NAT connection type. Fixing problems with GTA Online while troubleshooting the “stupid” NAT type

Hello, today let's talk about how to configure NAT on Cisco: what NAT is and why it is needed. This functionality has long been part of everyday life, and it is now hard to imagine an enterprise that does not use this technology in some way. In its time it rescued the Internet and greatly delayed the transition from IPv4 to IPv6, but let's take everything in order.

What is NAT?

NAT (Network Address Translation) is a mechanism for translating network addresses. Simply put, it is a technology that lets a number of hosts with private IP addresses share a single public IP. An example is office Internet access, where all the clients sit behind a gateway on which a public IP address is configured for Internet access, while the clients themselves have local IP addresses.

It looks something like this

Types of NAT

  • Static NAT - a one-to-one mapping of a private ("gray") IP to a public ("white") one, for example forwarding a port such as RDP into the local network
  • Dynamic NAT - translating a private IP to one public IP address out of a pool of several public addresses
  • NAT overload, also known as PAT (Port Address Translation) - translating several private IPs to one public IP, distinguishing them by port numbers.

Today we will look at static NAT and PAT.

Setting up NAT on Cisco

This is what the diagram of a small office looks like. We have 3 computers in VLAN 2 and a server in the adjacent VLAN 3. All of this is connected to a Cisco 2960 Layer 2 switch, which in turn is connected to a Cisco 1841 router that routes local traffic between VLAN 2 and VLAN 3.

Setting up Cisco 2960

Create VLAN 2 and VLAN 3, set their names and assign the required ports to these VLANs.

enable
conf t
! create vlan 2
vlan 2
name VLAN2
exit
! create vlan 3
vlan 3
name VLAN3
exit
! put ports fa0/1-3 into vlan 2
int range fa0/1-3
switchport mode access
switchport access vlan 2
exit
! put port fa0/4 into vlan 3
int fa 0/4
switchport mode access
switchport access vlan 3
exit
! fa0/5 is the trunk towards the router, carrying vlan 2 and 3
int fa 0/5
switchport mode trunk
switchport trunk allowed vlan 2,3
do wr mem

Setting up Cisco 1841

First we create the subinterfaces and bring up the port.

enable
conf t
int fa0/0
no shutdown
exit

! subinterface for vlan 2
int fa0/0.2
encapsulation dot1Q 2
ip address 192.168.2.251 255.255.255.0
no shutdown
exit

! subinterface for vlan 3
int fa0/0.3
encapsulation dot1Q 3
ip address 192.168.3.251 255.255.255.0
no shutdown
exit

As a result, the port link came up (the port turned green).

Setting up PAT

Unfortunately, my virtual lab cannot be connected to the real Internet, so we simulate it: there will be a provider router with a public IP address and a server with a public IP address. Schematically it looks like this. On the provider's router, the first port is assigned the public IP address 213.235.1.1 with subnet mask 255.255.255.252.

We configure this IP on our test provider router.

en
conf t
int fa0/0
ip address 213.235.1.1 255.255.255.252
no shutdown
exit

We configure port fa0/1, which faces the server, and assign it another public IP, 213.235.1.25 255.255.255.252.

int fa0/1
ip address 213.235.1.25 255.255.255.252
no shutdown
exit

The server has IP address 213.235.1.26 and its gateway is 213.235.1.25, the interface of the provider's router that is connected to the server.

Now we configure our local router Router0: on it we set the IP address 213.235.1.2 255.255.255.252 that our provider gave us, and the gateway is 213.235.1.1.

enable
conf t
int fa0/1
ip address 213.235.1.2 255.255.255.252
no shutdown
exit
! default route towards the provider
ip route 0.0.0.0 0.0.0.0 213.235.1.1
exit
wr mem

We ping the IP addresses of the provider and the server from the office router and, most importantly, everything works correctly.

Router#ping 213.235.1.1
Success rate is 80 percent (4/5), round-trip min/avg/max = 0/0/0 ms

Router#ping 213.235.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 213.235.1.1, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms

Router#ping 213.235.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 213.235.1.2, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/9/17 ms

Router#ping 213.235.1.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 213.235.1.25, timeout is 2 seconds:

Router#ping 213.235.1.26
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 213.235.1.26, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms

The result is the same, and the same check can be done on the local router. Now we need to specify which interface is the NAT outside interface and which are inside. Here it is simple: the outside interface is the one with the provider's IP address, and the inside ones are those connected to the Layer 2 switch. fa0/1 will be outside, and the two subinterfaces will be inside.

enable
conf t
int fa0/1
ip nat outside
exit
int fa0/0.2
ip nat inside
int fa0/0.3
ip nat inside
exit

Setting up Access List

The access list defines which traffic is to be translated and which is to be routed without NAT.

Create an access list named NAT:

ip access-list standard NAT
! permit the two office networks
permit 192.168.2.0 0.0.0.255
permit 192.168.3.0 0.0.0.255

0.0.0.255 are the wildcard bits.

So at this point the configuration contains an access list and ports assigned as outside and inside.

One more command tells the router that all traffic matching the NAT list is to be translated to the address of fa0/1; the overload keyword turns this into PAT.

ip nat inside source list NAT interface fa0/1 overload

Save everything with do wr mem.

Now check from a computer on the local network that external resources are reachable. Look at its configuration with the ipconfig command: it has IP address 192.168.2.1. Ping 213.235.1.26; it answers, so everything is fine and Cisco NAT is working.

How a router works

I think everyone understands what a router is for, but how does it actually work? In this article I will explain the basic principles of a router's operation in the most accessible way. It will be useful to system administrators, and ordinary users will forgive us.

The main function of any router is NAT

NAT (Network Address Translation) is the replacement of IP addresses. Local networks mostly use addresses like 192.168.1.XXX or similar, and this creates a routing problem on the global Internet, because IP addresses there must not be duplicated. The most common solution to this problem is NAT: the computers of the local network are connected to the router's local interface, receive a local IP address and gateway (the router acts as the gateway), and the router's WAN interface is connected to the Internet.

Now let's look at the principle of NAT translation:

  • From any computer on the local network, try to request something, for example open some website: the computer sends the request to the gateway address, that is, to our router;
  • The router, having received the data, records your computer as the initiator of the connection, then creates a copy of your packet and sends it to the requested address on behalf of the router, from its own IP address; your original packet is simply discarded;
  • The server to which the request was sent receives it and sends a response, naturally to the router's address. The router looks up the record it created about who is expecting a response and forwards it to your computer. As you can see, in this scheme only a computer on the local network can initiate a connection, and the router forwards a server's data to a computer only if it has a matching record (a response to a request). In other words, all attempts to connect to the router from outside will be dropped, unless the router itself serves a resource on the requested port or Port Forwarding rules have been configured, which we will talk about in a moment.

Port Forwarding

Port Forwarding is essentially the same NAT, but in the other direction, and only static: you can define it only for specific ports to specific computers, since the global network cannot know the IP address behind the router. For example, you have set up an FTP or HTTP server on your computer and want to give access to it; for this you need a rule on the router stating that all incoming packets to the required port (21 or 80 in our case) are forwarded to the IP address of our computer on the same port (the port can be changed).

NAT-DMZ

NAT-DMZ is exactly the same as Port Forwarding, with the difference that you do not need to write a rule for each port: you just enable NAT-DMZ, which forwards to the chosen computer all requests arriving at the router's WAN interface. In this case the port cannot be changed.

Routing

To put it simply, routing is the same thing as NAT, only in both directions. In this scheme the router has 2 or more LAN interfaces (not ports, but interfaces) with different address spaces, for example one interface has IP 192.168.0.1 and the other 192.168.1.1. Computers of one network receive addresses like 192.168.0.XXX and of the other network 192.168.1.XXX, and their gateways are 192.168.0.1 and 192.168.1.1 respectively. This is how two-way routing is obtained.


QUESTION:

My game tells me that my NAT is Strict or Moderate. How do I get Open NAT?

ANSWER:

A Strict or Moderate NAT can mean that you cannot enjoy all the features of your online multiplayer game.

NAT stands for Network Address Translation. Roughly speaking, it is a method of directing traffic from the Internet (for example from a website, a game server or a P2P network) to the right device (for example a computer, console or tablet) in your network. This method takes into account both the device and the origin of the traffic in the "conversation", and that can mean that you get Open NAT for some services or games and Strict NAT for others.

The hardware responsible for NAT in a network is the router. Your starting point for NAT troubleshooting should therefore be your router and its configuration, even though other factors can negatively affect your NAT.

This can be good or bad:

Some routers are easier to configure than others
- If you use a shared Internet connection (for example in a dormitory, a military base, a hospital)
- Some Internet providers give you a router for your home but organize the network so that you sit behind another router to which you have no access. (Your router is then not connected directly to the Internet, but to a second "local" network. This scenario is called .)


Now to the troubleshooting!

We have compiled troubleshooting FAQs for connection problems for most Ubisoft games. To find them, click on the search bar above this FAQ, select your game and platform, and enter connection problems. The search will show you the matching connectivity FAQ for your game, with which you can fix NAT issues as well as other connection problems.

Having covered how the NAT protocol works, it is now time to look at configuring it on Cisco equipment.

Setting up static NAT (Static NAT)

As you may have guessed, static NAT is a one-to-one mapping of internal and external addresses. It allows external devices to initiate connections to internal devices using the statically assigned public address.

For example, an internal web server can be given an inside global address so that it is reachable from outside the network.

The diagram shows an internal network with a web server that has a private IPv4 address. The router is configured with static NAT so that devices outside the network can reach the web server. A client on the external network connects to the web server using its publicly accessible IPv4 address, and static NAT translates that public IPv4 address to the private one.

When setting up static NAT translations, two main tasks come into play:

  1. Create a mapping between the inside local address and the inside global address. For example, in the diagram the inside local address 192.168.1.5 and the inside global address 208.165.100.5 are configured as a static NAT translation.
  2. After the mapping is configured, the interfaces that take part in the translation must be configured as inside and outside with respect to NAT. In the diagram, the router interface Serial 0/0/0 is inside and Serial 0/1/0 is outside.

Packets that arrive on the router's inside interface Serial 0/0/0 from the configured inside local IPv4 address (192.168.1.5) are translated and then forwarded to the external network. Packets that arrive on the outside interface Serial 0/1/0, addressed to the configured inside global IPv4 address (208.165.100.5), are translated to the inside local address (192.168.1.5) and then forwarded into the internal network.

The configuration takes a few steps:

  1. Create the static translation between the inside local and inside global addresses with the command ip nat inside source static [local_IP global_IP]. To remove the translation, enter no ip nat inside source static. If we need to translate not an address to an address but an address to the address of an interface, the command is ip nat inside source static [local_IP] interface [type number].
  2. Define the inside interface. Enter interface configuration mode with interface [type number] and then enter the command ip nat inside.
  3. Likewise define the outside interface with the command ip nat outside.

Router(config)# ip nat inside source static 192.168.1.5 208.165.100.5
Router(config)# interface serial0/0/0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface serial0/1/0
Router(config-if)# ip nat outside

The translation then proceeds as follows:

  1. The client wants to open a connection to the web server. The client sends a packet to the web server using its publicly accessible IPv4 address 208.165.100.5. This is the inside global address of the web server.
  2. The first packet that the router receives from the client on its outside NAT interface causes it to check its NAT table. The destination IPv4 address is found in the NAT table and is translated.
  3. The router replaces the inside global address 208.165.100.5 with the inside local address 192.168.1.5 and forwards the packet to the web server.
  4. The web server receives the packet and replies to the client using its own inside local address 192.168.1.5 as the source.
  5. The router receives the packet from the web server on its inside NAT interface with the source address equal to the web server's inside local address, 192.168.1.5. It checks the NAT table for the translation of the inside local address to the inside global one, changes the source address from 192.168.1.5 to 208.165.100.5 and sends the packet out of the Serial 0/1/0 interface to the client.
  6. The client receives the packet, and the packet exchange continues. The router performs steps 2 to 5 for each packet.

Verification of static NAT

The quickest command for checking NAT is show ip nat translations. This command displays the active NAT translations. Static translations, unlike dynamic ones, are always present in the NAT table.

Router#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 208.165.100.5      192.168.1.5        208.165.100.70     208.165.100.70

Another useful command is show ip nat statistics. It displays information about the number of active translations, the NAT configuration parameters, the number of addresses in the pool and the number of addresses that have been allocated.

Router#show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Peak translations: 2, 00:00:21 ago
Outside interfaces:
  Serial0/1/0
Inside interfaces:
  Serial0/0/0
Hits: 7  Misses: 0

To verify that the NAT translation is really working, it is best to clear the statistics of any previous translations with the command clear ip nat statistics before testing.

Setting up dynamic NAT (Dynamic NAT)

While static NAT is a permanent mapping between inside local and inside global addresses, dynamic NAT creates the mapping of inside local addresses to inside global (public) addresses automatically. Dynamic NAT uses a group or pool of public IPv4 addresses for translation. Like static NAT, dynamic NAT requires that the inside and outside interfaces taking part in NAT be configured.


Let's look at the example in this diagram. Here we have an internal network with two subnets, 192.168.1.0/24 and 192.168.2.0/24, and a border router on which we configure dynamic NAT with a pool of public addresses 208.165.100.5 - 208.165.100

The pool of public addresses (inside global address pool) is available to any device on the internal network on a first come, first served basis. With dynamic NAT, one internal address is translated to one external address. With this type of translation there must be enough addresses in the pool to serve simultaneously all internal devices that need access to the external network. Once all the addresses in the pool are in use, a device must wait for an available address before it can reach the external network.

Let's go through the configuration step by step:

  1. Define the pool that will be used for translation with the command ip nat pool [name start_ip end_ip]. This pool of addresses is the group of publicly accessible addresses. It is defined by the starting IP address and the ending IP address of the pool. The keyword netmask or prefix-length specifies the mask.
  2. Configure a standard access list (ACL) to specify which addresses are translated, with the access-list command. You can read about standard access lists in this article (and about extended ones in this one). An ACL that permits too wide a range of addresses can lead to unexpected results, so remember that there is an implicit deny all at the end.
  3. Bind the ACL to the pool with the command ip nat inside source list [ACL_number] pool [pool_name]. The router uses this configuration to determine which devices (list) receive which addresses (pool).
  4. Define which interfaces are inside with respect to NAT, that is, every interface that connects to the internal network.
  5. Define which interfaces are outside with respect to NAT, that is, every interface that connects to the external network.

Router(config)# ip nat pool MerionNetworksPool 208.165.100.5 208.165.100.15 netmask 255.255.255.0
Router(config)# access-list 1 permit 192.168.0.0 0.0.255.255
Router(config)# ip nat inside source list 1 pool MerionNetworksPool
Router(config)# interface serial0/0/0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface serial0/1/0
Router(config-if)# ip nat outside

As you can see in our diagram:

  1. Computers with addresses 192.168.1.10 and 192.168.2.10 send packets to the server with the public address 208.165.100.70.
  2. The router receives the first packet from host 192.168.1.10. Because this packet arrived on an interface configured as a NAT inside interface, the router checks the NAT configuration to determine whether the packet should be translated. The ACL permits the packet, and the router checks its NAT table. Since there is no translation entry for this IP address, the router determines that the source address 192.168.1.10 must be translated dynamically. The router (R2 in the diagram) selects an available global address from the dynamic address pool and creates a translation entry, 208.165.200.5. The host's IPv4 address (192.168.1.10) is recorded as the inside local address, and its translation to the inside global address (208.165.200.5) is stored in the NAT table. For the other host, 192.168.2.10, the router repeats this procedure, selects another available global address from the pool and creates a second translation entry, 208.165.200.6.
  3. After replacing the inside local source address in the packets, the router forwards them.
  4. The server receives the packet from the first PC and replies to the destination address 208.165.200.5. When the server receives the packet from the second PC, it replies to the destination address 208.165.200.6.
  5. When the router receives the packet with destination address 208.165.200.5, it looks up the NAT table, translates the destination address to the inside local address 192.168.1.10 and forwards it to the PC. The same happens with the packet addressed to the second PC.
  6. Both PCs receive the packets and the exchange continues. For each packet, steps 2 to 5 are performed.

Dynamic NAT verification

For verification the same command show ip nat translations is used; it displays all static translations that have been configured and the dynamic translations created by traffic. Adding the keyword verbose shows additional information about each translation, including when it was created and last used. By default, translation entries expire after 24 hours unless the timers have been reconfigured with the command ip nat translation timeout [time_in_seconds] in global configuration mode.

To clear dynamic entries before they expire, use the command clear ip nat translation. It is important to clear dynamic entries before testing the NAT configuration. This command can be refined with keywords and parameters to control which entries are cleared, so that specific entries can be removed without interrupting active sessions. Only dynamic translations are removed from the table; static translations remain in it.

You can also use the command show ip nat statistics, which displays information about the number of active translations, the NAT configuration parameters, the number of addresses in the pool and the number of addresses allocated.

Since we are using access control lists (ACLs) here, they can be checked with the command show access-lists.

Setting up Port Address Translation (PAT)

PAT (also called NAT overload) conserves addresses in the inside global address pool by allowing the router to use one inside global address for many inside local addresses. In other words, one public IPv4 address can serve hundreds or thousands of internal private IPv4 addresses. When several inside local addresses are mapped to one inside global address, the TCP or UDP port numbers of each inside host distinguish the inside local addresses.

The number of internal addresses that can be translated to one external address is theoretically limited to 65536 per IP address. In practice, however, the number of internal addresses that can be assigned to one IP address is closer to 4000.

There are two ways to configure PAT, depending on how the provider allocates publicly accessible IPv4 addresses. In the first case the Internet provider allocates more than one public IPv4 address to the organization, and in the second it allocates a single public IPv4 address that the organization uses to connect to the provider.

Setting up PAT for a pool of public IP addresses

If we have more than one publicly accessible IPv4 address, these addresses can form a pool that is used for PAT. This is similar to dynamic NAT, except that here there are not enough public addresses for a one-to-one mapping of internal addresses: a small pool of addresses is shared among a large number of devices.

The main difference between this configuration and the one for dynamic NAT is the use of the keyword overload, which enables PAT.

Let's go through the PAT configuration for a pool of addresses step by step:

  1. Define the pool of global addresses to be used for PAT translation with the command ip nat pool [name start_ip end_ip] netmask [mask] | prefix-length [prefix_length].
  2. Create a standard access list that permits the addresses to be translated, with the command access-list [ACL_number] permit source.
  3. Enable PAT with the keyword overload: enter the command ip nat inside source list [ACL_number] pool [pool_name] overload.
  4. Define which interfaces are inside with respect to NAT and which are outside, with the commands ip nat inside and ip nat outside.

An example configuration for the same diagram used before, but now with PAT:

Router(config)# ip nat pool MerionNetworksPool2 208.165.100.5 208.165.100.15 netmask 255.255.255.0
Router(config)# access-list 1 permit 192.168.0.0 0.0.255.255
Router(config)# ip nat inside source list 1 pool MerionNetworksPool2 overload
Router(config)# interface serial0/0/0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface serial0/1/0
Router(config-if)# ip nat outside

Configuring PAT for one public IPv4 address

The diagram shows the topology of a PAT implementation with a single public IP address. In this case all hosts of the network 192.168.0.0/16 (as matched by the ACL) that send traffic through the router are translated to the IPv4 address 208.165.99.225 (the IPv4 address of the S0/1/0 interface). Traffic flows are identified by port numbers in the NAT table.

Setting up:

  1. Create an access list that permits the addresses that need to be translated: access-list [ACL_number] permit source.
  2. Configure the translation of source addresses to the interface address with the command ip nat inside source list [ACL_number] interface [type number] overload.
  3. Define the outside and inside interfaces with the commands ip nat inside and ip nat outside.

The configuration is similar to dynamic NAT, except that instead of a pool of addresses the address of the interface that holds the public IP is used. No NAT pool is configured.

Example:

Router(config)# access-list 1 permit 192.168.0.0 0.0.255.255
Router(config)# ip nat inside source list 1 interface serial0/1/0 overload
Router(config)# interface serial0/0/0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface serial0/1/0
Router(config-if)# ip nat outside

The PAT process is the same whether a single address or a pool of addresses is used.

Let's look at the PAT process step by step:

  1. In the diagram, two different PCs connect to two different web servers. The first PC connects from source address 192.168.1.10 using TCP port 1444, and the second PC from source address 192.168.2.10, also using port 1444.
  2. The packet from the first PC reaches the router first; using PAT, the router changes the source IPv4 address to 208.165.99.225 (the inside global address). There is no other entry with port 1444 in the NAT table, so PAT keeps the same port number, and the packet is forwarded to server 208.165.101.20.
  3. Then the packet from the second PC reaches the router, where PAT is configured to use the same global IPv4 address, 208.165.99.225, for all translations. As with the first PC, PAT changes the source address of the second PC to the inside global address 208.165.99.225. However, the second PC uses the same source port as the existing PAT entry for the first PC, so PAT increments the source port number until it is unique in its table. In this case, the source port entry in the NAT table and the packet from the second PC get port 1445. Although both PCs use the same inside global address 208.165.99.225 and the same source port 1444, the changed port number for the second PC (1445) makes the entry in the NAT table unique. This becomes important when the servers send packets back to the clients.
  4. The servers reply to the computers' requests, using the source port of the received packet as the destination port and the source address as the destination address. It may look as if they are both talking to one and the same host at 208.165.99.225, but that is not the case: the port numbers differ.
  5. When the packets arrive at the router, it finds the unique entry in its NAT table using the destination address and destination port of each packet. For the packet from the first server, destination address 208.165.99.225 matches several entries, but only one of them has destination port 1444. Using this entry, the router changes the packet's destination IPv4 address to 192.168.1.10 without changing the destination port. The packet is then forwarded to the first PC.
  6. When the packet from the second server arrives at the router, a similar translation takes place. Destination IPv4 address 208.165.99.225 again matches several entries, but the destination port 1445 lets the router uniquely identify the translation entry. The destination IPv4 address is changed to 192.168.2.10, and in this case the destination port is also changed back to the original value 1444, which is stored in the NAT table. After this the packet is forwarded to the second PC.
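The step-by-step process above, together with the earlier explanation of how a router drops unsolicited inbound packets unless a Port Forwarding rule exists and how the NAT access list selects what gets translated, can be modelled in a few dozen lines. The following Python is an added example written for this page, not IOS code and not the original author's: the inside global address 208.165.99.225, the hosts 192.168.1.10 and 192.168.2.10 with source port 1444, the server 208.165.101.20, the ACL 192.168.0.0 0.0.255.255 and the web server 192.168.1.5 come from the page's diagrams, while the second server 208.165.102.30, the outside host 203.0.113.7 and the class name PatRouter are constructed.

```python
"""Toy model of Cisco-style PAT (NAT overload) with one static port-forward rule.

Added example for this page; not IOS code and not the page author's. Addresses
from the page's diagrams are reused; 208.165.102.30 and 203.0.113.7 are constructed.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def matches_wildcard(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard match: a 1 bit in the wildcard means 'do not care'.

    'permit 192.168.0.0 0.0.255.255' therefore matches any 192.168.x.y address.
    """
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


class PatRouter:
    """One inside global address shared by many inside local hosts (ip nat ... overload)."""

    def __init__(self, inside_global: str, acl, forwards=None):
        self.inside_global = inside_global
        self.acl = list(acl)                  # [(network, wildcard)] permitted for translation
        self.forwards = dict(forwards or {})  # (proto, global port) -> (inside local, local port)
        self.table = {}                       # (proto, global port) -> (inside local, local port)
        self._by_local = {}                   # (proto, inside local, local port) -> global port

    def _permitted(self, src: str) -> bool:
        return any(matches_wildcard(src, net, wc) for net, wc in self.acl)

    def outbound(self, pkt: Packet) -> Packet:
        """Packet entering on an 'ip nat inside' interface and leaving via 'ip nat outside'."""
        if not self._permitted(pkt.src):
            return pkt                        # not matched by the NAT ACL: routed untranslated
        key = (pkt.proto, pkt.src, pkt.sport)
        gport = self._by_local.get(key)
        if gport is None:                     # first packet of the flow: create the entry
            gport = pkt.sport
            # Another inside host may already own this global port (step 3 above);
            # PAT then takes the next free port so that the entry stays unique.
            while (pkt.proto, gport) in self.table or (pkt.proto, gport) in self.forwards:
                gport += 1
                if gport > 65535:
                    raise RuntimeError("no free port on the inside global address")
            self.table[(pkt.proto, gport)] = (pkt.src, pkt.sport)
            self._by_local[key] = gport
        return Packet(self.inside_global, gport, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt: Packet):
        """Packet arriving on the 'ip nat outside' interface; None means the router drops it."""
        if pkt.dst != self.inside_global:
            return None
        entry = self.table.get((pkt.proto, pkt.dport))         # reply to a flow an inside host opened
        if entry is None:
            entry = self.forwards.get((pkt.proto, pkt.dport))  # static rule (Port Forwarding)
        if entry is None:
            return None                                        # unsolicited: no entry, dropped
        local, lport = entry
        return Packet(pkt.src, pkt.sport, local, lport, pkt.proto)


def demo():
    """Replays the page's scenario and returns the resulting packets for inspection."""
    r = PatRouter("208.165.99.225",
                  acl=[("192.168.0.0", "0.0.255.255")],        # access-list 1 permit 192.168.0.0 0.0.255.255
                  forwards={("tcp", 80): ("192.168.1.5", 80)})  # web server published on port 80
    out1 = r.outbound(Packet("192.168.1.10", 1444, "208.165.101.20", 80))
    out2 = r.outbound(Packet("192.168.2.10", 1444, "208.165.102.30", 80))  # same source port: collision
    back1 = r.inbound(Packet("208.165.101.20", 80, "208.165.99.225", out1.sport))
    back2 = r.inbound(Packet("208.165.102.30", 80, "208.165.99.225", out2.sport))
    probe = r.inbound(Packet("203.0.113.7", 40000, "208.165.99.225", 3389))  # nobody asked: dropped
    web = r.inbound(Packet("203.0.113.7", 40001, "208.165.99.225", 80))      # static rule applies
    return out1, out2, back1, back2, probe, web


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Running it shows the second PC leaving with port 1445 while both replies come back to port 1444 on the right inside host, the RDP probe returning None, and only the published port 80 reaching an inside host from outside.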

Verification of Port Address Translation (PAT)

To verify PAT, the same commands are used as for the other kinds of NAT. The command show ip nat translations displays the translated IP addresses together with the ports, and the command show ip nat statistics shows information about the number and type of active translations, the NAT configuration parameters, the number of addresses in the pool and the number of addresses allocated.

Router#show ip nat statistics
Total active translations: 2 (0 static, 2 dynamic; 2 extended)
Peak translations: 2, 00:00:07 ago
Outside interfaces:
  Serial0/1/0
Inside interfaces:
  Serial0/0/0
Hits: 4  Misses: 0
CEF Translated packets: 4, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 1 pool MerionNetworksPool2 refcount 2
 pool MerionNetworksPool2: netmask 255.255.255.0
        start 208.165.100.5 end 208.165.100.15
        type generic, total addresses 10, allocated 1 (10%), misses 0
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

To look for problems you can also use debugging, enabled with the command debug ip nat, which displays information about each packet translated by the router. The command debug ip nat detailed produces a description of each packet and also reports various failures, for example failure to allocate a global address; however, this command consumes noticeably more resources.

Router#debug ip nat
IP NAT debugging is on
Router#
*Aug 24 16:20:33.682: NAT*: s=208.165.101.20, d=208.165.99.225->192.168.1.10
*Aug 24 16:20:33.698: NAT*: s=192.168.1.10->208.165.99.225, d=208.165.101.20
*Aug 24 16:20:33.702: NAT*: s=192.168.1.10->208.165.99.225, d=208.165.101.20
NAT*: s=208.165.101.20, d=208.165.99.225->192.168.1.10

The output has the following symbols and meanings:

  • * (asterisk) – an asterisk after NAT indicates that the translation is taking the fast-switched path. The first packet of a conversation is always process-switched (slower); subsequent packets go through the fast-switched path.
  • s= – the source IP address
  • a.b.c.d->w.x.y.z – this notation means that the address a.b.c.d is translated to w.x.y.z.
  • d= – the destination IP address
  • [number] – the value in square brackets is the IP identification number.
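As an added example (not Cisco tooling and not the page author's code), here is a small parser for lines of the shape described above, plus a lookup that answers the question an incident responder asks of NAT logs: which inside host was behind a given public address when it talked to a given outside address. The log lines embedded in it are constructed from the page's addresses following the layout described above; the comma after the source field and the bracketed IP ID follow the usual IOS layout and are an assumption.

```python
"""Parser for Cisco 'debug ip nat' lines, using the symbols listed above.

Added example for this page, not Cisco tooling. SAMPLE_LOG is constructed to follow
the described layout with the page's addresses; it is not captured router output.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

SAMPLE_LOG = """\
*Aug 24 16:20:33.682: NAT: s=192.168.1.10->208.165.99.225, d=208.165.101.20 [1]
*Aug 24 16:20:33.698: NAT*: s=208.165.101.20, d=208.165.99.225->192.168.1.10 [1]
*Aug 24 16:20:33.702: NAT*: s=192.168.1.10->208.165.99.225, d=208.165.101.20 [2]
*Aug 24 16:20:34.010: NAT: s=192.168.2.10->208.165.99.225, d=208.165.102.30 [7]
"""

# timestamp, "NAT" or "NAT*", s=<addr>[-><addr>], d=<addr>[-><addr>], [ip id]
LINE_RE = re.compile(
    r"^\*?(?P<ts>[A-Za-z]{3} +\d{1,2} [\d:.]+): NAT(?P<fast>\*?): "
    r"s=(?P<s>[\d.]+)(?:->(?P<s_tr>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d_tr>[\d.]+))? \[(?P<id>\d+)\]$"
)


@dataclass(frozen=True)
class NatEvent:
    timestamp: str
    fast_switched: bool              # NAT* = fast-switched; plain NAT = first, process-switched packet
    src: str
    src_translated: Optional[str]    # a.b.c.d->w.x.y.z on the source side: an outbound packet
    dst: str
    dst_translated: Optional[str]    # a.b.c.d->w.x.y.z on the destination side: a returning packet
    ip_id: int

    @property
    def outbound(self) -> bool:
        return self.src_translated is not None

    @property
    def inside_host(self) -> Optional[str]:
        """The inside local address involved, whichever direction the packet went."""
        return self.src if self.outbound else self.dst_translated


def parse_debug_ip_nat(text: str) -> List[NatEvent]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                  # unrelated debug output or a truncated line: skip, never guess
        events.append(NatEvent(
            timestamp=m["ts"], fast_switched=(m["fast"] == "*"),
            src=m["s"], src_translated=m["s_tr"],
            dst=m["d"], dst_translated=m["d_tr"], ip_id=int(m["id"]),
        ))
    return events


def inside_hosts_for(events: List[NatEvent], inside_global: str, outside: str) -> Set[str]:
    """Inside local hosts that talked to `outside` through `inside_global`.

    This is the attribution question behind an abuse report that names only the
    public address: which host behind the NAT actually generated the traffic.
    """
    hosts = set()
    for e in events:
        if e.outbound and e.src_translated == inside_global and e.dst == outside:
            hosts.add(e.src)
        elif not e.outbound and e.dst == inside_global and e.src == outside and e.dst_translated:
            hosts.add(e.dst_translated)
    return hosts


if __name__ == "__main__":
    evs = parse_debug_ip_nat(SAMPLE_LOG)
    for e in evs:
        print(("fast " if e.fast_switched else "slow ") + ("out " if e.outbound else "in  "), e.inside_host, e.ip_id)
    print(inside_hosts_for(evs, "208.165.99.225", "208.165.101.20"))
```

Keep in mind that debug ip nat shows no port numbers, so with PAT several inside hosts can legitimately match the same public address and outside peer; the port-level detail lives in show ip nat translations.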


If you are reading this document, you are most likely connected to the Internet, and you are probably using Network Address Translation (NAT) right now! The Internet has grown larger than anyone could have imagined. Although its exact size is unknown, the current estimate is approximately 100 million hosts and more than 350 million users actively working on the Internet, and it keeps growing at a rapid rate. For a computer to communicate with other computers and Web servers on the Internet, it needs an IP address. An IP address (IP stands for Internet Protocol) is a unique 32-bit number that identifies where your computer is located on the Internet. Basically it works the same way as your street address: a way to find out exactly where you are and deliver information to you. Theoretically, there can be 4,294,967,296 unique addresses (2^32). The actual number of available addresses is smaller (somewhere between 3.2 and 3.3 billion) because of the way addresses are divided into classes and because some addresses are set aside for multicasting, testing or other special uses. With the explosion of home and business connections, the number of available IP addresses is simply no longer enough. The obvious solution is to redesign the address format to allow more addresses. This is being done with the IPv6 protocol, but it requires modification of the entire Internet infrastructure.

This is where NAT comes to our rescue. Basically, Network Address Translation allows a single device, such as a router, to act as an agent between the Internet (or the "public network") and the local (or "private") network. This means that only one unique IP address is needed to represent an entire group of computers to the outside world. The shortage of IP addresses is only one reason to use NAT. Two other serious reasons are security and administration.

You will learn more about how NAT can benefit you, but first let's look at NAT a little more closely and see what it can do.

Masquerading

NAT is like the receptionist in a large office. Let's say you have left instructions with the receptionist not to forward any calls to you unless you request it. Later, you call a potential client and leave a message for that client to call you back. You tell the receptionist that you are expecting a call from this client and that the call should be put through. The client calls the main number of your office, which is the only number he knows. When the client tells the receptionist who he is looking for, the receptionist checks a lookup table that matches the person's name to an extension. The receptionist knows that you requested this call, so the call is forwarded to your extension.

Developed by Cisco, Network Address Translation is used by a device (firewall, router or computer) that sits between the internal network and the rest of the world. NAT comes in many forms and can be implemented in several ways:

Static NAT - mapping of an unregistered IP address to a registered IP address on a one-to-one basis. This is particularly useful when a device needs to be accessible from outside the network.

With static NAT, the computer with the address 192.168.32.10 will always be translated to the address 213.18.123.110:


Dynamic NAT - maps an unregistered IP address to a registered IP address from a group of registered IP addresses. Dynamic NAT also establishes a one-to-one mapping between an unregistered and a registered address, but the mapping can vary depending on which registered address is available in the address pool at the time of communication.

With dynamic NAT, the computer with the address 192.168.32.10 is translated to the first available address in the range from 213.18.123.100 to 213.18.123.150.


Overloading - a form of dynamic NAT that maps multiple unregistered addresses to a single registered IP address by using different ports. Also known as PAT (Port Address Translation).

With overloading, each computer on the private network is translated to the same address (213.18.123.100), but with a different port number.


Overlapping - when the IP addresses used on your internal network are also used on another network, the router must maintain a lookup table of these addresses so that it can intercept them and replace them with unique registered IP addresses. It is important to note that the NAT router must translate "internal" addresses to unique registered addresses, and must also translate "external" registered addresses to addresses that are unique within the private network. This can be done either through static NAT or by using DNS and implementing dynamic NAT.

Example:
The internal IP range (237.16.32.xx) is also a registered range used by another network. Therefore, the router translates the addresses to avoid a potential conflict. It also translates the registered global IP addresses back to the unregistered local addresses when packets enter the internal network.


The internal network is usually a LAN (Local Area Network), commonly referred to as a stub domain. A stub domain is a LAN that uses IP addresses internally. Most of the network traffic in a stub domain is local, so it does not leave the internal network. A stub domain can include both registered and unregistered IP addresses. Of course, any computer that uses an unregistered IP address must use NAT to communicate with the rest of the world.

NAT can be configured in different ways. In the example below, the NAT router is configured to translate the unregistered IP addresses (inside local addresses) that reside on the private (internal) network to registered IP addresses. This happens whenever a device on the internal network with an unregistered address needs to communicate with the external (public) network.


NAT overloading uses a feature of the TCP/IP protocol stack, multiplexing, which allows a computer to maintain multiple simultaneous connections with a remote computer (or computers) using different TCP or UDP ports. An IP packet has a header that contains the following information:

  • Source address – the IP address of the originating computer, for example 201.3.83.132.
  • Source port – the TCP or UDP port number assigned by the originating computer for this packet, for example port 1080.
  • Destination address – the IP address of the receiving computer, for example 145.51.18.223.
  • Destination port – the TCP or UDP port number that the originating computer is asking the receiving computer to open, for example port 3021.

The IP addresses specify the two machines at each end, while the port numbers ensure that the connection between the two computers has a unique identifier. The combination of these four numbers defines a single TCP/IP connection. Each port number uses 16 bits, which means there are 65,536 (2^16) possible values. Realistically, since different manufacturers map the ports in slightly different ways, you can expect to have access to about 4,000 ports.

Applications of dynamic NAT and NAT overloading

Here is how dynamic NAT works.


  • An internal network (stub domain) has been set up with IP addresses that were not specifically allocated to this company by IANA (Internet Assigned Numbers Authority), the global authority that hands out IP addresses. These addresses should be considered non-routable, since they are not unique. These are the inside local addresses.
  • The company sets up a NAT-enabled router. The router has a range of unique IP addresses that were given to the company. These are the inside global addresses.
  • A computer on the stub domain attempts to connect to a computer outside the network, such as a Web server.
  • The router receives the packet from the computer on the stub domain.
  • After checking its routing table and determining that the packet needs translation, the router saves the computer's non-routable IP address in the address translation table. The router replaces the sending computer's non-routable address with the first available IP address from the range of unique addresses. The translation table now has a mapping of the computer's non-routable IP address matched with one of the unique IP addresses.
  • When a packet comes back from the destination computer, the router checks the destination address on the packet. It then looks in the address translation table to see which computer on the stub domain the packet belongs to. It changes the destination address to the one saved earlier in the translation table and sends the packet to that computer. If it does not find a match in the table, it drops the packet.
  • The computer receives the packet from the router, and the process repeats as long as the computer is communicating with the external system.
Here is how overloading works:
  • An internal network (stub domain) has been set up with non-routable IP addresses that were not specifically allocated to the company.
  • The company sets up a NAT-enabled router. The router has a unique IP address that was given to the company by IANA.
  • A computer on the stub domain attempts to connect to a computer outside the network, such as a Web server.
  • The router receives the packet from the computer on the stub domain.
  • After checking its routing table and determining that the packet needs translation, the router saves the computer's non-routable IP address and port number in the translation table. The router replaces the sending computer's non-routable IP address with the router's IP address. The router replaces the sending computer's source port with a port number of its own and saves that port number in the translation table. The translation table now maps the computer's non-routable IP address and port number to the router's IP address and port number.
  • When a packet comes back from the destination computer, the router checks the destination port on the packet. It then looks in the translation table to see which computer on the stub domain the packet belongs to. It changes the destination address and destination port to the ones saved earlier in the translation table and sends the packet to that computer.
  • The computer receives the packet from the router, and the process repeats.
  • Since the NAT router now has the computer's source address and source port saved in the translation table, it will continue to use that same port number for the duration of the connection. Each time the router accesses an entry in the translation table, the timer for that entry is reset. If the entry is not accessed again before the timer expires, the entry is removed from the table.
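The overloading steps above (allocate a port on the way out, look the port up on the way back, drop anything with no entry, age out idle entries) can be modelled in a few dozen lines. This is an added example, not code from the original article or from any router vendor; the router address, hosts, ports and timestamps are constructed sample values.

```python
ROUTER_GLOBAL_IP = "213.18.123.100"   # the single registered (inside global) address
FIRST_PORT = 1024                     # first translated port the model hands out

class PatTable:
    """Maps (inside local IP, port) <-> translated port on the router."""

    def __init__(self):
        self.by_inside = {}    # (local_ip, local_port) -> [global_port, last_used]
        self.by_global = {}    # global_port -> (local_ip, local_port)
        self.next_port = FIRST_PORT

    def outbound(self, src_ip, src_port, dst_ip, dst_port, now=0):
        """Packet leaving the stub domain: rewrite the source to the router."""
        key = (src_ip, src_port)
        if key not in self.by_inside:
            # New flow: allocate the next free port and record both directions.
            self.by_inside[key] = [self.next_port, now]
            self.by_global[self.next_port] = key
            self.next_port += 1
        entry = self.by_inside[key]
        entry[1] = now                          # refresh the idle timer
        return (ROUTER_GLOBAL_IP, entry[0], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port, now=0):
        """Returning packet: map the destination port back to the LAN host.
        Returns None (drop) when no entry exists, which is what keeps
        unsolicited inbound connections out."""
        if dst_ip != ROUTER_GLOBAL_IP or dst_port not in self.by_global:
            return None
        local_ip, local_port = self.by_global[dst_port]
        self.by_inside[(local_ip, local_port)][1] = now
        return (src_ip, src_port, local_ip, local_port)

    def expire(self, now, idle_timeout):
        """Remove entries idle for idle_timeout seconds; return how many."""
        stale = [k for k, (_, t) in self.by_inside.items() if now - t >= idle_timeout]
        for key in stale:
            gport, _ = self.by_inside.pop(key)
            del self.by_global[gport]
        return len(stale)
```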

The number of simultaneous translations a router will support is determined mainly by the amount of DRAM (Dynamic Random Access Memory) it has. Since a typical entry in the translation table takes about 160 bytes, a router with 4 MB of DRAM could theoretically process 26,214 simultaneous translations, which is more than enough for most applications.

Security and Administration

Implementing dynamic NAT automatically creates a firewall between your internal network and outside networks, or the Internet. Dynamic NAT allows only connections that originate inside the stub domain. Essentially, this means that a computer on an external network cannot connect to your computer unless your computer has initiated the contact. So you can browse the Internet and connect to a site, even download a file. But somebody else cannot simply latch onto your IP address and use it to connect to a port on your computer.

Static NAT, also called inbound mapping, allows connections initiated by external devices to computers on the stub domain in certain circumstances. For example, you may want to map an inside global address to a specific inside local address that is assigned to your Web server.

Static NAT (inbound mapping) allows a computer on the stub domain to maintain a specific address when communicating with devices outside the network:


Some NAT routers provide extensive filtering and traffic logging. Filtering allows your company to control what types of sites employees visit on the Web, preventing them from viewing questionable material. You can use traffic logging to create a log of which sites are visited and generate various reports from it.

Network Address Translation is sometimes confused with proxy servers, but there are definite differences. NAT is transparent to the source and destination computers: neither one realizes that it is dealing with a third device. A proxy server is not transparent. The source computer knows that it is making a request to the proxy server, and the destination computer thinks that the proxy server is the source computer and deals directly with it. Also, proxy servers usually work at layer 4 (Transport) of the OSI model or higher, while NAT is a layer 3 (Network) protocol. Working at a higher layer makes proxy servers slower than NAT devices in most cases.