H3C S7500 Series Operation Manual page 960

Operation Manual – NAT, Netstream, Policy Routing
H3C S7500 Series Ethernet Switches
Chapter 1 NAT Configuration

[Figure 1-1 Basic NAT procedure. Diagram labels: PC 192.168.1.3, PC 192.168.1.2,
192.168.1.1, Switch, 202.169.10.1, Internet, Server 202.120.10.2, PC 202.120.10.3.
Packet 1 before translation: source IP 192.168.1.3, destination IP 202.120.10.2;
after translation: source IP 202.169.10.1, destination IP 202.120.10.2.
Packet 2 before translation: source IP 202.120.10.2, destination IP 202.169.10.1;
after translation: source IP 202.120.10.2, destination IP 192.168.1.3.]

As shown in Figure 1-1, the switch used as a NAT server is located at the junction
of an enterprise's internal network and external networks, and packets are exchanged
between an internal PC and an external server as follows:

When packet 1 sourced from the internal PC with IP address 192.168.1.3 and
destined for the external server with IP address 202.120.10.2 arrives at the NAT
server, the NAT process checks the packet header. It finds that the packet is
destined for an external site and matches a NAT rule. Then the process translates
the private IP address (192.168.1.3) in the source address field of the packet
header into a public IP address (202.169.10.1), which can be identified on the
Internet, and then forwards the packet to its destination and records the
private-to-public address mapping in the NAT table.

When response packet 2 (with destination address 202.169.10.1) from the
external server (202.120.10.2) arrives at the NAT server, the NAT process checks
the packet header, looks up the NAT table for the corresponding mapping, and
replaces the destination address (202.169.10.1) in the packet header with the
private IP address (192.168.1.3) of the internal PC.

The above NAT procedure is transparent to the communicating ends (such as the
internal PC and external server in Figure 1-1). The external server thinks that the
IP address of the internal PC is 202.169.10.1 and does not know the address
192.168.1.3 at all. In this way, NAT 'hides' the enterprise's internal network.

The advantage of NAT is that it enables internal hosts to access external network
resources while the "privacy" of the internal hosts is protected. However, it also
has a disadvantage: the packets it processes cannot be encrypted; otherwise, NAT
cannot correctly translate the IP address or port for the packets. For example, an
encrypted FTP connection cannot be used, because the FTP port cannot be translated
correctly.
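The translation steps and the encrypted-FTP limitation described in this section, modelled as an added example (not code from the H3C manual or the switch software) using the addresses in Figure 1-1. The 192.168.1.0/24 inside prefix, the single-address pool, returning None when no mapping or free address exists, and the XOR toy_encrypt stand-in for a cipher are assumptions of this sketch; it rewrites only the address in the FTP PORT command, not the port.

```python
import ipaddress
import re
from dataclasses import dataclass, replace

INSIDE = ipaddress.ip_network("192.168.1.0/24")  # assumed inside prefix
PORT_CMD = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes = b""

def toy_encrypt(data: bytes) -> bytes:
    """XOR stand-in for a real cipher (constructed); applying it twice decrypts."""
    return bytes(b ^ 0x5A for b in data)

class BasicNat:
    def __init__(self, pool):
        self.free = list(pool)   # unused public addresses
        self.table = {}          # NAT table: private address -> public address

    def outbound(self, pkt):
        """Inside to outside: translate the source and record the mapping."""
        if ipaddress.ip_address(pkt.src) not in INSIDE:
            return pkt                        # no NAT rule matches
        if pkt.src not in self.table:
            if not self.free:
                return None                   # pool exhausted (model assumption)
            self.table[pkt.src] = self.free.pop(0)
        public = self.table[pkt.src]
        return replace(pkt, src=public, payload=self._fix_ftp(pkt.payload, pkt.src, public))

    def inbound(self, pkt):
        """Outside to inside: restore the destination from the NAT table."""
        for private, public in self.table.items():
            if public == pkt.dst:
                return replace(pkt, dst=private)
        return None                           # no mapping recorded: not delivered

    @staticmethod
    def _fix_ftp(payload, private, public):
        """Rewrite the address inside a cleartext FTP PORT command, if readable."""
        m = PORT_CMD.search(payload)
        if not m or b".".join(m.groups()[:4]).decode() != private:
            return payload                    # encrypted or unrelated payload: left as is
        new = b"PORT " + public.replace(".", ",").encode() + b",%s,%s" % m.groups()[4:]
        return payload[:m.start()] + new + payload[m.end():]
```

With a cleartext PORT command the embedded 192,168,1,3 is rewritten to 202,169,10,1; when the same command is passed through toy_encrypt first, the NAT finds nothing to rewrite and the far end still decrypts the private address.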
