NAT to implement IP address binding to multiple application servers

Suppose there are file servers, OA servers, mail servers, etc. inside the enterprise. Enterprises also hope that these servers can be accessed by users on external networks. For example, the company may have a sales office in a different place, or some employees often need to travel. In order to facilitate their work, they need to allow these employees to access these application servers inside the enterprise. But the reality is that most companies may only have one to two legitimate IP addresses. To allow external users to access the application server inside the enterprise, the first condition is that the enterprise has a sufficient number of legal IP addresses. What I want to introduce to you here is how to use the router's built-in NAT function to achieve a legal IP address binding multiple application servers at the same time.
1. Select the appropriate NAT type
NAT, also known as network address type translation, has three main types, namely static NAT, dynamic NAT, and port address mapping. It should be noted here that there are large differences between these three types. When network administrators use this technology, they must understand the differences between them, and then select the appropriate implementation method based on the actual situation of the enterprise.
The first type is static network address translation. Its main feature is one-to-one. In other words, this type of network address translation is designed for one-to-one mapping between local and global addresses. This requires that every host in the network have a real legal IP address. Combined with the above case, if all three servers in the enterprise need to be accessed by external users, then at least three IP addresses are required. Obviously, this method can not achieve the purpose of saving IP addresses. Generally speaking, the main purpose of static NAT is to hide the IP address of the internal server of the enterprise, so as to protect the server.
The second type is dynamic NAT. This type of network address translation maps the internal IP address of an enterprise to a legal IP address. Although this is also a one-to-one relationship, it is very different from static NAT. The former requires that the internal server of the enterprise must also have a public IP address. Dynamic NAT does not have this requirement, that is, servers within the enterprise can use internal addresses. However, at this time, a public IP address can only solve the access problem of an internal server. This is still somewhat different from the needs we mentioned above.
The third type is port address mapping. Port address mapping goes a step further in dynamic NAT. Simply put, its working mode is many-to-one. Multiple internal IP addresses (intranet addresses) can be mapped to a public IP address. Specifically, the internal network address + port number corresponds to the public network address. With this port address mapping, the enterprise network administrator can place the application server inside the enterprise (even if it does not have a legal public network address) on the external network for external users to access.
It can be seen that in the process of implementing NAT network address translation, it is the most critical content to understand these three different working modes, and then combine the actual situation of the enterprise to choose a suitable implementation method. Generally speaking, if an enterprise has enough public network addresses, but only for security reasons, to hide internal services, it is better to use static NAT. On the contrary, if an enterprise has multiple servers, a legitimate IP address is not enough. In this case, you need to use port address mapping to map multiple internal IP addresses to the public IP address through the port parameter.
Second, the configuration of port NAT For NAT technology, in fact, the configuration is the simplest link. The author generally divides NAT into four parts, namely design, configuration, verification and troubleshooting. The key to the design is the above-mentioned "select the appropriate NAT type". The configuration is the specific configuration. The main commands used here are IP NAT related commands. Its main job is to map the addresses and port numbers used by internal servers with public network addresses. Since the configuration is relatively simple, I will not make too many explanations for this. The author should focus on subsequent verification and troubleshooting.

3. Verification of NAT configuration
After NAT network address translation is configured, related configuration needs to be verified. Instead of waiting until the user reflects the problem and cannot access it normally, you go to verify. In the Cisco network environment, to verify the validity of the NAT configuration, two commands are mainly used.
One is to view related configuration information. When viewing the message, it is important to figure out the direction. That is, which are internal hosts and which are external hosts. Sometimes a set of internal IP addresses may correspond to a public IP address. At this time, the network administrator will see that many conversions are from different hosts to the same destination host. In the mode of port address translation, it can be judged according to the type of IP address. Generally, the IP addresses used by internal servers of the enterprise are all private network IP addresses, such as those beginning with 192. If you want to view the specific configuration information, you can use the following command.
Show ip nat translaTIon
The second is to judge its connectivity. In other words, whether this configuration is really effective. At this time, the network administrator can use the debug ip nat command to verify the NAT configuration. After using this command, the output will display the IP address of the sending end, the conversion destination address, port information and other content.
With these two commands, you can basically determine whether there is a problem with the NAT configuration. However, it should be noted that this can only determine whether there is a problem with its configuration. Whether this configuration is reasonable, whether performance needs to be optimized, etc. cannot provide effective information.
4. Analysis and elimination of NAT faults In this content, the author divides it into two parts. One part is the configuration problem of NAT itself, and the other part is the NAT application failure caused by problems other than NAT technology. In actual work, we may pay more attention to the latter. Because as long as the design and configuration of NAT is appropriate at first, then NAT itself will not cause much problems.
For the configuration problem of NAT itself, the author believes that network administrators only need to pay attention to the following five rules. As long as there are no problems with these five rules, then the configuration of NAT itself is OK. The five rules are as follows:
One is related to the access list. During configuration, you need to ensure that the access list specifies the correct translation address. It is very important to pay attention to this. Because this error is more difficult to find in subsequent investigations. Therefore, relevant control measures need to be taken during the setting to ensure that it can be properly configured.
The second is to check whether the internal and external interfaces are correctly defined. In fact, NAT technology is the interface between interfaces. If an error occurs when the interface is connected, the information flow cannot flow normally. At this time, the user cannot access normally. In this interface definition, the key is whether there is a problem with the port parameters. For example, the port used by the internal server is port 5150, and port 515 was accidentally entered during configuration. Then there will be problems. Another thing to note is that generally a certain protocol will have a default port, such as the FTP protocol uses ports 20 and 21. But sometimes for security reasons, network administrators often change this default port. At this time, you need to check whether the port information is set correctly.
The third is the address pool. When checking this address pool, network administrators should pay attention to two aspects. One is whether the fourth line of IP used by the dynamic address pool is composed of the correct address range. The second is to check whether there are any duplicate addresses in the dynamic address pool. As long as there is a problem with one of the above two rules, there may be an access failure.
The fourth is to pay attention to whether there is conflict between different types. For some reasons, enterprises may enable both dynamic port address mapping and static mapping. At this time, it is necessary to pay special attention to that the addresses used for static mapping and the addresses in the dynamic address pool cannot overlap. Otherwise, it will lead to more serious conflicts.
Fifth, it is necessary to pay attention to confirm that the addresses that appear in the list are not omitted, and that large addresses should not be added. This principle can be said to be a summary of the above four principles. Simply put, it is to ensure the integrity and accuracy of the relevant IP addresses. One less will not work, one more will not work.
Generally, as long as no one of the above rules is violated in NAT configuration, then the configuration of NAT itself is no problem. At this time, if the user cannot access the application server inside the enterprise, then other reasons need to be considered. Such as routing problems and so on.