CN1674549A - Method for switching private net user in public net - Google Patents
Method for switching private net user in public net Download PDFInfo
- Publication number
- CN1674549A CN1674549A CN 200410006287 CN200410006287A CN1674549A CN 1674549 A CN1674549 A CN 1674549A CN 200410006287 CN200410006287 CN 200410006287 CN 200410006287 A CN200410006287 A CN 200410006287A CN 1674549 A CN1674549 A CN 1674549A
- Authority
- CN
- China
- Prior art keywords
- message
- network address
- address translation
- list item
- carry out
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Small-Scale Networks (AREA)
Abstract
The present invention relates to a method for accessing user of private network into common network. Said method includes the following steps: in the list items necessary for inquiry when the message is processed by network address conversion equipment setting the mark necessary for making network address conversion or not; for message of the described private network user inquiring the described mark to judge that the described message is required for making network address conversion or not, if the described private network user message has need of making network address conversion, said message is converted in network address, then said message can be retransmitted, otherwise, said message can not be converted in network address, and can be directly retransmitted.
Description
Technical field
The present invention relates to a kind of private user be inserted the method for public network, relate in particular to a kind of private user and do not carry out the equipment and the method that private user are inserted public network that network address translation is directly visited particular station.
Background technology
Along with the increase to the IP address need of the quick growth of Internet number of users and other association area, the IPv4 address resource is in short supply day by day, so the application of network address translation (nat) equipment is also increasing in the network.The problem of thereupon bringing is the networking application problem that how to solve in the network a large amount of public network addresses and private net address coexistence.
As shown in Figure 1, the message of user PC1 access internet (Internet) enters from the port port1 of NAT device, port port2 goes out, do primary address conversion through NAT device around here, but consider that the server zone (such as www server Web server) of some metropolitan area network inside can directly be visited by the private user of inside.Like this, in order to reduce the load of NAT device, improve the performance of access internet, the network manager can control the stream of the server zone of visit metropolitan area network inside, allows it not carry out the processing of network address translation, but directly is forwarded to destination address.
Provide the technical scheme of public and private net address mixed networking less at present, what majority was taked is the method for utilizing access control list (ACL), by the control to private network user access right, realizes the purpose of public and private net address mixed networking.Promptly configuration ACL table on NAT device in the ACL table, is done the NAT visit to forbid it from the visit to the specific purpose address of private network.
In general, NAT is used with ACL on switching equipment or the router again, that is to say the direct forwarding of acquiescence, disposed corresponding acl rule and NAT binding after, coupling has suffered and has just done the NAT conversion
For example, under situation as shown in Figure 1, private net address is 10.11.10.11/24, allowing its address of directly visiting is 202.119.39.51, at this moment can on NAT device, be configured to rule down, realize controlling private user when this section of visit public network address, need not do network address translation and handle:
ip?nat?pool?pool1?202.119.32.208?202.119.32.223?mask?255.255.255.240
(defining pond, a NAT reference address)
ip?nat?source?10.11.10.11?mask?255.255.255.0?pool?pool1
(having defined a private network network segment, itself and public network address pond are bound, as the foundation of conversion, more than is the NAT rule.Certainly, also can directly use ACL)
acl?1?source?10.11.10.11?mask?255.255.255.0?dest?202.119.39.51?mask255.255.255.0?nat-forbidden
apply?acl?port1
(acl rule is applied to inbound port, also can omits port1, then be applied to the overall situation)
As shown in Figure 2, through after such configuration, NAT device at first can go inquiry whether to dispose the ACL Access Control List (ACL) after receiving the visit message of private user.If do not dispose ACL, then judge whether to meet the NAT switch condition according to the NAT transformation rule, if meet switch condition then handle, handle again and transmit, otherwise directly forwarding.If disposed ACL, then inquire about this message and whether mated an acl rule and forbid that it carries out the NAT conversion process.If the ACL block rule of coupling is arranged, then do not do the NAT conversion, directly forward.If there is not the ACL block rule of coupling, then judge whether to meet the NAT switch condition according to the NAT transformation rule, if meet switch condition then handle, handle again and transmit, otherwise directly forwarding.
Can see that from top description for realizing public network address and private net address mixed networking, this technical scheme must the additional configurations access control list (ACL) regulations.The shortcoming of prior art has:
1. necessary additional configurations acl rule has taken valuable ACL node resource.
2.ACL node is many more, inquires about slowly more, message forwarding performance is also just slow more.Simultaneously, also influence other and be associated with the application performance of ACL.
3. configuration more complicated if similar acl rule is arranged, causes conflict possibly.
Summary of the invention
The purpose of this invention is to provide and a kind of private user is inserted the equipment and the method for public network, do not use ACL, the flow process of utilizing message to transmit realizes the message from the visit particular station of private user is not carried out the NAT conversion, directly visit efficiently.
For achieving the above object, the invention provides and a kind of private user is inserted the method for public network, may further comprise the steps: carry out the sign whether setting in the message list item that institute must inquire about when handling needs to carry out network address translation at network address translation apparatus; For the message of described private user, inquire about described sign, judge whether described message needs to do network address translation; If need carry out network address translation to the message of described private user with determining, then described message is carried out transmitting after the described conversion again, otherwise described message is not carried out network address translation, directly transmit described message.
The described step that network address translation sign is set comprises: corresponding permission is set or does not allow to carry out the sign of network address translation according to the destination address of transmitting.
Described inquiry and judge whether and need the step that described private user message carries out network address translation be comprised: the destination address and the described list item of described private user message are mated, determine according to the result of coupling whether described message allows to carry out network address translation.
The list item that described network address translation apparatus must be inquired about in the message processing procedure be transmit, port index tables or stream cache tables.
Describedly transmit, port index tables or the setting of stream cache tables be at the outgoing interface of network address translation apparatus.
The beneficial effect that private user is inserted the method for public network of the present invention has:
1, the present invention separates the scheme of public and private net mixed networking from ACL, can not take the ACL node resource, can not use to form with other ACL and conflict;
Message processing speed when 2, the present invention has improved public and private net mixed networking simultaneously;
3, the present invention is simpler, clear to the configuration of equipment.
Description of drawings
Fig. 1 is the networking schematic diagram of the private user visit public network of example;
Fig. 2 is the schematic flow diagram of in the prior art private user being visited public network;
Fig. 3 is the schematic flow diagram of the private user visit public network of one embodiment of the present of invention.
Embodiment
Below in conjunction with accompanying drawing, the preferred embodiments of the invention are elaborated.
As shown in Figure 1, owing to after message enters in the NAT device, can inquire about forwarding-table item, prepare follow-up forwarding and handle.The outbound port of private user access internet is the port2 port of equipment, and outbound port generally can not changed by the route decision.May have two outgoing interfaces in the practical application, perhaps outgoing interface can change, and these can be by determining in different outgoing interface configurations.
In one embodiment of the invention, for outbound port configuration NAT conversion allows sign, simultaneously, according to requirements for access, enable operation is gone in the specific purpose address that does not need to do the NAT conversion process during with visit in transmitting.For example, under situation shown in Figure 1, its concrete configuration is as follows:
<port2#>dest?any?nat?permit
<port2#>dest?202.119.39.0?mask?255.255.255.0?nat?deny
Promptly the message that mails to all destination addresses except that destination address 202.119.39.0/24 from outbound port port2 all will be changed through NAT.
Like this, be in the transmitting of port2 at outbound port, will give tacit consent to all increases NAT permission sign.And outbound port is port2, has and forbids NAT sign but destination address belongs to transmitting of network segment 202.119.39.0:
Index Destination/Mask Interface Flag
(index) (destination address/mask) (port) (sign)
1 0.0.0.0/0 port2 nat-permit (permitting NAT)
2 202.119.39.0/24 port2 nat-deny (forbidding NAT)
If NAT device has a plurality of outbound ports, dispose accordingly by the outbound port that above-mentioned steps is NAT to needs.
Like this, as shown in Figure 3, after message enters NAT device, at first inquiry is transmitted, and judges that whether list item needs to carry out the NAT conversion, carries out the NAT conversion if desired, then judge whether to meet the NAT switch condition according to the NAT transformation rule, if meet switch condition then handle, handle again and transmit, otherwise directly forwarding.Particularly, under situation shown in Figure 1, private user when carrying out internet access, with index be 1 forwarding-table item coupling, finding has the NAT of permission sign in the list item, so carry out the NAT conversion process again.And when the user when as shown in Figure 1 address of visit is the Web server of 202.119.39.0/24, inquiry is transmitted, and will be that 2 forwarding-table item is complementary with index, finding has the sign of forbidding that NAT handles in the list item, so this message is directly transmitted.Thereby the present invention is more succinct on flow process, more efficient compared with existing scheme.
Can be according to the difference of distinct device on the message handling process, adopt similar scheme, such as, can will whether allow the sign of NAT conversion to be attached in the list item that to inquire about in the message processing procedure, the so-called list item that must inquire about is meant in switching equipment or routing device repeating process, message is handled the table that must inquire about.Even do not require convection current or, need to inquire about these list items yet under the visit message situation about controlling, generally be three layers of forwarding such as NAT, must look into route forwarding table.For Layer 2 switch, must look into MAC and transmit.The ACL table is Access Control List (ACL), is not requiring that convection current or visit message have under the situation of control, do not need to inquire about.Just inquire about the requirement that whether needs to look into the ACL table at most, thereby the ACL table not the list item that must inquire about yet.But miscellaneous equipment (nat feature is arranged) has different list items such as fire compartment wall or BAS equipment, such as port index tables, and safe list item, stream cache (high-speed cache) table or the like.ACL is not the list item that must inquire about.These can be different because of equipment.But basic thinking all is the same, and the constraint that promptly breaks away from ACL is added in the sign of whether being NAT in the necessary flow process, to improve the performance and the efficient of system handles.
More than the preferred embodiments of the present invention are described in detail for illustrative purposes; but those of ordinary skill in the art is to be appreciated that; in scope and spirit of the present invention; various improvement, interpolation and replacement all are possible, and all in the protection range that claim of the present invention limited.
Claims (10)
1. one kind is inserted the method for public network with private user, may further comprise the steps:
Carry out the sign whether setting in the message list item that institute must inquire about when handling needs to carry out network address translation at network address translation apparatus;
For the message of described private user, inquire about described sign, judge whether described message needs to do network address translation; With
If determine and need carry out network address translation to the message of described private user, then described message is carried out transmitting after the described network address translation again, otherwise described message is not carried out described network address translation, directly transmit described message.
2. whether method according to claim 1 is characterized in that, need to carry out in the step of sign of network address translation in described setting, corresponding permission is set or does not allow to carry out the sign of network address translation according to the destination address of transmitting.
3. method according to claim 1 is characterized in that, described inquiry and judge whether and need the step that described private user message carries out network address translation be comprised:
The destination address and the described list item of described private user message are mated, determine according to the result of mating whether described message allows to carry out network address translation.
4. according to claim 1,2 or 3 described methods, it is characterized in that the described list item that must inquire about is meant in the message repeating process, though do not require convection current or situation that the visit message is controlled under also must inquiry list item.
5. method according to claim 4 is characterized in that, the list item that described network address translation apparatus must be inquired about in the message processing procedure is to transmit.
6. method according to claim 5 is characterized in that, the described outgoing interface of transmitting setting at network address translation apparatus.
7. method according to claim 4 is characterized in that, the list item that described network address translation apparatus must be inquired about in the message processing procedure is a port index tables.
8. method according to claim 7 is characterized in that, described port index tables setting is at the outgoing interface of network address translation apparatus.
9. method according to claim 4 is characterized in that, the list item that described network address translation apparatus must be inquired about in the message processing procedure is the stream cache tables.
10. method according to claim 9 is characterized in that, described stream cache tables is provided with the outgoing interface at network address translation apparatus.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200410006287 CN1674549A (en) | 2004-03-23 | 2004-03-23 | Method for switching private net user in public net |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200410006287 CN1674549A (en) | 2004-03-23 | 2004-03-23 | Method for switching private net user in public net |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN1674549A true CN1674549A (en) | 2005-09-28 |
Family
ID=35046824
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 200410006287 Pending CN1674549A (en) | 2004-03-23 | 2004-03-23 | Method for switching private net user in public net |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN1674549A (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102035661A (en) * | 2009-09-24 | 2011-04-27 | 中兴通讯股份有限公司 | Method, device and system for managing optical network unit |
| CN105684351A (en) * | 2013-10-25 | 2016-06-15 | 汤姆逊许可公司 | Improved subnet provisioning method |
| CN108156008A (en) * | 2016-12-05 | 2018-06-12 | 北京国双科技有限公司 | The configuration method and device of server |
-
2004
- 2004-03-23 CN CN 200410006287 patent/CN1674549A/en active Pending
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102035661A (en) * | 2009-09-24 | 2011-04-27 | 中兴通讯股份有限公司 | Method, device and system for managing optical network unit |
| CN102035661B (en) * | 2009-09-24 | 2014-04-30 | 中兴通讯股份有限公司 | Method, device and system for managing optical network unit |
| CN105684351A (en) * | 2013-10-25 | 2016-06-15 | 汤姆逊许可公司 | Improved subnet provisioning method |
| CN108156008A (en) * | 2016-12-05 | 2018-06-12 | 北京国双科技有限公司 | The configuration method and device of server |
| CN108156008B (en) * | 2016-12-05 | 2021-03-26 | 北京国双科技有限公司 | Server configuration method and device |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CA2591222C (en) | An arrangement and a method relating to flow of packets in communication systems | |
| CN102946354B (en) | Method, device and the network equipment that a kind of message forwards | |
| CN101567831B (en) | Method and device for transmitting and receiving messages among local area networks and communication system | |
| CN101036371A (en) | Apparatus and method for mapping overlapping internet protocol addresses in layer two tunneling protocols | |
| US7443842B2 (en) | Communication control apparatus | |
| CN1711728A (en) | Data group filtration at the network gate as execution point based on business strategy (SBLP) | |
| US11621917B2 (en) | Transparent multiplexing of IP endpoints | |
| CN1838609A (en) | Centralized service processing method and route apparatus | |
| CN102938736A (en) | Method and device for realizing IPv6 (Internet Protocol Version 6) network traversing of IPv4 message | |
| CN102970386A (en) | Method and device for realizing traverse of IPv6 message to IPv4 network | |
| CN1297105C (en) | Method for implementing multirole main machine based on virtual local network | |
| CN1863152A (en) | Method for transmitting various messages between internal network users | |
| CN1960321A (en) | Control method for implementing security of multicast | |
| CN1223159C (en) | Method of supporting address transfer application network | |
| CN101030934A (en) | Method for spanning heterogeneous network mobile telecommunication based on two-way tunnel | |
| CN103442096B (en) | NAT method based on mobile Internet and system | |
| US7773613B2 (en) | Communication control method and system | |
| CN1674549A (en) | Method for switching private net user in public net | |
| CN1697396A (en) | Method for realizing local virtual private network based on firewall | |
| US7420943B2 (en) | Mechanism to create pinhole for existing session in middlebox | |
| CN1705307A (en) | Method for implementing VLAN based L2VPN | |
| WO2003107604A1 (en) | Method and system for connecting manipulation equipment between operator's premises and the internet | |
| CN1232084C (en) | Method for readlizing voice communication between medium gates based on medium gate control protocol | |
| CN1534933A (en) | Safety access control method for internet protocol | |
| CN1801791A (en) | Method for operating a local computer network connected to a remote private network by an IPSEC tunnel, software module and ipsec gateway |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C12 | Rejection of a patent application after its publication | ||
| RJ01 | Rejection of invention patent application after publication |
Open date: 20050928 |