NAT protocol. What is NAT? Instructions for setting up NAT. Zyxel router port redirection object selection

You may need to assign a permanent, static IP address to the PlayStation 4 in order to obtain a NAT Type 2 connection. A permanent IP address ensures that the console always keeps the same internal IP, even after a reboot. Some routers let you assign an IP address manually, so first check whether your router offers such an option. If not, you can configure a static IP through the PS4 console menu.

This manual is divided into two parts. Read it from beginning to end.

How to manually configure a static IP address on PlayStation 4 through the router

Find in your router the option for assigning IP addresses manually. Not all routers support this feature, and the configuration process differs depending on the router model. If your router allows manual IP assignment, simply assign a permanent IP to the PlayStation 4; no changes in the console's own settings are needed. The router will itself hand the PS4 an internal IP that behaves identically to a static one.

If your router does not support manual IP assignment, you will have to do the settings through the PS4 console. To do this, follow the instructions below:

  1. You can permanently tie the PS4 to the IP address it uses now. To find this IP, turn on the PS4 and do the following:

Write down the IP and MAC address of the PS4 on a piece of paper. You will also need the IP address of your router, which is listed as the default gateway (Default Gateway). How to find it is described in the next step of this manual.

  2. On a computer, open the router settings (this is done in a browser by entering the router's IP, for example 192.168.1.1, 192.168.1.0 or 192.168.0.1). You will need to permanently assign to the PS4 the IP address you wrote down in step 1.

Below is a screenshot with an example of a router that allows IP addresses to be assigned manually.

In this ASUS router there are fields for entering the IP address, after which the MAC address is selected from a drop-down menu. Use the addresses you wrote down in step 1 of this manual. In our example, after entering the numbers, you must click the Add button.

Some routers do not allow assigning IP addresses that fall inside the router's DHCP range (the range of addresses the router hands out automatically to the devices on your network). If this is your case, you will need to choose an IP address outside the router's DHCP range. How to do this is described in steps 2-4 of the next section of this manual ("How to set up a static IP address in PS4").

  3. After you have tied the PS4 to the chosen IP address, test the console's connection to make sure everything works. To run the connection test, do the following:

If the check completes successfully, you will see the message "Internet Connection Successful".

  4. Opening ports, or port forwarding, in your router means redirecting the traffic that arrives on the forwarded ports to a specific internal IP address. To get a NAT Type 2 connection, you need to forward the following ports to the IP address of the PS4 console:
  • TCP: 80, 443, 1935, 3478-3480
  • UDP: 3478-3479.

More detailed information about how to do it, there is

  5. After you have assigned a permanent IP address to the PS4 and forwarded the ports in the router, check the Internet connection. How to do this is described in step 3 of this manual.

Congratulations, your connection should now be NAT Type 2.

If you did not manage to get a NAT Type 2 connection, check that you have done everything correctly. Re-check the values you entered in the IP address and MAC address fields.

If the difficulties with NAT Type 2 remain, check whether the network is set up correctly. You may have more than one router on the local network. To determine the number of routers on the network, you can use the free program Router Detector. It is very important that there is only one router on the network, otherwise setting up the network without unnecessary headaches is quite difficult.

How to set up a static IP address in PS4

If you have a router in which internal IP addresses cannot be assigned manually, follow these steps to configure a permanent IP on the PS4:

  1. Find out which IP address, subnet mask, gateway and DNS the PS4 currently uses. To do this, follow the instructions below:

Write down the IP address, subnet mask, gateway, and the primary and secondary DNS (Primary DNS and Secondary DNS). You will need to enter all these numbers into the console a little later.

  2. Next, open the router settings from the PC.

To open the router settings, type its IP address in the browser's address bar. You can find this IP in the list of addresses you wrote down in step 1: the router's IP is the default gateway address (Default Gateway).

If you cannot figure out how to get into the router settings, visit this page. Select your router model and read how to open its settings.

You need to look at the DHCP address range that the router uses to assign IP addresses automatically to the devices on the network.

Below is a screenshot showing how the line with this range should look. A Linksys router menu is used; the DHCP range is circled in red.

  3. You will need to choose a number between 2 and 254 that lies outside the DHCP range, to assign as the IP of your console.

In the example above, the Linksys router uses the range 100 to 149 to assign IP addresses to devices on the internal network. In this case you can choose, for example, the number 31, and the full IP address of the PS4 will then be 192.168.0.31. Here are a few more examples to make it clearer:

  • If the DHCP range is 200-254, you can choose a number from 2 to 50
  • If the router uses the range 50-200, then from 2 to 49

  4. To check whether the IP you chose can be used, do the following:
  • Through the "Start" menu, open "Run"
  • Enter the command "CMD" without quotes and press ENTER
  • A black window should appear
  • In the input line, enter "ping IP". For example: ping 192.168.1.54
  • Press ENTER.

If the IP address does not respond to ping, that is, packets are sent to it but no reply comes back, then this IP suits you: it is free. If replies come back, the IP is currently in use, so you need to choose another, free address. Below is an example of an IP address that is already in use.
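The address selection and ping check from steps 3 and 4, as an added example that is not part of the original guide: the function names and the sample ping outputs are constructed, and the DHCP figures (100-149, 200-254) are the guide's own. It also handles the case where Windows prints "Destination host unreachable" from your own address, which is not a reply from the target.

```python
"""Choose a static address outside the router's DHCP range and interpret the
ping result. Added example; function names and sample outputs are constructed."""
import ipaddress


def candidate_hosts(dhcp_start, dhcp_end, reserved=(1,)):
    """Host numbers 2..254 that lie outside the DHCP range and are not reserved."""
    return [h for h in range(2, 255)
            if not dhcp_start <= h <= dhcp_end and h not in reserved]


def candidate_addresses(gateway, dhcp_start, dhcp_end):
    """Full dotted addresses on the gateway's /24, skipping the gateway itself."""
    net = ipaddress.ip_network(f"{gateway}/24", strict=False)
    gw_host = int(ipaddress.ip_address(gateway)) - int(net.network_address)
    return [str(net.network_address + h)
            for h in candidate_hosts(dhcp_start, dhcp_end, reserved=(gw_host,))]


def ping_verdict(target, ping_output):
    """'in use' if the target itself replied, 'free' if only timeouts came back.

    Windows prints "Reply from <your own IP>: Destination host unreachable." for
    an address nobody answers for; that line is not a reply from the target.
    """
    for line in ping_output.splitlines():
        line = line.strip()
        if line.startswith(f"Reply from {target}:") and "unreachable" not in line:
            return "in use"
    return "free"


# Constructed sample outputs in the format of the Windows ping command.
PING_IN_USE = """Pinging 192.168.1.54 with 32 bytes of data:
Reply from 192.168.1.54: bytes=32 time<1ms TTL=64
Reply from 192.168.1.54: bytes=32 time<1ms TTL=64
"""
PING_FREE = """Pinging 192.168.1.54 with 32 bytes of data:
Request timed out.
Reply from 192.168.1.20: Destination host unreachable.
"""

if __name__ == "__main__":
    print(candidate_addresses("192.168.0.1", 100, 149)[:5])
    print(ping_verdict("192.168.1.54", PING_IN_USE), ping_verdict("192.168.1.54", PING_FREE))
```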

  5. Next you need to set the chosen IP address on the PS4.
  • In the main menu, select "Settings"
  • Then Network
  • Set Up Internet Connection
  • Select Wi-Fi or LAN, depending on how the console is connected to the Internet.
  • On the "How Do You Want to Set Up the Internet Connection" screen, select "Custom"
  • On the "IP Address Settings" screen, select "Manual"
  • Select IP Address

Now do the following:


If you performed all the actions described above exactly, the static IP will be configured correctly. If any problems arise, check the correctness of what you entered, in particular the numbers you typed in the IP address, gateway and DNS fields. To double-check, open the PS4 main menu and select Settings => Network => View network status.


If you are reading this document, you are most likely connected to the Internet and using network address translation (NAT) right now! The Internet has grown larger than anyone could have imagined. Although its exact size is unknown, the current estimate is approximately 100 million hosts and more than 350 million users actively working on the Internet. In fact, the growth rate is such that the Internet effectively doubles in size every year.

Introduction

For a computer to communicate with other computers and web servers on the Internet, it must have an IP address. An IP address (IP stands for Internet Protocol) is a unique 32-bit number that identifies the location of your computer on the network. It works much like your street address: a way to find out exactly where you are and deliver information to you. Theoretically there can be 4,294,967,296 unique addresses (2^32). The actual number of available addresses is smaller (somewhere between 3.2 and 3.3 billion) because of the way addresses are divided into classes and because some addresses are set aside for multicast, testing or other specific needs. With the growth of home and business networks, the number of available IP addresses is no longer enough. The obvious solution is to redesign the address format to allow more possible addresses. This is what the IPv6 protocol is being developed for, but its deployment will take several years because it requires modifying the entire Internet infrastructure.

This is where NAT comes to the rescue. Basically, network address translation allows a single device, such as a router, to act as an agent between the Internet (or "public network") and a local (or "private") network. This means that only one unique IP address is required to represent an entire group of computers to anything outside their network. The shortage of IP addresses is only one reason to use NAT. The two other major reasons are security and administration.

You will learn how to benefit from NAT, but first let's get acquainted with NAT more closely and see what it can do.

Masquerading

NAT is similar to the receptionist of a large office. Suppose you have told the receptionist not to forward any calls to you until you ask. Later you call a potential client and leave a message asking them to call you back. You tell the receptionist that you expect a call from this client and that the call should be put through. The client calls the main number of your office, which is the only number they know. When the client tells the receptionist who they are looking for, the receptionist checks the employee list to find your name and extension number. The receptionist knows that you have requested this call, so the caller is put through to your phone.

Network address translation, a technology developed by Cisco, is used by a device (firewall, router or computer) that sits between the internal network and the rest of the world. NAT has many forms and can work in several ways:

Static NAT - maps an unregistered IP address to a registered IP address on a one-to-one basis. Especially useful when a device must be reachable from outside the network.

In static NAT, a computer with the address 192.168.32.10 will always be translated to the address 213.18.123.110:

Dynamic NAT - maps an unregistered IP address to a registered address taken from a group of registered IP addresses. Dynamic NAT also establishes a direct one-to-one mapping between an unregistered and a registered address, but the mapping may vary depending on which registered address in the pool is available at the time of communication.

In dynamic NAT, a computer with the address 192.168.32.10 is translated to the first available address in the range 213.18.123.100 to 213.18.123.150.

Overloading - a form of dynamic NAT that maps several unregistered addresses to a single registered IP address by using different ports. Also known as PAT (Port Address Translation).

With overloading, each computer on the private network is translated to the same address (213.18.123.100) but with a different port number.

Overlapping - when the IP addresses used on your internal network are also used on another network, the router must keep a lookup table for these addresses so that it can intercept them and replace them with registered unique IP addresses. It is important to note that the NAT router must translate the "internal" addresses to registered unique addresses, and must also translate the "external" registered addresses to addresses that are unique within the private network. This can be done either through static NAT, or by using DNS and implementing dynamic NAT.

Example:
The internal IP range (237.16.32.xx) is also a registered range used by another network. Therefore the router translates the addresses to avoid a potential conflict. It also translates the registered global IP addresses back to unregistered local addresses when packets are sent into the internal network.

The internal network is usually a LAN (local area network), most often called a stub domain. A stub domain is a LAN that uses internal IP addresses. Most network traffic in such a domain is local; it does not leave the internal network. The domain may include both registered and unregistered IP addresses. Of course, any computers that use unregistered IP addresses must use NAT to communicate with the rest of the world.

NAT can be configured in various ways. In the example below, the NAT router is configured to translate the unregistered IP addresses (inside local addresses) that reside on the private (internal) network to registered IP addresses. This happens whenever a device on the inside with an unregistered address needs to communicate with the external network.

The ISP assigns a range of IP addresses to your company. The assigned block consists of unique registered IP addresses, called inside global addresses (Inside Global). The unregistered private IP addresses are divided into two groups: a small group, the outside local addresses (Outside Local), is used by the NAT routers, and the main group, used within the stub domain, is known as the inside local addresses (Inside Local). The outside local addresses are used to translate the unique IP addresses, known as outside global addresses (Outside Global), of devices on the public network.
NAT translates only the traffic that passes between the internal and external network and is defined for translation. Any traffic that does not match the translation criteria, or that passes between other interfaces on the router, is never translated and is forwarded as is.

IP addresses have different designations depending on whether they are on the private network (the stub domain) or on the public network (the Internet), and on whether the traffic is incoming or outgoing:

  • Most computers in the stub domain communicate with each other using inside local addresses.
  • Some computers in the stub domain communicate with the outside network. These computers have inside global addresses, which means they do not require translation.
  • When a computer in the stub domain that has an inside local address wants to communicate with the outside network, the packet goes to one of the NAT routers by ordinary routing.
  • The NAT router checks its routing table to see whether it has an entry for the destination address. If the destination address is not in the routing table, the packet is dropped. If an entry is present, the router checks whether the packet is travelling from the internal network to the external one, and whether it matches the criteria defined for translation. The router then checks the address translation table for an entry for the inside local address and its corresponding inside global address. If an entry is found, it translates the packet using the inside global address. If only static NAT is configured and no entry is found, the router sends the packet on without translation.
  • Using the inside global address, the router forwards the packet to its destination.
  • A computer on the public network sends a packet to the private network. The source address in the packet is an outside global address. The destination address is an inside global address.
  • When the packet arrives on the external interface, the NAT router looks in the translation table and determines which computer in the stub domain the destination address is mapped to.
  • The NAT router translates the packet's inside global address to the inside local address and then checks the routing table before sending the packet to the destination computer. Whenever no entry is found for the address in the translation table, the packet is not translated and the router simply continues to look up the destination address in the routing table.

NAT overloading uses a feature of the TCP/IP protocol stack called multiplexing, which allows a computer to maintain several parallel connections with remote computers using different TCP or UDP ports. An IP packet has a header that contains the following information:

  • Source address - the IP address of the originating computer, for example 201.3.83.132.
  • Source port - the TCP or UDP port number assigned by the originating computer to this packet, for example port 1080.
  • Destination address - the IP address of the receiving computer, for example 145.51.18.223.
  • Destination port - the TCP or UDP port number that the originating computer asks the receiver to open, for example port 3021.

The IP addresses identify the two machines on each side, while the port numbers ensure that the connection between these two computers has a unique identifier. The combination of these four numbers defines a single TCP/IP connection. Each port number uses 16 bits, which means there are 65,536 (2^16) possible values. In practice, since different manufacturers map ports slightly differently, you can expect approximately 4,000 available ports.

Examples of dynamic NAT and NAT with overloading

The picture below shows how dynamic NAT works.

Click one of the green buttons to send a packet that successfully passes into or out of the internal network. Press one of the red buttons to send a packet that will be dropped by the router because of an unacceptable address.

  • The internal network was set up with IP addresses that were not specifically assigned to this company by IANA (the Internet Assigned Numbers Authority), the global body that distributes IP addresses. Such addresses should be considered non-routable, since they are not unique. These are inside local addresses.
  • The company sets up a router with NAT. The router has a range of unique IP addresses issued to the company. These are inside global addresses.
  • A computer on the LAN tries to connect to a computer outside the network, such as a web server.
  • The router receives the packet from the computer on the LAN.
  • After checking the routing table and the translation criteria, the router stores the computer's non-routable address in the address translation table. The router replaces the sender's non-routable address with the first available IP address from the range of unique addresses. The translation table now holds a mapping of the computer's non-routable IP address to one of the unique IP addresses.
  • When a packet returns from the destination computer, the router checks the destination address in the packet. It then looks in the address translation table to find which computer in the stub domain the packet belongs to. It changes the destination address to the one stored earlier in the translation table and sends the packet to the right computer. If the router finds no match in the table, it drops the packet.
  • The computer receives the packet from the router and the whole process repeats for as long as the computer communicates with the external system.

With NAT overloading:

  • The internal network was set up with non-routable IP addresses that were not specifically assigned to the company.
  • The company sets up a router with NAT. The router has a single unique IP address issued by IANA.
  • A computer in the stub domain tries to connect to a computer outside the network, such as a web server.
  • The router receives the packet from the computer in the stub domain.
  • After routing and checking the packet against the translation criteria, the router stores the computer's non-routable IP address and port number in the translation table. The router replaces the sender's non-routable IP address with the router's own IP address. The router replaces the sender's source port with a certain random port number and stores it in the address translation table for this sender. The translation table now holds a mapping of the computer's non-routable IP address and port number together with the router's IP address.
  • When a packet returns from the destination, the router checks the destination port in the packet. It then looks in the translation table to find which computer in the stub domain the packet is for. Next, the router changes the destination address and destination port to the values previously stored in the translation table and sends the packet to the end node.
  • The computer receives the packet from the router and the process repeats.
  • Since the NAT router now has the computer's source address and source port stored in the translation table, it will continue to use the same port number for subsequent connections. Each time the router refers to the entry in the translation table, the entry's lifetime timer is reset. If the entry is not referred to again before the timer expires, it is removed from the table.

The number of simultaneous translations the router will support is determined mainly by the amount of DRAM (dynamic random access memory). Since a typical translation table entry occupies approximately 160 bytes, a router with 4 MB of DRAM can theoretically handle 26,214 simultaneous connections, which is more than enough for most applications.
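The two walk-throughs above (dynamic NAT with a pool, and overloading with one address and many ports) as a runnable simulation. This is an added example, not code from the original article: the addresses 192.168.32.x and 213.18.123.100-101 reuse the article's figures, while the class names, the idle timeout and the starting port are my own assumptions.

```python
"""Simulation of dynamic NAT and NAT overloading (PAT) translation tables.
Added example; NatRouter, Entry, IDLE_TIMEOUT and FIRST_PAT_PORT are assumed names/values."""
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 300.0    # seconds an entry survives without traffic (assumed value)
FIRST_PAT_PORT = 49152  # first port handed out by the overloading router (assumed)


@dataclass
class Entry:
    inside_local: tuple    # (ip, port) in the stub domain; port is None for dynamic NAT
    inside_global: tuple   # (ip, port) shown to the Internet; port is None for dynamic NAT
    last_used: float       # last time the entry was hit; hits reset the lifetime timer


class NatRouter:
    """Translation table for dynamic NAT (one pool address per host) or overloading."""

    def __init__(self, pool, overload=False, clock=time.monotonic):
        self.pool = list(pool)      # registered (inside global) addresses
        self.overload = overload
        self.clock = clock          # injectable so the entry timer can be simulated
        self.by_local = {}
        self.by_global = {}
        self.next_port = FIRST_PAT_PORT

    def _key(self, ip, port):
        # Overloading tracks (address, port); dynamic NAT tracks the address only.
        return (ip, port) if self.overload else (ip, None)

    def _expire(self):
        """Remove entries whose lifetime timer ran out without being refreshed."""
        cutoff = self.clock() - IDLE_TIMEOUT
        for key, entry in list(self.by_local.items()):
            if entry.last_used < cutoff:
                del self.by_local[key]
                del self.by_global[entry.inside_global]

    def _allocate(self):
        if self.overload:
            # Same registered address for everyone, distinguished by a fresh port.
            port, self.next_port = self.next_port, self.next_port + 1
            return (self.pool[0], port)
        # Dynamic NAT: first registered address not already mapped to a host.
        in_use = {ip for ip, _ in self.by_global}
        for ip in self.pool:
            if ip not in in_use:
                return (ip, None)
        return None                 # pool exhausted: the packet cannot be translated

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet leaving the stub domain. Returns the rewritten 4-tuple, or None."""
        self._expire()
        key = self._key(src_ip, src_port)
        entry = self.by_local.get(key)
        if entry is None:
            glob = self._allocate()
            if glob is None:
                return None
            entry = Entry(key, glob, self.clock())
            self.by_local[key] = entry
            self.by_global[glob] = entry
        entry.last_used = self.clock()       # every hit resets the entry's timer
        g_ip, g_port = entry.inside_global
        return (g_ip, g_port if self.overload else src_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Reply arriving from the Internet. Returns the rewritten 4-tuple, or None (dropped)."""
        self._expire()
        entry = self.by_global.get(self._key(dst_ip, dst_port))
        if entry is None:
            return None                      # no table entry: unsolicited, dropped
        entry.last_used = self.clock()
        l_ip, l_port = entry.inside_local
        return (src_ip, src_port, l_ip, l_port if self.overload else dst_port)


class FakeClock:
    """Controllable clock so the example can show the entry timer expiring."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    pat = NatRouter(["213.18.123.100"], overload=True, clock=clock)
    print(pat.outbound("192.168.32.10", 1080, "145.51.18.223", 80))
    print(pat.outbound("192.168.32.11", 1080, "145.51.18.223", 80))
    print(pat.inbound("145.51.18.223", 80, "213.18.123.100", 49153))
    clock.now += IDLE_TIMEOUT + 1
    print(pat.inbound("145.51.18.223", 80, "213.18.123.100", 49153))  # None: entry expired
```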

Security and Administration

Implementing dynamic NAT automatically creates a firewall between your internal network and outside networks or the Internet. Dynamic NAT allows only connections that originate on the local network. Essentially, this means that a computer on an external network cannot connect to your computer unless your computer initiated the connection. So you can browse the Internet, connect to a site, and even download a file. But no one else can simply latch onto your IP address and use it to connect to a port on your computer.

Static NAT, also called inbound mapping, allows connections initiated by external devices to computers on the LAN under certain circumstances. For example, you can map an inside global address to a specific inside local address assigned to your web server.

Static NAT allows a computer on the LAN to keep a specific address when communicating with devices outside the network:

Some NAT routers provide extensive filtering and traffic logging. Filtering lets your company control which sites on the network employees visit, preventing them from viewing questionable material. You can use traffic logging to record which sites are visited and generate various reports on that basis.

Network address translation is sometimes confused with proxy servers, but there are definite differences. NAT is transparent to the source and destination computers: neither knows that it is dealing with a third device. A proxy server is not transparent. The source computer knows that it is making a request through a proxy. The destination computer thinks the proxy server is the source computer and deals with it directly. In addition, proxy servers usually work at layer 4 (Transport) of the OSI model or higher, while NAT is a layer 3 (Network) protocol. Working at higher layers makes proxy servers slower than NAT devices in most cases.

The real benefit of NAT is evident in network administration. For example, you can move your web server or FTP server to another computer without worrying about broken connections. Simply change the inbound mapping in the router to the new inside local address to reflect the new host. You can also make changes to your internal network freely, since any external IP address either belongs to the router or to the pool of global addresses.

Network address translation (NAT) is a method of remapping one address space into another by modifying the address information in packet headers while they are in transit through a traffic routing device. This method was originally used simply to redirect traffic in IP networks without renumbering every host. It has become a popular and essential tool for conserving and sharing the global address space in the face of IPv4 address exhaustion.

NAT - What is it?

The original use of network address translation was to map each address in one address space to a corresponding address in another space. For example, this is necessary if the Internet service provider has changed and the user cannot publicly announce a new route to the network. Given the foreseeable global exhaustion of the IP address space, NAT technology has been used increasingly since the end of the 1990s in combination with IP masquerading (a method for hiding multiple IP addresses behind one). This mechanism is implemented in a routing device that uses translation tables to store state, maps the "hidden" addresses to a single IP address, and rewrites outgoing IP packets on their way out so that they appear to originate from the routing device. Incoming replies are mapped back to the original IP address using the rules stored in the translation tables. The translation table rules, in turn, are cleared after a short period unless new traffic refreshes their state. Such is the basic mechanism of NAT. What does it mean in practice?

This method allows communication through the router only when the connection originates inside the masqueraded network, since that is what creates the translation table entries. For example, a web browser inside such a network can view a site outside it, but a browser outside cannot open a resource located inside. Nevertheless, most NAT devices today allow translation table entries to be configured for permanent use. This function is often referred to as static NAT or port forwarding, and it allows traffic originating on the "outside" network to reach designated hosts inside the masqueraded network.

Because of the popularity of this method for conserving the IPv4 address space, the term NAT (in the sense described above) has become practically synonymous with masquerading.

Since network address translation modifies the address information in IP packets, it has serious consequences for the quality of Internet connectivity and requires close attention to the details of its implementation.

NAT implementations differ from each other in their specific behaviour in the various cases that affect network traffic.

Basic NAT

The simplest type of network address translation provides one-to-one translation of IP addresses. RFC 2663 refers to this as basic NAT. In this type, only the IP addresses and the IP header checksum are changed. Basic NAT can be used to connect two IP networks that have incompatible addressing.

What is NAT in a "one-to-many" connection?

Most NAT varieties are able to map several private hosts to one publicly designated IP address. In a typical configuration, the local network uses one of the designated "private" IP address subnets (RFC 1918). The router on this network has a private address in that space.

The router also connects to the Internet using a "public" address assigned by the provider. As traffic passes from the local network to the Internet, the source address in each packet is translated on the fly from the private address to the public one. The router keeps basic data about each active connection (in particular, the destination address and port). When a reply returns to it, it uses the connection data saved during the outbound stage to determine the private address on the internal network to which the reply should be sent.

One advantage of this functionality is that it is a practical solution to the impending exhaustion of the IPv4 address space. Even large networks can be connected to the Internet using a single IP address.

All packet datagrams on IP networks have two IP addresses: source and destination. Typically, packets passing from the private network to the public network have their source address changed, while packets passing from the public network back to the private one have their destination address changed. More complex configurations are also possible.

Features

Configuring NAT has some peculiarities. To avoid difficulty in translating returning packets, further modifications to them are required. The vast majority of Internet traffic uses the TCP and UDP protocols, and their port numbers are changed so that the combination of IP address and port number maps unambiguously back when the data flows in the reverse direction.

Protocols not based on TCP and UDP require other translation methods. The Internet Control Message Protocol (ICMP), as a rule, relates the transmitted data to an existing connection. This means that such packets must be mapped using the same IP address and port numbers that were established initially.

What should I consider?

Configuring NAT on a router does not give it end-to-end connectivity. Therefore such routers cannot participate in some Internet protocols. Services that require TCP connections to be initiated from the external network, or that use stateless protocols, may be unavailable. Unless the NAT router makes a special effort to support such protocols, incoming packets cannot reach their destination. Some protocols can accommodate one translation between the participating hosts ("passive FTP mode", for example), sometimes with the help of an application-level gateway, but the connection will not be established when both systems are separated from the Internet by NAT. Using network address translation also complicates "tunneling" protocols such as IPsec, since it changes values in the headers that are covered by integrity checks.

Existing problem

End-to-end connectivity has been a basic principle of the Internet since its inception. The current state of the network shows that NAT violates this principle. Specialists have serious concerns about the universal use of NAT in IPv6 networks, and the question is raised of how to eliminate it effectively.

Because of the short-lived nature of the tables that hold translation state in NAT routers, devices on the internal network lose IP connectivity, as a rule, after a very short period. When speaking about what NAT is in a router, this circumstance must not be forgotten. It seriously reduces the operating time of compact battery-powered devices.

Scalability

In addition, when using NAT, only ports are tracked, which can be quickly exhausted by internal applications that use many simultaneous connections (for example, HTTP requests for web pages with a large number of embedded objects). This problem can be mitigated by tracking the destination IP address in addition to the port (so that one local port is shared among a large number of remote hosts).

Some difficulties

Since all internal addresses are masked behind one publicly available address, it becomes impossible for external hosts to initiate a connection to a specific internal node without special configuration on the firewall (which must redirect connections on a specific port). Applications such as IP telephony, video conferencing and similar services must use NAT traversal methods to function normally.

Reverse address and port translation (RAPT) allows a host whose real IP address changes from time to time to remain reachable as a server via a fixed IP address on the home network. In principle, this should allow servers to be configured so that connections are kept. Although it is not a perfect solution to the problem, it can be another useful tool in the network administrator's arsenal when working out how to configure NAT on a router.

Port Address Translation (PAT)

Cisco's implementation of RAPT is Port Address Translation (PAT), which maps several private IP addresses onto one public address. Several addresses can be mapped onto one because each of them is tracked by port number. PAT uses unique source port numbers on the inside global IP address to tell the translations apart. Port numbers are 16-bit integers, so the total number of internal addresses that can be translated to one external address is theoretically 65536; the real number of ports that can be assigned to a single IP address is about 4000. As a rule, PAT tries to preserve the original source port. If it is already in use, PAT assigns the first available port number, starting from the beginning of the corresponding group: 0-511, 512-1023 or 1024-65535. When no ports are left and more than one external IP address is configured, PAT moves on to the next address and again tries to allocate the original port. This process continues until it runs out of ports and external addresses.

Mapping of Address and Port (MAP) is a Cisco proposal that combines address-plus-port translation with tunneling of IPv4 packets over an ISP's internal IPv6 network. In effect it is an alternative to Carrier-Grade NAT and DS-Lite that supports IPv4 address/port translation (and therefore NAT configuration). It thus avoids the problems of setting up and maintaining connection state and also provides a transition mechanism for deploying IPv6.

Translation methods

There are several ways to implement network address and port translation. In some application protocols that carry IP addresses in their payload, an application running on a node behind NAT needs to learn the external address of the NAT (the address seen at the other end of the connection), and often it also has to discover and classify the type of translation in use. This is usually done so that a direct channel can be created between two clients that both sit behind separate NATs (either to avoid relaying all data through a server or to improve performance).

For this purpose RFC 3489 was published in 2003, specifying a protocol for Simple Traversal of UDP through NATs (STUN). It is now obsolete, because its methods proved insufficient to correctly assess the behaviour of many devices. Newer methods were standardized in RFC 5389 in October 2008; that specification is called Session Traversal Utilities for NAT and keeps the acronym STUN.
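As an added illustration (not part of the original article and not code from any STUN implementation), the following Python carries out a STUN Binding exchange in the RFC 5389 wire format between a client and a server in one process. The NAT itself is not modelled: the server is simply told which public source endpoint it observed, which is exactly what a real server would see after the NAT rewrote the packet. The client checks the magic cookie and transaction id and decodes the XOR-MAPPED-ADDRESS attribute. All addresses are constructed from the RFC 5737 documentation ranges.

```python
"""STUN Binding request/response (RFC 5389 framing), run in-process.

Added example, not the article's code. No network I/O: the 'NAT' is the
constructed public endpoint that server_handle() is told it observed.
"""
import os
import socket
import struct
from typing import Dict, Tuple

MAGIC_COOKIE = 0x2112A442          # fixed value in every RFC 5389 header
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020        # attribute type
FAMILY_IPV4 = 0x01


def build_binding_request() -> bytes:
    """20-byte header: type, attribute length, magic cookie, 96-bit transaction id."""
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, os.urandom(12))


def parse_header(msg: bytes) -> Tuple[int, int, bytes]:
    """Validate framing and return (type, attribute length, transaction id)."""
    if len(msg) < 20:
        raise ValueError("STUN message shorter than the header")
    mtype, length, cookie, tid = struct.unpack("!HHI12s", msg[:20])
    if cookie != MAGIC_COOKIE or len(msg) != 20 + length:
        raise ValueError("not an RFC 5389 STUN message")
    return mtype, length, tid


def xor_mapped_address(ip: str, port: int) -> bytes:
    """XOR-MAPPED-ADDRESS value: port XOR top 16 bits of the cookie, address XOR cookie."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    return struct.pack("!BBHI", 0, FAMILY_IPV4, xport, xaddr)


def server_handle(request: bytes, observed_src: Tuple[str, int]) -> bytes:
    """Server side: echo the transaction id and report the source endpoint it
    actually saw, i.e. the NAT's public mapping for this client."""
    mtype, _, tid = parse_header(request)
    if mtype != BINDING_REQUEST:
        raise ValueError("unexpected STUN message type")
    value = xor_mapped_address(*observed_src)
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, tid) + attr


def client_parse_response(response: bytes, expected_tid: bytes) -> Tuple[str, int]:
    """Client side: verify type and transaction id, decode XOR-MAPPED-ADDRESS."""
    mtype, length, tid = parse_header(response)
    if mtype != BINDING_SUCCESS or tid != expected_tid:
        raise ValueError("response does not match our request")
    pos = 20
    while pos + 4 <= 20 + length:
        atype, alen = struct.unpack("!HH", response[pos:pos + 4])
        value = response[pos + 4:pos + 4 + alen]
        pos += 4 + ((alen + 3) // 4) * 4      # attribute values are padded to 4 bytes
        if atype == XOR_MAPPED_ADDRESS:
            _, family, xport, xaddr = struct.unpack("!BBHI", value)
            if family != FAMILY_IPV4:
                continue
            port = xport ^ (MAGIC_COOKIE >> 16)
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, port
    raise ValueError("no XOR-MAPPED-ADDRESS in response")


def discover(private_src: Tuple[str, int], nat_public: Tuple[str, int]) -> Dict[str, object]:
    """Run the exchange: the client sends from private_src, the (simulated) NAT
    rewrites it to nat_public, and the server reports what it saw."""
    req = build_binding_request()
    tid = req[8:20]
    resp = server_handle(req, nat_public)      # the server only ever sees the NAT side
    mapped = client_parse_response(resp, tid)
    return {"mapped": mapped, "behind_nat": mapped != private_src}


if __name__ == "__main__":
    print(discover(("192.168.1.2", 40000), ("203.0.113.5", 40000)))
```

The client learns only the mapping for this one destination; whether the same public port would be reused towards another server (the classification of NAT behaviour the text mentions) requires a second Binding request to a different server address, which this example does not perform.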

Creating a two-way connection

Every TCP and UDP packet contains a source IP address and source port number as well as a destination IP address and destination port number.

For publicly accessible services such as web and mail servers the port number is important: port 80 connects to a web server and port 25 to an SMTP mail server. The public IP address of the server is just as essential, like a postal address or phone number. Both parameters must be reliably known to every node that intends to establish a connection.

Private IP addresses have meaning only inside the local network where they are used, and the same applies to host ports. Ports are the unique endpoints on a host, so a connection through NAT is maintained using a combined mapping of port and IP address.

PAT (Port Address Translation) resolves the conflicts that arise when two different hosts happen to use the same source port number to establish separate connections at the same time.

The rapid growth of the Internet soon after its appearance brought the problem of address shortage. It is now partly solved by the introduction of the new IPv6 protocol, which provides far more addresses for network nodes. But a protocol update alone was not enough. NAT technology was invented to let nodes on a private network connect to the Internet using only one external IP address, which made it much easier to scale private local networks while connecting them to the Internet. Let us now look at NAT in detail.

How NAT works

Imagine a local network of three workstations which we decide to connect to the Internet. The provider has allocated us one external address, which we must enter in the settings of our router. The result is the following picture.

Our three computers are combined into a local network with addressing from 192.168.1.0/24.

Here is how it looks:

  • Router - 192.168.1.1
  • Computer 1 - 192.168.1.2
  • Computer 2 - 192.168.1.3
  • Computer 3 - 192.168.1.4

If you are already familiar with the basics of local networks, you know that the Default Gateway field in the network card settings of our computers must contain 192.168.1.1. All requests not destined for our local network are thus sent to our router; simply put, all requests to the Internet are redirected to it.

As noted, we have only one external IP. Here it gets interesting: how can three computers with different IP addresses access the Internet when there is only one external address?

This is where NAT technology comes to the rescue.

As you can see, all nodes have addresses in the same subnet, which lets them exchange data directly. When a request is sent to the Internet, it is passed to the internal interface of the router. Using NAT, the router then slightly changes the packet: the source address is replaced with the external IP address, and only after that the packet goes out to the network.

You have surely grasped the principle of network address translation: with its help a single external address stands in for all internal network addresses, so that several computers can access the network through one external address at the same time.

Two points to note. First, there need not be just one external address; there may be several.

Second, NAT imposes some limitations related to IP-based blocking. This shows up when accessing a resource that allows only one host to connect from a given IP address: if someone on your network is already connected to it, you will not be able to establish a connection.

Terminology

To understand the principle of network address translation, let us go through the main terms.

Static NAT

This is the first type of implementation of the technology. Each internal address is translated to an external one according to entries in the translation table on the router. The correspondence must be configured in advance during router configuration.

Configuration on Cisco routers

  • Enter the settings of the interface facing the inside of the network and apply the command ip nat inside
  • Then, on the external interface, apply ip nat outside
  • Next, in global configuration mode, set the address correspondence manually with the command ip nat inside source static inside-local inside-global, where inside-local is the inside local address and inside-global is the inside global address

Dynamic NAT

This implementation is similar to static translation. The difference is that address translation happens dynamically, based on previously configured parameters. There is no longer a static table of correspondences: entries are created in the table at the moment packets pass through, provided all configured conditions match.

To configure it, you need to define the pool of external addresses that will be used for translation, and also define the set of internal addresses by creating an access list for them.

Setting

  • Specify ip nat inside on the internal interfaces
  • ip nat outside on the external one
  • Create an ACL listing the internal addresses that should take part in translation
  • Create the pool of external addresses. In global configuration mode apply the command ip nat pool name first-address last-address netmask subnet-mask, where name is the pool name, first-address the initial address, last-address the last address and subnet-mask the subnet mask
  • Enable dynamic NAT translation: ip nat inside source list acl-number pool pool-name, where acl-number is the previously created access control list and pool-name is the address pool.

PAT - port-based translation

In any case, the number of available external addresses is limited. How else can a large local network be scaled so that all of its nodes get Internet access? It is already clear that static and dynamic NAT would require a large number of external addresses for this, which does not suit us.

This is where the third implementation of NAT comes to the rescue: translation by ports, PAT. Its essence is that in addition to the address-to-address binding, an address-and-port binding is added. Thus the router can distinguish connections not only by IP address but also by unique port number.

Since 16 bits are used to number ports, more than 65 thousand connections can be active through one address.

Setting

The whole configuration process is similar to configuring dynamic NAT. To enable PAT, the keyword overload is added to the translation command. In the end it looks like this:

ip nat inside source list acl-number interface interface-name/number overload
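To make the behaviour described in the sections above concrete (how NAT works for the three computers, the port conflicts PAT resolves, the port exhaustion discussed under Scalability, and the "publication of a service" static mapping), here is an added Python model of a PAT router. It is an illustration written for this page, not Cisco's code or the article's own. It keeps one public address, a translation table keyed by the remote endpoint as well as the public port (so one public port can serve many remote hosts), tries to preserve the original source port and otherwise takes the first free port of the 0-511 / 512-1023 / 1024-65535 group, drops unsolicited inbound packets, and honours static port forwards. The addresses are constructed from the RFC 5737 documentation ranges; max_port is an artificial knob used only to provoke exhaustion quickly.

```python
"""Simplified PAT (NAT overload) router, added here as an example.

Not the article's or Cisco's code. Addresses are constructed (RFC 5737).
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortExhausted(Exception):
    """No free public port left towards this remote endpoint."""


def _group_start(port: int) -> int:
    """PAT keeps the original port if free, else the first free port of its group."""
    return 0 if port < 512 else 512 if port < 1024 else 1024


class PatRouter:
    def __init__(self, public_ip: str, max_port: int = 65535) -> None:
        self.public_ip = public_ip
        self.max_port = max_port        # artificially low in tests to force exhaustion
        # outbound: (inside ip, inside port, remote ip, remote port) -> public port
        self.out_table: Dict[Tuple[str, int, str, int], int] = {}
        # inbound: (public port, remote ip, remote port) -> (inside ip, inside port)
        self.in_table: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        # static forwards, like "ip nat inside source static tcp ...": public port -> inside
        self.static: Dict[int, Tuple[str, int]] = {}

    def add_static(self, public_port: int, inside_ip: str, inside_port: int) -> None:
        self.static[public_port] = (inside_ip, inside_port)

    def _alloc_port(self, wanted: int, remote: Tuple[str, int]) -> int:
        """Original port if free towards this remote, else first free port of the
        same group; ports taken by static forwards are never handed out."""
        def free(p: int) -> bool:
            return p not in self.static and (p, *remote) not in self.in_table
        if wanted <= self.max_port and free(wanted):
            return wanted
        for p in range(_group_start(wanted), self.max_port + 1):
            if free(p):
                return p
        raise PortExhausted(f"no free public port towards {remote[0]}:{remote[1]}")

    def translate_out(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source to the public address and port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out_table:
            port = self._alloc_port(pkt.src_port, (pkt.dst_ip, pkt.dst_port))
            self.out_table[key] = port
            self.in_table[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self.out_table[key])

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: rewrite the destination back, or drop (None) when no
        live translation and no static forward matches. The drop is NAT's
        'screening' effect; a static forward is a deliberate hole in it."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self.in_table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            inside = self.static.get(pkt.dst_port)
        if inside is None:
            return None
        return replace(pkt, dst_ip=inside[0], dst_port=inside[1])


def demo() -> dict:
    """The three-computer scenario from the text; returns what was observed."""
    r = PatRouter("203.0.113.5")
    r.add_static(23, "192.168.1.4", 23)        # publish telnet on computer 3
    web = ("198.51.100.10", 80)
    # Computers 1 and 2 both chose source port 40000: the second must be remapped
    o1 = r.translate_out(Packet("192.168.1.2", 40000, *web))
    o2 = r.translate_out(Packet("192.168.1.3", 40000, *web))
    # Computer 3 also uses 40000 but talks to another server: the port can be kept
    o3 = r.translate_out(Packet("192.168.1.4", 40000, "198.51.100.20", 443))
    reply2 = r.translate_in(Packet(web[0], web[1], "203.0.113.5", o2.src_port))
    scan = r.translate_in(Packet("198.51.100.99", 5555, "203.0.113.5", 40000))
    telnet = r.translate_in(Packet("198.51.100.99", 5555, "203.0.113.5", 23))
    return {"o1": o1, "o2": o2, "o3": o3, "reply2": reply2, "scan": scan, "telnet": telnet}


def exhaustion_demo(max_port: int = 1025) -> int:
    """How many flows towards one server fit before the public ports run out."""
    r = PatRouter("203.0.113.5", max_port=max_port)
    n = 0
    while True:
        try:
            r.translate_out(Packet(f"192.168.1.{2 + n}", 40000, "198.51.100.10", 80))
            n += 1
        except PortExhausted:
            return n


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
    print("flows before exhaustion:", exhaustion_demo())
```

The scan packet in demo() is dropped because no host inside asked 198.51.100.99 for anything, while the packet to port 23 is forwarded regardless of who sends it: that is the difference between the screening NAT gives for free and the exposure a static forward creates, which is why a static forward still needs an access list or firewall in front of it.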


Conclusion

NAT technology makes it possible to provide Internet access for any local network even when you have only one external IP address. This is the most common case: providers usually offer exactly such tariffs to home users and small offices.


These are completely different technologies; do not confuse them.

What is NAT

NAT is a collective term for technologies that translate network addresses and/or protocols. NAT devices transform the packets passing through them, replacing addresses, ports, protocols, etc.

There are narrower concepts: SNAT, DNAT, masquerading, PAT, NAT-PT, etc.

Why NAT is needed and how it is used

To expose an internal network to the Internet

  • through a pool of external addresses
  • through one external address

To replace an external IP address with another (traffic redirection)

For load balancing between identical servers with different IP addresses

To join two local networks with overlapping internal addressing

How NAT is arranged

S+D NAT (merging branch networks: evil!)

Port mapping, port forwarding

Advantages and disadvantages

Incompatible with some protocols. The specific NAT implementation must support inspection of the required protocol.

NAT has the side effect of "screening" the internal network from the outside world, but it cannot be used instead of a firewall: every static port forward and every live translation is reachable from outside, so filtering still has to be done by an access list or a firewall.

Cisco IOS setup

Cisco routers and firewalls support different types of NAT depending on the feature set of the software. The most used is NAT with inside local addresses bound to different ports of one external address (PAT in Cisco terminology).

To configure NAT on a router you need to:

o Define the traffic to be translated (using access lists or route-maps):

ip access-list extended LOCAL
 permit ip 10.0.0.0 0.255.255.255 any

route-map INT1
 match ip address LOCAL
 match interface FastEthernet0/1.1

Access list LOCAL selects all traffic from network 10.0.0.0/8.

Route-map INT1 selects traffic matching access list LOCAL that leaves sub-interface fa0/1.1.

o Define which external addresses to translate to. Select a pool of external addresses; for PAT one address is enough.

ip nat pool GLOBAL 212.192.64.74 212.192.64.74 netmask 255.255.255.0

Defines a pool of external addresses named GLOBAL with just one address in it.

o Enable NAT for the selected internal and external addresses.

ip nat inside source route-map INT1 pool GLOBAL overload

Enables translation of source addresses for traffic arriving on the inside interface. Only traffic that satisfies route-map INT1 is translated; the external address is taken from pool GLOBAL.

ip nat inside source static tcp 10.0.0.1 23 212.192.64.74 23 extendable

Static "port forwarding" or "publication of a service": in traffic coming in to address 212.192.64.74, TCP port 23, the destination is replaced with 10.0.0.1, port 23.

o Assign the inside and outside interfaces.

interface FastEthernet0/0
 ip nat inside
interface FastEthernet0/1.1
 ip nat outside

Interface fa0/0 is designated inside for NAT.

Sub-interface fa0/1.1 is designated outside for NAT.

o Debugging and diagnostics:

show ip nat translations - view the table of current translations; clear ip nat translation * - delete all current translations; debug ip nat - enable debugging messages (undebug all - turn debugging off).

Examples

Several demonstration examples for the Cisco Packet Tracer emulator.

A simple scheme of connecting a small network to the Internet through a pool of external addresses

A simple scheme of connecting a network to the Internet through one external address

A scheme of joining networks with overlapping addressing

Operation of NAT

The order in which NAT rules are applied differs between manufacturers and equipment. Here is the order of operations for routers running Cisco IOS:

Inside-to-outside

  • if IPsec, check input access list
  • decryption (for CET (Cisco Encryption Technology) or IPsec)
  • check input access list
  • check input rate limits
  • input accounting
  • redirect to web cache
  • policy routing
  • routing
  • NAT inside to outside (local to global translation)
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect (Context-Based Access Control, CBAC)
  • TCP intercept
  • encryption
  • queueing

Outside-to-inside

  • if IPsec, check input access list
  • decryption (for CET or IPsec)
  • check input access list
  • check input rate limits
  • input accounting
  • redirect to web cache
  • NAT outside to inside (global to local translation)
  • policy routing
  • routing
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect (CBAC)
  • TCP intercept
  • encryption
  • queueing

Internet channel from one provider via NAT

Simple NAT implementation scheme with one provider

Redundant Internet access from two providers with NAT and IP SLA

Given: we provide Internet access for several computers via provider ISP1, which allocated us the address 212.192.88.150. Access is organized from this IP address via NAT.

Task: connect a backup provider, ISP2, which will allocate us the address 212.192.90.150. Organize traffic balancing: web traffic can go through ISP1, other traffic through ISP2. If one of the providers fails, move all traffic to the surviving channel.

Where is the difficulty in this task?

Scheme

Config

1. clear ip nat translation *

When the active channel changes, existing translations are still bound to the old outside interface and have to be flushed. Found such an EEM applet; it has been tested. Not every IOS version generates the event; this needs to be clarified.

!
event manager applet NAT-TRACK
 event syslog pattern "TRACKING-5-STATE"
 action 0.1 cli command "enable"
 action 0.2 wait 3
 action 0.3 cli command "clear ip nat translation *"
 action 0.4 syslog msg "NAT translation cleared after track state change"
!

2. When the interface towards one provider goes down, there is a chance that the pings to its gateway will go out through the second provider, so each IP SLA probe is bound to its own source interface.

Placeholders in angle brackets (gateway, interface, addresses, VLAN numbers) are to be replaced with your own values.

!
username <name> password 0 <password>
enable secret 0 <config-password>
!
! Control of access to the router
line vty 0 4
 login local
!
! DHCP
ip dhcp pool LAN
 network <lan-network> <mask>
 default-router <gateway>
 dns-server 10.11.12.13
! the DNS address is fictitious, not from our local network
!
! Ping monitor to the provider-1 gateway
! wait 100 ms for a reply
! ping once per second
ip sla monitor 1
 type echo protocol ipIcmpEcho <gateway1> source-interface <interface1>
 timeout 100
 frequency 1
!
! Ping monitor to provider-2
ip sla monitor 2
 type echo protocol ipIcmpEcho <gateway2> source-interface <interface2>
 timeout 50
 frequency 1
!
! Start pingers 1 and 2, now and forever
ip sla monitor schedule 1 life forever start-time now
ip sla monitor schedule 2 life forever start-time now
!
! Tracks 10 and 20 - track the state of the pingers
! react to DOWN or UP with a delay of 1 s
track 10 rtr 1 reachability
 delay down 1 up 1
!
track 20 rtr 2 reachability
 delay down 1 up 1
!
! Routes to all external networks via both providers
! the routes are tied to the tracks
! and are active only while the track is UP,
! i.e. while the corresponding provider's gateway is reachable
ip route 0.0.0.0 0.0.0.0 <gateway1> track 10
ip route 0.0.0.0 0.0.0.0 <gateway2> track 20
!
int fa 0/0
 no shut
!
! Sub-interfaces towards the external providers
! marked as outside for NAT
interface FastEthernet0/0.1
 description ISP1
 encapsulation dot1Q <vlan1>
 ip address <ip-address1> <mask>
 ip nat outside
!
interface FastEthernet0/0.2
 description ISP2
 encapsulation dot1Q <vlan2>
 ip address <ip-address2> <mask>
 ip nat outside
!
! Internal network interface
! marked as inside for NAT
! PBR
interface FastEthernet0/1
 ip address <gateway> <mask>
 ip nat inside
 ip policy route-map PBR
 no shut
!
! Access lists for traffic from the internal network
! web traffic and everything else
ip access-list extended LOCAL
 permit ip <lan-network> <wildcard> any
!
ip access-list extended WEB
 permit tcp <lan-network> <wildcard> any eq www
 permit tcp <lan-network> <wildcard> any eq 443
!
ip access-list extended ALL
 permit ip any any
!
! Cunning route-map PBR
! if the traffic from the LAN is web traffic,
! send it to the first provider's gateway;
! otherwise, send the other LAN traffic
! to the second provider's gateway.
! When assigning the gateway, the tracks are checked
route-map PBR permit 10
 match ip address WEB
 set ip next-hop verify-availability <gateway1> 1 track 10
!
route-map PBR permit 20
 match ip address ALL
 set ip next-hop verify-availability <gateway2> 1 track 20
!
! Cunning route-map ISP1
! matches when traffic from the LAN
! tries to leave via fa0/0.1
route-map ISP1 permit 10
 match ip address LOCAL
 match interface FastEthernet0/0.1
!
! Cunning route-map ISP2
! matches when traffic from the LAN
! tries to leave via fa0/0.2
route-map ISP2 permit 10
 match ip address LOCAL
 match interface FastEthernet0/0.2
!
! Finally, NAT ;-)
!
! Traffic from the LAN towards the first provider is translated through the first
ip nat inside source route-map ISP1 interface FastEthernet0/0.1 overload
!
! Traffic from the LAN towards the second provider is translated through the second
ip nat inside source route-map ISP2 interface FastEthernet0/0.2 overload
!
! Traffic to the fictitious DNS is redirected to Google DNS
ip nat outside source static 8.8.8.8 10.11.12.13 no-alias
!
! Internal port 3389 forwarded to external port 1111 (one entry per external address)
ip nat inside source static tcp <internal-host> 3389 <external-ip1> 1111 extendable
ip nat inside source static tcp <internal-host> 3389 <external-ip2> 1111 extendable
!

Miscellanea

CGN (Carrier-Grade NAT) with a special pool of private addresses (100.64.0.0/10, RFC 6598)

NAT as ALG (Application Layer Gateway) for protocols that carry addresses in plain text, e.g. SIP