A closer look at NetScaler INAT

NetScaler INAT is mainly used for destination-based address translation: the public IP that the client connects to is translated by the NetScaler into the server's private IP, much like DNAT. Because the NetScaler's default behaviour is to translate source IP:[source port] and destination IP:[destination port] at the same time, it effectively performs NAPT (port mapping) by default, but it is not quite the same as NAPT: NAPT replaces only the destination IP and port, whereas the NetScaler by default replaces all of them.

Test environment:

SNIP: 10.110.110.121
      10.110.140.151
      10.110.140.152

MIP: 10.110.140.153

VIP: 111.1.1.1

Client: 10.110.110.146

Server VIP: 10.110.140.150

Server: 10.110.110.130

 

Configuration:

> add inat <name> <public ip> <private ip>   (the private IP must not be an IP owned by the NetScaler itself, VIPs included)

         -ftp ( ENABLED | DISABLED )
         -mode STATELESS
         -proxyIP <ip_addr|ipv6_addr>
         -tcpproxy ( ENABLED | DISABLED )
         -td <positive_integer>
         -tftp ( ENABLED | DISABLED )
         -usip ( ON | OFF )
         -usnip ( ON | OFF )



When the appliance forwards a packet to a server, the source IP address assigned to the packet is determined as follows:

  • If use subnet IP (USNIP) mode is enabled and use source IP (USIP) mode is disabled, the NetScaler uses a subnet IP address (SNIP) as the source IP address.

  • If USNIP mode is disabled and USIP mode is disabled, the NetScaler uses a mapped IP address (MIP) as the source IP address.

  • If USIP mode is enabled and USNIP mode is disabled, the NetScaler uses the client IP (CIP) address as the source IP address.

  • If both USIP and USNIP modes are enabled, USIP mode takes precedence.

  • You can also configure the NetScaler to use a unique IP address as the source IP address, by setting the proxyIP parameter.

  • If none of the above modes is enabled and a unique IP address has not been specified, the NetScaler attempts to use a MIP as the source IP address.

  • If both USIP and USNIP modes are enabled and a unique IP address has been specified, the order of precedence is as follows: USIP - unique IP - USNIP - MIP - Error.

To protect the NetScaler from DoS attacks, you can enable TCP proxy. However, if other protection mechanisms are used in your network, you may want to disable it.

 

If a proxy IP is enabled, only that one SNIP is used for the connections to the server, similar to static DNAT.


If the proxy IP is disabled, the NetScaler connects to the server in round-robin fashion using the SNIPs that are in the same subnet as the private destination IP, similar to dynamic DNAT.


 

With only USIP enabled, the NetScaler uses the client's source IP to connect to the back-end private network (because the test environment has no route back to the client, the TCP connection did not complete).


With both USIP and USNIP enabled, USIP takes precedence over USNIP, so the NetScaler again uses the client's source IP to connect to the back-end private network (as above, the TCP connection did not complete because the test environment has no route back to the client).


With USIP and USNIP both disabled, the NetScaler uses the MIP to connect to the back end.


With USIP and USNIP disabled but a proxy IP selected, the selected SNIP takes precedence over the MIP and is used to connect to the back-end server.
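To make the documented precedence chain and the test observations above concrete, here is a small Python model, added for this article and not NetScaler code, that applies the rules USIP > unique (proxy) IP > USNIP > MIP > Error to the test environment's addresses. The /24 prefix lengths, the function names (select_source_ip, make_snip_picker, run_scenarios) and the 192.0.2.10 destination used for the error case are assumptions of this example; everything else comes from the article. It replays the USIP-only, USIP+USNIP, neither, proxy IP and USNIP round-robin cases, and also shows the end of the chain where no SNIP matches and no MIP exists.

```python
"""Model of the INAT source-address selection rules quoted above.

Constructed example for this article, not NetScaler code. The addresses are
the article's test environment; the /24 prefix lengths are an assumption.
"""
import ipaddress
from itertools import cycle

# Test-environment addresses from the article; the /24 masks are assumed.
SNIPS = [ipaddress.ip_interface(a) for a in
         ("10.110.110.121/24", "10.110.140.151/24", "10.110.140.152/24")]
MIP = ipaddress.ip_address("10.110.140.153")
CLIENT_IP = ipaddress.ip_address("10.110.110.146")    # client
PRIVATE_IP = ipaddress.ip_address("10.110.140.150")   # INAT private IP (server VIP)


class SourceIPError(Exception):
    """The 'Error' end of the precedence chain: nothing usable was found."""


def make_snip_picker(snips):
    """Build a picker that returns a SNIP in the destination's subnet,
    rotating through the matching SNIPs on successive calls (the round-robin
    behaviour observed with USNIP on and no proxy IP)."""
    rotations = {}  # subnet -> cycle over the SNIPs in that subnet

    def pick(dest):
        matching = [s for s in snips if dest in s.network]
        if not matching:
            return None
        net = matching[0].network
        if net not in rotations:
            rotations[net] = cycle(matching)
        return next(rotations[net]).ip

    return pick


def select_source_ip(dest, client_ip, *, usip=False, usnip=False,
                     proxy_ip=None, mip=MIP, pick_snip=None):
    """Choose the source address for the server-side connection.

    Precedence, as documented: USIP > unique (proxy) IP > USNIP > MIP > Error.
    """
    if usip:                       # USIP wins over everything else
        return client_ip
    if proxy_ip is not None:       # unique IP set with -proxyIP
        return ipaddress.ip_address(proxy_ip)
    if usnip:                      # a SNIP in the destination's subnet
        snip = (pick_snip or make_snip_picker(SNIPS))(dest)
        if snip is not None:
            return snip
    if mip is not None:            # fall back to the MIP
        return mip
    raise SourceIPError(f"no usable source address for {dest}")


def run_scenarios():
    """Replay the article's test cases; returns {scenario: chosen source}."""
    pick = make_snip_picker(SNIPS)   # one picker so the rotation is visible
    cases = {
        "usip_only": dict(usip=True),
        "usip_and_usnip": dict(usip=True, usnip=True),
        "neither": {},
        "proxy_ip": dict(proxy_ip="10.110.140.151"),
        "usnip_first": dict(usnip=True, pick_snip=pick),
        "usnip_second": dict(usnip=True, pick_snip=pick),
    }
    return {name: str(select_source_ip(PRIVATE_IP, CLIENT_IP, **kw))
            for name, kw in cases.items()}


def source_or_error(dest, **kw):
    """Helper for the exhausted chain: returns the address or 'Error'."""
    try:
        return str(select_source_ip(ipaddress.ip_address(dest), CLIENT_IP, **kw))
    except SourceIPError:
        return "Error"


if __name__ == "__main__":
    for name, src in run_scenarios().items():
        print(f"{name:15s} -> {src}")
    # Assumed destination 192.0.2.10: no SNIP shares its subnet.
    print(f"{'no_snip_no_mip':15s} -> "
          f"{source_or_error('192.0.2.10', usnip=True, mip=None)}")
```

Running the module prints one line per scenario; with USNIP alone the two successive connections come from 10.110.140.151 and then 10.110.140.152, which is the round-robin behaviour seen in the captures, and a destination with no SNIP in its subnet falls through to the MIP or, with no MIP, to the error case.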


 

Regardless of whether USIP or USNIP is used, once TCP proxy is enabled the NetScaler uses the client's source IP to connect to the back end; TCP proxy can protect the NetScaler against DoS attacks.


The STATELESS value of -mode applies only to IPv4-to-IPv6 translation.