Deep Dive into Netscaler INAT

Netscaler INAT is mainly used for destination-based translation: the public IP a client connects to is translated by the Netscaler into the server's private IP, much like DNAT. Because the Netscaler's default behaviour is to translate source IP:[source port] and destination IP:[destination port] at the same time, it effectively performs NAPT (port mapping) by default, but it is not quite the same as NAPT: NAPT only replaces the destination IP and port, whereas the Netscaler by default replaces all of them.

Test environment:

SNIP: 10.110.110.121

(label missing) 10.110.140.151

(label missing) 10.110.140.152

MIP: 10.110.140.153

VIP: 111.1.1.1

Client: 10.110.110.146

Server VIP: 10.110.140.150

Server: 10.110.110.130


Configuration:

> add inat <name> <public ip> <private ip>    (the private IP must not be an IP owned by the Netscaler itself, including any VIP)
         -ftp ( ENABLED | DISABLED )
         -mode STATELESS
         -proxyIP <ip_addr|ipv6_addr>
         -tcpproxy ( ENABLED | DISABLED )
         -td <positive_integer>
         -tftp ( ENABLED | DISABLED )
         -usip ( ON | OFF )
         -usnip ( ON | OFF )



When the appliance forwards a packet to a server, the source IP address assigned to the packet is determined as follows:

  • If use subnet IP (USNIP) mode is enabled and use source IP (USIP) mode is disabled, the NetScaler uses a subnet IP address (SNIP) as the source IP address.
  • If USNIP mode is disabled and USIP mode is disabled, the NetScaler uses a mapped IP address (MIP) as the source IP address.
  • If USIP mode is enabled and USNIP mode is disabled, the NetScaler uses the client IP (CIP) address as the source IP address.
  • If both USIP and USNIP modes are enabled, USIP mode takes precedence.
  • You can also configure the NetScaler to use a unique IP address as the source IP address, by setting the proxyIP parameter.
  • If none of the above modes is enabled and a unique IP address has not been specified, the NetScaler attempts to use a MIP as the source IP address.
  • If both USIP and USNIP modes are enabled and a unique IP address has been specified, the order of precedence is as follows: USIP - unique IP - USNIP - MIP - Error.

To protect the NetScaler from DoS attacks, you can enable TCP proxy. However, if other protection mechanisms are used in your network, you may want to disable them.


If a proxy IP is configured, connections to the server use only that single SNIP, similar to static DNAT.


If no proxy IP is configured, the Netscaler connects to the server using, in round-robin order, the SNIPs that sit in the same subnet as the private destination IP, similar to dynamic DNAT.


With only USIP enabled, the Netscaler uses the client's source IP to connect to the back-end private network (the TCP connection did not complete because the test environment has no route back to the client).


With both USIP and USNIP enabled, USIP takes precedence over USNIP, so the Netscaler again uses the client's source IP to connect to the back-end private network (again, the TCP connection did not complete because the test environment has no route back to the client).


關閉USIP和USNIP后,Netscaler會用MIP來與后臺連接


關閉USIP和USNIP,但選擇了Proxy IP后,被選擇的SNIP優先高于MIP,會用它與后臺服務器連接


Whether USIP or USNIP is in use, once TCP proxy is enabled the Netscaler uses the client's source IP to connect to the back end; TCP proxy protects the Netscaler against DoS attacks.


The STATELESS setting of -mode applies only to IPv4-IPv6 translation.