NAT Address Pool and Its Conversion Basis

NAT Address Pool

To perform NAT on private network user packets, public IP addresses must be available. The NetEngine 8000 F uses NAT address pools to manage public IP addresses. The address pool defines the range of public IP addresses that can be allocated to private network packets.

To associate a NAT address pool with a NAT board, the following concepts are introduced on the NetEngine 8000 F:

  • service-location backup group: specifies the board on which the NAT task is performed.

  • service-instance-group (service instance group): is bound to a service-location backup group.

  • NAT instance: NAT processing policies may differ between users. For example, a policy may specify a flow rate limit for each user. To facilitate unified management, the concept of NAT instances is introduced: users with the same policy are assigned to the same instance.

    The NAT instance must be bound to a specific service-instance-group (service instance group) so that user packets in the NAT instance are forwarded to the specified board for NAT processing.

    After a NAT instance is created, specify a NAT address pool for the NAT instance. In this way, the private IP address of the user can be replaced with the public IP address in the address pool during NAT.

    After an address pool is specified in a NAT instance, the NetEngine 8000 F generates a user network route (UNR) destined for the address pool's network segment or for an individual IP address, so that reverse packets (public network to private network) can be routed.

NAT Easy IP

By default, an IP address in a NAT address pool cannot be the same as an IP address that is already used by an interface. Because public address resources are limited, users on enterprise networks often cannot obtain enough public IP addresses. When only a few public IP addresses are available, the easy IP function is used: the NetEngine 8000 F lets the addresses in a NAT address pool also serve as interface addresses, which is called NAT easy IP.
Figure 1 NAT easy IP fundamentals
In Figure 1, a NAT device translates the private IP address of an enterprise network user to the IP address of a public network interface so that traffic can be transmitted from the enterprise network to the carrier network.
  1. The NAT device receives packets sent by an internal host to access the public server. For example, the source IP address of the packets sent by Host A is 10.0.0.1, and the source port number is 4000.
  2. The NAT device uses the public IP address of its public network interface to establish an Easy IP entry that maps to the source IP address of the internal host. The NAT device then translates the received packets using the interface IP address recorded in the Easy IP entry. In this example, after NAT is performed on the packets sent by Host A, the source IP address is 1.1.1.1 and the source port number is 4101.

NAT Address Pool Translation Basis

The NetEngine 8000 F performs NAT based on quintuple information (source address, source port number, protocol type, destination address, and destination port number).

5-tuple NAT, also called symmetric NAT, uses this 5-tuple both to translate IP addresses and to filter incoming packets.

When a NAT device receives packets that carry the same private source IP address and port number but different destination IP addresses and port numbers, it translates the source IP address and port number in each of these packets into a different public IP address/port pair. The NAT device then accepts packets addressed to a translated IP address and port number only from the public host whose IP address matches the destination IP address recorded for that translation. In other words, a public network host can communicate with a private host only if the public host's source IP address matches the destination IP address that the private host's packets carried before NAT translated them. 5-tuple NAT improves packet transmission security, but it does not allow hosts connected to different NAT devices to communicate with each other.
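The following toy model is an added example and not NetEngine 8000 F code; it ties together the Easy IP steps above (a pool consisting of the single interface address 1.1.1.1, Host A at 10.0.0.1:4000) and the 5-tuple behaviour just described. The class, pool, hosts, ports and server addresses are constructed for illustration. Every mapping is keyed on the full private 5-tuple, so the same private source endpoint contacting a second destination receives a new public endpoint (with a one-address pool the mappings differ by port), and a reply is accepted only if it arrives from the destination that was contacted and is addressed to exactly that public endpoint; anything else is dropped.

```python
# Added example: a toy model of 5-tuple (symmetric) NAT over an address pool.
# Not NetEngine code; the class name, pool, hosts, ports and servers are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# (protocol, source IP, source port, destination IP, destination port)
FiveTuple = Tuple[str, str, int, str, int]
Endpoint = Tuple[str, int]


@dataclass
class SymmetricNat:
    """NAT that keys every mapping on the full 5-tuple of the private flow.

    pool holds the public addresses the NAT instance may hand out. With
    Easy IP the pool is just the public interface address (one entry).
    """
    pool: List[str]
    first_port: int = 4096
    last_port: int = 65535
    # private 5-tuple -> (public IP, public port)
    outbound: Dict[FiveTuple, Endpoint] = field(default_factory=dict)
    # public-side 5-tuple of the expected reply -> (private IP, private port)
    inbound: Dict[FiveTuple, Endpoint] = field(default_factory=dict)
    _next_port: Dict[str, int] = field(default_factory=dict)

    def _allocate(self) -> Endpoint:
        """Hand out the next free (public IP, port) pair, walking the pool in order."""
        for pub_ip in self.pool:
            port = self._next_port.get(pub_ip, self.first_port)
            if port <= self.last_port:
                self._next_port[pub_ip] = port + 1
                return pub_ip, port
        raise RuntimeError("NAT address pool exhausted")

    def translate_out(self, proto: str, src_ip: str, src_port: int,
                      dst_ip: str, dst_port: int) -> Endpoint:
        """Translate a private->public packet, creating the mapping if it is new.

        Because the key includes dst_ip/dst_port, the same private src_ip:src_port
        talking to a second destination gets a different public endpoint.
        """
        key: FiveTuple = (proto, src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            pub = self._allocate()
            self.outbound[key] = pub
            # The only reply accepted for this mapping is one from the same
            # destination, addressed to the public endpoint just allocated.
            self.inbound[(proto, dst_ip, dst_port, pub[0], pub[1])] = (src_ip, src_port)
        return self.outbound[key]

    def translate_in(self, proto: str, src_ip: str, src_port: int,
                     dst_ip: str, dst_port: int) -> Optional[Endpoint]:
        """Translate a public->private packet; None means the NAT drops it."""
        return self.inbound.get((proto, src_ip, src_port, dst_ip, dst_port))


def demo() -> dict:
    """Constructed scenario: Easy IP with interface address 1.1.1.1, Host A at 10.0.0.1:4000."""
    nat = SymmetricNat(pool=["1.1.1.1"], first_port=4101)
    # Host A opens two flows from the same private port to two public servers.
    a_to_s1 = nat.translate_out("tcp", "10.0.0.1", 4000, "203.0.113.10", 80)
    a_to_s2 = nat.translate_out("tcp", "10.0.0.1", 4000, "203.0.113.20", 80)
    return {
        "a_to_s1": a_to_s1,   # ("1.1.1.1", 4101)
        "a_to_s2": a_to_s2,   # ("1.1.1.1", 4102): a new mapping per destination
        # Reply from server 1 to the endpoint it was contacted from: accepted.
        "reply_s1": nat.translate_in("tcp", "203.0.113.10", 80, "1.1.1.1", 4101),
        # Server 2 trying to use server 1's mapping: dropped.
        "s2_on_s1_mapping": nat.translate_in("tcp", "203.0.113.20", 80, "1.1.1.1", 4101),
        # Unsolicited public host: dropped.
        "stranger": nat.translate_in("tcp", "198.51.100.7", 80, "1.1.1.1", 4101),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} {value}")
```

The `inbound` table is what makes the filtering work: it is populated only from outbound traffic, so a public host that was never the destination of a private flow has no entry to match and its packets return `None`. Pool exhaustion raises an error rather than silently reusing a port, which mirrors the operational point that a pool sized too small for the user population becomes a denial-of-service risk.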

Copyright © Huawei Technologies Co., Ltd.