
CN101483657B - Implementation method and system for same side private network device access by private user - Google Patents


Info

Publication number: CN101483657B
Authority: CN (China)
Prior art keywords: information, private network, access, address information, gateway
Legal status: Expired - Fee Related (Google's status listing is an assumption, not a legal conclusion)
Application number: CN200910079705A
Other languages: Chinese (zh)
Other versions: CN101483657A (en)
Inventor: 蒋伟
Current assignee: ZTE Corp
Original assignee: ZTE Corp

Events:
  • Application filed by ZTE Corp
  • Priority to CN200910079705A
  • Publication of CN101483657A
  • Priority to PCT/CN2009/073533 (WO2010099680A1)
  • Application granted
  • Publication of CN101483657B
  • Legal status: Expired - Fee Related

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2514 Translation of Internet protocol [IP] addresses between local and global IP addresses

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method by which a private network subscriber accesses a private network device on the same side. A gateway configures access rule configuration information describing how a private network subscriber can reach a same-side private network device by accessing the public network of the gateway, and the gateway controls the subscriber's access to the private network device according to that information. The invention also discloses a system for the same purpose, comprising a configuration unit and a control unit: the configuration unit is used by the gateway to configure the access rule configuration information, and the control unit is used by the gateway to control the private network subscribers' access to the private network device according to the access rule configuration information. With this method and system, the requirement that private network subscribers access same-side private network devices through the public network can be satisfied.

Description

Method and system for realizing access of private network user to private network equipment on same side
Technical Field
The invention relates to an access technology in the field of computer network communication, in particular to a method and a system by which private network users under a gateway reach private network devices on the same side through the public network.
Background
With the continuous development of the internet and its application technologies, people can build ever richer applications and services on it. The gateway, as the portal through which people reach the internet, is also becoming more and more widespread. The appearance of the gateway creates a private side and a public side of the network; thus, the network is divided into a private network and a public network.
The private network lies inside the gateway and is the network environment protected by it. Because the networking information of the private network is shielded by the gateway and is not known to users outside the private network, the private network has higher network security. The public network is the opposite: it lies outside the gateway, its networking information is open and known to all users, and so its network security is low. Because of this difference, more and more network services are being placed on private network devices located on the private side and offered for external access. Generally, in order to keep the private network information hidden while still meeting the accessibility requirement of the network service device on the private network, Network Address Translation (NAT) is commonly used. The NAT function is provided in the gateway; through it, a user who is not a private network user (that is, a public network user) can reach a specific network service device inside the gateway by accessing a public network address provided by the gateway, which makes the private network device accessible.
The general networking scenario handled by the NAT function of existing gateways comprises a private network device, a gateway and a public network user, where the private network device is a network service device that provides a service. The access requirement in this scenario is that the public network user can reach the private network device, and the solution is as follows: the public network user accesses the public network address on the gateway (or the public network address plus a service port), and the NAT function of the gateway maps this to the private network device on the private network or to the network service it provides.
However, the following networking scenario and requirement are not yet solved by current gateway products. The scenario is a network deployment in which the private network accesses the public network and is then mapped back to the private network. The access requirement in this scenario is that a private network user reaches a private network device on the same side through the public network. That is, a private network user on the private network wants to access the same or a different private network device located inside the same gateway, and the network services it provides; moreover, because the private network user does not know the private network address of the service, or the networking scenario does not allow the private network user to bypass the gateway and access the private network device directly, the private network user wants to reach the private network device indirectly by accessing the public network of the gateway. With the popularization and development of network services, networking scenarios and access requirements in which the private network accesses the public network and is mapped back to the private network are becoming more and more common, and solving this access requirement is becoming more significant and urgent.
Disclosure of Invention
In view of this, the main object of the present invention is to provide a method and a system by which a private network user accesses a private network device on the same side, so as to meet the requirement of the private network user to reach the same-side private network device through the public network, and to enable a user on the private network to reach the same-side private network device by accessing the public network of the gateway.
To achieve this purpose, the technical scheme of the invention is realized as follows:
a method by which a private network user accesses a private network device on the same side comprises the following steps:
the gateway configures access rule configuration information; the access rule configuration information includes private network user information, public network information and private network device information, among which a preset mapping relationship exists;
the gateway obtains from the private network user an access message whose source address information is the address information of the private network user and whose destination address information is the public network access address information; according to the access rule configuration information it modifies the destination address information of the access message into the address information of the private network device and the source address information into the public network access address information, and it forwards the access message with the modified source and destination address information to the same-side private network device through a routing mechanism.
Wherein the configuration requirement of the access rule configuration information is derived from: a user and/or an operator.
The gateway configures the access rule configuration information in one of the following ways: the access rule configuration information is actively sent to the gateway in the form of a configuration file, and the gateway parses the configuration file to obtain and configure the access rule configuration information; or,
the gateway passively acquires and configures the access rule configuration information from a user and/or an operator; or,
the gateway dynamically generates and configures the access rule configuration information according to the networking condition of the network.
The mapping relationship among the private network user information, the public network information and the same-side private network device information may be expressed in any data structure that identifies the mapping, including a table or an array.
The private network user information is information that uniquely identifies the private network user, and includes: the address information of the private network user, or the access device information of the private network user;
the public network information is information that uniquely identifies the public network, and includes: the public network access address information, or the protocol information and port information used in the access message with which the private network user requests access to the public network in order to reach the same-side private network device;
the same-side private network device information is information that uniquely identifies the private network device or the service provided on it, and includes: the address information of the private network device, or information related to a service provided on the private network device.
The gateway modifies the destination address information of the access message into the address information of the private network device according to the access rule configuration information, modifies the source address information of the access message into the public network access address information, and forwards the access message with the modified source and destination address information to the same-side private network device through a routing mechanism, as follows:
A. the gateway obtains the access message from the private network user, extracts the valid information in the access message, and matches the valid information against the access rule configuration information; if matching access rule configuration information is found, B is executed; otherwise, the current control of the private network user's access to the same-side private network device ends;
B. according to the matched access rule configuration information, the gateway modifies the address information used to forward the access message through a Network Address Translation (NAT) mechanism, and controls the access message so that it is forwarded to the public network first and then from the public network to the same-side private network device.
The valid information is information that uniquely identifies the access message, and includes: the media access control address information of the access message, the source address information/destination address information of the access message, the access device information of the access message, the field information of the configuration information carried in the dynamic host configuration protocol of the access message, or the domain name information accessed by the access message;
the access message is the message with which the private network user requests access to the public network in order to reach the same-side private network device.
In step A, the source address information of the access message in the valid information is specifically the address information of a private network user, and the destination address information is the public network access address information; the matched access rule configuration information specifically includes: the address information of the private network user, the public network access address information and the address information of the private network device; step B is specifically as follows:
b1, before routing, the gateway modifies the destination address information of the access message into the address information of the private network equipment through an NAT mechanism;
b2, the gateway determines that the access message needs to be forwarded to the private network equipment on the same side through a routing mechanism;
b3, after routing and before forwarding the access message, the gateway modifies the source address information of the access message into the public network access address information through an NAT mechanism;
b4, through the route mechanism, the gateway forwards the access message after the source address information and the destination address information are modified to the private network equipment on the same side.
Wherein, the access rule configuration information is further updated according to a networking mode and a service mode; the updates are manually updated in a static manner or automatically updated in a dynamic manner.
A system by which a private network user accesses a private network device on the same side comprises a configuration unit and a control unit, wherein:
the configuration unit is used by the gateway to configure access rule configuration information, where the access rule configuration information includes private network user information, public network information and private network device information, among which a preset mapping relationship exists;
the control unit is used by the gateway to obtain from the private network user an access message whose source address information is the address information of the private network user and whose destination address information is the public network access address information, to modify the destination address information of the access message into the address information of the private network device according to the access rule configuration information, to modify the source address information of the access message into the public network access address information, and to forward the access message with the modified source and destination address information to the same-side private network device through a routing mechanism.
The configuration unit is further configured to actively issue the access rule configuration information to the gateway in the form of a configuration file, and the gateway analyzes the configuration file to obtain and configure the access rule configuration information; or,
the gateway passively acquires and configures access rule configuration information from a user and/or an operator; or,
and the gateway dynamically generates and configures access rule configuration information according to the network networking condition.
The invention configures and stores access rule configuration information in a gateway; the access rule configuration information describes how the private network user reaches the same-side private network device through the public network of the gateway. According to the access rule configuration information, the gateway controls the private network user's access to the private network device on its own side.
Based on the access rule configuration information, the invention modifies the address information of the message through the NAT mechanism provided by the gateway, and through the routing mechanism provided by the gateway it controls the access message of the private network user so that it is first forwarded to the public network and then from the public network to the same-side private network device, along the correct round-trip path that conforms to the access rule configuration information. The access message of the private network user is the message with which the private network user requests access to the public network in order to reach the same-side private network device. Therefore, according to the access rule configuration information stored in the gateway, the invention can control the forwarding and transmission of the messages with which a private network user requests access to a same-side private network device along the correct round-trip path; it meets the requirement of the private network user to reach the same-side private network device through the public network, and ensures that a user in the private network reaches the same-side private network device by way of the public network of the gateway.
Drawings
FIG. 1 is a schematic flow chart of the implementation of the method of the present invention;
FIG. 2 is a schematic diagram of a networking architecture of an example of a networking scenario used in the present invention;
FIG. 3 is a schematic flow chart of an implementation of a method according to an embodiment of the present invention.
Detailed Description
The basic idea of the invention is: according to the access rule configuration information of the private network user for accessing the private network equipment on the same side through the public network of the access gateway, the access of the private network user to the private network equipment on the same side of the private network user is controlled and realized by the gateway.
The following describes the embodiments in further detail with reference to the accompanying drawings.
As shown in fig. 1, a method for a private network user to access a private network device on the same side includes the following steps:
Step 101: the gateway is initialized and the networking environment of the private network and the public network is built.
Here, the gateway is the only channel through which the private network communicates with the external public network the gateway is connected to; that is, all private network users and private network devices on the private network side ultimately communicate with the public network through the gateway.
For the private network located inside the gateway, at least one private network access point is provided on the gateway, and normally several can be provided, so that the private network users and private network devices on the private network side of each access point are connected to the gateway. Private network access points carry the private network address information that the gateway provides to private network users and private network devices; the gateway can support dividing the private network into several subnets; and the gateway shields the networking information of the private network.
For the public network located outside the gateway, at least one public network access point for reaching the outside can be established on the gateway, normally several can be provided, and at least one piece of public network address information is configured on each public network access point.
The gateway provides a route forwarding mechanism to select a route for and forward each message. The gateway itself also provides a NAT mechanism, which can translate the source address information and the destination address information of a message. The source address information may be in address plus port format, and the destination address information may also be in address plus port format.
As for the private network user and the private network device on the private network side: a private network user is any network device that can operate on the internet and takes the client role in the client/server model, and a private network device is any network device that can operate on the internet and takes the server role in the client/server model. The private network user and the private network device may be located in the same subnet of the same-side private network or in different subnets of it. Here, the same-side private network means that the private network user and the private network device reach the external public network through the same gateway. The private network user does not need to, or cannot, access the private network device directly, but does know the public network address information of the gateway; that is, the private network user wants to, or must, access the private network device by accessing the public network address of the gateway.
Step 102: the gateway configures the access rule configuration information and stores it on the gateway; the access rule configuration information describes how the private network user reaches the private network device on its own side by way of the public network access of the gateway.
Here, in step 102, the gateway can configure the access rule configuration information in any of three ways. The first way: the user and/or the operator actively issues the access rule configuration information to the gateway in the form of a configuration file, and the gateway parses the configuration file to obtain and configure the access rule configuration information. The second way: the gateway passively obtains and configures the access rule configuration information from the user and/or the operator through the network. The third way: the gateway dynamically generates and configures the access rule configuration information according to the networking condition of the network. The networking condition in the third way refers to the networking condition of the network where the gateway is located, the environment of the devices attached below the gateway, the routing information on the gateway, and so on. Specifically, when dynamically generating the access rule configuration information according to the networking condition, the gateway can learn the user information of the attached users, the address information of the attached devices, and the capability information of the devices that can provide services through its own Dynamic Host Configuration Protocol (DHCP) service; the gateway can then associate the attached users with the attached devices accordingly, and dynamically establish or adjust the corresponding access rule configuration information.
Here, the configuration requirement of the access rule configuration information comes from a user and/or an operator.
Here, the access rule configuration information further includes private network user information, public network information and private network device information, among which a mapping relationship exists; the mapping relationship may be expressed in any data structure that identifies the mapping, including a table or an array.
Here, the private network user information is information that uniquely identifies the private network user, and includes the address information of the private network user or the access device information of the private network user. The public network information is information that uniquely identifies the public network, and includes the public network access address information, or the protocol information and port information used in the access message with which the private network user requests access to the public network in order to reach the same-side private network device. The private network device information is information that uniquely identifies the private network device or the service provided on it, and includes the address information of the private network device or information related to a service provided on the private network device; the information related to the service may be the protocol information and port information of the service.
Step 103: according to the access rule configuration information, the gateway controls the private network user's access to the private network device on its own side.
Step 103 is followed by: the access rule configuration information is updated according to the networking mode and the service mode, either manually in a static manner or automatically in a dynamic manner; and the gateway then controls the private network user's access to the same-side private network device according to the updated access rule configuration information.
When the update is static, it can be carried out by manual configuration; when the update is dynamic, it can be carried out automatically based on changes in the network environment. Here, automatic update based on changes in the network environment includes: adding or deleting access rules when a device in the network comes online or goes offline; updating the content of access rules when a service on a device in the network is enabled or terminated; and so on.
In the above technical solution comprising steps 101 to 103, the specific processing of step 103 includes:
Step 1031: the gateway obtains the access message from the private network user, extracts the valid information in the access message, and matches the valid information against the access rule configuration information; if matching access rule configuration information is found, go to step 1032; otherwise, the current control of the private network user's access to the private network device ends.
Here, the valid information is information that uniquely identifies the access packet, and includes: the Media Access Control (MAC) address information of the access packet, the source address information/destination address information of the access packet, the access device information of the access packet, the DHCP Option field information of the access packet, or the domain name information accessed by the access packet. The DHCP Option is a set of configuration information carried in the Dynamic Host Configuration Protocol. The access message is the message with which the private network user requests access to the public network in order to reach the same-side private network device.
Step 1032: according to the matching access rule configuration information found, the gateway modifies the address information used to forward the access message through its NAT mechanism, and controls the access message so that it is first forwarded to the public network and then from the public network to the private network device on the same side as the private network user.
Here, when in step 1031 the source address information of the access packet in the valid information is the address information of a private network user and the destination address information is public network access address information, the matching access rule configuration information found includes: the address information of the private network user, the public network access address information and the address information of the private network device; step 1032 is then specifically:
Step 10321: before routing, the gateway modifies the destination address information of the access packet into the address information of the private network device in the matched access rule configuration information.
Step 10322: the gateway determines, through its own routing mechanism, that the access packet needs to be forwarded to the private network device.
Step 10323: after routing and before forwarding the access packet, the gateway modifies the source address information of the access packet into the public network access address information in the matched access rule configuration information.
Step 10324: through its own routing mechanism, the gateway forwards the access packet with the modified source address information and destination address information to the private network device.
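The rule lookup of step 1031 and the two-stage translation of steps 10321 to 10324, written out as an added Python simulation of the gateway's data path; it is not part of the patent or of any ZTE implementation, and the addresses, subnets, rule layout, connection-tracking table and SNAT port range are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass(frozen=True)
class AccessRule:
    # One entry of the access rule table: a preset mapping between private user
    # info, public network info and same-side private device info (assumed layout).
    private_user: str         # address information of the private network user
    public_access: Endpoint   # public access address + service port on the gateway
    private_device: Endpoint  # address + service port of the same-side device
    proto: str = "tcp"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: Endpoint
    dst: Endpoint


@dataclass
class Gateway:
    private_subnets: List[ipaddress.IPv4Network]
    rules: List[AccessRule] = field(default_factory=list)
    # Connection tracking (assumed): translated flow -> original (src, dst), so
    # the reply can be mapped back along the same round-trip path.
    conntrack: Dict[Tuple[str, Endpoint, Endpoint],
                    Tuple[Endpoint, Endpoint]] = field(default_factory=dict)
    next_port: int = 40000    # first SNAT port the gateway hands out (assumption)

    def route(self, addr: str) -> str:
        # Routing mechanism: which side of the gateway an address lies on.
        ip = ipaddress.ip_address(addr)
        return "private" if any(ip in n for n in self.private_subnets) else "public"

    def match_rule(self, pkt: Packet) -> Optional[AccessRule]:
        # Step 1031: the valid information used here is protocol, source
        # address and destination address + port; look it up in the table.
        for rule in self.rules:
            if (rule.proto == pkt.proto and rule.private_user == pkt.src[0]
                    and rule.public_access == pkt.dst):
                return rule
        return None

    def forward_request(self, pkt: Packet) -> Optional[Tuple[str, Packet]]:
        rule = self.match_rule(pkt)
        if rule is None:
            return None  # no matching rule: this access is not handled
        # Step 10321 (DNAT before routing): destination becomes the device.
        new_dst = rule.private_device
        # Step 10322: routing must send the packet back to the private side.
        side = self.route(new_dst[0])
        if side != "private":
            return None
        # Step 10323 (SNAT after routing): source becomes the public address,
        # so the device replies through the gateway instead of straight to
        # the user, which would otherwise break the user's connection.
        new_src = (rule.public_access[0], self.next_port)
        self.next_port += 1
        out = Packet(pkt.proto, new_src, new_dst)
        self.conntrack[(out.proto, out.dst, out.src)] = (pkt.src, pkt.dst)
        # Step 10324: forward the rewritten packet to the same-side device.
        return side, out

    def forward_reply(self, pkt: Packet) -> Optional[Tuple[str, Packet]]:
        # The device answers the gateway's public address; undo both
        # translations so the user sees a reply from the address it asked for.
        orig = self.conntrack.get((pkt.proto, pkt.src, pkt.dst))
        if orig is None:
            return None  # not a tracked hairpin flow
        orig_src, orig_dst = orig
        out = Packet(pkt.proto, orig_dst, orig_src)
        return self.route(out.dst[0]), out


def demo() -> dict:
    # Constructed topology in the spirit of fig. 2: user 12 and device 21 on
    # different subnets, one public access point (documentation addresses).
    gw = Gateway(private_subnets=[ipaddress.ip_network("192.168.1.0/24"),
                                  ipaddress.ip_network("192.168.2.0/24")])
    gw.rules.append(AccessRule("192.168.2.12", ("203.0.113.10", 80),
                               ("192.168.1.21", 8080)))
    req = Packet("tcp", ("192.168.2.12", 51000), ("203.0.113.10", 80))
    side, fwd = gw.forward_request(req)
    reply = Packet("tcp", fwd.dst, fwd.src)      # device 21 answers the SNAT address
    rside, back = gw.forward_reply(reply)
    unknown = gw.forward_request(Packet("tcp", ("192.168.2.99", 51001),
                                        ("203.0.113.10", 80)))
    return {
        "request_side": side, "request_src": fwd.src, "request_dst": fwd.dst,
        "reply_side": rside, "reply_src": back.src, "reply_dst": back.dst,
        "unmatched_dropped": unknown is None,
    }


if __name__ == "__main__":
    print(demo())
```

The connection-tracking entry is what lets the device's reply, addressed to the public address, be mapped back to the user along the same path; without the post-routing SNAT of step 10323 the device would answer the user's private address directly and the reply would bypass the gateway.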
Fig. 2 is a schematic diagram of the networking structure of an example scenario used in the present invention. Fig. 2 includes: private network user 11 and private network device 21, located in the same subnet of the private network on the same side; private network user 12 and private network device 22, located in different subnets of the private network on the same side; a gateway 41; and a public network 61. The public network is the Internet. Private network user 11 and private network device 21 both reach gateway 41 through private network access point 31; private network user 12 reaches gateway 41 through private network access point 32; private network device 22 reaches gateway 41 through private network access point 33. Gateway 41 is connected to public network 61, and two public network access points for reaching the outside are established on gateway 41, identified as 51 and 52 respectively.
The method comprises the following steps. Referring to the networking structure shown in Fig. 2, the flow by which a private network user accesses a private network device on the same side in this embodiment of the method is shown in Fig. 3 and includes the following steps:
Step 201: gateway 41 initializes and constructs the networking environment of the private network and public network 61.
Here, a private network access point is usually provided with private network address information, supplied by the gateway, for private network users and private network devices, and a public network access point is provided with at least one piece of public network address information. When gateway 41 is initialized, gateway 41 is started and connects all private network users and private network devices; gateway 41 then establishes public network address information on all public network access points and private network address information on all private network access points, thereby establishing the complete networking environment of the private network and the public network.
Step 202: after gateway 41 is initialized and the complete networking environment is established, the access rule configuration information that lets a private network user reach a private network device by accessing a public network address of the gateway is configured on gateway 41 according to the requirements of the user or the operator.
Here, the access rule configuration information may be an access rule configuration table containing a number of entries. After acquiring an access packet from a private network user, the gateway subsequently searches each entry in the access rule configuration table; if a matching entry is found, the address information of the access packet is modified through the NAT mechanism according to the content of that entry.
Step 203: private network user 11 sends out an access packet.
Here, the access packet is used by private network user 11 to access the public network access address information of public network access point 51 on gateway 41, and thereby to reach private network device 21.
Step 204: the access rule configuration table comes into play: the access packet sent in step 203 is detected and its valid information is extracted, so that the packets with which private network user 11 requests access to the public network access address of public network access point 51, and thereby access to private network device 21, are screened out.
Here, the access packet refers to the original access packet, that is, the access packet as it has just entered the gateway.
Here, the valid information of the access packet includes the source address information and the destination address information of the access packet. The source address information of the access packet is the address information of private network user 11; the destination address information of the access packet is the public network access address information of public network access point 51.
Step 205: each entry in the access rule configuration table is retrieved, and the entry matching the valid information of the access packet is found.
Step 206: according to the access rule configuration described by the matching entry found in step 205, the gateway changes the destination address information of the access packet through the NAT mechanism on the gateway, modifying it to the address information of service 1 of private network device 21 as described by the matching entry.
It should be noted here that a private network device and the services it provides are in a one-to-many relationship, that is, several services can be provided on one private network device. An example of the access rule configuration table is shown in Table 1 below. The table holds three items of content, and a mapping relationship exists among them. In Table 1, from left to right, the first item is the address information of the private network user; the second item is the public network access address information; the third item is the address information of a service provided on the private network device.
TABLE 1 (access rule configuration table; the original is an image that is not reproduced here). Columns, left to right: address information of the private network user | public network access address information | address information of the service provided on the private network device.
Step 207: through the gateway's own routing mechanism, it is determined that the access packet is to be sent to private network device 21.
Step 208: after the routing direction of the access packet has been determined and before the packet is actually sent, the source address information of the access packet is modified through the NAT mechanism on the gateway according to the access rule configuration described by the matching entry found in step 205, so that it becomes the public network access address information of public network access point 51 described by that entry.
Step 209: the access packet with source and destination address information modified is sent to private network device 21 through the routing mechanism on the gateway.
Step 210: subsequent packets exchanged between private network user 11 and private network device 21 continue to have their addresses modified and to be forwarded according to the access rule configuration described by the matching entry found in step 205 and the NAT and routing mechanisms on the gateway, so that private network user 11 accesses the service provided on private network device 21 by way of the public network access address information of public network access point 51 on gateway 41.
It should be noted that private network user 11 accessing a private network device other than private network device 21, or a service provided by it, and private network user 12 accessing a private network device or a service it provides, can all be handled by the technical principle disclosed in steps 201 to 210 above, and are not described in detail here.
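The two-stage rewrite in steps 10321 to 10324 and steps 201 to 210 is what is usually called hairpin NAT or NAT loopback: destination NAT before the routing decision, then source NAT after it, with the same table entry driving both. The Python simulation below is an added example, not code from the patent or from ZTE. The addresses, the rule rows (written in the three-column layout of Table 1) and the packets are all constructed for illustration, and the interface names, the gateway class and the connection-tracking dictionary are assumptions of the example. It also carries step 210 through: the reply from the device is matched against the recorded NAT state and translated back, which the description states but does not spell out.

```python
"""Simulated hairpin (NAT loopback) gateway following steps 201-210:
DNAT before routing, routing, SNAT after routing, then reverse translation
of the device's reply (step 210). Added example, not the patent's code;
every address, rule row and packet below is constructed."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Constructed configuration file in the three-column layout of Table 1:
# private user address | public access address | device service address
RULES_CONF = """
# user          public_access       device_service
192.168.1.10    203.0.113.5:8080    192.168.1.20:80   # same subnet (user 11 -> device 21)
192.168.2.10    203.0.113.6:22      192.168.3.20:22   # other subnet (user 12 -> device 22)
"""
# Constructed private subnets behind private access points 31, 32 and 33
PRIVATE_SUBNETS = {
    "ap31": ipaddress.ip_network("192.168.1.0/24"),
    "ap32": ipaddress.ip_network("192.168.2.0/24"),
    "ap33": ipaddress.ip_network("192.168.3.0/24"),
}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    user_ip: str
    public_ip: str
    public_port: int
    device_ip: str
    device_port: int


def parse_rules(text: str) -> List[Rule]:
    """Parse the configuration-file form of the rules (claims 3 and 11).
    A row with a malformed address or port raises ValueError."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank rows
        if not line:
            continue
        user, public, device = line.split()
        pub_ip, pub_port = public.rsplit(":", 1)
        dev_ip, dev_port = device.rsplit(":", 1)
        for ip in (user, pub_ip, dev_ip):
            ipaddress.ip_address(ip)  # validates; garbage rows never reach the table
        rules.append(Rule(user, pub_ip, int(pub_port), dev_ip, int(dev_port)))
    return rules


class HairpinGateway:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # NAT state keyed by the reply tuple the device will send:
        # (device_ip, device_port, public_ip, user_port) -> (user_ip, public_port)
        self.conntrack: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def match_rule(self, pkt: Packet) -> Optional[Rule]:
        """Step 205: entry whose user address and public access address equal
        the packet's source and destination (its 'valid information')."""
        for r in self.rules:
            if (pkt.src_ip, pkt.dst_ip, pkt.dst_port) == (r.user_ip, r.public_ip, r.public_port):
                return r
        return None

    def route(self, dst_ip: str) -> str:
        """Steps 207 / 10322: ordinary destination routing, run after DNAT."""
        addr = ipaddress.ip_address(dst_ip)
        for ap, net in PRIVATE_SUBNETS.items():
            if addr in net:
                return ap
        return "public"  # not a private subnet: leaves via a public access point

    def forward(self, pkt: Packet) -> Tuple[str, Packet]:
        """Steps 204-209 for one packet arriving from a private access point."""
        rule = self.match_rule(pkt)
        if rule is None:
            return self.route(pkt.dst_ip), pkt  # no entry: hairpin handling ends
        # Step 206 / 10321: pre-routing DNAT to the device's service address
        pkt = replace(pkt, dst_ip=rule.device_ip, dst_port=rule.device_port)
        # Step 207 / 10322: routing decision taken on the rewritten destination
        out_if = self.route(pkt.dst_ip)
        # Step 208 / 10323: post-routing SNAT to the public access address, so the
        # device replies to the gateway, not to the user directly. The user's
        # source port is kept here; a real NAT allocates one to avoid collisions.
        key = (rule.device_ip, rule.device_port, rule.public_ip, pkt.src_port)
        self.conntrack[key] = (pkt.src_ip, rule.public_port)
        return out_if, replace(pkt, src_ip=rule.public_ip)  # Step 209

    def reverse(self, reply: Packet) -> Optional[Packet]:
        """Step 210: undo both translations on the device's reply so it reaches
        the user looking as if it came from the public access address."""
        state = self.conntrack.get((reply.src_ip, reply.src_port, reply.dst_ip, reply.dst_port))
        if state is None:
            return None  # no NAT state: not a hairpinned flow
        user_ip, public_port = state
        return replace(reply, src_ip=reply.dst_ip, src_port=public_port,
                       dst_ip=user_ip, dst_port=reply.dst_port)


if __name__ == "__main__":
    gw = HairpinGateway(parse_rules(RULES_CONF))
    print(gw.forward(Packet("192.168.1.10", 40001, "203.0.113.5", 8080)))
    # ('ap31', Packet(src_ip='203.0.113.5', src_port=40001, dst_ip='192.168.1.20', dst_port=80))
    print(gw.reverse(Packet("192.168.1.20", 80, "203.0.113.5", 40001)))
    # Packet(src_ip='203.0.113.5', src_port=8080, dst_ip='192.168.1.10', dst_port=40001)
```

Note what step 208 does to the device's view of the connection: after the source rewrite, private network device 21 sees the gateway's public access address, not private network user 11, as the source of every hairpinned connection. An allow-list on the device that keys on the client's source address therefore cannot tell the internal user from an Internet client, and the device's own logs record the gateway address. The connection-tracking entry is also the only thing that lets the gateway return the reply to the right user, which is why a real implementation must allocate translated source ports instead of keeping the user's port as this simulation does.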
A system for realizing access by a private network user to a private network device on the same side comprises a configuration unit and a control unit. The configuration unit is used for the gateway to configure the access rule configuration information. The control unit is connected to the configuration unit and is used for the gateway to control, according to the access rule configuration information, the access of the private network user to the private network device on the same side of the private network.
Here, the configuration unit is further configured to actively deliver the access rule configuration information to the gateway in the form of a configuration file, which the gateway parses to obtain and configure the access rule configuration information. Alternatively, the gateway passively acquires and configures the access rule configuration information from the user and/or the operator. Or the gateway dynamically generates and configures the access rule configuration information according to the networking condition of the network.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention.

Claims (11)

1. A method for realizing access by a private network user to a private network device on the same side, characterized in that it comprises the following steps:
the gateway configures access rule configuration information; the access rule configuration information includes private network user information, public network information and private network device information, among which a preset mapping relationship exists;
the gateway obtains from the private network user an access packet whose source address information is the address information of the private network user and whose destination address information is public network access address information; according to the access rule configuration information it modifies the destination address information of the access packet to the address information of the private network device and the source address information of the access packet to the public network access address information, and forwards the access packet with source and destination address information thus modified to the private network device on the same side through a routing mechanism.
2. The method of claim 1, wherein the configuration requirement for the access rule configuration information originates from: a user and/or an operator.
3. The method according to claim 1, wherein the gateway configuring the access rule configuration information specifically includes: the access rule configuration information is actively delivered to the gateway in the form of a configuration file, and the gateway parses the configuration file to obtain and configure the access rule configuration information; or,
the gateway passively acquires and configures the access rule configuration information from a user and/or an operator; or,
the gateway dynamically generates and configures the access rule configuration information according to the networking condition of the network.
4. The method of claim 1, wherein the mapping relationship among the private network user information, the public network information and the same-side private network device information is represented by any data structure that identifies the mapping relationship, including a table or an array.
5. The method of claim 4, wherein the private network user information is information that uniquely identifies the private network user, and comprises: address information of the private network user, or access device information of the private network user;
the public network information is information that uniquely identifies the public network, and comprises: the public network access address information, or the protocol information and port information used by the access packet with which the private network user requests access to the public network in order to reach the private network device on the same side;
the same-side private network device information is information that uniquely identifies the private network device or a service provided on it, and comprises: address information of the private network device, or information related to a service provided on the private network device.
6. The method according to claim 1, wherein the gateway modifying the destination address information of the access packet to the address information of the private network device according to the access rule configuration information, modifying the source address information of the access packet to the public network access address information, and forwarding the access packet with source and destination address information modified to the private network device on the same side through a routing mechanism, is specifically:
A. the gateway acquires an access packet from the private network user, extracts the valid information in the access packet, and matches the valid information against the access rule configuration information; if matching access rule configuration information is retrieved, B is executed; otherwise, the current control of the private network user's access to the private network device on the same side ends;
B. according to the matched access rule configuration information, the gateway modifies the address information of the access packet to be forwarded through a Network Address Translation (NAT) mechanism, and controls the access packet to be forwarded first to the public network and then from the public network to the private network device on the same side.
7. The method of claim 6, wherein the valid information is information that uniquely identifies the access packet, and comprises: the Media Access Control address information of the access packet, the source address information/destination address information of the access packet, the access device information of the access packet, the field information of the configuration information carried in the Dynamic Host Configuration Protocol (DHCP Option) of the access packet, or the domain name information accessed by the access packet;
the access packet is: the packet with which the private network user requests access to the public network in order to reach the private network device on the same side.
8. The method according to claim 7, wherein in step A the source address information of the access packet in the valid information is specifically the address information of a private network user, and the destination address information is public network access address information; the matched access rule configuration information specifically includes: the address information of the private network user, the public network access address information and the address information of the private network device; and step B is specifically:
B1. before routing, the gateway modifies the destination address information of the access packet to the address information of the private network device through the NAT mechanism;
B2. through the routing mechanism, the gateway determines that the access packet is to be forwarded to the private network device on the same side;
B3. after routing and before forwarding the access packet, the gateway modifies the source address information of the access packet to the public network access address information through the NAT mechanism;
B4. through the routing mechanism, the gateway forwards the access packet with source and destination address information modified to the private network device on the same side.
9. The method according to any one of claims 1 to 8, wherein the access rule configuration information is further updated according to the networking mode and the service mode; the update is performed manually in a static manner or automatically in a dynamic manner.
10. A system for realizing access by a private network user to a private network device on the same side, characterized in that it comprises: a configuration unit and a control unit; wherein,
the configuration unit is used for the gateway to configure access rule configuration information, where the access rule configuration information includes private network user information, public network information and private network device information, among which a preset mapping relationship exists;
the control unit is used for the gateway to acquire from the private network user an access packet whose source address information is the address information of the private network user and whose destination address information is public network access address information, to modify the destination address information of the access packet to the address information of the private network device according to the access rule configuration information, to modify the source address information of the access packet to the public network access address information, and to forward the access packet with source and destination address information modified to the private network device on the same side through a routing mechanism.
11. The system of claim 10, wherein the configuration unit is further configured to actively deliver the access rule configuration information to the gateway in the form of a configuration file, the gateway parsing the configuration file to obtain and configure the access rule configuration information; or,
the gateway passively acquires and configures the access rule configuration information from a user and/or an operator; or,
the gateway dynamically generates and configures the access rule configuration information according to the networking condition of the network.
CN200910079705A 2009-03-06 2009-03-06 Implementation method and system for same side private network device access by private user Expired - Fee Related CN101483657B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN200910079705A CN101483657B (en) 2009-03-06 2009-03-06 Implementation method and system for same side private network device access by private user
PCT/CN2009/073533 WO2010099680A1 (en) 2009-03-06 2009-08-26 Method and system for enabling private network user to access private network device at the same side

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200910079705A CN101483657B (en) 2009-03-06 2009-03-06 Implementation method and system for same side private network device access by private user

Publications (2)

Publication Number Publication Date
CN101483657A CN101483657A (en) 2009-07-15
CN101483657B true CN101483657B (en) 2012-10-10

Family

ID=40880584

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200910079705A Expired - Fee Related CN101483657B (en) 2009-03-06 2009-03-06 Implementation method and system for same side private network device access by private user

Country Status (2)

Country Link
CN (1) CN101483657B (en)
WO (1) WO2010099680A1 (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101483657B (en) * 2009-03-06 2012-10-10 中兴通讯股份有限公司 Implementation method and system for same side private network device access by private user
CN102447747A (en) * 2010-10-09 2012-05-09 中国移动通信集团公司 Method, device and system for interacting with private network
CN104468280B (en) * 2014-12-19 2018-04-06 上海市共进通信技术有限公司 The method that standby upper down status rapid detection is hung under realizing in intelligent gateway
CN105376309B (en) * 2015-10-30 2021-08-13 青岛海尔智能家电科技有限公司 Access gateway allocation method and device
CN107547687B (en) * 2017-08-31 2021-02-26 新华三技术有限公司 Message transmission method and device
CN114301873B (en) * 2020-09-22 2024-11-29 华为云计算技术有限公司 Network intercommunication method and device based on private network and computer cluster
CN114340046B (en) * 2021-11-19 2024-03-29 南京瀚元科技有限公司 Multi-network card equipment networking communication method based on Android system
CN114007193B (en) * 2021-12-31 2022-05-13 亿次网联(杭州)科技有限公司 Communication method and system for distributed network nodes

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101060493A (en) * 2007-05-14 2007-10-24 中兴通讯股份有限公司 A method of private network user access the server in a private network through domain name

Also Published As

Publication number Publication date
CN101483657A (en) 2009-07-15
WO2010099680A1 (en) 2010-09-10

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20121010

Termination date: 20180306
