Analysis of the principle of internal and external network interconnection of overseas physical servers based on NAT mechanism
Time : 2025-06-07 15:45:01
Edit : Jtti

This article analyzes how overseas physical servers achieve internal and external network interconnection through the NAT mechanism. The server cluster inside the data center uses private addresses and connects to a NAT gateway located at the network edge, which is configured with a public IP assigned by the operator. NAT is normally deployed at the egress of the organization's network and reaches the Internet by rewriting the source IP or destination IP of internal traffic to the egress public IP. Because IPv4 addresses are scarce, operators commonly use NAT to let many intranet users share a small number of public addresses.

When planning network addresses, the private ranges defined by RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) should be used as the IDC's internal addresses. Different business systems can be placed in separate subnets (an application server segment, a management segment, and so on), and a set of public addresses is reserved for the NAT device. Because public addresses are scarce, stable public IP resources (a static IP or an IP range) must be negotiated with the operator for NAT mapping. Typically one or a few public IPs are configured for SNAT so that intranet hosts share Internet access, while intranet servers that serve external clients are bound to a designated public IP and port through DNAT. Address planning must also account for routing and firewall policy so that the public IP is reachable and the internal segments are connected, and it must satisfy the operator's requirements for address ranges and traffic.

SNAT and DNAT are the core of the interconnection mechanism. Source NAT (SNAT) serves intranet hosts accessing the public network: the source IP of packets an intranet host sends to the Internet is rewritten to the public IP of the NAT gateway. SNAT comes in two forms, static and dynamic. Static SNAT maps one or more internal IPs to the same fixed public IP, which suits scenarios where a constant IP must always be presented externally; dynamic SNAT/PAT translates the intranet address to one of several public addresses or to a port from a pool, with the NAT device selecting the egress IP or port for each connection.

With dynamic SNAT, the NAT router selects an address from the public IP pool for each connection, so different connections from the same internal host may appear with different public source IPs. Dynamic NAT usually also reuses ports (PAT): one public IP carries many internal connections, distinguished by port, which maximizes reuse of the public IP.

When Internet host C sends a request to the IDC, the destination address of that request is the public IP of the NAT gateway. On receiving it, the NAT gateway rewrites the destination address to the private IP of internal server A in the pre-routing stage.

In configuration, DNAT rules are normally added to the NAT table of the firewall or router to map specific protocols and ports to the internal server address. Note that once DNAT has changed the destination IP, the corresponding SNAT or port mapping must also be in place so that return traffic is translated back and delivered correctly to the requester.

Common NAT configuration methods include:

Static NAT (1:1 address mapping): an internal host IP is mapped directly to a specific public IP, and all of its datagrams enter and leave with that public IP. Suitable for servers that provide continuous service to the outside world.

Dynamic NAT/PAT (address reuse): multiple internal hosts are mapped to one or more public IPs, usually with port address translation (PAT) so that a single public IP is reused and address resources are saved. In dynamic mode, internal hosts can initiate any outbound connection, and the NAT device assigns an egress address/port to each connection.

Port mapping (DNAT/port forwarding): requests for specific ports of the public IP are forwarded to the IP and port of an internal server, which publishes internal services to the Internet. For example, the HTTP port on the public IP is mapped to the intranet web server so that external clients can reach the internal application.

For security control, NAT is normally combined with firewall functions and a strict access policy. The border firewall should permit only the SNAT/DNAT traffic that is actually needed and reject or drop all other unsolicited connections. Externally exposed ports should be kept to a minimum and bound to dedicated public IPs, and the permitted source address range should be restricted through access control lists (ACLs). Operator restrictions on ports must also be considered: ports the operator regards as high-risk (such as Telnet 23 and SMTP 25) are often blocked by default, so a deployment should avoid them or use alternatives. Although NAT hides the internal topology and isolates internal IPs, the security policy must still include application-layer protection, intrusion detection and similar measures to defend the internal servers against attack.

Whatever the specific device, the overall logic is the same: source address translation rewrites the source IP of packets leaving the internal network to the public IP, and destination address translation rewrites the destination IP of packets arriving from the public network to the internal IP. Monitoring the NAT table shows every mapping relationship and its connection state. During implementation, routing policy must also be configured as needed, for example placing the internal server in a DMZ or using one-arm routing, so that the NAT device forwards packets correctly.
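The translation logic described above (per-connection PAT for outbound flows, DNAT for the published service, reverse mapping of replies in both directions, and default drop of unsolicited inbound packets) can be modelled as a small connection-tracking table. This is an added example written for this article, not code from the article or from any product; the public IP 203.0.113.10, the internal hosts and the port pool are constructed values.

```python
"""NAT gateway model for the SNAT/PAT and DNAT behaviour described above.
Added example, not code from the article; all addresses are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    def __init__(self, public_ip, dnat_rules, pat_ports):
        self.public_ip = public_ip
        self.dnat_rules = dict(dnat_rules)  # (proto, public port) -> (private ip, port)
        self.free_ports = list(pat_ports)   # port pool used by dynamic SNAT/PAT
        self.snat_ct = {}   # inner flow 5-tuple -> allocated public port
        self.snat_rev = {}  # (proto, public port) -> (private ip, port) for replies
        self.dnat_rev = {}  # reply flow 5-tuple of a DNAT'd connection -> public port

    def outbound(self, pkt):
        """Post-routing: a packet leaving the private network."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.dnat_rev:  # server reply to a DNAT'd request: restore public port
            return Packet(pkt.proto, self.public_ip, self.dnat_rev[key], pkt.dst, pkt.dport)
        if key not in self.snat_ct:  # new flow: take a port from the PAT pool
            if not self.free_ports:
                raise RuntimeError("PAT port pool exhausted")
            port = self.free_ports.pop(0)
            self.snat_ct[key] = port
            self.snat_rev[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, self.snat_ct[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Pre-routing: a packet arriving from the Internet; None means dropped."""
        if pkt.dst != self.public_ip:
            return None
        hit = self.snat_rev.get((pkt.proto, pkt.dport))
        if hit:  # reply to a connection the inside opened: reverse the SNAT
            return Packet(pkt.proto, pkt.src, pkt.sport, hit[0], hit[1])
        rule = self.dnat_rules.get((pkt.proto, pkt.dport))
        if rule:  # published service: DNAT to the internal server and remember the flow
            self.dnat_rev[(pkt.proto, rule[0], rule[1], pkt.src, pkt.sport)] = pkt.dport
            return Packet(pkt.proto, pkt.src, pkt.sport, rule[0], rule[1])
        return None  # unsolicited and not published: default drop


# constructed topology: operator-assigned public IP, web server A published on tcp/80
GW = NatGateway("203.0.113.10", {("tcp", 80): ("10.0.1.20", 8080)}, range(40000, 40002))
```

Running a third new outbound flow through `GW` raises `RuntimeError`, which is the port-exhaustion case a real PAT pool also hits when the public address range is too small.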

Operator conditions are another key factor in designing a NAT solution. Ordinary broadband lines mostly sit behind carrier-grade NAT (the "external" IP a user actually receives often begins with 10., 100. or 172.), so IDC equipment on such a line cannot provide services to the public network. Under the operator's NAT/PAT, the intranet host has no stable public mapping: it can only initiate connections outward, and outside parties cannot initiate requests that reach it. To guarantee two-way access between the internal and external networks, the IDC therefore usually contracts an enterprise dedicated line or business line service with the operator to obtain a genuine static public IP or routable address range. Before deployment, study the operator's network planning rules and restrictions in detail, purchase qualifying public IP resources, and configure address mappings and security policies on the NAT device that comply with the operator's requirements.

In a traditional IDC environment, internal and external network interconnection relies on the SNAT and DNAT functions of NAT. The design must plan private segments and public IP addresses sensibly, define the translation process clearly, configure port mapping rules properly and combine them with firewall policy to ensure security. It must also meet the operator's requirements for public IPs, ports and lines so that inbound and outbound services remain reachable and the system stays compliant.
