????????????????深入理解Netscaler INat

Netscaler的INat主要是用作基于目的地址的轉換，將client訪問的公網IP通過Netscaler轉換成服務器的私網IP，與DNAT作用類似。由于Netscaler默認的工作機制就是同時做源IP：【源端口】+目的IP：【目的端口】的轉換，也就是說它默認執行了NAPT（端口映射）但有不完全等同與NAPT。NAPT只替換目的IP和端口，而Netscaler默認是全部替換的。

測試環境：

SNIP：10.110.110.121

????? 10.110.140.151

????? 10.110.140.152

MIP：?10.110.140.153

VIP：111.1.1.1

Client：10.110.110.146

Server VIP：10.110.140.150

Server：10.110.110.130

?

配置方法:

> add inat <name> <public ip> <private ip>(private ip不能是Netscaler所屬的IP包括VIP）

???????? -ftp ( ENABLED | DISABLED )

???????? -mode STATELESS

???????? -proxyIP <ip_addr|ipv6_addr>

???????? -tcpproxy ( ENABLED | DISABLED )

???????? -td <positive_integer>

???????? -tftp ( ENABLED | DISABLED )

???????? -usip ( ON | OFF )

???????? -usnip ( ON | OFF )

When the appliance forwards a packet to a server, the source IP address assigned to the

packet is determined as follows:

• If use subnet IP (USNIP) mode is enabled and use source IP (USIP) mode is disabled,

the NetScaler uses a subnet IP address (SNIP) as the source IP address.

• If USNIP mode is disabled and USIP mode is disabled, the NetScaler uses a mapped IP

address (MIP) as the source IP address.

• If USIP mode is enabled, and USNIP mode is disabled the NetScaler uses the client IP

(CIP) address as the source IP address.

• If both USIP and USNIP modes are enabled, USIP mode takes precedence.

• You can also configure the NetScaler to use a unique IP address as the source IP

address, by setting the proxyIP parameter.

• If none of the above modes is enabled and a unique IP address has not been

specified, the NetScaler attempts to use a MIP as the source IP address.

• If both USIP and USNIP modes are enabled and a unique IP address has been

specified, the order of precedence is as follows: USIP-unique IP-USNIP-MIP-Error.

To protect the NetScaler from DoS attacks, you can enable TCP proxy. However, if other

protection mechanisms are used in your network, you may want to disable them.

?

如果啟用了proxy ip，那么與服務器連接就只用一個SNIP，與靜態DNAT類似

如果關閉proxy ip，Netscaler將采用輪訓的方式，用與私網目的IP一個網段的SNIP來連接服務器，類似動態DNAT

?

只打開USIP時，Netscaler會用client的源ip來與后臺私網連接（由于測試環境沒有去client的路由因此沒有完成TCP連接）

同時打開USIP和USNIP時，由于USIP的優先級高于USNIP，Netscaler會用client的源ip來與后臺私網連接（由于測試環境沒有去client的路由因此沒有完成TCP連接）

關閉USIP和USNIP后，Netscaler會用MIP來與后臺連接

關閉USIP和USNIP，但選擇了Proxy IP后，被選擇的SNIP優先高于MIP，會用它與后臺服務器連接

?

不管是用USIP還是USNIP，啟用了TCP proxy后Netscaler都會用client源IP來與后臺連接，tcp proxy可以保護Netscaler抵抗DOS***

Mode中的stateless只能應用與IPV4-IPV6的轉換

轉載于:https://blog.51cto.com/caojin/1898173

總結

以上是生活随笔為你收集整理的深入理解Netscaler INat的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。