NAT (Network Address Translation) is the process of rewriting the IP address information in IP packet headers while the packets are in transit across a traffic routing device. If you run a Cisco 2900 or Cisco 1921 router, these are the NAT basics you should know.
Two different types of NAT:
Static NAT: The simplest type of NAT provides a one-to-one translation of IP addresses, so it is often also referred to as one-to-one NAT. In this type of NAT only the IP addresses, the IP header checksum and any higher-level checksums that cover the IP addresses (the TCP and UDP checksums, which include a pseudo-header containing them) need to be changed. The rest of the packet can be left untouched, at least for basic TCP/UDP traffic; some higher-level protocols that embed IP addresses in their payload (FTP is the classic case) need further translation. Basic NAT can be used when two IP networks with incompatible addressing need to be interconnected. With static NAT, a translation exists in the NAT translation table as soon as you configure the static NAT command, and it remains there until you delete the command, whether or not any traffic is flowing.
Dynamic NAT: Dynamic NAT has some similarities to and differences from static NAT. Like static NAT, the NAT router creates a one-to-one mapping between an inside local address (the address a host uses on the inside network) and an inside global address (the address it is seen as from outside), and rewrites the IP addresses in packets as they leave and enter the inside network. However, the mapping from an inside local address to an inside global address is created dynamically. Dynamic NAT defines a pool of possible inside global addresses and matching criteria (an access list) that decide which inside local IP addresses should be translated. Translations do not exist in the NAT table until the router receives traffic that requires one; a dynamic entry then stays in the table as long as traffic keeps refreshing it, and is purged once it has been idle for the translation timeout. Because each mapping is still one-to-one, an inside host holds a whole pool address for as long as its entry lives; once the pool is exhausted, traffic from further inside hosts is not translated and is dropped until an entry times out.
Order of operations on a Cisco IOS router, inside to outside:
1. If IPsec, check the input access list
2. Decryption, for CET (Cisco Encryption Technology) or IPsec
3. Check the input access list
4. Check input rate limits
5. Input accounting
6. Redirect to web cache
7. Policy routing
8. Routing
9. NAT inside to outside (local to global translation)
10. Crypto (check map and mark for encryption)
11. Check the output access list
12. Inspect (Context-Based Access Control, CBAC)
13. TCP intercept
14. Encryption
15. Queueing
In this direction the route lookup and the input access list check both happen before translation, so an access list applied inbound on the inside interface sees inside local addresses. The crypto map and the output access list are evaluated after translation and see inside global addresses, which is why traffic destined for a VPN tunnel normally has to be exempted from NAT.
Outside to inside:
1. If IPsec, check the input access list
2. Decryption, for CET or IPsec
3. Check the input access list
4. Check input rate limits
5. Input accounting
6. Redirect to web cache
7. NAT outside to inside (global to local translation)
8. Policy routing
9. Routing
10. Crypto (check map and mark for encryption)
11. Check the output access list
12. Inspect (CBAC)
13. TCP intercept
14. Encryption
15. Queueing
In this direction translation happens before routing, so the route lookup uses the translated (inside local) destination. The input access list on the outside interface is still checked before translation, so a rule that admits traffic to an inside server must match the server's inside global address, not its inside local one.
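The static and dynamic NAT described earlier, together with access lists placed according to the order of operations above, as one added IOS configuration example. It is not taken from the original post or from Cisco documentation; the interface names, addresses, pool name, ACL names and numbers and the timeout value are all assumptions chosen for illustration.

```cisco
! Added example, not taken from the original post or from Cisco documentation.
! Interface names, addresses, pool name and ACL names/numbers are assumptions.
! 192.168.10.0/24 is RFC 1918 private space; 198.51.100.0/24 and
! 203.0.113.0/24 are RFC 5737 documentation ranges.
!
! Assumed topology: inside LAN 192.168.10.0/24 on Gi0/0; point-to-point ISP
! link 198.51.100.0/30 on Gi0/1; the ISP routes the public block
! 203.0.113.0/29 to this router, and that block is used only for NAT.
interface GigabitEthernet0/0
 description Inside LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip access-group INSIDE-IN in
!
interface GigabitEthernet0/1
 description ISP link
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Static NAT: one-to-one, installed in the translation table as soon as it
! is configured and kept until the command is removed. Used here for a web
! server that outside hosts must be able to reach.
ip nat inside source static 192.168.10.10 203.0.113.1
!
! Dynamic NAT: inside local addresses matched by ACL 10 receive a one-to-one
! mapping from the pool only when they send traffic, and the entry is purged
! after the translation timeout. The server is excluded so that it always
! uses its static entry.
access-list 10 deny   host 192.168.10.10
access-list 10 permit 192.168.10.0 0.0.0.255
ip nat pool PUBLIC-POOL 203.0.113.2 203.0.113.6 netmask 255.255.255.248
ip nat inside source list 10 pool PUBLIC-POOL
!
! Dynamic entries age out after 86400 s (24 h) by default; one hour here.
ip nat translation timeout 3600
!
! Inside to outside: the input ACL on Gi0/0 is checked before the
! local-to-global translation, so it matches inside LOCAL addresses.
ip access-list extended INSIDE-IN
 permit ip 192.168.10.0 0.0.0.255 any
 deny   ip any any log
!
! Outside to inside: the input ACL on Gi0/1 is also checked before the
! global-to-local translation, so the web server must be permitted on its
! inside GLOBAL address 203.0.113.1, not on 192.168.10.10. TCP replies to
! the dynamically translated hosts are admitted with 'established'; UDP and
! ICMP replies would need stateful inspection (the CBAC 'inspect' step) or
! reflexive ACLs, which are outside the scope of this example.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.1 eq 80
 permit tcp any host 203.0.113.1 eq 443
 permit tcp any 203.0.113.0 0.0.0.7 established
 deny   ip any any log
```

With this applied, show ip nat translations lists the static entry for 192.168.10.10 immediately, while pool entries appear only after a matched inside host sends traffic and disappear once idle for an hour; show ip nat statistics summarizes pool usage, and clear ip nat translation * removes the dynamic entries but leaves the static one in place. Five pool addresses means at most five inside hosts translated at a time; a sixth host's traffic is dropped until an entry expires, so a pool this small would in practice be combined with port overloading, which this post does not cover.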