CN104202439A - Addressing and access method, gateway and system - Google Patents
- Publication number: CN104202439A
- Application number: CN201410350747.XA
- Authority: CN (China)
- Prior art keywords: address, intranet, outer net, request, transformed
- Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention relates to an addressing and access method, a gateway and a system. The addressing and access method comprises the following step: according to the one-to-one address pairs stored in an address translation list, address translation is performed on a request from the intranet to the extranet or on a request from the extranet to the intranet. When a packet carries a request from the extranet to the intranet, the corresponding intranet IP (Internet Protocol) address is looked up in the address translation list and the destination IP address of that packet is translated to the intranet IP address; when a packet carries a request from the intranet to the extranet, the corresponding extranet IP address is looked up in the address translation list and the source IP address of that packet is translated to the extranet IP address. Through this one-to-one NAT (Network Address Translation), the extranet can actively access the intranet and the intranet can actively access the extranet.
Description
Technical field
The present invention relates to the field of network security, and in particular to an addressing and access method, gateway and system for a public cloud.
Background technology
In the field of network security it is often necessary to provide an address translation function. Address translation exists because IPv4 addresses are scarce: in order to reuse public IP addresses, the network is divided into an external network (the extranet) and an internal network (the intranet). The extranet uses public IP addresses and supports global communication; the intranet uses internal addresses for internal communication; and when the intranet accesses the extranet or the extranet accesses the intranet, NAT (Network Address Translation) is applied.
When the intranet accesses the extranet, SNAT (Source Network Address Translation) is used: the source address of a request packet sent by an intranet host towards the extranet is translated from an intranet IP address to an extranet IP address. To conserve public IP addresses there are usually many internal addresses and few extranet addresses, or only a single extranet address, that is, a many-to-one or many-to-few mapping, and only connections initiated by the intranet can be supported.
When the extranet accesses the intranet, DNAT (Destination Network Address Translation) is used: the destination address of a request packet sent by an extranet host towards an intranet server is translated from an extranet IP address to an intranet IP address. Because public IP addresses are limited, one public IP address usually corresponds to a server cluster formed by one or more intranet servers, so one public IP address translates to one or more intranet IP addresses. DNAT is therefore a one-to-one or one-to-many address translation and can only support connections initiated by the extranet.
With the development of networking and virtualisation technology, cloud services have grown rapidly; private and public clouds are commercially available, the market continues to develop and expand, and the prospects are very broad. A public cloud can offer a "virtual host" service: put simply, the "virtual host" sits in the intranet of the cloud service provider, external users need to actively access the "virtual host" in the intranet, and the "virtual host" in the intranet must also be able to actively access various services on the extranet. The number of "virtual hosts" a provider exposes externally is huge, often hundreds, thousands or even tens of thousands. Neither DNAT nor SNAT alone can meet this demand, so a brand-new NAT scheme is needed.
Summary of the invention
In view of the above, the present invention provides an addressing and access method, gateway and system. By means of one-to-one NAT, the method allows the extranet to actively access the intranet and the intranet to actively access the extranet, and it provides a proxy ARP function so that the translated destination addresses need not be configured on the network interface of the security gateway.
To this end, the present invention proposes an addressing and access method, characterized in that the method comprises: according to the address pairs stored in an address translation list, performing address translation on a request from the intranet to the extranet or on a request from the extranet to the intranet, wherein, when a packet carries a request from the extranet to the intranet, the corresponding intranet IP address is looked up in the address translation list and the destination IP address of the packet carrying that request is translated to the intranet IP address; and when a packet carries a request from the intranet to the extranet, the corresponding extranet IP address is looked up in the address translation list and the source IP address of the packet carrying that request is translated to the extranet IP address.
Wherein, the intranet IP address is configured on a virtual host.
Wherein, when address translation is performed on a request from the intranet to the extranet or on a request from the extranet to the intranet, ARP replies are produced by proxy ARP.
Wherein, the address pair is a one-to-one pair formed by the intranet IP address and the extranet IP address.
In another aspect, the present invention provides a gateway comprising: a transceiver unit for receiving and sending packets that carry address translation requests; a storage unit for storing an address translation list, the address translation list comprising at least one one-to-one address pair formed by an intranet IP address and an extranet IP address; and a processing unit connected to the storage unit and to the transceiver unit, for performing, according to the address pairs, address translation on a request from the intranet to the extranet or on a request from the extranet to the intranet.
Wherein, the processing unit is further configured to provide the corresponding ARP replies by proxy ARP during address translation.
In another aspect, the present invention provides an addressing and access system comprising: the gateway described above; and a server on which virtual hosts are configured with intranet IP addresses.
As the above embodiments show, with the addressing and access method, gateway and system of the present invention, configuring one-to-one IP address pairs means that when the extranet IP address of a virtual host changes, the internal network topology need not be modified. The present invention is at the same time both a DNAT translation and an SNAT translation, so through this one-to-one NAT an intranet host can both be reached from the extranet and reach the extranet. In addition, the method does not require the large number of extranet IP addresses to be configured on the security gateway, since ARP replies are produced by the proxy ARP function; the scheme is therefore flexible and eases intranet management.
Accompanying drawing explanation
The features and advantages of the present invention can be understood more clearly with reference to the accompanying drawings, which are schematic and should not be construed as limiting the invention in any way. In the drawings:
Fig. 1 is a flow chart of the addressing and access method of the present invention.
Fig. 2 is a schematic diagram of a specific embodiment of the addressing and access method of the present invention.
Fig. 3 is a block diagram of the gateway of the present invention.
Fig. 4 is a block diagram of the addressing and access system of the present invention.
Embodiments
Embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Fig. 1 is a flow chart of the addressing and access method of the present invention.
With reference to Fig. 1, the addressing and access method of an embodiment of the present invention comprises the steps:
S1: according to the address pairs stored in the address translation list, perform address translation on a request from the intranet to the extranet or on a request from the extranet to the intranet;
S2: when a packet carries a request from the extranet to the intranet, look up the corresponding intranet IP address in the address translation list and translate the destination IP address of the packet to that intranet IP address;
S2': when a packet carries a request from the intranet to the extranet, look up the corresponding extranet IP address in the address translation list and translate the source IP address of the packet to that extranet IP address.
In the above method, steps S2 and S2' have no fixed order; they are the two translation cases, intranet to extranet and extranet to intranet.
In the above method, the intranet IP address is configured on a virtual host in the intranet, and when address translation is performed on a request from the intranet to the extranet or on a request from the extranet to the intranet, ARP replies are produced by proxy ARP.
The address pairs above are one-to-one pairs formed by an intranet IP address and an extranet IP address.
In one embodiment, the extranet IP address is a public IP address used in network communication, and the intranet IP address is a private IP address of the internal network.
Fig. 2 is a schematic diagram of a specific embodiment of the addressing and access method of the present invention.
With reference to Fig. 2, the present embodiment is carried out in the public cloud of a cloud service. In the public cloud service an intranet server provides a plurality of virtual hosts, each virtual host is configured with a corresponding intranet IP address, and the address translation list stored in the storage unit of the gateway holds a plurality of address pairs, each being a one-to-one pair of an intranet IP address and an extranet IP address, for example: intranet IP address 1 corresponds to extranet IP address 1, intranet IP address 2 corresponds to extranet IP address 2, and so on.
In the present embodiment, the extranet IP address is a public network IP address used in network services outside the cloud service centre, i.e. an external network IP address, and the intranet IP address is the private network IP address of each virtual host inside the cloud service centre.
The gateway of the present embodiment is provided with a proxy ARP function so that ARP replies can be given when translating between intranet and extranet.
When an external user accesses the intranet, the external user sends a packet carrying a request from the extranet to the intranet. After receiving this packet, the gateway finds the corresponding address pair in the address translation list of the storage unit, obtains the corresponding intranet IP address, and translates the destination IP address of the packet to that intranet IP address.
When an intranet user accesses the extranet, the intranet user sends a packet carrying a request from the intranet to the extranet. After receiving this packet, the gateway finds the corresponding address pair in the address translation list of the storage unit, obtains the corresponding extranet IP address, and translates the source IP address of the packet to that extranet IP address.
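The translation steps S1, S2 and S2' above and the Fig. 2 embodiment, as an added worked example that is not code from the patent: a small Python model of the gateway's address translation list holding strictly one-to-one pairs, applying DNAT on extranet-to-intranet packets and SNAT on intranet-to-extranet packets, and declining to translate any packet whose address has no pair. The addresses are constructed from documentation ranges; the proxy-ARP rule (reply only for extranet addresses present in the list) and the `rebind_extranet` helper are assumptions about how the described design would be realised, not details the patent states.

```python
"""One-to-one NAT table with both translation directions and proxy ARP,
modelled on the method described in this patent. Added example; not the
patent's own code. All addresses are constructed (RFC 5737 / RFC 1918)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional


@dataclass(frozen=True)
class Packet:
    """Minimal IP packet model: only the header fields the method rewrites."""
    src: str
    dst: str


class OneToOneNatGateway:
    """Holds the address translation list as strictly one-to-one pairs and
    applies DNAT to extranet->intranet traffic (step S2) and SNAT to
    intranet->extranet traffic (step S2'). A packet with no matching pair is
    left untranslated (None) instead of being forwarded on a guess."""

    def __init__(self, pairs: Dict[str, str]):
        self.in2out: Dict[str, str] = {}   # intranet IP -> extranet IP
        self.out2in: Dict[str, str] = {}   # extranet IP -> intranet IP
        for intra, extra in pairs.items():
            self.add_pair(intra, extra)

    def add_pair(self, intra: str, extra: str) -> None:
        # Reject malformed addresses and anything that would turn the table
        # into a one-to-many or many-to-one mapping; the method relies on
        # every address appearing in exactly one pair.
        intra = str(ipaddress.IPv4Address(intra))
        extra = str(ipaddress.IPv4Address(extra))
        if intra in self.in2out or extra in self.out2in:
            raise ValueError(f"address already mapped: {intra} / {extra}")
        self.in2out[intra] = extra
        self.out2in[extra] = intra

    def rebind_extranet(self, intra: str, new_extra: str) -> None:
        """Assumed helper: change a virtual host's public address without
        touching the intranet side (the operational benefit the patent claims)."""
        old_extra = self.in2out.pop(intra)
        del self.out2in[old_extra]
        self.add_pair(intra, new_extra)

    def from_extranet(self, pkt: Packet) -> Optional[Packet]:
        """Step S2: look up the destination, rewrite it to the paired
        intranet address (DNAT)."""
        intra = self.out2in.get(pkt.dst)
        if intra is None:
            return None  # no pair: nothing is forwarded into the intranet
        return replace(pkt, dst=intra)

    def from_intranet(self, pkt: Packet) -> Optional[Packet]:
        """Step S2': look up the source, rewrite it to the paired
        extranet address (SNAT)."""
        extra = self.in2out.get(pkt.src)
        if extra is None:
            return None  # no pair: the host has no public identity
        return replace(pkt, src=extra)

    def answers_arp_for(self, target_ip: str) -> bool:
        """Proxy ARP on the extranet interface: reply for every extranet IP
        in the list so none of them must be configured on the gateway NIC.
        Assumption: only the extranet side is proxied."""
        return target_ip in self.out2in


# Constructed translation list: two virtual hosts, one public IP each.
TRANSLATION_LIST = {
    "10.0.0.11": "203.0.113.11",
    "10.0.0.12": "203.0.113.12",
}


def demo():
    gw = OneToOneNatGateway(TRANSLATION_LIST)
    # External user 198.51.100.7 reaches virtual host 1 via its public IP.
    inbound = gw.from_extranet(Packet(src="198.51.100.7", dst="203.0.113.11"))
    # Virtual host 2 opens a connection outwards.
    outbound = gw.from_intranet(Packet(src="10.0.0.12", dst="198.51.100.7"))
    # A public IP that is not in the list is not translated at all.
    stray = gw.from_extranet(Packet(src="198.51.100.7", dst="203.0.113.99"))
    return inbound, outbound, stray


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Because every lookup is an exact-match on a one-to-one table, the gateway never has to track connection state to pick a return path, and an address absent from the list is simply not translated, which is the check an operator relies on to keep the gateway from exposing hosts that were never assigned a public address.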
Fig. 3 is a block diagram of the gateway of the present invention.
As shown in Fig. 3, another embodiment of the invention provides a gateway 10, which comprises:
a transceiver unit 100 for receiving and sending packets that carry address translation requests;
a storage unit 200 for storing an address translation list, the address translation list comprising at least one one-to-one address pair formed by an intranet IP address and an extranet IP address;
a processing unit 300 connected to the storage unit and to the transceiver unit, for performing, according to the address pairs, address translation on a request from the intranet to the extranet or on a request from the extranet to the intranet.
In addition, the processing unit is further configured to provide the corresponding ARP replies by proxy ARP during address translation.
Fig. 4 is a block diagram of the addressing and access system of the present invention.
As shown in Fig. 4, another embodiment of the present invention provides an addressing and access system comprising the gateway 10 described above and a server 20, the server 20 being used to configure virtual hosts with intranet IP addresses.
As the above embodiments show, with the addressing and access method, gateway and system of the present invention, configuring one-to-one IP address pairs means that when the extranet IP address of a virtual host changes, the internal network topology need not be modified. The present invention is at the same time both a DNAT translation and an SNAT translation, so through this one-to-one NAT an intranet host can both be reached from the extranet and reach the extranet. In addition, the method does not require the large number of extranet IP addresses to be configured on the security gateway, since ARP replies are produced by the proxy ARP function; the scheme is therefore flexible and eases intranet management.
Although embodiments of the present invention have been described with reference to the accompanying drawings, those skilled in the art can make various modifications and variations without departing from the spirit and scope of the present invention, and such modifications and variations all fall within the scope defined by the appended claims.
Claims (7)
1. An addressing and access method, characterized in that the method comprises:
according to the address pairs stored in an address translation list, performing address translation on a request from the intranet to the extranet or on a request from the extranet to the intranet,
wherein, when a packet carries a request from the extranet to the intranet, the corresponding intranet IP address is looked up in the address translation list and the destination IP address of the packet carrying that request is translated to the intranet IP address;
when a packet carries a request from the intranet to the extranet, the corresponding extranet IP address is looked up in the address translation list and the source IP address of the packet carrying that request is translated to the extranet IP address.
2. The addressing and access method according to claim 1, characterized in that the intranet IP address is configured on a virtual host.
3. The addressing and access method according to claim 1, characterized in that, when address translation is performed on the request from the intranet to the extranet or on the request from the extranet to the intranet, ARP replies are produced by proxy ARP.
4. The addressing and access method according to claim 1, characterized in that the address pair is a one-to-one pair formed by the intranet IP address and the extranet IP address.
5. A gateway, characterized in that the gateway comprises:
a transceiver unit for receiving and sending packets that carry address translation requests;
a storage unit for storing an address translation list, the address translation list comprising at least one one-to-one address pair formed by an intranet IP address and an extranet IP address;
a processing unit connected to the storage unit and to the transceiver unit, for performing, according to the address pairs, address translation on a request from the intranet to the extranet or on a request from the extranet to the intranet.
6. The gateway according to claim 5, characterized in that the processing unit is further configured to provide the corresponding ARP replies by proxy ARP during address translation.
7. An addressing and access system, characterized in that the system comprises:
the gateway according to any one of claims 5 to 6;
a server for configuring virtual hosts with intranet IP addresses.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410350747.XA CN104202439A (en) | 2014-07-22 | 2014-07-22 | Addressing and access method, gateway and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410350747.XA CN104202439A (en) | 2014-07-22 | 2014-07-22 | Addressing and access method, gateway and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104202439A true CN104202439A (en) | 2014-12-10 |
Family
ID=52087664
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410350747.XA Pending CN104202439A (en) | 2014-07-22 | 2014-07-22 | Addressing and access method, gateway and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104202439A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101465889A (en) * | 2008-12-03 | 2009-06-24 | 北京星网锐捷网络技术有限公司 | Network address translation equipment and request method of response address analysis protocol |
CN101582925A (en) * | 2009-06-15 | 2009-11-18 | 中兴通讯股份有限公司 | Network address translation method and system |
CN102170380A (en) * | 2010-02-25 | 2011-08-31 | 杭州华三通信技术有限公司 | Method and device for accessing outer network from inner network |
US20140052870A1 (en) * | 2004-02-02 | 2014-02-20 | Apple Inc. | Nat traversal for media conferencing |
Events
- 2014-07-22: CN CN201410350747.XA patent/CN104202439A/en, status: active, Pending
Cited By (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105991568A (en) * | 2015-02-09 | 2016-10-05 | 苏州精易会信息技术有限公司 | Proxy realizing device |
CN106375493A (en) * | 2016-10-10 | 2017-02-01 | 腾讯科技(深圳)有限公司 | Cross-network communication method and proxy servers |
CN107147533A (en) * | 2017-05-31 | 2017-09-08 | 郑州云海信息技术有限公司 | A kind of flow table configuration distributing method and system based on SDN frameworks |
CN109151084A (en) * | 2017-06-15 | 2019-01-04 | 中兴通讯股份有限公司 | File transmitting method and device, system, CGN equipment |
CN107508811B (en) * | 2017-08-28 | 2020-05-19 | 浙江宇视科技有限公司 | UNP-based secure registration query method and system |
CN107508811A (en) * | 2017-08-28 | 2017-12-22 | 浙江宇视科技有限公司 | A kind of secure registration querying method and system based on UNP |
CN108200222A (en) * | 2017-12-27 | 2018-06-22 | 郑州云海信息技术有限公司 | A kind of method, apparatus and equipment of cluster accessing outer network from inner network |
CN109218467A (en) * | 2018-11-15 | 2019-01-15 | 锐捷网络股份有限公司 | A kind of method for network address translation and chip |
CN109218467B (en) * | 2018-11-15 | 2022-02-25 | 锐捷网络股份有限公司 | Network address conversion method and chip |
CN109587254A (en) * | 2018-12-11 | 2019-04-05 | 深圳市口袋网络科技有限公司 | Cloud Server access method, device, Cloud Server and storage medium |
CN109587254B (en) * | 2018-12-11 | 2021-09-17 | 深圳市口袋网络科技有限公司 | Cloud server access method and device, cloud server and storage medium |
CN113596184A (en) * | 2020-04-30 | 2021-11-02 | 华为技术有限公司 | Hybrid cloud system, gatekeeper, network access method, and storage medium |
WO2021219104A1 (en) * | 2020-04-30 | 2021-11-04 | 华为技术有限公司 | Hybrid cloud system, gatekeeper, network access method and storage medium |
CN113596184B (en) * | 2020-04-30 | 2023-08-08 | 华为云计算技术有限公司 | Hybrid cloud system, gatekeeper, network access method and storage medium |
CN115529270A (en) * | 2022-11-23 | 2022-12-27 | 广东睿江云计算股份有限公司 | Physical and virtual network fusion method and device, computer equipment and storage medium |
CN115529270B (en) * | 2022-11-23 | 2023-04-11 | 广东睿江云计算股份有限公司 | Physical and virtual network fusion method and device, computer equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 2014-12-10