address-translation mapping.
• Easy IP: using the IP address of an interface on the device directly as the NAT address. The interface address can be statically configured or obtained dynamically through DHCP.

2.2 Basic NAT principle

When a packet from the internal network to the external network passes through the NAT device, the device replaces the packet's source IP address with a legitimate public address and records the translation. When the reply returns from the external side, the device looks up that record, rewrites the destination address back to the original private address, and forwards the packet to the internal host. The process is transparent to devices on both the private and the public side. With this basic translation, large numbers of internal hosts no longer need public IP addresses of their own.

2.3 NAT implementation modes

2.3.1 Static mode

In static translation the mapping between external and internal addresses is fixed by configuration: one public IP address corresponds uniquely to one internal host. This mode suits networks with a fixed access requirement between the internal and external networks. Static translation supports access in both directions: internal users can initiate connections to the external network, and external users can initiate connections to the internal network.

2.3.2 NO-PAT mode

NO-PAT is one-to-one translation: only the IP address is translated, TCP/UDP port numbers are left untouched, and a public IP address cannot be used by more than one user at the same time.

As shown in Figure 2-1, NO-PAT processing proceeds as follows:

(1) The NAT device receives a packet from a private-side host destined for a public-side server.
(2) The NAT device selects a free public IP address from the address pool, creates a NAT entry mapping it to the packet's source IP address, translates the packet according to that entry, and sends it to the public side.
(3) The NAT device receives the reply from the public side
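The following Python model is an added example, not code from this white paper or from any vendor implementation. It implements the translation table described in 2.2 together with the static mode of 2.3.1 and the NO-PAT procedure of 2.3.2 (steps (1) to (3)), and for contrast a minimal PAT that allocates public ports, which the excerpt above mentions only in 1.2. The packet fields, addresses, pool contents and class names are assumptions chosen for illustration; a real NAT device additionally ages entries and tracks protocol state, which the model omits.

```python
"""Model of the NAT translation table (2.2) with static (2.3.1), NO-PAT (2.3.2)
and, for contrast, PAT.  Added example, not the white paper's own code; packet
fields, addresses, pool and class names are assumed for illustration."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:                      # only the header fields NAT rewrites
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StaticNat:
    """2.3.1: mapping fixed by configuration; either side may start a flow."""
    def __init__(self, mapping: Dict[str, str]):
        self.out = dict(mapping)                                  # private -> public
        self.back = {pub: priv for priv, pub in mapping.items()}  # public -> private

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        pub = self.out.get(pkt.src_ip)
        return replace(pkt, src_ip=pub) if pub else None

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        priv = self.back.get(pkt.dst_ip)          # no prior outbound flow required
        return replace(pkt, dst_ip=priv) if priv else None


class NoPatNat:
    """2.3.2: dynamic one-to-one; IP rewritten, ports untouched, and a pool
    address is held by one private host until the entry is released."""
    def __init__(self, pool: List[str]):
        self.free = list(pool)
        self.out: Dict[str, str] = {}             # private -> public
        self.back: Dict[str, str] = {}            # public -> private

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        pub = self.out.get(pkt.src_ip)            # step (1): packet from private host
        if pub is None:
            if not self.free:
                return None                       # pool exhausted: packet cannot be translated
            pub = self.free.pop(0)                # step (2): take free address, record entry
            self.out[pkt.src_ip] = pub
            self.back[pub] = pkt.src_ip
        return replace(pkt, src_ip=pub)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        priv = self.back.get(pkt.dst_ip)          # step (3): look up entry, restore address
        return replace(pkt, dst_ip=priv) if priv else None

    def release(self, priv_ip: str) -> None:      # entry aged out: address back to pool
        pub = self.out.pop(priv_ip, None)
        if pub:
            del self.back[pub]
            self.free.append(pub)


class PatNat:
    """Many-to-one: (private ip, port) -> (public ip, allocated port), so one
    public address serves many hosts; contrast with NO-PAT above."""
    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip, self.next_port, self.last_port = public_ip, first_port, last_port
        self.out: Dict[Tuple[str, int], int] = {}
        self.back: Dict[int, Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.src_ip, pkt.src_port)
        port = self.out.get(key)
        if port is None:
            if self.next_port > self.last_port:
                return None                       # port range exhausted
            port, self.next_port = self.next_port, self.next_port + 1
            self.out[key], self.back[port] = port, key
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.back:
            return None                           # unsolicited inbound: no entry, not forwarded
        priv_ip, priv_port = self.back[pkt.dst_port]
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)


def demo() -> dict:
    """NO-PAT with a two-address pool: third host gets nothing; PAT shares one address."""
    nopat, srv = NoPatNat(["203.0.113.10", "203.0.113.11"]), "198.51.100.5"
    out = [nopat.outbound(Packet(f"10.0.0.{i}", 40000 + i, srv, 80)) for i in (1, 2, 3)]
    reply = nopat.inbound(Packet(srv, 80, "203.0.113.10", 40001))
    stray = nopat.inbound(Packet(srv, 80, "203.0.113.99", 40001))
    pat = PatNat("203.0.113.20")
    pat_out = [pat.outbound(Packet(f"10.0.0.{i}", 40000, srv, 80)) for i in (1, 2)]
    return {"nopat": out, "reply": reply, "stray": stray, "pat": pat_out}
```

Two behaviours worth noticing in the model: under NO-PAT the third private host gets no translation at all once the two-address pool is in use, which is the practical meaning of "one public address cannot be used by more than one user at the same time", whereas PAT hands both hosts the same public address and distinguishes them only by the allocated port. In both dynamic modes an inbound packet that matches no entry is dropped, while the static mapping forwards it, which is why static mode is the one that "supports access in both directions".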