For security purposes, most private network hosts do not expect access from public network users. However, in some applications, public network users need to access a private network server, for example, a WWW server or a private network FTP server . In basic NAT or PAT NAT mode, NAT entries cannot be dynamically created for the access initiated by public network users. As a result, public network users cannot access private network hosts.
To address this problem, the NAT Server function (also called NAT internal server) can be configured. This function creates mappings between private IP addresses+port numbers and public IP addresses+port numbers on a NAT device. With this function, the NAT device can reversely translate public IP addresses to private IP addresses so that users on a public network can access the internal servers.
After the mapping is specified, a UNR is generated on the device to guide the forwarding of reverse packets (packets from the private network to the public network).
To meet such a requirement, enable the NAT server function on a NAT device and configure mappings between a private network server's IP address+port number and a public network IP address+port number on the NAT server. For example, on the network shown in Figure 1
, the NAT server function is enabled on a NAT device, and a private network server's IP address+port number (192.168.0.2:80) are mapped to a public network IP address+port number (184.108.40.206:100). When a public network host requires to access the server 192.168.0.2, the NAT device converts 220.127.116.11:100 to 192.168.0.2:80, so that the service request can reach the server 192.168.0.2 on the private network. Such a conversion operation will not be performed if the host 192.168.0.3 requires to access the server 192.168.0.2 on the same private network.
Figure 1 NAT server application
The following uses the network shown in Figure 1 as an example to describe the implementation of the NAT server function.
- Static NAT conversion is configured on the NAT device. The NAT device generates a static NAT entry and a UNR.
- A public network host sends a request for accessing a private network server, and the NAT server receives the service request.
- The NAT server searches for a NAT entry that matches the request packet's destination IP address+port number, and converts the destination IP address+port number to the private network IP address+port number recorded in the matching entry. Then, the NAT server sends the packet to the target private network server.
- After receiving a response packet from the private network, the NAT device searches the flow table based on the quintuple of the packet, converts the packet based on the table query result, and sends the packet to the public network.
The address conversion function can easily enable private network servers to provide services for public network hosts. For example, you can enable a web server 18.104.22.168 or an FTP server 22.214.171.124 to provide services for public network hosts.
The NAT internal server function can be classified as address-level and port-level internal servers based on whether both IP addresses and port numbers are translated.
- Address-level NAT for internal servers: During NAT, the IP address alone is translated, and the port number is not translated. In this mode, one public IP address is used only by one internal server.
- Port-level NAT for internal servers: During NAT, both the IP address and port number in each packet are translated. In this mode, one public IP address can be allocated to multiple internal servers, and different servers can be distinguished by port numbers.