Understanding NAT (Network Address Translation) and how to set up a NAT server | Vi-et Spaces

Vi-et Spaces ("Don't study, don't know - Studying you will know!!!"), May 27, 2013
Source: vuvanson.wordpress.com/2013/05/27/tim-hieu-ve-natnetwork-address-translation-va-cach-thiet-lap-nat-server/ (03/11/2013)

Upload: le-doan-truc

Post on 25-Nov-2015


Part I:

General introduction to NAT (Network Address Translation)

I: What is NAT (Network Address Translation)?

NAT works like a router: it forwards packets between the different network segments of a larger network. NAT translates, or changes, one or both of the addresses in a packet as the packet passes through a router or some other device. Typically, NAT changes an address used inside a network (usually a private address) into a public address.

NAT can also be regarded as a basic firewall. To do its job, NAT maintains a table of information about each packet sent through it. When a PC on the network connects to a website on the Internet, the source IP address in the header is replaced with the public address configured on the NAT server. When the reply packet comes back, NAT uses the records it stored about the packets to change the destination IP address to the address of the PC inside the network and forwards the packet. Through this mechanism the network administrator can filter packets sent to or from an IP address and allow or deny access to a specific port.

II: How does NAT work?

NAT uses its own IP as the public IP for every client machine that has a private IP. When a client opens a connection or sends data to some computer on the Internet, the data is sent to the NAT device; NAT then replaces the client's original IP address and sends the packet on with the NAT's own IP address. The remote computer, or any computer on the Internet that receives the traffic, sends its reply back to the NAT computer because it believes the NAT computer is the machine that sent the packets. NAT keeps a table recording which machines sent packets out on each service port, and passes the packets it receives back to the right machine (client).

NAT processes a packet travelling from inside a network to the outside as follows:

+> When NAT receives a packet on an inside interface and the packet meets the criteria for translation, the router searches the NAT table for the packet's outside address. In other words, the NAT process looks for a row in the NAT table whose outside local address equals the destination address of the packet. If no match is found, the packet is dropped.

+> If a row is found in the NAT table (a row in which the packet's destination address equals the outside local address), NAT replaces the destination address in the packet with the outside global address from the NAT table.

+> The NAT process then searches the NAT table for an inside local address equal to the packet's source address. If a row is found, NAT replaces the packet's source address with the inside global address. If no row is found, NAT creates a new row in the NAT table and inserts the new address into the packet.

NAT processes a packet travelling from the outside network into the inside network as follows:

+> When NAT receives a packet on an outside interface and the packet meets the criteria for translation, the NAT process searches the NAT table for a row whose inside global address equals the destination address of the packet.

+> If no row is found in the NAT table, the packet is dropped. If a row is found, NAT replaces the destination address with the inside local address from the NAT table.

+> The router searches the NAT table for an outside global address equal to the packet's source address. If a row is found, NAT replaces the destination address with the outside local address from the NAT table. If NAT finds no row, it creates a new row in the NAT table and proceeds as in step 2.

(http://i143.photobucket.com/albums/r129/quanghung221/nat1.gif)

NAT table mappings:

Private IP     Translated IP   Original Port   Translated Port
192.168.1.2    10.3.4.5        1025            2000
192.168.1.3    10.3.4.5        1026            2001

(http://i143.photobucket.com/albums/r129/quanghung221/nat2.gif)

III: What problems does NAT solve?

NAT was originally introduced to address the shortage of IPv4 addresses.

NAT lets many machines in a LAN share one connection to the Internet (or to another network) using a single IP.

NAT hides the IPs inside the LAN. NAT helps the network administrator filter packets sent to or from an IP address and allow or deny access to a specific port.

IV: Basic concepts

1. Inside local address - The IP address assigned to a host on the inside network. It is configured as a parameter of the computer's operating system or assigned automatically through protocols such as DHCP. This address is not a legitimate IP address issued by the NIC (Network Information Center) or by an Internet service provider.

2. Inside global address - A legitimate address issued by the NIC or by an intermediate service provider. This address represents one or more inside local IP addresses when communicating with the outside network.

3. Outside local address - The IP address of a host on the outside network as the hosts on the inside network see it. The outside local address does not have to be a legitimate address on the IP network (it can be a private address).

4. Outside global address - The IP address assigned to a host on the outside network by the owner of that host. It is a legitimate IP address on the Internet.

The four kinds of address can be told apart as follows:

A packet that originates inside the internal network has a source IP of the inside local kind and a destination IP that is outside local while it is still in the internal part of the network. When the same packet is forwarded out of the network (through NAT), its source IP address becomes the inside global address and its destination IP becomes the outside global address. Conversely, a packet that originates in an outside network has, while it is still in that outside network, the outside global address as its source IP and the inside global address as its destination IP. When the same packet is forwarded into the inside network (through NAT), its source address is the outside local address and its destination address is the inside local address.


    (http://i143.photobucket.com/albums/r129/quanghung221/nat3.gif)

__________________
Part II:

NAT techniques

I: Static NAT

With static NAT, IP addresses are mapped to each other statically through configuration commands. In static NAT, an Inside Local address is always mapped to the same Inside Global address. If used, each Outside Local address is always mapped to the same Outside Global address. Static NAT does not save any real addresses.

Although static NAT does not help conserve IP addresses, it lets a server on the inside be present on the Internet, because the server always uses the same real IP address.

Static NAT is easy to implement because the whole address translation is done by one simple formula:

Target address = new network address OR (source address AND (NOT netmask))

Example: one private address is mapped to one public address. For example, a machine in the LAN with address 10.1.1.1 is translated to the public address 20.1.1.1 when it sends packets out to the Internet.
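The formula above worked in code, as an added example that is not part of the original post. The /24 netmask and the two network prefixes are assumptions chosen to fit the 10.1.1.1 to 20.1.1.1 example, and the function names `static_nat` and `translate` are hypothetical.

```python
import ipaddress


def static_nat(addr, old_net, new_net):
    """Map addr from old_net into new_net, keeping the host bits.

    Implements: new address = new network OR (address AND (NOT netmask)).
    """
    old = ipaddress.ip_network(old_net)
    new = ipaddress.ip_network(new_net)
    ip = ipaddress.ip_address(addr)
    # A static mapping is 1:1, so both sides need the same netmask.
    if old.prefixlen != new.prefixlen:
        raise ValueError("netmasks differ: mapping would not be 1:1")
    # Addresses outside the configured network are never translated.
    if ip not in old:
        raise ValueError(f"{addr} is outside {old_net}; not translated")
    host_bits = int(ip) & int(old.hostmask)          # address AND (NOT netmask)
    return str(ipaddress.ip_address(int(new.network_address) | host_bits))


def translate(packet, inside_net, outside_net, direction):
    """Rewrite one (src, dst) pair.

    Outbound rewrites the source; inbound rewrites the destination back.
    The other address is left untouched.
    """
    src, dst = packet
    if direction == "out":
        return (static_nat(src, inside_net, outside_net), dst)
    if direction == "in":
        return (src, static_nat(dst, outside_net, inside_net))
    raise ValueError("direction must be 'out' or 'in'")


# Constructed sample values: 10.1.1.1, 20.1.1.1 and the server 170.1.1.1
# appear in the text; the /24 netmask is an assumption.
INSIDE, OUTSIDE = "10.1.1.0/24", "20.1.1.0/24"

if __name__ == "__main__":
    request = translate(("10.1.1.1", "170.1.1.1"), INSIDE, OUTSIDE, "out")
    reply = translate(("170.1.1.1", request[0]), INSIDE, OUTSIDE, "in")
    print("outbound:", request)
    print("inbound: ", reply)
```

Because the mapping is a pure bit operation, the router needs no per-connection table for static NAT, which is the contrast with the dynamic techniques that follow.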


    (http://i143.photobucket.com/albums/r129/quanghung221/nat4.gif)

The flow starts with a packet sent from a PC on the left of the figure to a server on the right at address 170.1.1.1. The private source address 10.1.1.1 is translated into the real address 200.1.1.1. The client sends out a packet with source address 10.1.1.1, but the NAT router changes the source address to 200.1.1.1. When the server receives a packet with source address 200.1.1.1, it believes it is talking to machine 200.1.1.1, so it replies with a packet addressed to destination 200.1.1.1. The router then translates the destination address 200.1.1.1 back to 10.1.1.1.

II: Dynamic NAT

Dynamic NAT applies when the number of source IPs is not equal to the number of target IPs. The number of hosts that can share is generally limited by the number of target IPs available. Dynamic NAT is more complex than static NAT, because it has to keep connection information and even look at the TCP information in the packet. Some people use it instead of static NAT for security reasons. Outsiders cannot find out which IP leads to a given host, because a moment later that host may be given a completely different IP.

Connections from the outside are possible only while the host still holds an IP in the dynamic NAT table, where the NAT router keeps the information about which inside IP (source IP) is associated with which NAT-IP (target IP). Take a non-passive FTP session as an example. The server tries to set up a data channel, so when the server tries to send an IP packet to the FTP client there must be an entry for the client in the NAT table. The client IP must still be associated with the same NAT-IP it had when the client started the control channel, unless the FTP session has been idle for longer than the timeout. As an aside, FTP has two mechanisms, passive and non-passive, and always uses two ports (control and data). In passive mode the connecting host receives the data port information from the server; in non-passive mode the connecting host specifies the data port and asks the server to connect to it, listening for that incoming connection.

Whenever someone from the outside wants to connect to a given host inside the network at an arbitrary time, there are only two cases:

+ The inside host has no entry in the NAT table, in which case the outsider receives "host unreachable", or it has an entry but the NAT-IP is not known.

+ The outsider knows the IP of a connection because there is a connection from the inside host out of the network. However, this is only the NAT-IP and not the real IP of the host, and the information is lost once the entry times out in the NAT router's table.

Example:

A private address is mapped to one public address taken from a pool of public addresses. For example, a LAN with address 10.1.1.1/8 is translated to a public address in the range 200.1.1.1 to 200.1.1.100 when packets go out to the Internet.

III: NAT overloading (or PAT)

This technique maps many private IP addresses to one public address, with each private address told apart by a port number. Up to 65,356 internal addresses can be translated to one public address, but in practice the figure is about 4000 ports.

PAT works by making a number of TCP or UDP flows from many local machines on the inside appear to come from one or a few Inside Global addresses. With PAT, instead of translating only the IP address, NAT also translates the ports when necessary.

Because the port fields are 16 bits long, each Inside Global address can support up to 65000 simultaneous TCP and UDP connections. For example, in a network of 1000 machines, one real IP address used as the only Inside Global address can handle an average of six data flows to and from machines on the Internet.

Example:

PAT maps many private addresses to one public address and distinguishes the private addresses by port; for example, IP address 10.1.1.1 is mapped to IP address 200.1.1.6:port_number


    (http://i143.photobucket.com/albums/r129/quanghung221/nat6.gif)


    (http://i143.photobucket.com/albums/r129/quanghung221/nat7.gif)

* The relationship between NAT and PAT

PAT is closely related to NAT, so it is still commonly called NAT.

In NAT, generally only the IP address is changed. There is a 1:1 correspondence between private address and public address.

In PAT, both the sender's private address and the port are changed. The PAT device chooses the port number that hosts on the public network will see.

In NAT, packets coming in from outside are routed to their destination IP address on the private network by reference to the incoming source address.

In PAT, only one public IP address is visible from outside, and packets coming in from the public network are routed to their destination on the private network by reference to a table, kept in the PAT device, that tracks each pair of private and public ports. This is usually called connection tracking.

Some devices that advertise NAT, such as broadband routers, actually provide PAT. For this reason there is considerable confusion between the terms. In general, people use NAT to include PAT devices.

IV: Masquerading (or NAPT)

This is a special case of dynamic NAT, and it is the one used in Linux. With NAPT, many IP addresses are hidden behind a single address. This contrasts with dynamic NAT, where there is only one connection per IP at any one time. In NAPT, many connections to the same IP are separated by TCP port. A particular problem with NAPT is that some services on a given host accept connections only from privileged ports, to make sure the incoming connection does not come from an ordinary user; presumably only the superuser can use those ports. Because on DOS or Windows anyone can use them, some programs cannot be used over a NAPT connection. NAPT normally uses ports in a high range. In Linux the range starts at 61000 and ends at 61000+4096. This default can be changed. It also shows that the Linux NAPT implementation handles only 4096 simultaneous NAPT connections. A NAPT connection has to keep a lot of information about connection state. On Linux, for example, every packet whose destination IP equals the local IP and whose destination port lies within the NAPT port range must be demasqueraded (the masqueraded packet is translated back). In essence this means changing the destination address and source address in the packet header.

NAPT therefore works in one direction only. Incoming connections cannot be masqueraded. Even when a host has an entry in the NAT device's masquerading table, the entry is valid only while a connection is active. Even an ICMP reply relating to the connection (host/port unreachable) has to be filtered and relayed by the NAT router.

The greatest benefit of masquerading is that a single assigned IP is enough for the whole network to connect directly to the Internet.

Example:

- Masquerading for network 203.156.0.0 using NAT to the local IP

- For every outgoing IP packet, the source IP is replaced with the IP of the NAT router. The source port is changed to a port within the masquerading range.
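The masquerading behaviour described above, and the port-based mapping from the PAT section before it, as an added example that is not part of the original post or of the Linux source. The class `NaptTable`, its method names and the 300-second timeout are assumptions; the port range 61000 to 61000+4096 and the addresses 10.1.1.x, 200.1.1.6 and 170.1.1.1 are taken from the text's own examples.

```python
PORT_BASE, PORT_COUNT = 61000, 4096   # masquerading port range quoted in the text


class NaptTable:
    """Connection-tracking table for many inside hosts behind one public IP."""

    def __init__(self, public_ip, timeout=300.0):
        self.public_ip = public_ip
        self.timeout = timeout
        # (proto, inside_ip, inside_port, remote_ip, remote_port) -> public port
        self.by_flow = {}
        # (proto, public port) -> [flow key, time last seen]
        self.by_port = {}

    def _expire(self, now):
        """Drop entries idle for longer than the timeout so ports can be reused."""
        for key, (flow, seen) in list(self.by_port.items()):
            if now - seen > self.timeout:
                del self.by_port[key]
                del self.by_flow[flow]

    def _free_port(self, proto):
        for port in range(PORT_BASE, PORT_BASE + PORT_COUNT):
            if (proto, port) not in self.by_port:
                return port
        return None                    # all 4096 ports in use

    def outbound(self, proto, src, sport, dst, dport, now):
        """Masquerade an outgoing packet; returns the rewritten 5-tuple or None."""
        self._expire(now)
        flow = (proto, src, sport, dst, dport)
        port = self.by_flow.get(flow)
        if port is None:
            port = self._free_port(proto)
            if port is None:
                return None            # pool exhausted: packet is dropped
            self.by_flow[flow] = port
            self.by_port[(proto, port)] = [flow, now]
        self.by_port[(proto, port)][1] = now
        return (proto, self.public_ip, port, dst, dport)

    def inbound(self, proto, src, sport, dst, dport, now):
        """Demasquerade a reply; returns the rewritten 5-tuple or None (dropped)."""
        self._expire(now)
        entry = self.by_port.get((proto, dport))
        if dst != self.public_ip or entry is None:
            return None                # no entry: unsolicited, dropped
        _, in_ip, in_port, rem_ip, rem_port = entry[0]
        if (src, sport) != (rem_ip, rem_port):
            return None                # entry belongs to a different remote peer
        entry[1] = now
        return (proto, src, sport, in_ip, in_port)


if __name__ == "__main__":
    nat = NaptTable("200.1.1.6")
    # Constructed sample traffic: two clients using the same source port.
    print(nat.outbound("tcp", "10.1.1.1", 1025, "170.1.1.1", 80, now=0.0))
    print(nat.outbound("tcp", "10.1.1.2", 1025, "170.1.1.1", 80, now=1.0))
    print(nat.inbound("tcp", "170.1.1.1", 80, "200.1.1.6", 61001, now=2.0))
    print(nat.inbound("tcp", "170.1.1.1", 80, "200.1.1.6", 62000, now=2.0))
```

The two `None` paths in `inbound` are what gives masquerading its one-way character: a packet from outside is accepted only while a matching entry created by inside traffic is still alive.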

V: Some other NAT techniques

1, Virtual Server (Load balancing)

The NAT router acts as a virtual server, and incoming connections are passed on to two or more real servers. Which inside server a connection goes to depends on the algorithm that has been implemented.

Example:

- Create a virtual server with IP 203.156.98.100

- Use the two hosts 203.156.98.111 and 203.156.98.112 as the real servers behind the virtual server.

- A connection from outside is remapped by the NAT router to one of the two hosts (real servers)

- Load Balancing

The algorithm decides which real server gets the connection. For example, it can check the load on the real servers by counting the packets per second passing through the NAT device to each real server and then choose the real server with the best performance. This regulates the traffic on the network and reduces the load on the servers. The number of algorithms that could be used here is countless and they rest on different calculations, but they all share the goal of reducing server load. The notion of load here is not clear-cut and has no single definition.

Example:

Run a daemon on each server that reports the load on that machine to the NAT router, and remap new connections to the system where this number is lowest.

This requires communication between the hosts (real servers) and the NAT router, so we should either use information that is already available on the NAT router, such as the number of connections currently remapped to a host, or use information that is not on the server but is easy to obtain, such as the number of bytes or packets per second a host is currently handling. The factors mentioned here are a few notions for deciding how to reach a balanced distribution of load. More precisely, we are trying to measure and calculate the load of each host. There are some algorithms, for example one based on Heisenberg's uncertainty principle in measurement.

We therefore have to minimise the cost, on the host, of determining the load and of deciding which host gets the connection. Even if we assume we have found a good and accurate way to determine load, based on a definition of what load is, in practice it is still not the best solution, because the smallest unit, an IP packet, is determined only by physical quantities. We can only choose which host to send a connection to at the moment a new connection is opened, which is not truly optimal. Nevertheless, the methods mentioned above can be applied in practice to balance load, and there may be a better calculation that we have not yet found.

There are many approaches to the load balancing problem, and most of them work at the application level. One example, described in RFC 1794, is DNS support for load balancing. That document discusses using DNS to control machine load by returning the IP of the least busy machine when it is queried. Because DNS queries are cached by successive DNS servers, control is severely limited. It works perfectly well when there are many queries, even when they come from many client machines. However, even when load balancing is working well, this approach does not help once a server fails: even though the IPs are handed out separately in answers to queries, they are still cached, so when a server fails it may be exactly the server regarded as the best performing, and the load balancing mechanism breaks down completely. A well-known example of a caching program is Squid, which uses a complex algorithm to find the best target. This solution is not quite the same as NAT, but its goal is the same. With NAT we can distribute load for large and varied services based on IP, whereas Squid serves a different purpose, so the comparison is not entirely fair. The author chose Squid as an example because Squid performs load balancing to find the best source of data in an intelligent way.

- Backup Systems

A virtual server can also be used to achieve the best possible availability, provided the problem of any one real server failing is handled. This is because the services offered by the virtual server can be provided by any of the real servers. If a real server fails with probability p, the failure probability of a virtual server that uses NAT in front of the real servers can be calculated as follows.

Let

+ p1 .. pn: the failure probability of server n of N (N is the number of servers provided for the virtual server)

+ pNAT: the failure probability of the NAT router; this failure is independent of the other devices

+ pvirt: the failure probability of the virtual server when a real server fails

The formula is:

$$p_{virt} = 1 - \left(\left(1 - \prod_{i=1}^{n} p_i\right) \times \left(1 - p_{NAT}\right)\right)$$

Of course, a system set up to rely on the formula above must change the list of servers used by the NAT router as soon as a real server fails. This is not part of the NAT code, but it can be done well at a higher level, even from shell scripts. What matters is a mechanism for removing a failed server from the virtual server table, so the virtual server table must be built so that it can be changed easily and IPs can be added or removed at runtime. In this way we combine two capabilities, load balancing and high availability, using a virtual server. It is completely transparent to all hosts, users and programs that use the virtual service.

2, Multiple routers per Destination

As shown above, we can use NAT to distribute load across many hosts and achieve high availability. Can we use NAT to do the same for several networks? Yes, we can. In the previous section we used a virtual server to stand in for several real hosts (real servers). We can also create a virtual network connection made up of several real wires, using the virtual server technique.

How can we do this with NAT? Imagine we have two Internet providers. We choose two because we do not want a failure when one of them breaks down. Every host that connects to the Internet needs a unique IP, so we buy each host one IP from each of the two providers. We can then use either one of the two to send packets to the same destination. If we set up the system as just described, we distribute load by sending some hosts through provider 1 and some others through provider 2, and we get higher availability of the connection to the Internet. However, we can also see that load balancing is very hard to achieve when every host decides for itself how to send its packets. We are not discussing how a network uses one IP or another here. The point is to use a central authority to decide which host uses which provider, naturally by means of a special NAT router. With NAT, our local machines need only one IP. If we have one reliable provider, we can use the IPs this provider supplies and still use them inside the network. Now, if a host inside the network wants to open a new connection to the Internet, it simply sends the packet to the default router (the NAT router) with its own IP as the source IP. Because the NAT router knows about all outgoing connections, it decides which provider to send the packet through so that the result is optimal. It replaces the source IP with an IP of the chosen provider and sends the packet to that provider's router. Because the source IP is one supplied by the provider, the onward path of the packet is decided by the provider through the provider's router. The sending host never knows which provider the NAT router chose, so the processing is transparent.

We can use the same algorithm as for the virtual server. The difference between the two applications is that in this one we intervene in the routing process.

__________________
Part III:

Problems NAT has to deal with

I: Keeping state information

Apart from static NAT, all the other variants require the router to store and manage dynamic information about the clients using it. This information must expire after a timeout so that the NAT-IP assigned to a host can be reused. The timeout is also one reason for reading the TCP header: the timeout can be short for a TCP connection that has just been closed and long for a TCP connection that is still established. For example, many telnet sessions can hang idle for a long time without exchanging any packets. In that case, if we have enough NAT-IPs we do not need to drop the connection; but if many new connections are requested and more NAT-IPs are needed, we let this telnet session die to reclaim its IP.

Another approach is to keep no state information and look only at the assigned IP (NAT-IP). This is simpler to implement and in many cases works well for the uses above. As long as there are always enough spare NAT-IPs, we will not notice the difference between the two approaches, except for telnet sessions or related programs such as ssh. Only when NAT-IPs are scarce do we need to keep state information, because then we can recognise exactly when a connection has just closed and reclaim the allocated IP immediately without waiting for the timeout. Keeping track of the individual connections also serves security purposes if it is used by a firewall, so it is not only a NAT matter.

There are some cases where a NAT that looks only at IPs is completely ineffective: the virtual server and virtual network applications, because the traffic generated by one IP cannot be split any further. When we have NAT look at the TCP/UDP ports as well, we can balance load and reduce traffic better by remapping connections to a suitable IP.

II: Fragmentation

Closely related to keeping state information about TCP, and possibly UDP, is the problem of IP fragments. It matters once we change not only the IP address but also the TCP/UDP port. A telnet packet can then be treated differently from an HTTP packet. As an example, a single virtual server or DNS name can be used for all services and mapped to the hosts that really provide each service, with many services even being provided by virtual hosts. A firewall that is an application-level gateway can do this, but a gateway is almost never transparent.

The problem is that when a fragmented packet reaches the NAT router, it carries no port information except in the first fragment, which contains the TCP header. That is why we have to keep state information about each fragment. We must keep all the information from the first fragment, including its TCP/UDP ports, so that we know which ports the other fragments belong to. This is often not enough, because the IP layer does not guarantee that packets arrive in sequence. For example, the third fragment of a fragmented packet may pass through the NAT router before the first fragment, the one that carries the port information. In that case we hold back the fragments that are not fragment number 1 until fragment number 1 arrives, so that we know whether we need to change the packet's information. Changing not only the IP but also the TCP/UDP port is not essential, but it is certainly useful.

For example, suppose we use a virtual server. Say we want to create a virtual web server, and the daemons of the real web servers run on different machines and, for some reason, listen on different ports. If we do not rewrite the destination port in packets addressed to the virtual server, by default port 80, and put the port the real web server listens on into the reply packet, we cannot get the behaviour we want. In that case all the real web servers would have to listen on the same port on which the virtual server offers the web service (by default port 80). Note also that a TCP connection performs a three-way handshake, so if the reply packet does not carry the right port for the connection, the connection is not established.

III: Protocol specifics

NAT is not always transparent, as was said earlier; it is fully transparent only when IP is the only protocol that carries information about a packet's IP addresses. Some protocols send an IP as part of the data they transmit. If that IP is changed by the NAT router, we run into problems before the data reaches the receiver: the IP that was transmitted can no longer be correct. One solution is to look into the transmitted data, based on the protocol in use, to find the embedded IP information. This adds overhead and complexity.

* Some examples of protocols working with NAT

FTP

The FTP command PORT and the response PASV both send an IP and a port to the other end of the connection. For FTP to work over a translated connection, we have to replace the IP in the message. This is very complicated because the IP and port are transmitted as ASCII text representing decimal numbers, that is, each single decimal digit is one byte in the packet. For this reason the IP does not have a fixed length in an FTP packet. When we replace the current IP with another IP that has fewer or more digits, the packet shrinks or grows, which forces the TCP sequence numbers to be adjusted; so we have to keep some information about these connections in order to adjust the sequence numbers correctly in each packet. This is a problem not only for FTP but for many other protocols where changing the IP changes the length of the packet.

ICMP

Some ICMP messages, depending on the message type, include the header of a packet, which can cause problems. If that packet was translated, this header contains the NAT-IP rather than the IP of the host that will receive the ICMP message. On this basis, if we now do not replace the local IP but instead add the NAT-IP into the header, the problem is solved.

DNS

The problem here is easy to see when a name service for an inside IP is to be offered outside the NAT domain. One solution is to use two DNS services: one that answers for the inside IPs and another that answers for the IPs outside the network. Naturally, the IPs answered by the second DNS server must not be put into the dynamic IP pool used for NAT. The NAT router is usually placed on the boundary between the networks, separating internal DNS from external DNS, and this separation is also widely used for security reasons.

If the more complex approach of rewriting all DNS data relayed by the NAT router is wanted, we should use an application-level gateway rather than implement it in NAT, because DNS is better suited to the gateway level and we should touch the kernel only when it is really necessary (to build NAT).

BOOTP

This protocol has no problem with NAT because it does not cross the boundary of a NAT domain.

Routing Protocol (RIP, EGP)

There is no need to explain why routing protocols have many problems with NAT. There are many different routing protocols and working with them is not easy at all. There are three solutions:

- Do not use these protocols and use only static routing. This is a good choice for most connections from our network to the outside through a NAT router

- Use an application-level gateway

- Rewrite the information in the packet

IV: Notes on applications affected by NAT

Some higher-layer protocols (such as FTP and SIP) send network-layer address information inside the application payload. FTP in active mode, for example, uses separate connections for control traffic (commands) and for data (file contents). When requesting a file transfer, a station identifies the data connection to be set up by its own layer 3 and layer 4 addresses. If the station making the request sits behind a simple NAT firewall, the translation of the IP address or TCP port number makes the information received by the server invalid.

An Application Layer Gateway (ALG) can fix this problem. An ALG software module running on the NAT firewall device updates any payload data made invalid by the address translation. An ALG obviously needs to understand the higher-layer protocol it has to fix, so each protocol with this problem requires its own part of the ALG.
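What such an ALG has to do for the FTP PORT command, covering both this passage and the FTP paragraph in Part III, as an added example that is not part of the original post or of any real NAT implementation. The names `parse_port`, `rewrite_port` and `FtpSeqFixup` are hypothetical; the sketch assumes in-order segments apart from retransmission of the PORT segment, ignores 32-bit sequence wraparound, and adds one check the text does not mention: a PORT naming an address other than the client's own is left untranslated.

```python
import re

PORT_RE = re.compile(
    rb"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n")


def parse_port(payload):
    """Return (ip, port) carried by an FTP PORT command, or None."""
    m = PORT_RE.fullmatch(payload)
    if m is None:
        return None
    f = [int(x) for x in m.groups()]
    if max(f) > 255:
        return None
    return ".".join(str(x) for x in f[:4]), f[4] * 256 + f[5]


def rewrite_port(payload, inside_ip, nat_ip, nat_port):
    """Replace the inside address in a PORT command with the NAT address.

    Returns (new_payload, delta), delta being the change in length in bytes.
    """
    parsed = parse_port(payload)
    # Assumption added here: only translate a PORT that names the client itself.
    if parsed is None or parsed[0] != inside_ip:
        return payload, 0
    h1, h2, h3, h4 = nat_ip.split(".")
    new = (f"PORT {h1},{h2},{h3},{h4},"
           f"{nat_port >> 8},{nat_port & 0xFF}\r\n").encode("ascii")
    return new, len(new) - len(payload)


class FtpSeqFixup:
    """Per-connection record of length changes on the control channel."""

    def __init__(self):
        # (original sequence number after the rewritten segment, cumulative delta)
        self.marks = []

    def outbound(self, seq, payload, inside_ip, nat_ip, nat_port):
        """Client -> server segment: shift seq and rewrite the payload if needed."""
        shift = 0
        for boundary, cum in self.marks:
            if seq >= boundary:
                shift = cum
        new_payload, delta = rewrite_port(payload, inside_ip, nat_ip, nat_port)
        boundary = seq + len(payload)
        # A retransmitted PORT segment must not be counted twice.
        if delta and all(b != boundary for b, _ in self.marks):
            previous = self.marks[-1][1] if self.marks else 0
            self.marks.append((boundary, previous + delta))
        return seq + shift, new_payload

    def inbound_ack(self, ack):
        """Server -> client ACK: map it back to the client's sequence space."""
        shift = 0
        for boundary, cum in self.marks:
            if ack >= boundary + cum:
                shift = cum
        return ack - shift


if __name__ == "__main__":
    fix = FtpSeqFixup()
    # Constructed sample: client 10.1.1.1 behind NAT address 200.1.1.6.
    print(fix.outbound(1000, b"PORT 10,1,1,1,4,1\r\n", "10.1.1.1", "200.1.1.6", 61000))
    print(fix.outbound(1019, b"LIST\r\n", "10.1.1.1", "200.1.1.6", 61000))
    print(fix.inbound_ack(1023))
```

The rewritten command is four bytes longer than the original, so every later sequence number from the client and every acknowledgement from the server has to be shifted by that amount for the rest of the connection.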

Another possible solution to this problem is to use NAT traversal techniques based on protocols such as STUN or ICE, or proprietary approaches in a session border controller. NAT traversal is possible for both TCP-based and UDP-based applications, but the UDP-based technique is simpler, more widely understood, and more compatible with legacy NATs. In either case, the higher-layer protocol must be designed with NAT traversal in mind, and it does not work reliably across symmetric NATs or other poorly-behaved legacy NATs.

Other promising options are UPnP (Universal Plug and Play) or Bonjour (NAT-PMP), but these require the cooperation of the NAT device.

However, most traditional client-server protocols (FTP being the exception) do not send layer 3 contact information and therefore do not require any special handling by NAT. In fact, avoiding NAT complications is a practical requirement when designing a new higher-layer protocol today.

NAT can also cause problems where IPsec encryption is applied and in cases where multiple devices such as SIP phones are located behind a NAT. Phones that encrypt their signalling with IPsec encapsulate the port information inside the IPsec packet, which means that NA(P)T devices cannot access and translate the port. In these cases the NA(P)T devices revert to simple NAT operation. This means that all traffic returning to the NAT is mapped to one client, causing the service to fail. There are two solutions to this problem: one is to use TLS (which operates at layer 4 in the OSI reference model) and therefore does not hide the port number; the other is to encapsulate IPsec in UDP, the latter being the solution chosen by TISPAN to achieve secure NAT traversal.

    Overview of NAT

    NAT, also called Network Address Translation (http://en.wikipedia.org/wiki/Network_address_translation), is a technique that was originally invented to address the IP shortage problem, but over time it has shown many advantages that nobody had in mind when it was invented. One of the advantages of NAT most widely used today is that NAT allows:

    1. Sharing an internet connection among many machines inside the LAN (http://en.wikipedia.org/wiki/Local_area_network) using a single WAN (http://en.wikipedia.org/wiki/Wide_area_network) IP address.

    2. Firewall: another advantage of NAT is that it can work as a firewall. It hides every IP inside the LAN from the outside world, away from the prying eyes of hackers.

    3. Flexibility and ease of management.

    NAT lets home users and small businesses connect to the internet easily and efficiently, and helps save on investment.

    NAT also comes in several types or forms; we will briefly go through them.

    Static NAT

    With static NAT, the translation of packets between the two networks, between source and destination address, is simple and fixed, and no connection state needs to be kept. It only has to look at each IP packet (http://en.wikipedia.org/wiki/Internet_Protocol) as it translates it; no mapping information is needed. Static NAT is used when the number of IPs in the LAN equals the number of NAT-IPs.

    See the following figure for a static NAT configuration.

    Dynamic NAT

    Dynamic NAT differs from static NAT in that the host IP addresses change all the time: each time one of these hosts opens a connection to the outside it receives a NAT-IP address, and each time NAT stores that host's IP information in its NAT table, and so on. The drawback of dynamic NAT, however, is that when the NAT-IPs run out because many hosts in the LAN send requests at the same time, no further connection can be translated through NAT, because all NAT-IPs have been handed out, and the host has to wait for a later connection attempt.

    See the following figure to understand how dynamic NAT works.

    NAT rule: dynamically translate all IPs in class B 138.201 to an address in class C 178.201

    Every connection from the inside that wants to go out is given one address by NAT from its pool of available IPs; if these NAT-IPs have all been handed out, connections from the class B network can no longer go out.

    Masquerading NAT

    This is the common form of NAT that we meet and use today in hardware devices or routing software such as routers, and in internet sharing software such as ISA (http://en.wikipedia.org/wiki/Industry_Standard_Architecture), ICS or a NAT server (http://en.wikipedia.org/wiki/Server_%28computing%29), whose setup we will look at shortly.

    This form of NAT is also known as NPAT (Network Port Address Translation). With it, all IPs in the LAN are hidden behind a single NAT-IP address, and every outgoing connection is disguised at the NAT before it reaches the internet address.

    See the figure below to understand how NAPT works.

    NAT rule: masquerade internet IP address 138.201 using the NAT router's address

    For every packet sent out, the source IP is replaced by the NAT-IP, 195.112, and the source port is replaced by some port not yet in use on the NAT, usually a port above 1204.

    If a packet is sent to the router's address and its destination port lies in the port range used for masquerading, NAT checks this IP address and port against its masquerading table. If the packet is meant for a host inside the LAN, NAT rewrites it with that host's IP address and port and forwards it to that host.
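The masquerading table described above, as an added example that is not code from the original article. The names, the two-port range 61000-61001, the remote addresses and the `strict` option (which also requires that the remote endpoint was contacted first) are assumptions; the LAN and NAT-IP addresses are the ones used later in the setup steps.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: tuple    # (ip, port)
    dst: tuple    # (ip, port)

class Napt:
    """Masquerading table: many private (ip, port) pairs share one NAT-IP."""

    def __init__(self, nat_ip, ports=range(61000, 61002), strict=True):
        self.nat_ip = nat_ip
        self.free = list(ports)  # unused source ports on the NAT-IP (constructed range)
        self.out = {}            # (proto, private ip, private port) -> NAT port
        self.back = {}           # (proto, NAT port) -> private (ip, port)
        self.peers = {}          # (proto, NAT port) -> remote endpoints contacted
        self.strict = strict     # assumption: also require a known remote endpoint

    def outbound(self, p):
        key = (p.proto, *p.src)
        if key not in self.out:
            if not self.free:
                return None      # every port is taken: the connection cannot leave
            port = self.free.pop(0)
            self.out[key] = port
            self.back[(p.proto, port)] = p.src
            self.peers[(p.proto, port)] = set()
        port = self.out[key]
        self.peers[(p.proto, port)].add(p.dst)
        return Packet(p.proto, (self.nat_ip, port), p.dst)

    def inbound(self, p):
        slot = (p.proto, p.dst[1])
        if p.dst[0] != self.nat_ip or slot not in self.back:
            return None          # no table entry: unsolicited packet is dropped
        if self.strict and p.src not in self.peers[slot]:
            return None          # entry exists, but this remote was never contacted
        return Packet(p.proto, p.src, self.back[slot])

def demo():
    nat = Napt("68.122.45.220")
    web = ("203.0.113.10", 80)   # constructed remote server (documentation range)
    a = nat.outbound(Packet("tcp", ("192.168.0.15", 3345), web))
    b = nat.outbound(Packet("tcp", ("192.168.0.25", 3345), web))
    c = nat.outbound(Packet("tcp", ("192.168.0.35", 3345), web))  # pool of 2 is used up
    reply = nat.inbound(Packet("tcp", web, a.src))
    probe = nat.inbound(Packet("tcp", ("198.51.100.7", 4444), a.src))
    return a, b, c, reply, probe

if __name__ == "__main__":
    for item in demo():
        print(item)
```

With `strict=False` the table behaves as the text describes it: any packet that hits a mapped port is forwarded, whoever sent it.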

    We hope the material above has given you some basic knowledge of NAT. Next, we will get familiar with configuring a NAT server.

    Setup NAT Server

    1. The first step in setting up NAT is to enable RRAS (http://en.wikipedia.org/wiki/RRAS): Start, Programs, Administrative Tools, Routing and Remote Access (RRAS).

    2. In Routing and Remote Access, right-click the server name and choose Configure and Enable Routing and Remote Access, as in the figure below.

    1. After you choose Configure and Enable Routing and Remote Access, the welcome window appears; just click Next.

    2. In the Common Configurations section, as in the figure below, choose Manually configured server, then click Next.

    3. In the next window choose Finish, and then choose Yes, as in the figure below.

    4. The next step is to choose the routing protocol, as in the figure below. Choose New Routing Protocol.

    5. In New Routing Protocol, choose Network Address Translation (NAT). Click OK, as in the figure below.

    6. You have now installed the NAT protocol. For NAT to work, you need to specify which NIC is for NAT and which NIC is for the LAN. As in the figure below, right-click Network Address Translation and choose New Interface.

    7. In New Interface for Network Address Translation (NAT), choose the NIC named WAN for the internet connection, then choose OK.

    8. After choosing the NIC for the internet connection, tick the two options shown in the figure below, then click Address Pool.

    9. In Address Pool, choose ADD and then enter the range of IP addresses your ISP gave you, if you are using this NAT as the gateway. You can also set up an IP range of your own choosing, but pay attention to the subnet if you define the IP range yourself.

    10. After choosing ADD above, you can enter the range your ISP gave you. In this case my allocated IP range is as shown in the figure below. Then choose OK.

    11. The IP range you have just entered is used for mapping between NAT IPs and hosts in the LAN when needed. If you use a dynamic IP, you do not need to fill in the Address Pool and can go straight to step 19. If you also want to reserve a NAT-IP address for a particular server address in the LAN, choose Reservations, as in the figure below.

    12. After choosing Reservations, you can enter the address you want to reserve for a server in the LAN, as in the figure below. In this case I want the server with address 192.168.0.15 to have a static NAT to the NAT-IP address 68.122.45.220. If you do not want to add a static NAT here, you can continue to step 15; otherwise click OK.

    13. Special Ports lets you open the ports needed so that the services of hosts inside the LAN have access and so that the outside can reach these services on hosts in the LAN. Select the TCP protocol. Click Add at the bottom.

    14. In Add Special Port, add the ports needed for the IP address of each server inside the LAN, as in the example below. You can choose either On this interface or On this address pool entry. If you choose On this interface and enter the LAN server's IP address, 192.168.0.15, then all IPs configured on the WAN NIC are translated to IP address 192.168.0.15 on port 80. Keep adding the ports needed for your services. If you choose On this address pool entry, only one address, 68.122.45.220, is responsible for communication and masquerading between that address and 192.168.0.15, and vice versa.

    15. These are the ports needed for the services of the servers inside the LAN. Depending on what each service requires, you will use TCP ports or UDP ports; most are TCP ports. The figure below shows some common TCP ports opened for the servers with the following addresses.

    16. And these are the UDP ports needed, such as the DNS port and the DHCP port; 192.168.0.25 is both the DNS and the DHCP server. Once you have given NAT all the necessary information, click OK.

    17. The part above sets up NAT for the WAN NIC; what follows sets up NAT for the LAN. Repeat steps 8 and 9, choose LAN as the interface, and click OK, as in the figure below.

    18. In Network Address Translation Properties, just click OK, as in the figure below. At this point the NAT setup can be considered complete. If you do not need NAT's DHCP and DNS Proxy services, you can configure static IPs on the clients and point their gateway to the internal NAT interface, in this case 192.168.0.1. If you want to set up DHCP and DNS proxy for NAT, follow the next step.

    19. For clients inside the LAN to reach the internet and to use the services NAT provides, such as DHCP and DNS Proxy, do the following: right-click Network Address Translation and choose Properties, as in the figure below.

    20. Choose Address Assignment. This is NAT's DHCP function, which lets NAT hand out IP addresses when clients need to access the internet. Tick Automatically assign IP address by using DHCP and enter the IP range you want, in this case a class C range from 192.168.0.1 to 192.168.0.254.

    Note: to keep DHCP from handing out the gateway's IP or other important IPs in the network, such as the WINS server, DNS server or mail server, you can stop NAT from assigning those addresses under Exclude.

    21. In Exclude Reserved Addresses, enter the IP addresses that NAT must not hand out to clients because they would cause IP conflicts. In this case the three IP addresses below must not be given to clients: the gateway 192.168.0.1, the DC 192.168.0.15 and the mail server 192.168.0.25. After entering the data below, click OK.

    22. For clients to reach the internet they also need DNS; you can use NAT's DNS proxy to serve clients when they need it. In Network Address Translation (NAT) Properties, choose Name Resolution; under Resolve IP addresses for, tick Clients using Domain Name System (DNS), then click OK.

    23. You have now finished setting up a NAT server. The two steps below help you monitor NAT and its mappings: click Network Address Translation, and in the right-hand pane right-click the WAN interface and choose Show Mapping. NAT then lets you watch its working mapping table: who is accessing which server on which port.

    24. If you have a DHCP server in the network and do not want to use NAT's DHCP, you can set up a DHCP Relay Agent by clicking DHCP Relay Agent and choosing Properties, as in the figure below.

    25. In DHCP Relay Agent Properties, enter the IP address of the DHCP server responsible for handing out IPs to the LAN and click Add. You then no longer need NAT's Assign IP address function.

    Note: before you set up the DHCP Relay Agent, you must turn off the Automatically assign IP address by using DHCP function from step 22. In this article the DHCP server is 192.168.0.35.

    You have now finished setting up a NAT server. Have fun.

    By vuson.tk. Posted in CCNA Theory.
