Network Address Translation (NAT). What NAT is, how to configure and use it: NAT, PAT, Static NAT, Dynamic NAT

NAT, PAT, static NAT and dynamic NAT are distinct techniques; do not confuse them.

What is NAT

NAT is a collective term for technologies that translate network addresses and/or protocols. A NAT device rewrites packets as they pass through it, changing addresses, ports, protocols and other fields.

Variants include SNAT, DNAT, masquerading, PAT, NAT-PT and others.

What NAT is for and how it is used

To give an internal network access to the Internet:

  • through a pool of external addresses
  • through a single external address

To substitute a different IP address for the destination address (redirect traffic).

To balance requests between identical servers with different IP addresses.

To join two local networks whose internal addressing overlaps.

How NAT works

Source + destination NAT (joining networks with overlapping addressing: painful!)

Port mapping

Advantages and drawbacks

Incompatible with some protocols. A particular NAT implementation may support inspection of the protocol in question (an application layer gateway).

NAT can "screen" the internal network from the outside world, but it is no substitute for a firewall.

Configuration on Cisco IOS

Cisco routers and firewalls support different types of NAT depending on the installed software feature set. The most common variant is NAT that binds internal local addresses to different ports of a single external address (PAT in Cisco terminology).

To configure NAT on a router you need to:

  • Select the traffic to be translated (using an access-list or a route-map);

    ip access-list extended LOCAL
     permit ip 10.0.0.0 0.255.255.255 any

    route-map INT1
     match ip address LOCAL
     match interface FastEthernet0/1.1

The LOCAL access list matches all traffic from the 10.0.0.0/8 network.

Route-map INT1 matches traffic permitted by the LOCAL access list that is routed out through subinterface Fa0/1.1.

  • Select the external addresses to translate to. A pool of external addresses is defined; for PAT a single address is enough.

    ip nat pool GLOBAL 212.192.64.74 212.192.64.74 netmask 255.255.255.0

A pool of external addresses named GLOBAL. This pool contains only one address.

  • Enable NAT between the selected internal and external addresses.

    ip nat inside source route-map INT1 pool GLOBAL overload

Enables translation of source addresses for traffic arriving on the inside interface. Only traffic matching route-map INT1 is translated. External addresses are taken from the GLOBAL pool; overload means several internal addresses share one external address (PAT).

    ip nat inside source static tcp 10.0.0.1 23 212.192.64.74 23 extendable

Static port forwarding, i.e. publishing a service. For traffic arriving at address 212.192.64.74 on TCP port 23, the destination is rewritten to address 10.0.0.1, port 23.

  • Designate the inside and outside interfaces.

    interface FastEthernet0/0
     ip nat inside
    interface FastEthernet0/1.1
     ip nat outside

Interface Fa0/0 is designated as the NAT inside interface.

Subinterface Fa0/1.1 is designated as the NAT outside interface.

  • Monitoring and diagnostics:

show ip nat translations - display the table of current translations; clear ip nat translation * - remove all current translations; debug ip nat - enable NAT debugging (undebug all - disable debugging).

Examples

Some examples for the Cisco Packet Tracer emulator.

A simple scheme connecting a small network to the Internet through a pool of external addresses

A simple scheme connecting a network to the Internet through a single external address

Scheme for joining networks with overlapping addressing

NAT order of operations

The point at which NAT is applied relative to other features differs between vendors and between configurations. Here is the order in which a Cisco IOS router processes a packet:

Inside-to-outside

  • If IPsec, then check input access list
  • decryption - for CET (Cisco Encryption Technology) or IPsec
  • check input access list
  • check input rate limits
  • input accounting
  • redirect to web cache
  • policy routing
  • routing
  • NAT inside to outside (local to global translation)
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect (Context-based Access Control (CBAC))
  • TCP intercept
  • encryption
  • Queueing

Outside-to-inside

  • If IPsec, then check input access list
  • decryption - for CET or IPsec
  • check input access list
  • check input rate limits
  • input accounting
  • redirect to web cache
  • NAT outside to inside (global to local translation)
  • policy routing
  • routing
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect CBAC
  • TCP intercept
  • encryption
  • Queueing

Internet access from one provider through NAT

A simple scheme implementing NAT with one provider

Backup Internet access from two providers using NAT and IP SLA

Given: we have a number of computers that need Internet access through provider ISP1. It has assigned us the address 212.192.88.150. The organization reaches the Internet from that IP address through NAT.

Task: connect a backup provider, ISP2. It assigns us the address 212.192.90.150. Organize traffic balancing: send web traffic through ISP1 and all other traffic through ISP2. When one of the providers fails, send all traffic through the surviving link.

What makes the task tricky? Existing translations have to be dropped when the link switches over: clear ip nat translation *.

Scheme

Config

1. clear ip nat translation *

I found and tested the following EEM applet. It is not supported on all IOS versions; this needs checking.

    !
    event manager applet NAT-TRACK
     event syslog pattern "TRACKING-5-STATE"
     action 0.1 cli command "enable"
     action 0.2 wait 3
     action 0.3 cli command "clear ip nat translation *"
     action 0.4 syslog msg "NAT translation cleared"
    !

2. When the link to one provider goes down, there is a good chance that its gateway will still answer pings through the other provider, so each probe is tied to its own interface.

    !
    username Username password 0 PASSWORD
    enable secret 0 ConfigPassword
    !
    ! router login control
    line vty 0 4
     login local
    !
    ! DHCP
    ip dhcp pool LAN
     network InternalNetwork Mask
     default-router Gateway
     dns-server 10.11.12.13
    ! DNS: a fictitious address, NOT from our local network
    !
    !
    ! Ping monitor to the provider-1 gateway address
    ! Wait up to 100 ms for a reply
    ! Ping once per second
    ip sla monitor 1
     type echo protocol ipIcmpEcho GatewayProv1 source-interface InterfaceOnProv1
     timeout 100
     frequency 1
    !
    ! Ping monitor to the ISP-2 gateway
    ip sla monitor 2
     type echo protocol ipIcmpEcho GatewayProv2 source-interface InterfaceOnProv2
     timeout 50
     frequency 1
    !
    ! Start pingers 1 and 2, now and forever
    ip sla monitor schedule 1 life forever start-time now
    ip sla monitor schedule 2 life forever start-time now
    !
    ! Tracks 10 and 20 watch the pingers
    ! React to a Down or Up state with a delay of 1 sec
    track 10 rtr 1 reachability
     delay down 1 up 1
    !
    track 20 rtr 2 reachability
     delay down 1 up 1
    !
    !
    ! Default routes through both providers
    ! Each route is tied to its track
    ! and is only active while the track is Up,
    ! i.e. while the gateway of that ISP is reachable
    ip route 0.0.0.0 0.0.0.0 GatewayProv1 track 10
    ip route 0.0.0.0 0.0.0.0 GatewayProv2 track 20
    !
    !
    interface FastEthernet0/0
     no shutdown
    !
    ! Subinterfaces towards both providers,
    ! designated as outside for NAT
    interface FastEthernet0/0.1
     description ISP1
     encapsulation dot1Q VlanProv1
     ip address ipOnProv1 Mask
     ip nat outside
    !
    interface FastEthernet0/0.2
     description ISP2
     encapsulation dot1Q VlanProv2
     ip address ipOnProv2 Mask
     ip nat outside
    !
    ! Interface to the internal network,
    ! designated as inside for NAT,
    ! with the PBR routing policy attached
    interface FastEthernet0/1
     ip address ipInside NetworkMask
     ip nat inside
     ip policy route-map PBR
     no shutdown
    !
    ! Access lists for the internal network,
    ! for web traffic and for everything else
    ip access-list extended LOCAL
     permit ip InternalNetwork Wildcard any
    !
    ip access-list extended WEB
     permit tcp InternalNetwork Wildcard any eq www
     permit tcp InternalNetwork Wildcard any eq 443
    !
    ip access-list extended ALL
     permit ip any any
    !
    !
    ! Policy route-map PBR:
    ! if traffic from the LAN is web traffic,
    ! send it to the gateway of the first provider;
    ! otherwise send the remaining LAN traffic
    ! to the gateway of the second provider.
    ! A gateway is used only while its track is Up.
    route-map PBR permit 10
     match ip address WEB
     set ip next-hop verify-availability GatewayProv1 1 track 10
    !
    route-map PBR permit 20
     match ip address ALL
     set ip next-hop verify-availability GatewayProv2 1 track 20
    !
    !
    ! Route-map ISP1: matches traffic from the LAN
    ! leaving through interface Fa0/0.1
    route-map ISP1 permit 10
     match ip address LOCAL
     match interface FastEthernet0/0.1
    !
    ! Route-map ISP2: matches traffic from the LAN
    ! leaving through interface Fa0/0.2
    route-map ISP2 permit 10
     match ip address LOCAL
     match interface FastEthernet0/0.2
    !
    !
    ! Finally, NAT ;-)
    !
    ! Traffic from the LAN towards the first provider:
    ! translate to the address of the first interface
    ip nat inside source route-map ISP1 interface FastEthernet0/0.1 overload
    !
    ! Traffic from the LAN towards the second provider:
    ! translate to the address of the second interface
    ip nat inside source route-map ISP2 interface FastEthernet0/0.2 overload
    !
    ! Traffic to the fictitious DNS is redirected to Google DNS
    ip nat outside source static 8.8.8.8 10.11.12.13 no-alias
    !
    ! Forwarding from inside port 3389 to outside port 1111
    ip nat inside source static tcp insideHost 3389 outsideHost 1111 extendable
    !
    !

Further topics

CGN (carrier-grade NAT) with a dedicated private address pool

NAT as an ALG (application layer gateway), for plain-text protocols such as SIP

Open any page of a WEB site. There is a good chance that at that very moment you are using network address translation (NAT).

No one could have foreseen the growth the Internet has undergone to reach its present size. Although the exact number is not known, estimates suggest there are approximately 100 million active nodes on the Internet and more than 350 million users, and the Internet keeps growing at a rapid pace.

What does network address translation have to do with the Internet? Everything! For a computer to communicate with other computers and WEB servers over the Internet, it must have an IP address. An IP address (IP stands for Internet Protocol) is a unique 32-bit number that identifies the location of a given computer on the network. In principle it works like your home address: it is a way to find the exact location of your computer and deliver information to you.

IP addressing

When IP addressing appeared, everyone thought that there were enough addresses for any purpose. Theoretically, 4294967296 unique addresses are possible (2^32). In practice, the number of addresses available for use is somewhat smaller (approximately between 3.2 and 3.3 billion), which is explained by the way addresses are divided into classes and by the fact that some addresses are reserved for multicast, testing and other special needs.

With the explosive growth of the Internet and of home and corporate networks, the available IP addresses are simply running out. The obvious solution is to change the address format so that more addresses become possible. Such a system is being developed (it is called IPv6), but it will take several years to deploy, because it requires modernising the entire infrastructure of the Internet.

NAT (RFC 1631) comes to the rescue. Network address translation allows one device, for example a router, to act as an intermediary between the Internet (the "public" network) and a local (the "private") network. This means that only one unique IP address is needed to represent a whole group of computers.

However, the shortage of IP addresses is only one of the reasons NAT is used. This article is devoted to the advantages and peculiarities of this system. Let's take a closer look at what NAT is and how the system works.

How NAT works

NAT is like the receptionist in a large office. Suppose you have told the receptionist not to put any calls through to you unless you ask. Later you call a potential client and leave a message asking them to call you back. You tell the receptionist that you are expecting a call from this client and ask to be connected when it comes.

The client dials the main office number, which is the only number they know. The client tells the receptionist that they want to talk to you; the receptionist checks the lookup table, which lists your name and your extension number. The receptionist knows that you asked for this client's call and transfers the caller to your extension.

Address translation

Network address translation, developed by Cisco, is performed by a device (a router or a computer) that connects the internal network to the outside world. Address translation can take several forms and work in different ways:

  • Static NAT - translation of an unregistered IP address to a registered IP address on a one-to-one basis. Particularly useful when a device must be reachable from outside the network.
  • Dynamic NAT - translation of an unregistered IP address to a registered IP address taken from a group of registered IP addresses.
  • Overloading - a form of dynamic translation that maps many unregistered IP addresses to a single registered address by using different ports. Also known as PAT (Port Address Translation), single-address NAT or port-level multiplexed NAT.
  • Overlapping - when the addresses used in your internal network are registered IP addresses that belong to another network, the router must maintain a lookup table of these addresses so that it can intercept them and replace them with registered unique IP addresses. Note that the NAT router must translate "inside" addresses to registered unique addresses and also "outside" addresses to addresses that are unique within the private network. This can be done either through static translation or by using the domain name service (DNS) together with dynamic translation.

The internal network is usually a local area network (LAN), commonly referred to as a stub domain. A stub domain is a LAN that uses IP addresses internally. Most of the network traffic in a stub domain is local and never leaves the internal network. A stub domain can include both registered and unregistered IP addresses. Of course, any computers that use unregistered IP addresses must go through address translation to communicate with the rest of the world.

NAT can be configured in various ways. In the example below, the NAT router is configured to translate unregistered (inside, local) IP addresses that reside on the private (inside) network to registered IP addresses. This happens whenever a device with an unregistered address on the inside network needs to communicate with the public (outside) network.

  • Your ISP assigns a range of IP addresses to your company. The assigned block of registered, unique IP addresses is called inside global addresses. Unregistered, private IP addresses are split into two groups. A small group (outside local addresses) is used by the NAT routers. The much larger group, known as inside local addresses, is used in the stub domain. The outside local addresses are used to translate the unique IP addresses of devices on the public network, known as outside global addresses.
  • Most computers in the stub domain communicate with each other using inside local addresses.
  • Some computers in the stub domain communicate a great deal with devices outside the network. These computers have inside global addresses, so they do not need translation.
  • When a computer in the stub domain with an inside local address wants to communicate outside the network, the packet goes to one of the NAT routers.
  • The NAT router checks its routing table for an entry matching the destination address. If there is one, the NAT router translates the packet and creates an entry for it in the address translation table. If the destination address is not in the routing table, the packet is dropped.
  • Using an inside global address, the router sends the packet on to its destination.
  • A computer on the public network sends a packet to the private network. The source address of the packet is an outside global address. The destination address is an inside global address.
  • The NAT router looks at the address translation table and determines that the destination address is there, mapped to a computer on the stub domain.
  • The NAT router translates the inside global address of the packet to the inside local address and sends it to the destination computer.

NAT overloading

NAT overloading uses a feature of the TCP/IP protocol stack, multiplexing, which lets a computer hold several simultaneous connections to one or more remote computers by using different TCP or UDP ports. An IP packet carries a header containing the following information:

  • Source address - the IP address of the sending computer, for example 201.3.83.132
  • Source port - the TCP or UDP port number assigned by the sending computer to this packet, for example port 1080
  • Destination address - the IP address of the receiving computer, for example 145.51.18.223
  • Destination port - the TCP or UDP port number that the sending computer asks the receiving computer to open, for example port 3021.

The addresses identify the two machines at either end, and the port numbers make sure that the connection between the two computers has a unique identifier. The combination of these four numbers defines a single TCP/IP connection. Each port number uses 16 bits, which means that 65536 (2^16) values are possible. In practice, since different manufacturers map the ports in slightly different ways, one can expect about 4,000 ports to be available.

2^32, or 4,294,967,296, IPv4 addresses: is that a lot? It would seem so. However, with the spread of personal computers and mobile devices and the rapid growth of the Internet, it became clear that 4.3 billion IPv4 addresses would not be enough. The long-term solution was IPv6, but a quick fix for the address shortage was needed immediately. That fix became NAT (Network Address Translation).

What is NAT

Networks are usually designed using private IP addresses. These are the ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. Private addresses are used within an organization or site to let devices communicate locally, and they are not routed on the Internet. For a device with a private IPv4 address to reach devices and resources outside the local network, the private address must first be translated to a globally routable public address.

That is exactly what NAT does: it translates private addresses into globally routable ones. It lets a device with a private IPv4 address access resources outside its private network. NAT of private IPv4 addresses became the primary way of conserving public IPv4 addresses. One globally routable IPv4 address can be shared by hundreds, even thousands, of devices, each with its own private IPv4 address. NAT also brings an additional benefit: it adds a degree of privacy and security to the network, since it hides internal IPv4 addresses from outside networks.

Routers with NAT support can be configured with one or more globally routable IPv4 addresses. These globally routable addresses are known as the NAT pool. When an internal device sends traffic outside the network, the NAT-enabled router translates the device's internal IPv4 address to a public address from the NAT pool. To outside devices, all traffic entering and leaving the network appears to carry a globally routable IPv4 address.

A NAT router usually sits at the border of a stub network. A stub network is a dead-end network that has a single connection to its neighbouring network: one way in and one way out.

When a device inside the stub network wants to communicate with a device outside its network, the packet is forwarded to the border router, which performs the NAT process, translating the device's internal private address to a public, routable external address.

NAT terminology

In NAT terminology, the inside network is the set of networks that are subject to translation. The outside network is everything else.

With NAT, IPv4 addresses are designated differently depending on whether they are on the private network or on the public network (the Internet), and on whether the traffic is inbound or outbound.

NAT uses four types of addresses:

  • Inside local address;
  • Inside global address;
  • Outside local address;
  • Outside global address.

When deciding which type of address is in use, remember that NAT terminology is always applied from the point of view of the device whose address is being translated:

  • Inside address - the address of the device that NAT translates;
  • Outside address - the address of the destination device;
  • Local address - any address that appears on the inside part of the network;
  • Global address - any address that appears on the outside part of the network.

Let's look at an example diagram.


In the diagram the PC has an inside local address 192.168.1.5, and from its point of view the web server has an outside address 208.141.17.4. When packets are sent from the PC to the web server's global address, the PC's inside local address is translated to 208.141.16.5 (inside global). The outside device's address is not translated, since it is already a globally routable IPv4 address.

Note that the PC has different local and global addresses, whereas the web server has the same public IP address on both sides. From the web server's point of view, traffic originating from the PC comes from the inside global address 208.141.16.5. The NAT router is the demarcation point between the inside and outside networks and between local and global addresses.

The terms inside and outside are combined with the terms local and global to refer to specific addresses. In the diagram, the router is configured to perform NAT and has a pool of globally routable addresses to assign to inside hosts.

The figure shows how traffic is sent from the inside PC to the outside web server through the NAT-enabled router, and how it is sent and translated back in the return direction.


Inside local address - the source address as seen from the inside network. In the figure, the address 192.168.1.5 assigned to the PC is its inside local address.

Inside global address - the source address as seen from the outside network. In the figure, when traffic from the PC is sent to the web server at 208.141.17.4, the router translates the inside local address to the inside global address. In this case the router changes the IPv4 source address from 192.168.1.5 to 208.141.16.5.

Outside global address - the destination address as seen from the outside network. It is a globally routable IPv4 address assigned to a host on the Internet. In the diagram, the web server is reachable at 208.141.17.4. Most often the outside local and outside global addresses are the same.

Outside local address - the destination address as seen from the inside network. In this example the PC sends traffic to the web server at 208.141.17.4.

Let's follow the whole path of a packet. The PC with address 192.168.1.5 tries to establish a connection with the web server 208.141.17.4. When the packet arrives at the NAT-enabled router, the router reads the packet's addresses to determine whether the packet meets the criteria for translation. In this example the source address matches the criteria and is translated from 192.168.1.5 (inside local address) to 208.141.16.5 (inside global address). The router adds the mapping of the local address to the global address to its NAT table and forwards the packet with the translated source address to the destination. The web server replies with a packet addressed to the PC's inside global address (208.141.16.5). The router receives the packet with destination address 208.141.16.5 and consults the NAT table to find the entry for that address. It uses this information to translate the inside global address (208.141.16.5) back to the inside local address (192.168.1.5), and the packet is forwarded to the PC.

NAT types

There are three types of NAT translation:

  • Static address translation (Static NAT) - a one-to-one mapping between local and global addresses;
  • Dynamic address translation (Dynamic NAT) - a many-to-many mapping between local and global addresses;
  • Port Address Translation (PAT) - a many-to-one mapping between local and global addresses using different ports. This method is also known as NAT Overload.

Static NAT maps local and global addresses one to one. The mappings are configured by the network administrator and remain constant. When these devices send traffic to the Internet, their inside local addresses are translated to the configured inside global addresses. To outside networks, these devices have globally routable IPv4 addresses. Static NAT is especially useful for web servers or devices that must have a fixed address reachable from the Internet, such as a company web server. Static NAT requires enough globally routable addresses to satisfy the total number of simultaneous user sessions.

A static NAT table looks like this:


Dynamic NAT uses a pool of public addresses and assigns them on a first-come, first-served basis. When an inside device requests access to an outside network, dynamic NAT assigns an available globally routable IPv4 address from the pool. Like static NAT, dynamic NAT requires enough globally routable addresses to satisfy the total number of simultaneous user sessions.

A dynamic NAT table looks like this:


Port Address Translation (PAT)

PAT maps several private addresses to one or a few public addresses. This is what most home routers do. The ISP assigns one address to the router, yet several members of the household can use the Internet at the same time. It is the most common form of NAT.

With PAT, many addresses can be mapped to one or a few addresses because each private address is also tracked by a port number. When a device initiates a TCP/IP session, it generates a TCP or UDP source port value that uniquely identifies the session. When the NAT router receives a packet from a client, it uses that source port number to uniquely identify the specific NAT translation. PAT guarantees that a different TCP port number is used for each session. When a reply returns from the server, the source port number, which has become the destination port number on the return path, determines the device to which the router forwards the packets.

The figure illustrates the PAT process. PAT adds a unique source port number to the inside global address so that translations can be distinguished.


As the router processes each packet, it uses the port number (1331 and 1555 in this case) to identify the device the packet came from.

Source address - the inside local address with the port number assigned by TCP/IP appended. Destination address - the outside local address with the service port number appended. In this example the service port is 80: HTTP.

For the outbound packets, the router translates the inside local address to the inside global address with the port number appended. The destination address is not changed, but is now referred to as the outside global IPv4 address. When the web server replies, the path is reversed.

In this example, the client port numbers 1331 and 1555 were not changed at the NAT router. That is not a very likely scenario, because there is a good chance those port numbers are already attached to other active sessions. PAT tries to preserve the original source port. However, if the original source port is already in use, PAT assigns the first available port number from the beginning of the appropriate port group: 0-511, 512-1023 or 1024-65535. When no ports are left and there is more than one external address in the pool, PAT moves to the next address and tries to allocate the original source port there. This process continues until no available ports or external IP addresses remain.

Thus another host may choose the same port number, 1444. That is fine on the inside network, because the hosts have unique private IP addresses. At the NAT router, however, the port numbers must be changed, otherwise packets from two different hosts would leave with the same source address. In this case PAT assigns the next available port (1445) to the second host's address.

Let's sum up by comparing NAT and PAT. As the table shows, NAT translates IPv4 addresses on a 1:1 basis between private and public IPv4 addresses. PAT, however, changes both the address and the port number. NAT forwards incoming packets to their inside destination by referring to the source IPv4 address given by the host on the public network; with PAT there is usually only one or a few publicly exposed IPv4 addresses, and incoming packets are forwarded by looking them up in the router's NAT table.

What about IPv4 packets carrying something other than TCP or UDP segments? Such packets have no layer 4 port number. PAT translates most of the common protocols that IPv4 carries without TCP or UDP as the transport layer protocol. The most common of these is ICMPv4. Each of these protocol types is handled differently by PAT. For example, ICMPv4 query messages, echo requests and echo replies include a Query ID. ICMPv4 uses the Query ID to match an echo request with its echo reply. The Query ID is incremented with each echo request sent. PAT uses the Query ID in place of a layer 4 port number.
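The behaviour described in the Cisco IOS configuration section (ACL LOCAL, pool GLOBAL with overload, the static TCP port 23 entry), the inside-local/inside-global packet path, and the PAT port-selection and ICMP Query ID rules above, as an added Python simulation that is not part of the original page. It assumes that the search inside a port group runs upward from the original port before wrapping (so the two hosts that both pick port 1444 end up at 1444 and 1445, as the text states); the addresses are the ones used on this page.

```python
import ipaddress
from dataclasses import dataclass, field

# Port groups PAT searches within when the original source port is taken
# (0-511, 512-1023 and 1024-65535, as described in the text).
PORT_GROUPS = ((0, 511), (512, 1023), (1024, 65535))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco-style ACL test: address bits where the wildcard has a 0 must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ n) & ~w & 0xFFFFFFFF == 0


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int   # source port, or the Query ID for ICMP echo
    dst: str
    dport: int   # destination port, or the Query ID for ICMP echo


@dataclass
class NatRouter:
    """Models `ip nat inside source <acl> pool <pool> overload` plus static entries."""
    acl_network: str
    acl_wildcard: str
    pool: list                                   # inside global addresses, tried in order
    table: dict = field(default_factory=dict)    # (proto, inside local, port) -> (inside global, port)
    reverse: dict = field(default_factory=dict)  # (proto, inside global, port) -> (inside local, port)

    def add_static(self, proto, inside_local, lport, inside_global, gport):
        """Fixed one-to-one entry, e.g. publishing 10.0.0.1:23 as 212.192.64.74:23.
        Registering it in `reverse` also keeps PAT from handing that port out."""
        self.table[(proto, inside_local, lport)] = (inside_global, gport)
        self.reverse[(proto, inside_global, gport)] = (inside_local, lport)

    def _allocate(self, proto, sport):
        """PAT port choice: keep the original port if free; otherwise the next free
        port in the same group on this address (assumption: search upward, then
        wrap to the group start); otherwise move on to the next pool address."""
        lo, hi = next(g for g in PORT_GROUPS if g[0] <= sport <= g[1])
        candidates = [sport] + list(range(sport + 1, hi + 1)) + list(range(lo, sport))
        for ig in self.pool:
            for p in candidates:
                if (proto, ig, p) not in self.reverse:
                    return ig, p
        raise RuntimeError("no free ports left on any address in the NAT pool")

    def inside_to_outside(self, pkt):
        """Local-to-global translation for a packet leaving the stub network."""
        if not wildcard_match(pkt.src, self.acl_network, self.acl_wildcard):
            return pkt   # not selected by the ACL: forwarded untranslated
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.table:   # new session: create a translation entry
            ig, port = self._allocate(pkt.proto, pkt.sport)
            self.table[key] = (ig, port)
            self.reverse[(pkt.proto, ig, port)] = (pkt.src, pkt.sport)
        ig, port = self.table[key]
        return Packet(pkt.proto, ig, port, pkt.dst, pkt.dport)

    def outside_to_inside(self, pkt):
        """Global-to-local translation for a reply or a static port forward.
        Returns None when no entry matches: an unsolicited packet is dropped."""
        entry = self.reverse.get((pkt.proto, pkt.dst, pkt.dport))
        if entry is None:
            return None
        il, lport = entry
        return Packet(pkt.proto, pkt.src, pkt.sport, il, lport)


def build_router():
    """Router from the configuration section above: ACL LOCAL = 10.0.0.0/8,
    pool GLOBAL = 212.192.64.74 overloaded, static TCP 23 published for 10.0.0.1."""
    r = NatRouter("10.0.0.0", "0.255.255.255", ["212.192.64.74"])
    r.add_static("tcp", "10.0.0.1", 23, "212.192.64.74", 23)
    return r


if __name__ == "__main__":
    r = build_router()
    # Two inside hosts pick the same source port 1444; the second one gets 1445.
    for host in ("10.0.0.5", "10.0.0.6"):
        out = r.inside_to_outside(Packet("tcp", host, 1444, "208.141.17.4", 80))
        print(f"{host}:1444 -> {out.src}:{out.sport}")
    back = r.outside_to_inside(Packet("tcp", "208.141.17.4", 80, "212.192.64.74", 1445))
    print("reply to port 1445 is delivered to", back.dst, back.dport)
```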

Advantages and drawbacks of NAT

NAT has many benefits, including:

  • NAT conserves the legally registered addressing scheme by allowing the privatization of intranets. With PAT, internal hosts can share a single globally routable IPv4 address for all external communication. In this type of configuration very few external addresses are needed to support many internal hosts;
  • NAT increases the flexibility of connections to the public network. Multiple pools, backup pools and load-balancing pools can be implemented to ensure reliable public network connections;
  • NAT provides consistency for internal network addressing schemes. On a network that does not use private IPv4 addresses and NAT, changing the public IPv4 address scheme requires readdressing all hosts on the existing network. The cost of readdressing hosts can be significant. NAT allows the existing private IPv4 scheme to remain while the public addressing scheme changes easily. This means an organization can change providers without changing anything on its inside clients;
  • NAT provides network security. Because private networks do not advertise their addresses or internal topology, they remain reasonably secure when used together with NAT to obtain controlled outside access. However, be aware that NAT does not replace firewalls.

But NAT has drawbacks. The fact that hosts on the Internet appear to communicate directly with the NAT-enabled device, rather than with the actual host inside the private network, creates a number of problems:

  • One of the drawbacks of NAT concerns network performance, especially for real-time protocols such as VoIP. NAT adds latency, because translating each IPv4 address in the packet headers takes time;
  • Another drawback of NAT is that end-to-end addressing is lost. Many Internet protocols and applications depend on end-to-end addressing from source to destination. Some applications do not work with NAT. Applications that use physical addresses instead of qualified domain names do not reach destinations that are translated across the NAT router. This can sometimes be avoided by implementing static NAT mappings;
  • End-to-end IPv4 traceability is also lost. It becomes much harder to trace packets whose addresses change several times across multiple NAT hops, which complicates troubleshooting;
  • Using NAT also complicates tunneling protocols such as IPsec, because NAT modifies values in the headers, which interferes with the integrity checks performed by IPsec and other tunneling protocols;
  • Services that require TCP connections to be initiated from the outside network, or stateless protocols such as those using UDP, can be disrupted. Unless the NAT router is configured to support such protocols, incoming packets cannot reach their destination.


If you are reading this document, you are most likely connected to the Internet, and you are using Network Address Translation (NAT) right now! The Internet has grown larger than anyone could have imagined. Although an exact count is impossible, the estimate at the time this was written was around 100 million hosts and more than 350 million users actively on the Internet, and the growth rate was such that the Internet was effectively doubling in size every year.

Introduction

For a computer to communicate with other computers and Web servers on the Internet, it must have an IP address. An IP address (IP stands for Internet Protocol) is a unique 32-bit number that identifies the location of your computer on a network. Basically, it works like your street address: a way to find out exactly where you are and deliver information to you. Theoretically there are 4,294,967,296 unique addresses (2^32). The actual number of available addresses is smaller (somewhere between 3.2 and 3.3 billion) because of the way the addresses are separated into classes, and because some addresses are set aside for multicast, testing or other special uses. For many home and business users the number of available IP addresses is already insufficient. The obvious solution is to redesign the address format to allow for more possible addresses. This is being done in the form of the IPv6 protocol, but its deployment will take years, since it requires modification of the entire infrastructure of the Internet.

This is where NAT comes to the rescue. Basically, Network Address Translation allows a single device, such as a router, to act as an agent between the Internet (the "public network") and a local (or "private") network. This means that only a single unique IP address is required to represent an entire group of computers to anything outside their network. The shortage of IP addresses is only one reason to use NAT. Two other good reasons are security and administration.

Now that you know why NAT is used, let's take a closer look at NAT and what it can do.

Masquerading

NAT is like the receptionist in a large office. Let's say you have left instructions with the receptionist not to forward any calls to you unless you request it. Later, you call a potential client and leave a message for them to call you back. You tell the receptionist that you are expecting a call from this client and to put them through. The client calls the main number of your office, which is the only number they know. When the client tells the receptionist who they are looking for, the receptionist checks a lookup table that matches your name to your extension. The receptionist knows that you requested this call, so they forward the caller to your extension.

NAT (first described in RFC 1631) is performed by a device (a firewall, a router or a computer) that sits between an internal network and the rest of the world. NAT has many forms and can work in several ways:

Static NAT: maps an unregistered IP address to a registered IP address on a one-to-one basis. This is particularly useful when a device needs to be accessible from outside the network.

In static NAT, the computer with the IP address 192.168.32.10 always translates to 213.18.123.110:

Dynamic NAT: maps an unregistered IP address to a registered IP address from a group of registered IP addresses. Dynamic NAT also establishes a one-to-one mapping between an unregistered and a registered address, but the mapping can vary depending on which registered address is available in the address pool at the time of communication.

In dynamic NAT, the computer with the IP address 192.168.32.10 translates to the first available address in the range from 213.18.123.100 to 213.18.123.150:

Overloading: a form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. Also known as PAT (Port Address Translation).

In overloading, each computer on the private network is translated to the same IP address (213.18.123.100), but with a different port number:

Overlapping: when the IP addresses used on your internal network are registered IP addresses in use on another network, the router must maintain a lookup table of these addresses so that it can intercept them and replace them with registered unique IP addresses. It is important to note that the NAT router must translate the "inside" addresses to registered unique addresses as well as translate the "outside" registered addresses to addresses that are unique to the private network. This can be done either through static NAT or by using DNS and implementing dynamic NAT.

Example:
The internal IP range (237.16.32.xx) is also a registered range used by another network. Therefore, the router translates the addresses to avoid a potential conflict with that network. It also translates the registered global IP addresses back to the unregistered local IP addresses when packets enter the internal network.

The internal network is usually a LAN (Local Area Network), commonly referred to as the stub domain. A stub domain is a LAN that uses IP addresses internally. Most of the traffic in a stub domain is local, so it never leaves the internal network. A stub domain can include both registered and unregistered IP addresses. Of course, any computers that use unregistered IP addresses must use NAT to communicate with the rest of the world.

NAT can be configured in various ways. In the example below, the NAT router is configured to translate the unregistered (inside local) IP addresses that live on the private (inside) network to registered IP addresses. This happens whenever a device on the inside with an unregistered address needs to communicate with the public (outside) network.

Your ISP assigns a range of IP addresses to your company. The assigned block consists of registered, unique IP addresses; in Cisco terminology these are inside global addresses, the addresses under which inside hosts appear to the outside world. The unregistered, private addresses used inside the stub domain are inside local addresses. In the other direction, the real, routable address of a host on the public network is its outside global address, and the address under which that outside host appears to the inside network (normally the same address, unless the router also translates the outside side, as in the overlapping case above) is its outside local address.
NAT only translates traffic that passes between the inside and outside networks and matches the translation criteria. Traffic that does not match the criteria, or that passes between other interfaces on the router, is forwarded without translation.

IP addresses have different designations depending on whether they sit on the private network (the stub domain) or on the public network (the Internet), and on whether the traffic is incoming or outgoing:

  • Most computers on the stub domain communicate with each other using inside local addresses.
  • Some computers on the stub domain communicate a lot with the outside network. These computers have inside global addresses, which means they do not require translation.
  • When a computer on the stub domain that has an inside local address wants to communicate with the outside network, the packet goes to one of the NAT routers by ordinary routing.
  • The NAT router checks its routing table for an entry matching the destination address. If there is none, the packet is dropped. If there is one, the router checks whether the packet is going from the inside network to the outside network and whether it matches the criteria specified for translation. It then looks in the address translation table for an entry for the inside local address and the corresponding inside global address. If an entry is found, the packet is translated using that inside global address; if there is no entry yet and the packet matches the dynamic translation criteria, the router creates one (as in the dynamic NAT example below); if the packet matches neither a static mapping nor the dynamic criteria, the router forwards it without translation.
  • Using the inside global address, the router forwards the packet to its destination.
  • A computer on the public network sends a packet to the private network. The source address of the packet is an outside global address; the destination address is an inside global address.
  • When the packet arrives at the NAT router, the router looks at the translation table and determines that the destination address is there, mapped to a computer on the stub domain.
  • The NAT router translates the inside global address of the packet to the inside local address and then consults the routing table to deliver the packet to the destination computer. If no entry for the address is found in the translation table, the packet is not translated and the router simply consults the routing table for the destination address.

NAT overloading uses a feature of the TCP/IP protocol stack, multiplexing, which allows a computer to maintain several simultaneous connections with one or more remote computers using different TCP or UDP ports. An IP packet has a header that contains the following information:

  • Source address: the IP address of the sending computer, for example 201.3.83.132.
  • Source port: the TCP or UDP port number assigned by the sending computer to this connection, for example port 1080.
  • Destination address: the IP address of the receiving computer, for example 145.51.18.223.
  • Destination port: the TCP or UDP port number that the sending computer asks the receiving computer to open, for example port 3021.

The addresses specify the two machines at each end, while the port numbers ensure that the connection between the two computers has a unique identifier. The combination of these four numbers defines a single TCP/IP connection. Each port number uses 16 bits, which means there are 65,536 (2^16) possible values. Realistically, since different vendors map ports in slightly different ways, you can expect about 4,000 ports to be available for translation.

Examples of dynamic NAT and NAT overloading

Here is how dynamic NAT works, step by step:

  • An internal network (stub domain) has been set up with IP addresses that were not specifically allocated to the company by IANA (the Internet Assigned Numbers Authority), the global body that hands out IP addresses. These addresses should be considered non-routable, since they are not unique. They are inside local addresses.
  • The company sets up a NAT-enabled router. The router has a range of unique IP addresses given to the company. These are inside global addresses.
  • A computer on the stub domain tries to connect to a computer outside the network, such as a Web server.
  • The router receives the packet from the computer on the stub domain.
  • After checking the routing table and the translation criteria, the router saves the computer's non-routable IP address in the address translation table. It replaces the sending computer's non-routable address with the first available IP address from the range of unique addresses. The translation table now maps the computer's non-routable IP address to one of the unique IP addresses.
  • When a packet comes back from the destination computer, the router checks the destination address on the packet. It then looks in the address translation table to see which computer on the stub domain the packet belongs to. It changes the destination address to the one saved earlier in the translation table and sends the packet to that computer. If it finds no match in the table, it drops the packet.
  • The computer receives the packet from the router. The process repeats as long as the computer is communicating with the external system.

And here is how NAT overloading (PAT) works:

  • An internal network has been set up with non-routable IP addresses that were not specifically allocated to the company.
  • The company sets up a NAT-enabled router. The router has a single unique IP address, allocated through IANA.
  • A computer on the stub domain tries to connect to a computer outside the network, such as a Web server.
  • The router receives the packet from the computer on the stub domain.
  • After checking the routing table and the translation criteria, the router saves the computer's non-routable IP address and source port number in the translation table. It replaces the sending computer's non-routable IP address with the router's own IP address. It replaces the sending computer's source port with a port number of its own choosing and saves that port in the translation table. The translation table now maps the computer's non-routable IP address and port number to the router's IP address and the assigned port.
  • When a packet comes back from the destination computer, the router checks the destination port on the packet. It then looks in the translation table to see which computer on the stub domain the packet belongs to. It changes the destination address and destination port to the values saved earlier in the translation table and sends the packet to that computer.
  • The computer receives the packet from the router. The process repeats as long as the computer is communicating with the external system.
  • Since the NAT router now has the computer's source address and source port saved in the translation table, it keeps using the same port number for the duration of the connection. A timer is reset each time the router accesses an entry in the table. If the entry is not accessed again before the timer expires, it is removed from the table.
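The overloading steps above, together with the ICMP Query ID rule from the NAT/PAT comparison at the top of this section, as a runnable model. This is example code added for this page; it is not the page's own material and not a Cisco implementation. Assumptions: one inside global address, 213.18.123.100 (the page's PAT example); translated ports and Query IDs drawn from 1024 to 65535; a single 300-second idle timer for all protocols (a real router keeps separate timers per protocol); and a pluggable clock so the timeout can be exercised. The model keeps the original port when it is free and otherwise takes the lowest free one.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp", "udp" or "icmp"
    src: str
    src_id: int   # TCP/UDP source port; for ICMP echo the Query ID
    dst: str
    dst_id: int   # TCP/UDP destination port; 0 for ICMP echo (no such field)

    def with_src(self, src, src_id):
        return Packet(self.proto, src, src_id, self.dst, self.dst_id)

    def with_dst(self, dst, dst_id):
        return Packet(self.proto, self.src, self.src_id, dst, dst_id)


@dataclass
class Entry:
    inside_local: str
    inside_id: int     # original port / Query ID
    global_id: int     # port / Query ID used on the outside
    last_seen: float


class PAT:
    """NAT overload: many inside hosts behind one inside global address."""

    def __init__(self, inside_global="213.18.123.100", first_id=1024,
                 last_id=65535, timeout=300.0, clock=time.monotonic):
        self.inside_global = inside_global          # assumption: the page's PAT address
        self.first_id, self.last_id = first_id, last_id
        self.timeout, self.clock = timeout, clock   # assumption: one idle timer for all
        self.table = {}     # (proto, inside_local, inside_id) -> Entry
        self.reverse = {}   # (proto, global_id) -> key into self.table

    def _pick_id(self, proto, wanted):
        # Keep the original number when it is free (translations stay predictable);
        # otherwise take the lowest free one.  None means this protocol's space is full.
        candidates = [wanted] if self.first_id <= wanted <= self.last_id else []
        candidates += range(self.first_id, self.last_id + 1)
        for cand in candidates:
            if (proto, cand) not in self.reverse:
                return cand
        return None

    def expire(self):
        """Drop entries whose idle timer ran out (the page's 'timer' step)."""
        now = self.clock()
        for key, e in list(self.table.items()):
            if now - e.last_seen > self.timeout:
                del self.reverse[(key[0], e.global_id)]
                del self.table[key]

    def outbound(self, pkt):
        """Inside -> outside: rewrite source address and source port / Query ID."""
        self.expire()
        key = (pkt.proto, pkt.src, pkt.src_id)
        e = self.table.get(key)
        if e is None:
            gid = self._pick_id(pkt.proto, pkt.src_id)
            if gid is None:
                return None             # no free port: the packet is dropped
            e = Entry(pkt.src, pkt.src_id, gid, self.clock())
            self.table[key] = e
            self.reverse[(pkt.proto, gid)] = key
        e.last_seen = self.clock()
        return pkt.with_src(self.inside_global, e.global_id)

    def inbound(self, pkt):
        """Outside -> inside: only packets matching an existing entry get through."""
        self.expire()
        # A TCP/UDP reply addresses our port; an ICMP echo reply echoes the Query ID
        # in the same field the request carried it, so that field is the lookup key.
        gid = pkt.src_id if pkt.proto == "icmp" else pkt.dst_id
        key = self.reverse.get((pkt.proto, gid))
        if key is None or pkt.dst != self.inside_global:
            return None                 # unsolicited: dropped (the 'free firewall')
        e = self.table[key]
        e.last_seen = self.clock()
        if pkt.proto == "icmp":
            return Packet("icmp", pkt.src, e.inside_id, e.inside_local, 0)
        return pkt.with_dst(e.inside_local, e.inside_id)
```

Two inside hosts using the same source port 1080 end up on different outside ports, a reply to a port with no entry is dropped, and an echo request with Query ID 7 goes out with a fresh ID and comes back mapped to ID 7 on the inside host. Running with a tiny port range shows the exhaustion case: once every outside port is taken, new flows get no translation at all.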

The number of simultaneous translations a router can support is determined mainly by the amount of DRAM (Dynamic Random Access Memory) it has. Since a typical entry in an address translation table takes about 160 bytes, a router with 4 MB of DRAM could theoretically hold 26,214 simultaneous translations, which is more than enough for most applications.

Security and administration

Implementing dynamic NAT automatically creates a firewall of sorts between your internal network and outside networks or the Internet. Dynamic NAT only allows connections that originate inside the local network. Essentially, this means that a computer on an external network cannot connect to your computer unless your computer has initiated the contact. So you can browse the Internet, connect to a site and even download a file, but nobody else can simply latch onto your IP address and use it to connect to a port on your computer. (As noted above, this is a side effect of the translation table, not a substitute for a real firewall.)

Static NAT, also known as inbound mapping, allows connections initiated by external devices to reach computers on the stub domain in certain circumstances. For instance, you may wish to map an inside global address to a specific inside local address that is assigned to your Web server.

Static NAT allows a computer on the stub domain to keep a specific address when communicating with devices outside the network:

Some NAT routers provide extensive filtering and traffic logging. Filtering allows your company to control what kind of sites employees visit on the Web and to prevent them from viewing questionable material. You can use traffic logging to keep a log of which sites are visited and generate various reports from it.

Network Address Translation is sometimes confused with proxy servers, but there are definite differences. NAT is transparent to the source and destination computers: neither of them realizes that it is dealing with a third device. A proxy server, on the other hand, is not transparent. The source computer knows that it is making a request to the proxy server and must be configured to do so, and the destination computer thinks the proxy server is the source computer and deals with it directly. Also, proxy servers work at Layer 4 (Transport) of the OSI model or higher, whereas NAT works at Layer 3 (Network). Working at a higher layer makes proxy servers slower than NAT devices in most cases.

A real benefit of NAT shows up in network administration. For example, you can move your Web server or FTP server to another host without worrying about broken links: simply change the inbound mapping on the router to the new inside local address. You can also make changes to your internal network easily, since the only external IP address either belongs to the router or comes from a pool of global addresses.

OK, let's leave that lyrical digression for now.
So, there are several kinds of access lists:

- Standard
- Extended
- Dynamic
- Reflexive
- Time-based

We will look at the first two; you can read about the rest on cisco.com.

Inbound and outbound traffic

Before we begin, let's agree on one thing. What are inbound and outbound traffic? We will need this later. Inbound traffic is traffic that arrives on an interface from outside.

Outbound traffic is traffic that leaves an interface.

If an access list is applied to inbound traffic, packets that do not match it never get into the router and, accordingly, no further into the network. If it is applied to outbound traffic, the packets arrive at the router, are processed by it, reach the outgoing interface, and only there are dropped.

A standard access list checks only the source address. An extended one checks the source address, the destination address, and even the port. A standard ACL should be placed closer to the destination (so that it does not block more than necessary), and an extended one closer to the source (so that the bad traffic is dropped as early as possible).

Practice

Let's get some practice. How could we put all this to use in our little company, Lift mi Up?

a) Web server. Allow everyone access on TCP port 80 (the HTTP protocol). For the device from which the server will be managed (we have an admin), telnet and FTP must be opened, without giving full access. Everyone else is denied.

b) File server. Residents of Lift mi Up must be able to reach it on the shared-folder ports, and everyone else via FTP.

c) Mail server. Here we run SMTP and POP3, i.e. TCP ports 25 and 110. The administrator is also allowed access. Everyone else is blocked.

d) For the future DNS server, UDP port 53 must be opened.

e) Allow ICMP messages to the server network.

f) Since the Other network is for everyone who does not belong to FEO, PTO or Accounting, we restrict it as much as possible and give access only to a select few (including the admin).

g) Again, only the administrator should be allowed into the management network, and of course ourselves.

h) We will not restrict the remaining networks from talking to each other.

a) Access to the web server

Here we follow the policy: everything that is not explicitly permitted is forbidden. So we need to open exactly what is needed and close everything else.
Since we are protecting a group of servers, the list will be attached to the interface facing them, i.e. FE0/0.3. Should it be applied in or out? Since we want to block packets heading towards the servers, and those packets have already reached the router, it is outbound traffic. The destination addresses will be the servers (we pick a specific server by destination address), while the source addresses can be anything, both from our corporate network and from the Internet.
One more point: since we filter, among other things, by destination address (the web server gets one set of rules, the mail server another), we need an extended access list; only it allows this.

The rules of an access list are checked in order, from top to bottom, until the first match. As soon as one rule matches, whether it is a permit or a deny, the check stops and the traffic is handled according to that rule.
If we want to protect the web server, we must give the permission first: if we put deny ip any any on the first line, nothing would get any further. any is a special word meaning the address and wildcard mask 0.0.0.0 255.255.255.255, i.e. absolutely every host falls under the rule. Another special word is host: it means the wildcard mask 0.0.0.0 (subnet mask 255.255.255.255), i.e. exactly the one address given.
First rule: allow everyone access to port 80


msk-arbat-gw1(config)# ip access-list extended Servers-out
msk-arbat-gw1(config-ext-nacl)# remark WEB
msk-arbat-gw1(config-ext-nacl)# permit tcp any host 172.16.0.2 eq 80

We permit (permit) TCP traffic from any host (any) to the host (host: exactly one address) 172.16.0.2, destined for port 80.
Now we apply the list to the interface FE0/0.3:

msk-arbat-gw1(config)# int fa0/0.3
msk-arbat-gw1(config-subif)# ip access-group Servers-out out

We check from any of our computers:

The page opens, but what about ping?

And from some other host?

The point is that at the end of every Cisco ACL an implicit deny ip any any is added. What does that mean for us? Any packet that leaves the interface and does not match any rule of the ACL falls under the implicit deny and is dropped. So ping, FTP or anything else is no longer going to get through here.

Let's continue: we need to give access to the computer from which management will be done. That is our administrator's computer, with the address 172.16.6.66, in the Other network.
Each new rule is automatically added to the end of the list if it already exists:

msk-arbat-gw1(config)# ip access-list extended Servers-out
msk-arbat-gw1(config-ext-nacl)# permit tcp host 172.16.6.66 host 172.16.0.2 range 20 ftp
msk-arbat-gw1(config-ext-nacl)# permit tcp host 172.16.6.66 host 172.16.0.2 eq telnet

That's it. We check from the right host (servers in Packet Tracer do not support telnet, so we check FTP):

The FTP request reached the router and tried to leave through the FE0/0.3 interface. The router checked and saw that the packet matches one of the rules we added, and let it through.

And from some other host:

The FTP packet matches none of the rules except the implicit deny ip any any and is dropped.

b) Access to the file server

Here we first need to define who counts as a "resident" who should get access. Obviously, these are the hosts with an address from 172.16.0.0/16; only they will get access.
Now the shared folders. Most modern systems use the SMB protocol for this, which needs TCP port 445. Older versions used NetBIOS, which needs three ports: UDP 137 and 138 and TCP 139. (Port 445 obviously cannot be tested in Packet Tracer.) Then we need the FTP ports, 20 and 21, and not just for internal hosts but for connections from the Internet too:
msk-arbat-gw1(config)# ip access-list extended Servers-out
msk-arbat-gw1(config-ext-nacl)# permit tcp 172.16.0.0 0.0.255.255 host 172.16.0.3 eq 445
msk-arbat-gw1(config-ext-nacl)# permit tcp any host 172.16.0.3 range 20 21

Here we used the construction range 20 21 to specify several ports in one line. For FTP, port 21 alone is not enough: if you open only it, authorization succeeds but file transfer does not. Note that range 20 21 covers active-mode FTP only, where the server opens the data connection from port 20; in passive mode the client connects to a random high port on the server, which this list does not permit, so for passive FTP you need either a wider range or stateful inspection (a reflexive ACL or CBAC).

0.0.255.255 is a wildcard mask. We will talk about what it is a bit later.

c) Access to the mail server

We continue practising, now with the mail server. Within the same access list we add the new entries we need.
For well-known protocols you can specify port names instead of numbers:
msk-arbat-gw1(config)# ip access-list extended Servers-out
msk-arbat-gw1(config-ext-nacl)# permit tcp any host 172.16.0.4 eq pop3
msk-arbat-gw1(config-ext-nacl)# permit tcp any host 172.16.0.4 eq smtp

d) DNS server

msk-arbat-gw1(config)# ip access-list extended Servers-out
msk-arbat-gw1(config-ext-nacl)# permit udp 172.16.0.0 0.0.255.255 host 172.16.0.5 eq 53

DNS also uses TCP port 53 for zone transfers and for answers too large for a UDP datagram; if this server will ever need those, add a matching tcp rule.

e) ICMP

It remains to fix the situation with ping. There is nothing terrible about adding the rule to the end of the list, but it would be more natural to have it at the beginning.
For this we use a simple trick. A text editor will help: copy the ACL portion of show run and add the following lines:
no ip access-list extended Servers-out
ip access-list extended Servers-out
permit icmp any any
remark WEB
permit tcp any host 172.16.0.2 eq www
permit tcp host 172.16.6.66 host 172.16.0.2 range 20 ftp
permit tcp host 172.16.6.66 host 172.16.0.2 eq telnet
remark FILE
permit tcp 172.16.0.0 0.0.255.255 host 172.16.0.3 eq 445
permit tcp any host 172.16.0.3 range 20 21
remark MAIL
permit tcp any host 172.16.0.4 eq pop3
permit tcp any host 172.16.0.4 eq smtp
remark DNS
permit udp 172.16.0.0 0.0.255.255 host 172.16.0.5 eq 53

With the first line we delete the existing list, then we create it anew and re-enter the rules in the order we need. The command on the third line permits all ICMP packets from any host to any host.

Then we just copy the whole thing and paste it into the console. The CLI interprets each line as a separate command and executes it. This way we have replaced the old list with a new one.
Check that ping works:

Excellent.

This "trick" is fine for initial configuration, when you know exactly what you are doing. On a production network, if you rewrite an ACL remotely, you risk losing access to the device you are configuring. A common safety net is to detach the list from the interface first (no ip access-group on the interface) and re-attach it afterwards, or to schedule a reload in a few minutes beforehand and cancel it (reload cancel) once you have confirmed you still have access.

If you need to put a rule at the start, or somewhere in the middle, you can use this approach:
ip access-list extended Servers-out
1 permit icmp any any

Each rule in the list is numbered with a certain step, and if you put a number before the word permit/deny, the rule is inserted not at the end but where you need it. Unfortunately this feature does not work in Packet Tracer.
If needed (say, the numbers between two rules are used up), you can always renumber the rules; here the first rule gets number 10 (the first argument) and the increment is 10:
ip access-list resequence Servers-out 10 10

The resulting access list for the server network looks like this:
ip access-list extended Servers-out
permit icmp any any
remark WEB
permit tcp any host 172.16.0.2 eq www
permit tcp host 172.16.6.66 host 172.16.0.2 range 20 ftp
permit tcp host 172.16.6.66 host 172.16.0.2 eq telnet
remark FILE
permit tcp 172.16.0.0 0.0.255.255 host 172.16.0.3 eq 445
permit tcp any host 172.16.0.3 range 20 21
remark MAIL
permit tcp any host 172.16.0.4 eq pop3
permit tcp any host 172.16.0.4 eq smtp
remark DNS
permit udp 172.16.0.0 0.0.255.255 host 172.16.0.5 eq 53

So far our admin only has access to the web server. Give him full access to the whole network. That is homework number one.

f) Rights for the Other network

So far we needed to keep others out: we paid attention to the destination address, and the access lists were applied to traffic leaving the interface.

Now we need to not let out: no requests from computers in the Other network may leave its boundaries. Well, except for those we explicitly permit.

msk-arbat-gw1(config)# ip access-list extended Other-in
msk-arbat-gw1(config-ext-nacl)# permit ip host 172.16.6.61 any
msk-arbat-gw1(config-ext-nacl)# permit ip host 172.16.6.66 any

Here we could not first deny everyone and then permit, because absolutely all packets would match deny ip any any and the permit would never fire.
We apply it to the interface. This time on the inbound side:
msk-arbat-gw1(config)# int fa0/0.104
msk-arbat-gw1(config-subif)# ip access-group Other-in in

So all IP packets from the hosts with addresses 172.16.6.61 or 172.16.6.66 are allowed out wherever they are headed. Why do we need an extended access list here? After all, it would seem, we only check the source address. Because the admin was given full access, while, for example, a guest of the company Lift mi Up who sits in the same network should get no access except to the Internet, and to express that you also need the destination address.

g) Management network

Nothing complicated. The rules look like this:
msk-arbat-gw1(config)# ip access-list extended Management-out
msk-arbat-gw1(config-ext-nacl)# remark IAM
msk-arbat-gw1(config-ext-nacl)# permit ip host 172.16.6.61 172.16.1.0 0.0.0.255
msk-arbat-gw1(config-ext-nacl)# remark ADMIN
msk-arbat-gw1(config-ext-nacl)# permit ip host 172.16.6.66 172.16.1.0 0.0.0.255

This ACL is applied out on the interface FE 0/0.2:
msk-arbat-gw1(config)# int fa0/0.2
msk-arbat-gw1(config-subif)# ip access-group Management-out out

h) No other restrictions

Done.

That mask is a hell of a mask

Dosi mi, without explanation, gave a marvelous parameter to the form 0.0.255.255, which suspected a guessing mask of the future.
Descho folding for rozumіnnya, but the same won - zvorotna mask - vikoristovuetsya for vyznachennya hostіv, yakі podpadut pіd rule.
To understand that such a mask is a return, you are guilty of the nobility that it is such a powerful one.

Let's start with the simplest example.

An ordinary network of 256 addresses: 172.16.5.0/24, for example. What does this entry mean?
It means the following:

IP address, decimal:      172      16       5        0
IP address, binary:       10101100 00010000 00000101 00000000
Subnet mask, binary:      11111111 11111111 11111111 00000000
Subnet mask, decimal:     255      255      255      0

An IP address is a 32-bit parameter, divided into 4 parts, which you are used to seeing in decimal form.
The subnet mask is also 32 bits long; it is in effect a template, a stencil, that determines whether an address belongs to a subnet. Where the mask has ones, the value cannot change, so the part 172.16.5 stays absolutely fixed and is the same for all hosts in this subnet, while the part where the mask has zeros varies.
So in the example we took, 172.16.5.0/24 is the network address, and the hosts are 172.16.5.1-172.16.5.254 (the last one, 255, is the broadcast), because 00000001 is 1 and 11111110 is 254. /24 means that the mask is 24 bits long, i.e. there are 24 ones and 8 zeros.
Another case: suppose our mask is, for example, 30 bits long rather than 24.
For example 172.16.2.4/30. Let's write it out the same way:

IP address, decimal:      172      16       2        4
IP address, binary:       10101100 00010000 00000010 00000100
Subnet mask, binary:      11111111 11111111 11111111 11111100
Subnet mask, decimal:     255      255      255      252

As you can see, only the last two bits can change for the hosts of this subnet. The last octet can take the following 4 values:
00000100 - subnet address (4 in decimal)
00000101 - host address (5)
00000110 - host address (6)
00000111 - broadcast (7)
Anything outside these limits is already another subnet.

So now you can see that a subnet mask is a sequence of 32 bits: first come the ones, which denote the subnet address, then the zeros, which denote the host address. Zeros and ones in a mask cannot alternate. That is, a mask 11111111.11100000.11110111.00000000 is impossible.

And what is a wildcard (inverse) mask?
For the vast majority of administrators and some engineers it is nothing more than the inversion of the ordinary mask. That is, the zeros now specify the part of the address that must match exactly, and the ones, conversely, mark the free part.
So, in the first example we took, if you want to filter all hosts from the subnet 172.16.5.0/24, you put the following into the access-list rule:
…. 172.16.5.0 0.0.0.255
because the wildcard mask looks like this:

00000000.00000000.00000000.11111111

In the second example with 172.16.2.4/30, the wildcard mask looks like this: 30 zeros and two ones:

Wildcard mask, binary:    00000000 00000000 00000000 00000011
Wildcard mask, decimal:   0        0        0        3

The corresponding parameter in the access-list looks like this:
…. 172.16.2.4 0.0.0.3
Until you get your hand in with masks and wildcard masks, just memorise the common values and the number of hosts each one gives, and keep in mind that in the situations described the last octet of the wildcard mask is 255 minus the last octet of the subnet mask (255 - 252 = 3), and so on. Meanwhile, you will have to work hard and count :)

In fact, however, the wildcard mask is a much richer tool: here you can combine addresses within a single subnet or even several subnets, and, most interestingly, zeros and ones may alternate. This lets you, for example, filter a particular host (or group) in a number of subnets with a single line.

Example 1

Given: network 172.16.16.0/24
Required: filter the first 64 addresses (172.16.16.0-172.16.16.63)
Solution: 172.16.16.0 0.0.0.63

Example 2

Given: 172.16.16.0/24 and 172.16.17.0/24
Required: filter the addresses of both networks
Solution: 172.16.16.0 0.0.1.255

Example 3

Given: networks 172.16.0.0-172.16.255.0
Required: filter the host with address 4
Solution: 172.16.16.0 0.0.255.4
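As an added example (not part of the original article), the following Python code does what the text describes: it derives a wildcard from a prefix length, checks bit by bit whether an address falls under an "address wildcard" pair, and tells a plain inverted mask from one with alternating bits. The branch hosts 172.16.16.222 and 172.16.17.222 are taken from the nat-inet ACL later on this page; covering both with the single entry 172.16.16.222 0.0.1.0 is this example's own construction.

```python
"""Wildcard (inverse) masks as used in Cisco ACL entries.

Added example, not from the original article: computes the wildcard for a
prefix length, checks an address against an "address wildcard" pair bit by
bit, and shows that a wildcard need not be contiguous.
"""
from ipaddress import IPv4Address


def to_int(dotted: str) -> int:
    """Dotted-decimal string -> 32-bit integer."""
    return int(IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted-decimal string."""
    return str(IPv4Address(value))


def subnet_mask(prefix_len: int) -> str:
    """/24 -> 255.255.255.0: prefix_len ones followed by zeros."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return to_dotted(((1 << prefix_len) - 1) << (32 - prefix_len))


def wildcard_from_prefix(prefix_len: int) -> str:
    """The wildcard is the bitwise inverse of the subnet mask (/24 -> 0.0.0.255)."""
    return to_dotted(to_int(subnet_mask(prefix_len)) ^ 0xFFFFFFFF)


def wildcard_matches(address: str, rule_address: str, wildcard: str) -> bool:
    """True if `address` falls under `rule_address wildcard`.

    A 0 bit in the wildcard means that bit of the address must equal the
    rule address; a 1 bit means "don't care".  Only the bits where the
    wildcard is 0 are compared, so the wildcard may have gaps of ones.
    """
    care = to_int(wildcard) ^ 0xFFFFFFFF
    return (to_int(address) & care) == (to_int(rule_address) & care)


def matching_hosts(wildcard: str) -> int:
    """How many addresses an entry covers: 2 to the power of the number of 1 bits."""
    return 1 << bin(to_int(wildcard)).count("1")


def is_contiguous(wildcard: str) -> bool:
    """True if the wildcard is zeros followed by ones, i.e. a plain inverted mask."""
    w = to_int(wildcard)
    return ((w + 1) & w) == 0


if __name__ == "__main__":
    print(subnet_mask(30), wildcard_from_prefix(30))                      # 255.255.255.252 0.0.0.3
    print(wildcard_matches("172.16.16.63", "172.16.16.0", "0.0.0.63"))   # True  (example 1)
    print(wildcard_matches("172.16.17.5", "172.16.16.0", "0.0.1.255"))   # True  (example 2)
    # Both branch admin hosts from the nat-inet ACL with one entry
    # (constructed here, the article lists them separately):
    print(wildcard_matches("172.16.17.222", "172.16.16.222", "0.0.1.0"))  # True
    print(is_contiguous("0.0.1.255"), is_contiguous("0.0.1.0"))           # True False
```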

ACL operation in pictures

Hypothetical network:

1) On router RT1, on interface FE0/1, everything is permitted inbound except ICMP.

2) On router RT2, on interface FE0/1, SSH and TELNET are blocked

Tests
1) Ping from PC1 to Server1

2) TELNET from PC1 to Server1

3) SSH from PC1 to Server2

4) Ping from Server2 to PC1

Additional notes

1) Rules applied to outbound traffic (out) do not filter the traffic of the device itself. That is, if you need to block access to the Cisco itself, you will have to filter the incoming traffic on the interface (the one on which the traffic whose access you want to block arrives).

2) Be careful with ACLs. A small mistake in a rule, the wrong order of entries, or simply a poorly thought-out list can leave you without access to the device.
For example, you want to close access to a device for the 172.16.6.0/24 network, except for your own address 172.16.6.61, and you set up the rules like this:

deny ip 172.16.6.0 0.0.0.255 any
permit ip host 172.16.6.61 any

As soon as you apply the ACL to the interface, you immediately lose access to the router, because you fall under the first rule and the second is never checked.
Another unpleasant situation that can arise: traffic you did not anticipate falls under the ACL.
Consider this situation: in the server farm we have an FTP server working in passive mode. To access it we opened port 21 in the ACL Servers-out. After the initial connection is established, the FTP server tells the client the port on which it is ready to send/receive files, for example 1523. The client tries to establish a TCP connection to that port, runs into the ACL Servers-out, where there is no such permission, and that is the end of the story of a successful transfer. In our example above we allowed access to the file server by opening only ports 20 and 21, which is enough for the example. In real life you will have trouble. All too often ACL configuration comes down to permitting the broadest possible ranges.

3) A problem very similar to the one in point 2 follows from it.
Suppose you hang the following ACL on the interface facing the Internet:

access-list out permit tcp host 1.1.1.1 host 2.2.2.2 eq 80
access-list in permit tcp host 2.2.2.2 any eq 80

It would seem: the host with address 1.1.1.1 is allowed access on port 80 to server 2.2.2.2 (the first rule). And the reverse, from server 2.2.2.2, is allowed inbound.
But the nuance here is that computer 1.1.1.1 establishes the connection TO port 80 but FROM, for example, port 1054, so the reply packet from the server arrives at socket 1.1.1.1:1054, does not fall under the rule in the inbound ACL, and is discarded by the implicit deny ip any any.
To avoid such a situation, and not open the whole range of ports, you can resort to the following trick in the inbound ACL:
permit tcp host 2.2.2.2 any established

The details of this solution are in one of the coming articles.
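The two pitfalls above (an entry order that locks the administrator out, and return traffic blocked until `established` is used) can be reproduced with a small first-match ACL evaluator. This is an added example in Python, not the article's code; the packets, TCP flags and the destination host 172.16.1.10 are constructed test data.

```python
"""First-match evaluation of an extended ACL (added example, not from the article).

Models the two pitfalls described above: an entry order that locks the
administrator out (deny before permit), and a return-traffic rule that fails
because the client's source port is ephemeral, fixed with `established`.
All packets and addresses are constructed test data.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"                 # "ip", "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    tcp_flags: FrozenSet[str] = field(default_factory=frozenset)  # e.g. {"SYN"}


@dataclass(frozen=True)
class Entry:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches any protocol
    src: str                          # address plus wildcard; "any" = 0.0.0.0 255.255.255.255
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None       # "eq <port>" on the destination; None = any port
    established: bool = False         # TCP only: match when ACK or RST is set


def wildcard_matches(address: str, rule_address: str, wildcard: str) -> bool:
    """0 bits of the wildcard must match the rule address; 1 bits are ignored."""
    care = int(IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(IPv4Address(address)) & care) == (int(IPv4Address(rule_address)) & care)


def entry_matches(entry: Entry, pkt: Packet) -> bool:
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    if not wildcard_matches(pkt.src, entry.src, entry.src_wc):
        return False
    if not wildcard_matches(pkt.dst, entry.dst, entry.dst_wc):
        return False
    if entry.dport is not None and entry.dport != pkt.dport:
        return False
    if entry.established and not (pkt.tcp_flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """IOS semantics: the first matching entry wins; no match means implicit deny."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry.action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")

# Pitfall 2): deny the 172.16.6.0/24 network, then permit host .61.  In this
# order the deny is hit first and the permit is never reached.
LOCKOUT_ACL = [
    Entry("deny", "ip", "172.16.6.0", "0.0.0.255", *ANY),
    Entry("permit", "ip", "172.16.6.61", "0.0.0.0", *ANY),
]
# The same two entries, most specific first: .61 keeps access, the rest is denied.
FIXED_ACL = [LOCKOUT_ACL[1], LOCKOUT_ACL[0]]

# Pitfall 3): the inbound rule keys on destination port 80, but the client
# 1.1.1.1 connects FROM an ephemeral port, so the reply is addressed to e.g. 1054.
NAIVE_IN_ACL = [Entry("permit", "tcp", "2.2.2.2", "0.0.0.0", *ANY, dport=80)]
ESTABLISHED_IN_ACL = [Entry("permit", "tcp", "2.2.2.2", "0.0.0.0", *ANY, established=True)]

REPLY_FROM_SERVER = Packet("2.2.2.2", "1.1.1.1", "tcp", sport=80, dport=1054,
                           tcp_flags=frozenset({"ACK"}))
# A new connection attempt from the server side carries SYN only, so
# `established` does not let it in.
SYN_FROM_SERVER = Packet("2.2.2.2", "1.1.1.1", "tcp", sport=4444, dport=3389,
                         tcp_flags=frozenset({"SYN"}))

if __name__ == "__main__":
    admin = Packet("172.16.6.61", "172.16.1.10")
    print(evaluate(LOCKOUT_ACL, admin), evaluate(FIXED_ACL, admin))   # deny permit
    print(evaluate(NAIVE_IN_ACL, REPLY_FROM_SERVER))                   # deny
    print(evaluate(ESTABLISHED_IN_ACL, REPLY_FROM_SERVER))             # permit
    print(evaluate(ESTABLISHED_IN_ACL, SYN_FROM_SERVER))               # deny
```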

4) Speaking of the modern world, one cannot ignore such a tool as the object-group.

Let's say you need to build an ACL that lets three particular addresses out to the Internet on three identical ports, with the prospect of expanding the number of addresses and ports. How it looks without object groups:

ip access-list extended TO-INTERNET
permit tcp host 172.16.6.66 any eq 80
permit tcp host 172.16.6.66 any eq 8080
permit tcp host 172.16.6.66 any eq 443

permit tcp host 172.16.6.67 any eq 80
permit tcp host 172.16.6.67 any eq 8080
permit tcp host 172.16.6.67 any eq 443

permit tcp host 172.16.6.68 any eq 80
permit tcp host 172.16.6.68 any eq 8080
permit tcp host 172.16.6.68 any eq 443


As the number of parameters grows, maintaining such an ACL becomes harder and harder, and it is easy to make a mistake.
Whereas if we turn to object groups, it takes the following form:
object-group service INET-PORTS
description Ports allowed for some hosts
tcp eq www
tcp eq 8080
tcp eq 443

object-group network HOSTS-TO-INET
description Hosts allowed to browse the net
host 172.16.6.66
host 172.16.6.67
host 172.16.6.68

ip access-list extended INET-OUT
permit object-group INET-PORTS object-group HOSTS-TO-INET any


At first glance it looks somewhat menacing, but once you get into it, it turns out to be very convenient.

5) Another very useful troubleshooting tool is the command show ip access-lists %ACL name%. Besides listing the rules of the given ACL, this command shows the number of matches for each rule.

msk-arbat-gw1#sh ip access-lists nat-inet
Extended IP access list nat-inet
(4 match(es))

And by adding the keyword log to a rule, we can get information about every match on the console (not available in PT).

NAT

Network Address Translation: a mechanism that has been sorely needed since 1994. Many sessions have been broken over it and many packets lost.
It is needed most often to connect your local network to the Internet. The point is that theoretically there are 255 * 255 * 255 * 255 = 4228250625 addresses, 4 billion. Even if every inhabitant of the planet had only one computer, the addresses would already be running out. And nowadays nearly every gadget is connected to the Internet. Smart people figured this out back in the early 90s and, as a temporary solution, proposed dividing the address space into public (white) and private (grey) addresses.
The latter include three ranges:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

You are free to use them in your private network, and therefore, of course, they will repeat. What about uniqueness? Whom should a WEB server answer when it receives a request with return address 192.168.1.1? Rostelecom? Tatneft? Or your desk lamp? On the big Internet nobody knows anything about private networks: they are not routed.
This is where NAT enters the scene. By and large it is deceit, a substitution. On the translating device your private address, roughly speaking, is simply replaced by a white address, which then sits in the packet while it travels to the WEB server. And white addresses are routed very well, so the packet will certainly come back to the translating device.
But how will it figure out what to do with it afterwards? Let's work that out.

NAT types

Static

In this case one internal address is translated to one external address. Everything sent to the external address is translated to the internal address. The host, as it were, has an external, white IP address.

It is configured with the following command:

Router(config)# ip nat inside source static 172.16.6.5 198.51.100.2

What happens:
1) Host 172.16.6.5 addresses the WEB server. It sends an IP packet whose destination address is 192.0.2.2 and whose source address is 172.16.6.5.

2) Across the corporate network the packet is delivered to the gateway 172.16.6.1, where NAT is configured

3) According to the command, the router strips the current IP header and replaces it with a new one, in which the source address is now 198.51.100.2.


4) Across the big Internet the updated packet reaches server 192.0.2.2.

5) The server sees that it has to reply to 198.51.100.2 and prepares an IP packet for it. The source address is the server's own address 192.0.2.2, the destination address is 198.51.100.2


6) The packet flies back across the Internet, and not necessarily by the same path.

7) On the translating device it is specified that all requests to address 198.51.100.2 must be redirected to 172.16.6.5. The router again extracts the TCP segment hidden inside and sets a new IP header (the source address is not changed, the destination address is 172.16.6.5).


8) Over the internal network the packet is returned to the initiator, which has no idea what wonders were worked on it at the border.
And so with each and every packet.
If a connection is initiated from the Internet, the packets automatically, passing through the translating device, get to the internal host.

This approach is useful when you have a server inside your network that needs full access from outside. Of course, you cannot use this option when you want to let three hundred hosts out to the Internet through one address. This NAT variant does not help to save white IP addresses at all, but it can nevertheless be useful.

Dynamic

You have a pool of white addresses, for example the provider has allocated you the network 198.51.100.0/28 with 16 addresses. Two of them (the first and the last) are the network and broadcast addresses, two more are assigned to equipment to provide routing. The 12 remaining addresses you can use for NAT and let your users out through them.
The situation is similar to static NAT: one private address is translated to one external address, but now the external address is not rigidly fixed and is chosen dynamically from the given range.
It is configured like this:
Router(config)#ip nat pool lol_pool 198.51.100.3 198.51.100.14 netmask 255.255.255.240

We define a pool (range) of public addresses from which an address for translation will be picked
Router(config)#access-list 100 permit ip 172.16.6.0 0.0.0.255 any

We define an access list that passes all packets with source address 172.16.6.x, where x varies from 0 to 255.
Router(config)#ip nat inside source list 100 pool lol_pool

With this command we tie together the ACL and the pool we created.

This option is also not universal, since you cannot let all your users out to the Internet if you do not have 300 external addresses. Once the external addresses are used up, nobody else can get onto the Internet. At the same time, the users who have already managed to grab an external address keep working. The command clear ip nat translation * will help you throw away all current translations and free the external addresses.
Besides the dynamic choice of the external address, dynamic NAT differs from static in that, without a separate port forwarding configuration, a connection can no longer be established from outside to one of the pool addresses.

Many-to-one

The next type has several names: NAT Overload, Port Address Translation (PAT), IP Masquerading, Many-to-One NAT.
The last name speaks for itself: through one external address many private ones go out. This solves the problem of the shortage of external addresses and lets everyone out into the world.
Here an explanation of how it works is needed. How two private addresses are translated into one is understandable, but how does the router know who to deliver the packet to that returns from the Internet to that address?
It's quite simple:
Suppose packets from two hosts on the internal network arrive at the translating device. Both carry a request to the WEB server 192.0.2.2.
The data from the hosts looks like this:

The router unpacks the IP packet from the first host, extracts the TCP segment from it, unpacks it and finds out from which port the connection is being established. It has an external address 198.51.100.2 to which it will translate addresses from the internal network.
Next it chooses a port, for example 11874. And what does it do next? All the application-level data is packed into a new TCP segment, where the destination port remains 80 (that is where the WEB server expects connections), and the source port changes from 23761 to 11874. This TCP segment is encapsulated into a new IP packet, where the source IP address changes from 172.16.6.5 to 198.51.100.2.
The same happens with the packet from the second host, only the next free port is chosen, for example 11875. "Free" means that it is not yet occupied by other such connections.
The data sent out to the Internet now looks like this.

In its NAT table it enters data about the senders and recipients

For the WEB server these are two absolutely different requests, which it must process individually. After that it sends a reply that looks like this:

When one of these packets reaches our router, it compares the data in the packet with its NAT table entries. If a match is found, the reverse procedure is performed: the packet and the TCP segment are returned to their original parameters, only with a different destination:

And now the packets are delivered over the internal network to the initiating computers, which have no idea that somewhere at the border things were done to their data.

Each of your requests is a separate connection. So, you tried to open a WEB page: that is the HTTP protocol, which uses port 80. For this your computer must establish a TCP session with the remote server. Such a session (TCP or UDP) is defined by two sockets: local IP address:local port and remote IP address:remote port. In the normal situation you have one connection, computer-server, while with NAT there are two: router-server, and the computer thinks it has a computer-server session.

The configuration differs only slightly: by the extra word overload:

Router(config)#access-list 101 permit 172.16.4.0 0.0.0.255
Router(config)#ip nat inside source list 101 interface fa0/1 overload

At the same time, of course, it is possible to configure an address pool:
Router(config)#ip nat pool lol_pool 198.51.100.2 198.51.100.14 netmask 255.255.255.240
Router(config)#access-list 100 permit 172.16.6.0 0.0.0.255
Router(config)#ip nat inside source list 100 pool lol_pool overload

Port forwarding

Otherwise known as port forwarding or port mapping.
When we first started talking about NAT, we had a one-to-one translation and all requests arriving from outside were automatically redirected to the internal host. In that way it would be possible to put a server out onto the Internet.
But if you do not have that option, you are limited in white addresses, or you simply do not want to expose a whole bunch of ports to the outside, what do you do?
You can specify that everything arriving at a specific address and a specific port of the router should be redirected to the needed port of the needed internal address.
Router(config)#ip nat inside source static tcp 172.16.0.2 80 198.51.100.2 80 extendable

Applying this command means that a TCP request arriving from the Internet at address 198.51.100.2 on port 80 will be redirected to internal address 172.16.0.2 on the same port 80. Of course, you can forward UDP too, and redirect from one port to another. This is useful, for example, when you have two computers that need RDP access from outside. RDP uses port 3389. The same port cannot be forwarded to different hosts (when using the same external address). So you can do this:
Router(config)# ip nat inside source static tcp 172.16.6.61 3389 198.51.100.2 3389
Router(config)# ip nat inside source static tcp 172.16.6.66 3389 198.51.100.2 3398

Then, to get to computer 172.16.6.61, you start an RDP session to 198.51.100.2:3389, and to 172.16.6.66, to 198.51.100.2:3398. The router itself sorts everything out where required.

Incidentally, this command is a special case of the very first one: ip nat inside source static 172.16.6.66 198.51.100.2. Only there it is about forwarding all traffic, and in our examples, specific ports of the TCP protocol.
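The many-to-one translation walked through above and the port-forwarding commands just shown can be modelled as a translation table. The following is an added Python example, not the article's code and not Cisco's implementation; it uses the article's addresses and ports, and the outside host 203.0.113.9 is constructed.

```python
"""Many-to-one NAT (PAT) with static port forwarding, modelled as a table.

Added example, not the article's code and not Cisco's implementation: one
public address (198.51.100.2) fronts several private hosts.  Outbound flows
get a free public port and a table entry; inbound packets are accepted only
if they match an entry or a static forward.  203.0.113.9 is a constructed
outside host; all other values come from the article.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

Socket = Tuple[str, int]   # (ip, port)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class PatRouter:
    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self._next_port = first_port
        self._last_port = last_port
        # dynamic translations: (proto, public port) -> (inside socket, remote socket)
        self.table: Dict[Tuple[str, int], Tuple[Socket, Socket]] = {}
        # static forwards: (proto, public port) -> inside socket
        self.forwards: Dict[Tuple[str, int], Socket] = {}

    def add_forward(self, proto: str, inside: Socket, public_port: int) -> None:
        """Counterpart of `ip nat inside source static tcp <in_ip> <in_port> <pub_ip> <pub_port>`."""
        self.forwards[(proto, public_port)] = inside

    def _free_port(self, proto: str) -> int:
        """Next port not used by an existing translation or a static forward."""
        port = self._next_port
        while (proto, port) in self.table or (proto, port) in self.forwards:
            port += 1
        if port > self._last_port:
            raise RuntimeError("no free ports left on " + self.public_ip)
        self._next_port = port + 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> Internet: rewrite the source to public_ip:port and record the flow."""
        inside, remote = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        for (proto, pub_port), entry in self.table.items():
            if proto == pkt.proto and entry == (inside, remote):   # flow already known
                return replace(pkt, src=self.public_ip, sport=pub_port)
        pub_port = self._free_port(pkt.proto)
        self.table[(pkt.proto, pub_port)] = (inside, remote)
        return replace(pkt, src=self.public_ip, sport=pub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> inside: the translated packet, or None if it is dropped.

        Accepted when a table entry exists for the destination port AND the
        packet's source socket is the remote side recorded there, OR a static
        forward exists for that port.  Anything else is discarded: this is the
        incidental firewall property of PAT described below.
        """
        if pkt.dst != self.public_ip:
            return None
        key = (pkt.proto, pkt.dport)
        if key in self.table:
            (in_ip, in_port), remote = self.table[key]
            if (pkt.src, pkt.sport) == remote:
                return replace(pkt, dst=in_ip, dport=in_port)
            return None                      # right port, wrong peer: not our conversation
        if key in self.forwards:
            in_ip, in_port = self.forwards[key]
            return replace(pkt, dst=in_ip, dport=in_port)
        return None


def demo() -> dict:
    """Walks through the article's scenario and returns what is observable."""
    r = PatRouter("198.51.100.2", first_port=11874)
    # two inside hosts, both using local port 23761, open HTTP sessions to 192.0.2.2
    a = r.outbound(Packet("tcp", "172.16.6.5", 23761, "192.0.2.2", 80))
    b = r.outbound(Packet("tcp", "172.16.6.6", 23761, "192.0.2.2", 80))
    # the server's replies are sorted back to the right host by public port
    reply_a = r.inbound(Packet("tcp", "192.0.2.2", 80, "198.51.100.2", a.sport))
    reply_b = r.inbound(Packet("tcp", "192.0.2.2", 80, "198.51.100.2", b.sport))
    # an unsolicited connection from outside to the public address is dropped
    stray = r.inbound(Packet("tcp", "203.0.113.9", 40000, "198.51.100.2", 22))
    # port forwarding: RDP to two hosts via public ports 3389 and 3398
    r.add_forward("tcp", ("172.16.6.61", 3389), 3389)
    r.add_forward("tcp", ("172.16.6.66", 3389), 3398)
    rdp = r.inbound(Packet("tcp", "203.0.113.9", 50000, "198.51.100.2", 3398))
    return {"a_port": a.sport, "b_port": b.sport,
            "reply_a": (reply_a.dst, reply_a.dport), "reply_b": (reply_b.dst, reply_b.dport),
            "stray_dropped": stray is None, "rdp": (rdp.dst, rdp.dport)}
```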

This is roughly how NAT works. A bunch of articles have been written about its peculiarities, pros and cons, but one cannot fail to mention them.

Weaknesses and strengths of NAT

+

- First, NAT allows you to save public IP addresses. Strictly speaking, that is what it was created for. Through one address you can theoretically let out more than 65,000 grey addresses (by the number of ports).
- Second, PAT and dynamic NAT are to some extent a firewall, preventing external connections from reaching the end computers, which may not have their own firewall and antivirus. The point is that if a packet arrives at the translating device from outside that is not expected here or is not permitted, it is simply discarded.
For the packet to be let through and processed, the following must hold:
1) The NAT table must have an entry for the external address given as the destination address in the packet
AND
2) The source port in the packet must match the port for that external address in the entry
AND
3) The destination port of the packet matches the port in the entry.
OR
Port forwarding is configured.
But you should not regard NAT itself as a firewall: it is no more than a small extra bonus of it.

- Third, NAT hides the internal structure of your network from prying eyes: when tracing the route from outside you will not see anything beyond the translating device.

-

Yes, NAT has minuses. The most noticeable are perhaps these:
- Some protocols cannot work through NAT without crutches. For example FTP or tunnelling protocols (although I set up FTP in the lab without trouble, in real life it can create a bunch of problems)
- Another problem is that many requests to one server come from the same address. Many of you have probably run into this: you go to Rapidshare and it tells you that your IP is already downloading, you think "damn dog", but it is your neighbour who is downloading. For the same reason there were problems with ICQ, when the servers refused registration.
- A problem that is no longer very relevant: the load on the processor and RAM. Since the work to be done is far greater than with simple routing (you have to not just look into the IP header, you have to strip it, strip the TCP header, add to the table, attach new headers), small office devices have problems with this.
I have run into such a situation.
One possible solution is to offload the NAT function to a separate PC or to a specialised device such as a Cisco ASA.
For big players, whose routers carry 3-4 BGP full-views, this problem does not arise at all.

What else do you need to know?
- NAT is mainly used to provide Internet access to hosts with private addresses. But there is another application: the link between two private networks with overlapping address spaces.
For example, your company buys a branch in Aktyubinsk. Your addressing is 10.0.0.0-10.1.255.255, and theirs is 10.1.1.0-10.1.10.255. The ranges clearly overlap, and routing cannot be set up in any way, because the same address may turn up both in Aktyubinsk and at your headquarters.
In that case NAT is set up at the junction point. Since we have plenty of grey addresses, we can take, for example, the range 10.2.1.0-10.2.10.255 and do a one-to-one translation:
10.1.1.1-10.2.1.1
10.1.1.2-10.2.1.2
…
10.1.10.255-10.2.10.255

On big carrier-grade hardware, NAT may be implemented on a separate board (and often is), or may be absent altogether. On office devices, on the contrary, it is almost always there.

With the widespread introduction of IPv6 the need for NAT will disappear. Already now big customers are beginning to ask for NAT64 functionality: when access to the world is via IPv4 and the internal network is already on IPv6

Of course, this is only a superficial look at NAT, and there is a whole sea of nuances in which you are free not to drown through further self-education.

NAT practice

What do we need in reality?
1) The management network has no Internet access
2) Hosts from the PTO network have access only to specialised sites, for example Linkmeup.ru
3) The dear ladies in accounting need to be let out to the client-bank sites.
4) FEO is not let out anywhere, except for the financial director
5) Others: our computer and the administrator's computer have full access to the Internet. Everyone else can be added on written request.
6) Let's not forget the branches in St. Petersburg and Kemerovo. For simplicity we will give full access to the eniks (on-site IT staff) from those subnets.
7) The servers are a separate story. For them we will configure port forwarding. All we need:
a) The WEB server must be reachable on port 80
b) The mail server on ports 25 and 110
c) The file server is reachable from outside via FTP.
8) The administrator's computer and ours are reachable from the Internet via RDP. Strictly speaking, this is the wrong way: for a remote connection you should use a VPN and, once on the local network, use RDP; but that is a topic for another article.

Meanwhile, let's prepare the test bench:

The connection to the Internet will be organised through a link provided by the provider.
It goes into the provider's network. Let's take it that everything behind it is a cloud, an abstract network that may consist of dozens of routers and hundreds of switches. But since we need something controllable and configurable, we put a router here. On one side it has the link from the switch, on the other, servers on the Internet.

We will need the following servers:
1. Two client-banks for the accountants (sperbank.ru, mmm-bank.ru)
2. Linkmeup.ru for the PTO people
3. Yandex (yandex.ru)

For this connection we add one more VLAN on msk-arbat-gw1. Its number is, of course, agreed with the provider. Let it be VLAN 6
Let's say the provider gives us the subnet 198.51.100.0/28. The first two addresses are used for the link (198.51.100.1 and 198.51.100.2), and the rest we use as the pool for NAT. Though nobody prevents us from using address 198.51.100.2 for the pool as well. So let's do that: pool 198.51.100.2-198.51.100.14
For simplicity, let's assume our public servers are all in one subnet:
192.0.2.0/24.
You already know how to set up a link and addresses.
Since we have only one router on the provider's side and all networks are connected to it directly, there is no need to configure routing.
But our msk-arbat-gw1 has to know where to send packets to the Internet, so we need a default route:

msk-arbat-gw1(config)# ip route 0.0.0.0 0.0.0.0 198.51.100.1

Now, in order

First, the address pool

msk-arbat-gw1(config)# ip nat pool main_pool 198.51.100.2 198.51.100.14 netmask 255.255.255.240

Now build the ACL:
msk-arbat-gw1(config)# ip access-list extended nat-inet

1) Management network

No Internet access
Done

2) Hosts from PTO

Access only to specialised sites, for example Linkmeup.ru
msk-arbat-gw1(config-ext-nacl)# permit tcp 172.16.3.0 0.0.0.255 host 192.0.2.2 eq 80

3) Accounting

We give all hosts access to both servers
msk-arbat-gw1(config-ext-nacl)# permit ip 172.16.5.0 0.0.0.255 host 192.0.2.3
msk-arbat-gw1(config-ext-nacl)# permit ip 172.16.5.0 0.0.0.255 host 192.0.2.4

4) FEO

We let out only the financial director, a single host.
msk-arbat-gw1(config-ext-nacl)# permit ip host 172.16.4.123 any

5) Others

Our computers with full access
msk-arbat-gw1(config-ext-nacl)# permit ip host 172.16.6.61 any
msk-arbat-gw1(config-ext-nacl)# permit ip host 172.16.6.66 any

6) Branches in St. Petersburg and Kemerovo

Let the eniks' addresses be the same everywhere: 172.16.x.222
msk-arbat-gw1(config-ext-nacl)# permit ip host 172.16.16.222 any
msk-arbat-gw1(config-ext-nacl)# permit ip host 172.16.17.222 any
msk-arbat-gw1(config-ext-nacl)# permit ip host 172.16.24.222 any

This is what the whole ACL looks like now:
ip access-list extended nat-inet
remark PTO
permit tcp 172.16.3.0 0.0.0.255 host 192.0.2.2 eq www
remark ACCOUNTING
permit ip 172.16.5.0 0.0.0.255 host 192.0.2.3
permit ip 172.16.5.0 0.0.0.255 host 192.0.2.4
remark FEO
permit ip host 172.16.4.123 any
remark IAM
permit ip host 172.16.6.61 any
remark ADMIN
permit ip host 172.16.6.66 any
remark SPB_VSL_ISLAND
permit ip host 172.16.16.222 any
remark SPB_OZERKI
permit ip host 172.16.17.222 any
remark KMR
permit ip host 172.16.24.222 any

Let's start:

msk-arbat-gw1(config)# ip nat inside source list nat-inet pool main_pool overload

But naturally we cannot do without configuring the interfaces:
On the external interface you need to give the command ip nat outside
On the internal ones: ip nat inside
msk-arbat-gw1(config)# int fa0/0.101
msk-arbat-gw1(config-subif)# ip nat inside
msk-arbat-gw1(config)# int fa0/0.102
msk-arbat-gw1(config-subif)# ip nat inside
msk-arbat-gw1(config)# int fa0/0.103
msk-arbat-gw1(config-subif)# ip nat inside
msk-arbat-gw1(config)# int fa0/0.104
msk-arbat-gw1(config-subif)# ip nat inside

msk-arbat-gw1(config)# int fa0/1.6
msk-arbat-gw1(config-subif)# ip nat outside

This lets the router understand which packets it has to translate, and in which direction.

For the Internet servers to be reachable by domain name, it would do us no harm to get a DNS server in our network:


Naturally, it has to be configured on the devices from which we want access:

Show must go on!

From the administrator's computer everything is accessible:

From the PTO network there is only access to the linkmeup.ru site on port 80 (HTTP):



From FEO only 4.123 (the financial director) gets out into the world



The accountants have only the client-bank sites. But since the permission is given for the whole IP protocol, those can be pinged:


7) Servers

Here we need to configure port forwarding so that they can be reached from the Internet:

a) Web server

msk-arbat-gw1(config)# ip nat inside source static tcp 172.16.0.2 80 198.51.100.2 80

We check this, for example, from a test PC with address 192.0.2.7.
Right now nothing works, because we have not configured the interface towards the servers on msk-arbat-gw1:
msk-arbat-gw1(config)# int fa0/0.3
msk-arbat-gw1(config-subif)# ip nat inside

And now:

b) File server

msk-arbat-gw1(config)# ip nat inside source static tcp 172.16.0.3 20 198.51.100.3 20
msk-arbat-gw1(config)# ip nat inside source static tcp 172.16.0.3 21 198.51.100.3 21

This is why, in the ACL Servers-out, we opened ports 20-21 for everyone

c) Mail server

msk-arbat-gw1(config)# ip nat inside source static tcp 172.16.0.4 25 198.51.100.4 25
msk-arbat-gw1(config)# ip nat inside source static tcp 172.16.0.4 110 198.51.100.4 110

Checking this is also not difficult. Follow the instructions:
On the server we set up a mail server. We specify the domain and create two users.

We set up a computer in our company:

From outside:

Prepare a letter:

On the local host press Receive:

8) RDP access to the administrator's computer and ours

msk-arbat-gw1(config)# ip nat inside source static tcp 172.16.6.61 3389 198.51.100.10 3389
msk-arbat-gw1(config)# ip nat inside source static tcp 172.16.6.66 3389 198.51.100.10 3398

Security

Lastly, one remark. Most likely, on the translating device you have an interface with ip nat outside facing the Internet. So it would do no harm to hang an ACL on that interface, in which you deny or permit whatever is needed. We will not dwell on this question in this article.

This concludes our first acquaintance with NAT technology.
Just one more homework assignment: answer the question why there is no Internet access from the eniks' computers in St. Petersburg and Kemerovo. After all, we have already added them to the access list.
