Cisco NAT Lingo | Cisco CCNA 200-301

Captions
And welcome everybody, it's great to have you here on CCNA Sunday. In this livestream we are gonna focus on some techniques and attributes regarding network address translation that have frankly been plaguing the world for a long, long time, because I bet you that six out of ten times when I hear somebody explain these concepts of inside local, inside global, outside local, outside global, it's not correct a lot of times, or it's a textbook definition and they're like just reading it. I'm like, oh, let's do something different today, and what I would love to do in this focus session, as we take a look at the show output, the show ip nat translations output, I would like to share with you a way that you and I can get our frame of mind around this, understand it better, so going forward whenever you see that output you think, oh, I know exactly how to decode this, I get it, because I learned it based on analogies, based on something we know, and that's our objective.

So before we take a look at the show ip nat translations output, let's take just a moment and chat about network address translation, what it is, some options for setting it up. We have a previous session in the stream for NAT, and we did with source NAT, and I just want to do a quick, like, recap to make sure we're on the same page, and then we'll take a look at the show ip nat translations and you'll be pleasantly surprised at how well you'll be able to interpret that output after this short session today.

All right, so let's take a look at the desktop and let's start with this. Let's imagine I bring my pen up. And I'm having a crazy hair day, by the way, I just got out of the shower and it was like, no, it's not cooperating. Let me give you a full view here, Beaker style. All right, yeah, it wasn't cooperating, so there you go, I'm looking at myself in the feedback monitor. All right, back to the desktop. So if we have a client or a device that is on a local network, let's just imagine a computer right here, and that computer
is Larry's computer. I have a couple of fond memories of a person named Larry, Larry Roberts, who I worked with many, many years ago. He's maybe a triple CCIE these days, super smart, so I admire him, and I see him like once a year at Cisco Live and say hi. It's always great to see him. But so I thought of Larry. I also have another friend named Larry who is never gonna see this video because he's, like, 90. Anyway, guys, this is Larry's computer, and Larry starts with L, we'll just remember that for a moment. And then Larry's on this network and Larry has got an IP address, and he's got a default gateway, it looks something like this, a router. Now that router could be, that layer 3 router could be a multi-layer switch, it could be a traditional router, and also this represents, right here, this segment represents a VLAN, so physically Larry's computer is probably connected to a switch and that router is connected to the same switch in the same VLAN, or a switch in the same VLAN, and they've got connectivity. Then this router can go out to the world, so we'll say this is the other networks, maybe that includes the Internet. Great.

So if Larry has this IP address, let's use this network, 10.16.0.0 with a 24-bit mask, join us for Subnet Saturdays for that full discussion and we'll have Larry attend. So that's his IP address, he's happy, he's got a default gateway of this router, .1, imagine that's the default gateway address. And so if Larry wants to talk locally on this network with other devices, no problem, he's on the inside of his network from a company perspective, and he can chat with these devices. If he needs to send packets to another network, maybe we have the 10. ... crazy, crazy, crazy pen, Keith's got a crazy pen ... 10.16.6.0 network, that's a different network, and maybe there's a host over here at .101. If he wants to talk to that computer, to that server, he would forward frames to his default gateway at layer 2, and at layer 3 the destination would be that IP
address, 10.16.6.101. The router would get that frame, look at the destination IP address, make a routing decision, all happening, the routing happens at layer 3 and the switching, forwarding, happens at layer 2, and it would then forward it on to its destination. So that's all well and good until, until Larry, going through the network, is trying to get out to a server that's on the Internet, and the problem with an address that starts with 10 is that it's a private RFC 1918 address. So RFC is a Request for Comment, it just means that it's a group of IP addresses that everybody's allowed to use internally in their companies, but on the Internet, service providers will not forward those packets, not because they can't, it's because they won't. It's like, nope, those are RFC 1918 addresses, and those are simply, anything that starts with 10 is one of those private addresses that anybody can use inside their company, and then you could subnet that to smithereens, there's plenty of room there, or the 172.16 through 31, anything, and the 192.168.anything. So those are three of the private address ranges that Bob's company, or Larry's company, is using as they do this.

So if we're going out to the Internet, the challenge is we need to translate Bob's, Bob, force of habit, sorry about that, we need to translate Larry's source IP address into a routable Internet address. So maybe this router is connected to the Internet, maybe it's got a, let's pretend, just for a moment, let's pretend that this outside network, the pseudo Internet, is 192.168.1.0/24. Now you might be saying, Keith, I see that's a private RFC 1918 address. So in a lab environment you can use those private addresses in your own environment and make a pseudo Internet out of it and have pseudo servers, IP addressing, his IP addressing, and in this case we're just going to play imagine with me, pretend with me, that that network address space represents something that's globally
routable on the Internet. And so if we want Larry to go ahead and be able to communicate, we have a server here at .100, 192.168.1.100, we'd have to have some type of network address translation that would swap out Larry's source IP address and replace it with a routable address that the Internet could use, or in this topology that could be routed out here. And so to do that, what we'd do is this. Let's just make a little table here. Let's imagine that, we'll call this R1. R1 is going to be our router that we are going to be doing network address translation on. Now this doesn't have to be a router, it could be a firewall, it could be some other device at layer 3 that's swapping out the IP addresses, but somebody has to do NAT, network address translation, between Larry and the public Internet that doesn't allow that type of routing. So NAT, another word for it, is lying. We're lying about an IP address, so we're gonna play a switcheroo game. And let's imagine that, let me make this a little bit bigger, a little bit bigger eraser. And by the way, everybody who's answering questions and chatting in, thank you very much for all that feedback. We'll have a little Q&A at the end, so if you have questions directly for me you can save those, or repeat them once we get to that point, and I'd be happy to go ahead and take it on.

So, so Larry's address, if we're doing network address translation for Larry's packets as they go through this router, let's say this is the inside network, I'll use it, yeah, it's good, this is the inside, Larry's local world, and outside we have the outside world where we're translating addresses to. So inside, just as the concept, outside as a concept, and as Larry's packets are going through the router, if we're doing something called source NAT, where we're translating, changing the source address, let's just walk through that. So this line represents before, and that pair is after, so before and after the network address translation. So before, Bob's source IP address is 10.16.0.
10, that's his source address, and the destination address is the server, in this case the server is at 192.168.1.100. So that's the before picture. So that packet is traveling here on this inside network, source address, destination address, no problem. But the magic of NAT is we're gonna do source NAT, that is, this router running NAT is going to have some rules in place that say, hey, if I see any source addresses in the 10 network, or whatever we have the rules to be, in this case the 10 network, go ahead and swap those out and replace them with a routable address on the Internet. So on this router let's imagine we have .5 as its IP address, and this again, for the moment of this discussion, let's imagine that the 192.168.1 network is routable on the Internet, and if we have this IP address, .5, we could actually train the router to go ahead and swap out Bob's, force of habit, swap out Larry's source IP address of 10.16.0.10 and put its own IP address of 192.168.1.5 as the new source address before sending it out. It'd be doing that, and that flavor of NAT is referred to as port address translation. In Cisco we implement that with the overload command. Or if we want to do a static translation we can just say, hey Larry, we're gonna translate your address from 10.16.0.10 to, and I'll put in a slightly different color, to, instead of being .10, we'll translate you to 192.168.1.10. So that would be the mapping, and if we did that, that's referred to as a static NAT, where we're just doing one IP address on the inside, meaning before translation, one address on the outside. Then after, the source address would be 192.168.1.10 and the destination address would still be the server, we haven't changed that, it's still going to 192.168.1.100. So this is before we implement network address translation, and after. And this is referred to, now look at this output real
quick. What is being swapped out, what is being translated or changed from the before and after picture? Is it the layer 2 addresses? Specifically in this layer 3 header, no. And in this layer 3 header, this layer 3 information, what's being swapped out? And you might say, well, Keith, you just swapped out this guy, which is the source address of Larry, is now mapped, which is a great way of thinking of it, swapped out to this IP address. So network address translation is swapping out an IP address as it goes through that NAT device, in this case it's Router 1 acting as our NAT device. And we needed, there's some terms that we could use for this, and because we're swapping out, on the initial flow of traffic, because we're swapping out the source address, this is literally an example, and I'll put this in a different color so it's readable, this is an example of source NAT, because on the initial flow of traffic we're swapping out the source address. Larry's address was 10.16.0.10, we're swapping it out to 192.168.1.10, and then we're forwarding that packet on its way. So on the initial flow, whatever is being swapped out, that's the type of network address translation that we're doing, and it gets a little bit interesting as we take a look at some other options for that, but that's source NAT.

Also, if we create a static translation, or we say, Larry, your IP address of this is always going to map to this, one-to-one, that's also an example of what's called static NAT, because we are hard coding it, there's no ifs, ands or buts, that's the rule. Now if we set up dynamic translation that said, okay, Larry, when anybody in your subnet, based on your source IP addresses, when they go and their traffic is being routed out to the Internet or across this NAT device from the inside to the outside, what we'll do is we'll have a rule in place, but we won't create the translations until you start using them, that's referred to as dynamic NAT, D-Y-N-A-M-I-C NAT, and again the NAT refers to one-to-one translation, so one
computer on the inside has its own IP address on the outside. There's also the option for overloading, which we talked about, it just basically means we could tell the router, hey, listen, you don't have any IP addresses on the Internet spare, you've got this one IP address that you've got on your outside interface, just use that. And what it'll do, based on the rules, it'll take all the traffic that's going through it and it'll map it to that one IP address, and to track all that it's gonna play with the port identifier, as in the port numbers, like for TCP and UDP ports, to keep track of all the sessions. That way it can have hundreds or thousands of different IP addresses going through, and it can track and translate them all to its own source IP address and then it can go and keep track of those based on all the ports, and that's referred to as port address translation, where you have many on the inside mapped to one on the outside. So those are all mix and match flavors, and there's more, there's several more, but I just want to give you a heads up on some of the options that exist here. And it's called source NAT because we're swapping out the source IP address on the initial flow.

Now what is often not described, in my opinion, which should be the second discussion here after NAT, is untranslating that address, because here's what happens when the server gets that packet. Let me use a different color for this, use kind of a golden color. If this server on the Internet, and so on the global Internet, on the global network, like not, not where Larry is, this is the local side of the house, out here we have global. So we have a global Internet, everything else, it's not Larry locally. Companies like Google, parent company Alphabet, Google is an example of a big company that's not inside Larry's local environment, so Google and other large players are considered global players, global enterprises, the other networks that are outside of Larry's control. So when a server like this at 192.168.
1.100, when it gets a request in, if we've done translation for Larry, the Internet sees this request as coming from 192.168.1.10, and as a result that server, if it sees that request, it's going to go ahead and respond. So if Larry makes a request to the web server and we're using this as a translator, yes, all the Internet knows, all the global side of the house knows, is that, hey, I got this request from 192.168.1.10, and the Internet for all intents and purposes thinks that's Larry's address, or the address he should respond to anyway, and so he responds back to that address, which should be routed back to this router. That's an important part of NAT, okay, if we're doing NAT and we're mapping to addresses that don't belong to us, where the Internet can't route back to us, those packets are, it's like the roach motel, packets check in but they never come back, they don't check out. So the return path would come to Router 1, who would then take a look at this thing called a translation table, and here's our translation table right here, it's a fancy way of saying keeping track of what I did for a network address translation. And this reply, when it comes back to 192.168.1.10, then that device is gonna say, oh yeah, I have that translation in my translation table, I know that's really 10.16.0.10. So what it does for the return traffic, it untranslates it, so now we're taking the destination address going back to Larry and we're untranslating it back to the real address, then forwarding it on. Now why would that still be an example of source NAT? This is an important discussion. It's the initial flow, the initial translation, which was generated by Larry going out to the Internet, that's our major intent, that was the packet that was translated, and so it's referred to as source translation, or source NAT. And that's a great way to think about it too, when you're just learning network address translation. You hear the concepts of source or destination NAT, just think, on
the initial flow, what's the intent, whose IP address is being translated? If it's the source address for the initial flow of traffic, it's source NAT, even though the return traffic will be untranslated and sent back to the client.

All right, so I have a question for you, it's pretty important too. People can disagree on a lot of things. I've been wrong in my life on very major things more than once, and so I've learned over time, as I hear somebody else's point of view, it really would serve me to learn more about what they think, why they think that. You know, everybody is looking at their life, at the world, through their own map, and it's important to learn what other people think. And so I just thought to myself, if we had a situation where we had, let me hide my pen for a moment, and let's imagine we had two people that were chatting. These are two kids, but they could be two adults, based on their backgrounds and so forth, they could be arguing about many things, seeing things very, very differently. Mmm, let's imagine that they're looking at a tree, and that tree is leaning right, so it's just leaning this direction. So is it leaning towards the right or is it leaning towards the left? And they could be arguing about that. Okay, well, that's right, no, it's left. Well, it depends on the context, which is a fancy way of saying it depends on your viewpoint. If you're standing like on this side of the tree it might look like it's leaning right, if you're standing on this side of the tree, the other side, it might look like it's leaning left. You with me? It just depends on your point of view. Also, like a wall that has a curve to it, is it convex or is it concave, meaning is it curved in or curved out? It depends on which side of the wall you're on, your perspective. And we have that same exact challenge when we're dealing with network address translation, because the Internet, like where Google is and all the rest of the world, they may see our addresses that we're sending, our source addresses, as one IP address,
that's the one we translated, and then Larry, on the other hand, on the inside of the network, from a local perspective, he may see it as something else, because Larry thinks, hey, my IP address is 10.16.0.10, where Google or the outside world may see it as the mapped address. You with me? It just depends on your perspective, where are we looking at the IP address, whose eyes are we looking through it from.

So here is what I would like to offer as an idea that is gonna be very, very helpful as we discuss network address translation. I'd like you to think of Larry, and I went through this many times, like, okay, should I use Louis here, but Louis as a user example, I'm gonna stick with Larry, and I'm gonna attribute this to Larry Roberts, a good, amazing technician who I met and got to know about almost 20 years ago. So this is not a picture of Larry, this is a stock photo, so if you get the chance to meet Larry Roberts, do it, he's a good guy. So Larry's local, meaning he's local to the network, he is a local. Like in Vegas, sometimes locals have a different attitude or perspective of Las Vegas than tourists do, because they're coming from the outside. So I would like you to think of Larry's local, Larry's a local, Larry's a local, and I'm using the word Larry, the name Larry, because it starts with L and the word local starts with L, and Larry's a local. It's gonna be hard, in fact, if you tried right now to think, I'm not going to remember Larry's a local, Larry's a local, I can't think about it in some other context, it's gonna be hard. Larry is a local, meaning he's on the inside of the network, he is like an admin or a user on the inside network, so the IP addresses he deals with are from his perspective, Larry's a local. And then everything outside Larry's enterprise, like the Internet and everything else, from a global perspective, I use Google as an example, or parent company Alphabet, think of Google as a globe, from a global perspective. Google doesn't know the details, unless they're attacking him, the
details of Larry's local network, they don't care, but they do have a perspective. Like if Larry sends a packet out to the Internet and we map it, the global perspective of what that IP address is going to be is different than what Larry's local real address is, because we've done translation on it. So I'd like you to think of this as the two kids that are looking at something from different perspectives, and I'd like you to remember that Larry's a local and that companies like Google and the rest of the world out there are looking at it from a global perspective, they're looking at it from two sides of the house. That's gonna become very important to us and useful, as you'll see here in just a moment, as we take a look at network address translations.

So let's do this, let's bring up, let's bring up, well, not that, let's bring up this topology. This would be a good discussion point for us. So we're gonna imagine that we have R1, which is a router, a layer 3 router, could be a multi-layer switch with three inter, with three VLANs, it doesn't matter, so it's a routing device at layer 3, and up off of it I put little clouds because the actual details of the individual switches and other routers off of those interfaces isn't really important from a perspective of NAT. It's just that off of 0/0 on R1 it has reachability to a network called 10.16.0, and that's where Larry's computer is, a little L there for Larry. And off of Gig 2/0's, or off of Gig 2/0, it's got reachability to a Las Vegas network, which is 10.16.8, and it's also got access to a network in Florida. I know those are geographically pretty separate, but you know, with LAN technologies it's possible. So we have a network of 10.16.2.0, the .101 for a Florida device, and these are all considered, on this left-hand side, to be the company's, we're using private RFC 1918 address space, we're doing routing and we may have OSPF running, we may have static routes, perhaps we have IPv6 as well on these networks, but all of this is from the
local perspective for that organization who designs and manages those networks. All right, so far so good. Then off of Gig 1/0 on R1 we're connecting to an outside world, like for this, in our pseudo Internet, we're gonna pretend that this address of 192.168.1.1, we're gonna pretend that's the Internet and other addresses that are not in our control, that are out there, that we might have to do NATting for. And so one of the key elements is, if our topology kind of looks like this, let me bring up a pen, or this, if our topology kind of looks like this, where everything to the left here is the inside, that's our network, our local domain if you want, and then everything that goes out to the Internet is considered outside. That's a concept that will hold true for a lot of things, including firewall services, so in a firewall we set up domains or areas or regions that are like trusted inside, although we don't really trust everything inside, and then untrusted outside, and then perhaps a DMZ, from a security perspective, just to kind of give a flavor of which interfaces lead to what type of networks. And so with NAT, which is the focus here, here's what we could do. We could just say, well, we want to tell these interfaces here, 0/0 and 2/0, 0/0 and 2/0's, I've been working on a few different models of switches and routers lately with three characters for the port numbers, so 2/0 and 1/0, 0/0, we could say that, hey, dear Mr.
Router, those interfaces from a NAT perspective are going to be considered inside interfaces, meaning anything off those interfaces, go ahead and consider that our inside network. And to do that we just need to do ip nat inside, I'll put little spaces there as well, so that's the command, in interface config mode, we do on 0/0 and 2/0, 0/0 and 2/0's, to make it happen. Ooh, I think it's time for some water, mm-hmm. All right, and while I'm taking a sip of water I'd like you to guess what would be the command on this Gig 1/0 interface if we were gonna tell that interface that it was associated with the outside world. Just take a wild stab. Thank you for that. So if you were saying, well, Keith, I think the command here on 0/1/0 would be ip nat outside, you'd be right, and that's how we define or delineate the inside networks from the outside networks from the perspective of NAT. That way the router has a clue, when a packet comes in and it makes a routing decision, if the packet is coming in on 0/0 or 2/0 and based on the routing it's gonna be forwarded out 1/0, then from a NAT perspective that traffic would match any NAT rules for traffic starting on the inside and going to the outside, that would be for an inside source NAT, for example. That's how it knows, it makes a routing decision, looks at the interfaces involved and says, oh, is this going in to out or is it going out to in, do I have any NAT rules that match that, and if it does it uses those NAT rules and does the translation. So that's part of the story there.

And I think what we ought to do is, let's do an example, let's help reinforce this right now, yes, let's do that. Let's do a NAT rule, and I would ask for volunteers as far as what we should do first, but there are so many potential options here, including PAT and NAT pools, that let's just spell one out that says we're gonna take Larry's computer that's coming from the inside and going to be routed out, and we specify that we want to translate that from
10.16.0.10 to, let's map him out to something on the outside, let's do 192.168, stop, I'm just doing this for my own benefit, .1.10, just like it, have a visual. So we'll create that mapping. It would go something like this, and we'll verify the syntax in the CLI. It'd be ip nat, good start, Keith, good start, keep going, and make sure I didn't, okay, ip nat inside, which basically says traffic that is sourced on the inside as it goes through the NAT device, ip nat inside source, because we're doing source address translation, we're going to swap out the source address, it'd be an inside source, and we want to use static. Now instead of using static we could call on an access control list, which then matches based on those source addresses that match the access control list, and then that would be matched here. I'm just going to do a hard code mapping just for Larry, so ip nat inside source static, and then the address that we're going to do the translation for, 10.16.0.10, and then the IP address that we want to map him to, which is 192.168.1.10. And then we'd also do the interfaces and say ip nat inside and ip nat outside to make sure it knew which interfaces were in and out. So let me go ahead, let's go ahead and do that. I'm gonna hide the screen for a second, and let's go to an interface, if I have one, mmm, give me one moment and let me line this up. All right, I just loaded this lab a few minutes ago, so hopefully it'll cooperate with us, doo doo doo doo. That looks like it's lined up, all right, put in the password, and I'm gonna go back to our diagram for a moment just to verify the interfaces. So 0/0 and 2/0 are going to be inside NAT interfaces, 1/0 is going to be outside, so let's configure that first. So we'd go back to the command line interface and let's make sure we're on the right device. Yeah, based on my knowledge of this router we are on the right device, and there's our interfaces. So just as a reminder, we're gonna do 0/0,
it's going to be an ip nat inside interface, Gig 2/0 is going to be an ip nat inside interface, and Gig 1/0 is going to be our ip nat outside interface for the purpose of this lab and this topology. So we'll go to configuration mode, let me go ahead and put my camera back on, there we go again, interface gig 0/0, ip nat inside, and we'll go to interface gig 2/0 and we'll do ip nat inside, I could use the up arrow key for that, and then we'll go to interface gig 1/0 and we'll do an ip nat outside. So what that, let's go, I'll back out one level, so what that command just did for us, now the router has an idea, okay, I don't have any NAT yet, but I know that if I do have a NAT rule, I have an idea of which interfaces are associated with the inside, Larry's domain, and which interfaces are associated with the outside world, that global world that Google and the rest of the world is in, although we could do NAT inside of our network and it also works the same as far as the concepts of setting up the rules, of having a match. So at this point what's a good idea to do is, because we're in configuration mode, we'll do do show ip nat statistics, and it's good to verify as you go. This just verifies that our outside interface is Gig 1/0, let me check our topology here, that's this guy right here, that's good, and then our inside interfaces are Gig 0/0 and 2/0, let's check our topology, that's this guy and this guy. Okay, I just want to make sure that we are on the right track.

So our next step would be to create that translation for Larry's computer. Now before we create that translation for Larry's computer, let's do some due diligence and verify that Larry's computer is what we think it is. So let's go to a command prompt here on Larry's computer and just do an ipconfig, which on Windows is how you see the IP information, and it's 10.16.0.10. And also just for grins I want to make sure that we have access to that server that's across R1, which is at 192.168.1.100, just to
verify we have basic connectivity first so they'll ping to one ninety two dot one sixty eight dot one dot one hundred okay we have connectivity and I'm just gonna go for the holeshot then let's open up a browser and let's go to that IP address again now when we use a browser and we put in an IP address it assumes that the application layer that we want to use HTTP and that's why I don't have to add HTTP in front of it it's going to assume that as a default and it will forward the frame the TCP syn request the three-way handshake is going to happen so the TCP syn is going to be sent to the layer 2 address of the default gateway with the layer 3 address of the server and then the routing will happen the packet will show up at the server I'll respond back with the syn/ack and then finally we'll have a final acknowledgement from the client and then the actual conversation for the webpage can happen and because the magic of networking it just happens so darn fast it's great but we can verify it too check this out on this Windows computer we can do a net stat space now if we don't want to do name resolution or show the protocols we can do a - it's either D or n it's not D so if you do a traceroute TREC ERT - d that's don't do name resolution and this is I'm looking at right here the option is display the addresses and port numbers in numerical format rather than there so I'll do a - n press ENTER and what this shows us is that we have a current session from our local address 1016 0 10 going to 192 168 1 dot 100 our source port is 1545 for that session and the destination port is 80 which is the well-known tcp port for a webserver and it's an established state and I imagine that will timeout after a period of time or if we shut the browser that will go away but I wanted to verify that works and if we go back to router 1 which the traffic is going through and do a do show IP NAT translations I'm making shortcut that I just spelling it out just because you'll see this so 
you see the whole command this is showing us our current map translations in place and we don't have any because we haven't created anything yet so the traffic is flowing it's not being translated by not yet let's fix that by creating a translation so to create a translation we did it on the screen earlier we'll do it here IP NAT inside so I sprite type that correctly IP nap inside source so we're doing source address translation we're swapping out Bob's source IP address as it goes through or will be if this rule matches yeah I pin that inside source and if you had an access list we can use the keyword list if we are gonna call on a route map for some tricky matching we could call them that if we want to just a static mapping one-to-one with that that's what we'll do just put it in and then it's asking for Bob's address Larry he's dress forgive me for that so Larry's address is 10 16.0 about 10 and then the address that we want to map him to and I will give you some context sensitive help on that which is what did we plan on let me bring up my lair I wanna make sure I'm doing the same thing yeah so our here's our mapped addresses 192 168 1.10 that's what a map entry one ninety two dot one sixty eight dot one dot ten which in our in this lab environment the inner the pseudo internet knows how to reach back to that address space and that our one owns it and we'll press enter now we have IP if we do a do show IP nat statistics now here's what we know we have the outside interfaces gig one zero the inside interfaces our gig zero 0 into 0 and we have one static translation so that says right here and if we want to see that we can do a do show again the do is only required because I'm sitting in config mode if we're at the privileged mode prompt pound symbol all by itself we can just do the straight up command show IP net translations I'd be great do show IP napped translations okay so there's our translation that's this address right here the inside local address and 
the inside global address. And I'd like to pause here, and I'd like to talk about these with you, because this is the discussion that, every time... I'll reassure you, I looked at these online, at like three or four different examples, and most of them were just the instructor or the trainer saying it and done, and I'm like, I don't think a student, I mean, in my heart I don't think a student who saw that would get it and be able to interpret a table like that after that discussion. So we're gonna solve that, and we're gonna do it in a very creative way with some things that you already know. Check this out. I'd like you to imagine Larry. Where does Larry live? Think about that. Larry's on the inside of his network, his own local stuff, and we'll put Larry's local, and we'll put Google representing an outside entity, somebody in the outside world; everybody else, even the whole internet, will be represented by Google. Google, that's a combination of Google and global, and we'll use Google as global. And you recall the discussion we had about perspective, like, what do you believe: is the tree leaning left or is it leaning right? It depends on your perspective. So any time, and this is the takeaway for now, and then we'll apply it here in a moment, any time we see the word... let me get out a highlighter here, ready? Any time we see the word local, did I say any time? Yeah, any time we see the word local, I'd like you to think, oh, that's from Larry's perspective. That's what Larry believes, his point of view based on which side of the tree he's on, or which side of the NAT he's looking at IP addresses on. So whenever you see local, every time, just think of Larry's local perspective, the local view, what he believes; think of it as belief. And then whenever you see the word global, I would like you to think of that from the perspective of the outside world, like Google. What do they think, where do they think you're coming from? If we sent a packet from our home networks and we went out to google.com at 8.8.8.8
or pinged that address, Google would not see our own private IP address; Google would see our translated address. So they, Google and the rest of the world, these global entities, they would see us as that translated address, whatever it happened to be; they wouldn't see us as us. So the perspective is different. So in this output right here, show ip nat translations, every time you see the word local, it's Larry from his local perspective. It's a perspective; it's what they think, it's what they believe, based on how they're working with IP addresses. And so let's take this local and global, global being the perspective from the outside world, and let's look at this translation over here. So in measurable terms, we've got a user, Larry, who's at 10.16.0.10, he really is, and then we've got a router, and then we've got the rest of the world, including global, everybody else, but we have one server that we're pretending is on the internet, and it's 192.168.1.100. So I've got a question for you: is this really Larry's IP address that we just demonstrated? Yes, it literally is. And on the server that we're hitting, is that literally the IP address, 192.168.1.100, of that server? In this lab environment, yes it is, it really is. And so if we were to ask for the perspective of Larry and say, hey Larry, what's your local address, or what's your address, he would say 10.16.0.10. And if we asked Larry, hey, what's the address of the server you're hitting, he would say, oh, it's 192.168.1.100. So it's a lot like, let me draw one more layer here, it's like the perspective of the inside and the outside from these perspectives. So it's Larry saying, I think the inside is this and I think the outside is this, and on the other side of the coin we have, from a global perspective, what they think the outside is and what they think the inside is. And the thing I would like you to remember as we look at this discussion, as the bells
and the light bulbs start to go off, is that whenever you see the word local, it's from the perspective of Larry inside the network, what he believes the IP addresses are, which is gonna change here in a moment. So having the word local in your mind, that's Larry's perspective. So right now, if we asked, hey Larry, what's the inside, what's your IP address on this PC, Larry would say, oh, it's 10.16.0.10. And if we ask Larry, hey, what is the IP address of the server you're going to, he'd say, oh, it's 192.168.1.100. Now if we ask Google, or the global community, what the addresses are, the global would say, from its perspective, hey, the outside address is 192.168.1.100. But the inside address: does the global internet think that Larry is at 10.16.0.10? No, because we did the translation. It's right here: we translated 10.16.0.10 as it went through NAT to this address, 192.168.1.10. So Google, so the global perspective would be: okay, our address out here is 192.168.1.100, and we've got a connection coming in, thinks the global perspective, that's coming from an inside address that appears to be 192.168.1.10, because that's what it believes.
And here's how that can help significantly, now that we have been slightly indoctrinated on those terms. Let me show you why those are so stinkin' powerful. Look at the output of show ip nat translations right here. I'm gonna highlight a few pieces, including local, which I'm going to write "Larry" next to, right there: local, Larry, and that's Larry's perspective. Every time it says local, that's Larry's perspective. So let's just do this exercise right here with Larry. Hey Larry, hey... oh, you know what, let me do one more translation and I'll put it in the same spot, I need to get a little more... this will work, this will work. So from Larry's perspective we'd say, hey Larry, what is the inside address, basically saying, Larry, what do you think the inside address is? He says it's 10.16.0.10, which it is, and currently we aren't playing any games or lying about the outside. So if we sent more traffic and we have the translation present for this, we could also see the outside resource would appear, from local Larry's position, as 192.168.1.100, and I will bring that up because that's important to see. So I'm gonna hide that, not gonna erase it, just gonna hide it. Let's go back to the PC and I'm gonna just hammer this a few times. All right, so I just did refresh like four or five times; we're gonna have several connections there. We'll do a show ip nat translations, there we go, so the previous ones timed out, and I'll put my overlay up here, there we go, through the magic of editing and a couple movements of the mouse. There we go. So now from Larry's perspective, if we asked Larry, hey Larry, from the inside, what's the IP address, he'd say 10.16.0.10, right here, see that. And if we ask Larry, hey, what is the IP address you're going to, from your perspective, what's that IP address on the outside, he would say it's 192.168.1.100, which it is. So any time in show ip nat translations it says local,
I want you to hone in on that: local means the perspective of Larry, local Larry, what he believes the IP addresses are, and that's what it means, that's what it's representing. Now let's undo that, and let me go ahead and clear that, and let's take it... oh, you know what, I'm gonna undo that undo, because I want to leave some of that up, so let me erase Larry for a moment here, thanks for your patience on that. And now let's ask the same question, but let's ask it from the perspective of Google, or global, or something on the outside: hey, what do you think is happening here? And if we wanted to focus on the global perspective, which is, all of this is from the global perspective, someone on the outside network looking at the IP addresses, here's what we're gonna do. We're gonna focus on that word global in this output. They are on the far ends, not my fault, that's where they are, and this is the global perspective; this is like the Google, outside-world perspective of the addresses. So if we went to the outside world and we said, hey, what is the server that's trying to be hit here, from the outside perspective they'd say, hey, it's right here, this one: 192.168.1.100. And so that's the global view of the outside IP address for this translation: it's 192.168.1.100. I mean, that part is pretty straightforward because we're not doing destination NAT yet; I'm gonna change that up here in a moment so you can see it and still use the concepts. And then we ask, hey, Mister Outside World, this server just got a request from Larry; what do you think, what do you believe, from your global perspective, what do you think that source address was, the address that was coming from the inside network where Larry's machine is, what do you believe that is? And that's over here in this column, and from the global perspective the belief is that the packet came from this IP address, which is the one we translated on
behalf of Larry. This will serve you well forever if you want it: global simply means, what's the perspective from the outside, looking at the addresses; local means you're looking at it from the perspective, or the belief system, of the inside users like Larry. Larry's local, Google's global; that'll help you remember those terms. And then as we're looking at the inside/outside, remember how on the router we said ip nat inside over here and ip nat outside here? That's all it's referring to: which side of the translation are you talking about, and/or what is the belief regarding before and after. Now, so from a global perspective they don't know the real address, but they believe it was coming from the address of 192.168.1.10. So that's the key element in memorizing, or learning, show ip nat translations and making sense of it. You know, I think we should do another example where we're lying to both sides, because that one I rarely get to see in a demonstration, and I think it'd be important, because you can use this concept, go ahead and go to the big screen format, you can use this concept that Larry is local, it's his perspective of the IP addresses inside and outside, or global, its perspective of the IP addresses inside or outside, based on the mappings. It's not very often we get to see the other side of the coin, with the destination server also being translated. So what I think we should do is this: let's add another translation rule in, and we're gonna lie to both sides, meaning we're gonna do translation on both sides. We'll translate Larry's address, which we've already done; we'll also translate, from the outside going in, the IP address of the server at .100, and that way we can see both sets of addresses being mapped and changed when there's a communication path between them. I think it'll be fun to do. I hope it works out great; I'm thinking it will, yeah, I'm thinking it will. Let me clear off this and let's go
to our whiteboard and let's plan out what we're gonna do, and then we'll do it. Our intention is, we have a mapping for Bob, for Larry, oh my gosh, I guess it's "tickle Larry" today. So Larry's translation is from 10.16.0.10 going through the router, and the mapped address is 192.168.1.10, so that translation is already done, that source NAT from inside to outside. What we could also do is a translation for the server at 192.168.1.100 as it goes through; we could make it look like 10.16., I need something routable, 6.100. So routing has to work, by the way. Your router's routing decisions are made before NAT decisions, so if the router doesn't know how to forward a packet, or doesn't think it should route the packet, it won't go through the pair of interfaces and it won't check for NAT rules. So you're going to trust me, just for a moment, that this router knows how to get to the 10.16.6 network. Actually it's hanging off of one of these two right here, it's directly connected, I think it's off of Gig 0/0, so it has reachability to that. So for the server, what we're about to see is an example of two-way NAT, where traffic going from Larry this way, so it's going to the server, I'll put that in yellow, if Larry goes to this IP address of 10.16.6.100, it's actually gonna be sent to the server, and when the server responds to this address, it's actually gonna be forwarded back to Larry. Yeah, it's not pretty, but that's literally what's going to happen. We just need to add one more translation rule to make that happen, and then we can actually see the translation table. And the whole goal of this session is that you understand Larry's local, his perspective of the addresses, and then Google's global, its perspective, because that will serve you every time you look at ip nat translations. So let me
clear off that screen and hide that mouse, and let's add another translation. So let's take a peek at what we have, so I'll do show ip nat translations. So the reason it's currently not showing any current sessions is because there's no traffic in use; the HTTP session from the client has timed out. So this is just showing us the static NAT rule that we have currently; it's not being used, otherwise we'd see the connection information. On TCP and UDP it shows the ports as well; for ICMP, as a tracking mechanism, it shows ICMP for ping. But currently we have no translation, so let's create a translation, and we can also use the context-sensitive help. Now that we know about Larry and Google, global, the local and global options will make sense here more now when we do the commands. So we'll do an ip nat outside, because we're doing outside NAT: we're going to translate the source IP address of traffic coming in on the outside, meaning our server, as it's being routed and forwarded through an inside interface. So ip nat outside; we're gonna make a source address translation, and that source, we're gonna do static, and we'll put in the server address of 192., oh, context... yep, check this out, look at this for a moment, let this sink in: "outside global IP address" is where many people melt down. Yeah, give me an example so I can figure it out. Well, what does the word global mean? It means the perspective from the outside. So imagine you're Google or somebody on the outside network sitting there, and now they're asking for the actual address of the server that's outside; it's the literal address on the outside as seen from the outside. That's what global means, so it is 192.168.1.100, space, context-sensitive help, and that's asking for the outside local IP address. Let's take a moment, let's just bask in this for a moment. What does local mean? Let's start there. There's like two words we really need to remember to kick this off, and that is global, which is
Google's perspective in the outside world, and local, which is Larry's perspective. So whose perspective are we asking about now? Larry's local. So from the local inside network, what do we want this outside address to appear as? That's effectively what it's saying: from Larry's perspective, what server would he go to, what are we doing this mapping to, that Larry would then use and believe is an outside address from the local perspective. And that address is, give me 10.16.6.100. Local and global: every time you see ip nat translations and it says local or global, think of those perspectives. And this is a smidgen above CCNA, but I'm gonna do it so it'll work: I'm gonna add a route, and you might say, Keith, why do you have to add a route? Good question, let's talk about that. Let's imagine that you and I are a router and we're directly connected to a network, and somebody sends an ARP request looking for an address on that network, or somebody else on that same network is trying to talk to another device on that local network; we're not going to bother forwarding it because it's for the local network. Well, the mapping that we just did, for the outside server at 192.168.1.100 to an inside address of 10.16.6.100, that's on the inside, and so the router would say, yeah, that network's over here, I don't need to route it. And that add-route command says, oh, by the way, for the static route, add a 32-bit static route that says if anybody's looking for this IP address, the mapped address, the inside local address, go ahead and actually forward it over to the outside network and to the outside host at 192.168.1.100. We'll save that discussion for CCNP and very likely CCIE; you do not need to know that, that's not required knowledge for the CCNA, but if you want bidirectional NAT to work and have the interfaces where I have them and the networks involved, you've got to do it if you want it to work. So that's that, and we can also see that by doing a do show ip route static, and
there is our static route. So it basically took the mapped address right there, 10.16.6.100, and it says, hey, to get to that 32-bit address, go ahead and forward it to 192.168.1.100, which is the real server on the other side, on the outside. All right, so let's do this, let's do a show ip... I'm so excited, do show ip nat translations. So these are examples of static translations; we've got two of them. If we do a do show ip nat statistics, there it shows our two static translations. Now, at the moment none of them are in use because we don't have traffic flowing through, but it's ready; it's like, okay, I've got these rules; if traffic comes in from either the source address of 10.16.0.10, or it comes in from 192.168.1.100, I'm gonna go ahead and do the appropriate translations. So if we want to see this filled out, actually in use, which I would like to, let's go back to our client PC, and from our client PC I'm gonna close that browser, I'm going to do a ping to the mapped address, which is 10.16.6.100. So that would be an example of Larry's position, Larry's perspective of local outside: Larry believes that's the address, or he should, because we just mapped it; that's the address of that outside resource, the outside server, although we've mapped it to an internal IP address. So that's Larry's perspective of the outside address. So a little ping, I'm so glad that worked, okay, because you can't get a translation in place and see it unless there's traffic. So I'm actually gonna do a -t; let that run for a moment. -t simply says just keep them coming, and then we'll also bring up a browser, and that way you can see multiple translations going through at the same time. So here's a browser, and we'll go to 10.16.6, as I think about it, .100, which is the mapped address that we set up for the outside host, and that's working. And I'm gonna run over here to the server real quick and do a do show ip nat translations. Great, got some of both, and I can go and stop our ping. We'll come back to this in just a
second. Okay, mm-hmm, now most people who would be working with this, who are fairly new to ip nat translations, would look at this table and they would say, I don't know, they would just give up, say I'm not sure how it works. But here's how we can approach it, you and I, now that we have our information about Larry, who has a local perspective on the IP addresses, and also Google, which has a global perspective on those addresses. So I would suggest that we take a look at just one perspective first; don't look at both of them, like, ha ha, what's Larry think, what does the world think; let's just take a look at one of them. And so let's take a look at Larry, so we're just gonna find the two columns in the middle that have the word local; that's Larry's perspective. And we have two sides of the network, inside and outside, as defined by our ip nat inside and outside statements on the router, so we could draw a router here, there's our R1, there's the inside, there's the outside. And from Larry's perspective, he believes that the inside addresses are 10.16.0.10, and that's the only translation we have in use right now; it's the only one that is there. Here's the whole list of the ones that are in use: so ICMP is being used, we have a couple of sessions for TCP using these two respective ports as source ports, and that's what... so Larry believes, Larry believes that the source addresses are this column. Larry also believes that the device that he's talking to on the outside world is this column, which is 10.16.6.100. That's his belief system. So these middle two columns, that's Larry's belief system about where he's coming from, the addresses on the inside, and the addresses on the outside, from his perspective. And I will use a different color as we discuss the global option, which is from Google's, or the outside world's, perspective. We can forget about Google now; I just wanted to get it into your minds that global, global, global means the perspective from the outside
world. So what does the outside world believe the addresses are? Well, we have two columns for that: we have this one and this one, because they both have the word global in them. So from a global perspective, they believe that the outside IP address of the server is 192.168.1.100, just like that; that's literally how it works. So they think, the outside world thinks, yeah, that server's literally at 192.168.1.100, and as they take a look at Bob's address on the inside, they don't see Bob's address as 10.16.0.10; they see it as the mapped address. So as we communicate with that mapped address, if you take a look at it from the global perspective, the inside addresses from their perspective, we're looking at 192.168.1.10. Again, it's a belief system, so this one here is the belief system from the global perspective and this one here is the belief system from the local perspective, and that's what these four columns are showing us. This is absolutely something that I wish I had come up with before, as far as explaining it with Larry local and Google global; I wish I had thought of this two decades ago. It's a little sad, actually, that I've never taught it this way before. I thought, I just need to spend like an hour figuring out a way that any human who wants to decode what this means can do it, and if you start with Larry and his belief of what the IP addresses are, and then global, meaning the outside, what their belief is of the addresses involved, you can sort it out every single time. All right, so that's it: inside local, outside... yeah, yeah, inside global, inside local, outside local, outside global. I'm done; too long, didn't read, gotta go. But that's how you can decode it: just think of local meaning it's from the inside perspective on the addresses involved; global means it's from the outside perspective on the addresses involved on both sides. And when you're doing bidirectional NAT, which is exactly what this is.
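The two-way translation table just walked through, simulated in Python as an added example (this is not the video's or Cisco's code; Packet, NatEntry and NatRouter are invented names, the addresses and port 1545 are the ones used in the lab, and the table rendering only approximates the IOS layout):

```python
"""Simulated 'show ip nat translations' for the two-way (bidirectional) NAT lab.

Added example, not IOS code: the table rows are built from the same four
perspectives discussed in the session (local = Larry, global = Google).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """An IP packet reduced to the fields NAT looks at."""
    src: str
    dst: str
    proto: str = "icmp"
    sport: int = 0   # TCP source port, or the ICMP identifier for ping
    dport: int = 0


@dataclass
class NatEntry:
    """One row of the translation table, columns in the order IOS prints them."""
    proto: str
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str
    sport: int
    dport: int

    def local_view(self):
        """Larry's perspective: the two 'local' columns, what the inside host believes."""
        return self.inside_local, self.outside_local

    def global_view(self):
        """Google's perspective: the two 'global' columns, what the outside world believes."""
        return self.inside_global, self.outside_global


@dataclass
class NatRouter:
    # ip nat inside source static <inside local> <inside global>
    inside_source: Dict[str, str]
    # ip nat outside source static <outside global> <outside local>
    outside_source: Dict[str, str]
    table: List[NatEntry] = field(default_factory=list)

    def inside_to_outside(self, pkt: Packet) -> Packet:
        """A packet arriving on the 'ip nat inside' interface, headed for the outside."""
        inside_local = pkt.src
        inside_global = self.inside_source.get(inside_local, inside_local)
        # Larry addressed the outside LOCAL address; if an outside source rule
        # maps it, the real outside GLOBAL address is that rule's key.
        outside_local = pkt.dst
        outside_global = next(
            (g for g, loc in self.outside_source.items() if loc == outside_local),
            outside_local)
        self.table.append(NatEntry(pkt.proto, inside_global, inside_local,
                                   outside_local, outside_global,
                                   pkt.sport, pkt.dport))
        return Packet(inside_global, outside_global, pkt.proto, pkt.sport, pkt.dport)

    def outside_to_inside(self, pkt: Packet) -> Optional[Packet]:
        """The reply from the outside: undo both translations from the table."""
        for e in self.table:
            if (e.proto == pkt.proto and pkt.src == e.outside_global
                    and pkt.dst == e.inside_global
                    and pkt.sport == e.dport and pkt.dport == e.sport):
                return Packet(e.outside_local, e.inside_local,
                              pkt.proto, pkt.sport, pkt.dport)
        return None  # no matching row: nothing gets rewritten

    def show_ip_nat_translations(self) -> str:
        rows = ["Pro Inside global      Inside local       Outside local      Outside global"]
        for e in self.table:
            rows.append(f"{e.proto:<4}{e.inside_global + ':' + str(e.sport):<19}"
                        f"{e.inside_local + ':' + str(e.sport):<19}"
                        f"{e.outside_local + ':' + str(e.dport):<19}"
                        f"{e.outside_global}:{e.dport}")
        return "\n".join(rows)


def two_way_nat_lab() -> NatRouter:
    """R1 from the lab: Larry (10.16.0.10) mapped to 192.168.1.10, and the outside
    server 192.168.1.100 made to look like 10.16.6.100 from the inside."""
    return NatRouter(inside_source={"10.16.0.10": "192.168.1.10"},
                     outside_source={"192.168.1.100": "10.16.6.100"})


def larry_pings_mapped_server():
    """Larry pings 10.16.6.100; returns (router, packet on the wire, reply as Larry sees it)."""
    r1 = two_way_nat_lab()
    wire = r1.inside_to_outside(Packet("10.16.0.10", "10.16.6.100", "icmp", 1, 1))
    reply = r1.outside_to_inside(Packet(wire.dst, wire.src, "icmp", 1, 1))
    return r1, wire, reply


def larry_browses_real_address() -> NatEntry:
    """Source-only NAT (first half of the session): Larry goes straight to 192.168.1.100:80."""
    r1 = NatRouter(inside_source={"10.16.0.10": "192.168.1.10"}, outside_source={})
    r1.inside_to_outside(Packet("10.16.0.10", "192.168.1.100", "tcp", 1545, 80))
    return r1.table[0]


if __name__ == "__main__":
    router, on_wire, back = larry_pings_mapped_server()
    print(router.show_ip_nat_translations())
    print("on the wire (what Google sees):", on_wire)
    print("reply as Larry sees it:", back)
```

Run it and the printed row reads icmp 192.168.1.10:1 10.16.0.10:1 10.16.6.100:1 192.168.1.100:1, the same four columns the session decodes with Larry and Google.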
We're lying to both sides, and that's how it works. Like, Keith, is this gonna be on the CCNA? No, not at this level, but I can tell you this: if somebody showed you an output of show ip nat translations, which is fair game for the lab or for the CCNA, you'd get it right. You can say, oh, this is what it means: global means the perspective from the outside world, and local means the perspective from Larry on the inside world, and you could then reverse... not reverse-engineer, but answer a question based on that. All right, I think I said that's an hour; I didn't intend on spending an hour on that, but I did want to give you examples, hard-coded examples, of bidirectional NAT, and lead up to it with the story of Larry and Google as local and global, and their perspectives. All right, I'm not gonna lie, I had a lot of fun putting this together, so again, some regrets that 15 to 20 years ago I didn't come up with that story or that idea. If you are pursuing your CCNA, we are so glad to have you here. If you already have your CCNA, and a lot of us do in this channel, but you're going to brush up, or like, oh, I'm gonna get this tip, or I'm gonna help other people in the channel, we're glad to have you. To all the people who are supporting each other and helping each other: great. We're all coming from different backgrounds and different levels of experience; our focus in this channel is CCNA, which is the associate-level Cisco certification, the 200-301. The other day I got some feedback on a video that said, well, your intro was like 10 times louder than the actual content, and so I did two things. One is I went back and I snipped off that beginning part, because there's just some music and a banner, and I toned it down, and then secondly I responded and said I'm so sorry; that was from, I think it was from 2005, maybe, no, no, no, no, it was from, oh, many years ago, maybe five or six years ago when that video... I said please check out our new content, here's the CCNA playlists,
enjoy it. And I did both of those things; I wanted to fix that. I always like to get better and better, and I'm amazed when I look at an old video; I think, oh yeah, I mean, the technology is accurate, I'm teaching it correctly, um, my teaching is better these days too, it comes with practice, but so it's fun too, it's a little fun, it's a double-edged sword to look back at those old videos. So if you enjoyed this session, or if you want to learn CCNA, I would encourage you to do three things. Number one, if you haven't already, click on subscribe. Secondly, when you did subscribe, hit the alert bell; it'll let you know when the livestreams happen. They usually happen three times a week, and then I add them to the playlist. Secondly, schedule time: get Packet Tracer, which is free, or if you have live gear, that's fine too, but schedule time to both study with a book or videos or whatever mechanism you want to use, and then do hands-on practice. Don't just take it for granted that, oh yeah, I see how that works, it's good; go ahead and lab it up and get that practice, because in certification and in the real world it's gonna be helpful. The faster you can respond... it's all about stimulus, pause, response, you know: the stimulus, something happens; how long is the pause going to be before you can respond correctly? And in production environments we want that stimulus-pause-response, that pause, to be very short and very accurate, so we know what to look for, and labbing it up will help with that. Also, mm-hmm, because it's top of mind right now: a few sessions ago we did variable-length subnet masking, and we started with the biggest networks and worked our way down, which is the way I've always done it, always, always done it, and somebody asked, well, could we start with the smaller subnets and work our way bigger? And I thought, I've just never done it; lab it up, try it out, maybe that would work. And then, this is so great, I mean, learning just never stops. So Bob and a few other people, or
just Anvan or... I think, I apologize, there's several people discussing it, and they said, in Packet Tracer I tried to do variable-length subnet masking, and join us for Subnet Saturdays for that, I went from smaller to larger and it claimed there were overlapping networks. And so I looked at it; I looked at the IP address ranges on paper and I thought, oh, well, let me lab this up. I put it in Packet Tracer and it said overlap, when it didn't really overlap; the IP addresses were unique to the mask. It was when you're going from low to high, smallest networks to the biggest. So I thought, ah, this is one exception where Packet Tracer didn't get it right, and then somebody, it was Bob in the audience, or in the Discord channel, said, you know, I just labbed this up on live gear, it does the same thing. Like, what? So I labbed it up and I was the most surprised ever, because I did the subnetting in reverse order. I used loopbacks, I did a reverse order, smallest to largest, and on live gear it barked about an overlapping IP address with one of my first ones, and these do not overlap, these do not overlap, these do not overlap, but it's true. So I went back, I said, oh, um, Packet Tracer didn't lie; Packet Tracer was telling us that they wouldn't work. So I learned something brand new in the last 48 hours, and that is, in doing custom subnetting, I've always done it from the largest subnets to the smallest; that's how I've been trained and done it for decades that way, never tried it the other way, and if you try it the other way it fails, which is a great... at least it did in the scenario we had in Discord. So check that off, if you want. Which is a great reminder for us that when you're curious about something, lab it up; spend a few minutes labbing it up like I did, and then verify it for yourself: oh my gosh, this doesn't work, why is that, how is that possible? Which is still my, which was my question and still is, a little bit, like, why, these IP addresses do not overlap, why is it giving me grief? But anyway,
small-to-large didn't work. So I wanted to pass along my thanks to the Discord channel for helping me discover that brand-new thing after working with Cisco since 2009, or 2008, yeah, no, no, no, I got my first CC... since 1999; you slipped a decade there, Keith, yep. So I'm grateful for that. Okay, here's what I'd like to do for the Q&A regarding this session: I would love to take any questions. We're gonna take a short break and I'll grab some water. I'd like to have any questions that are related to NAT at the CCNA level, which basically is gonna be the basic foundations of NAT, like, you know, static NAT, dynamic NAT using a pool, always source NAT; they're not gonna ask you about destination NAT inside of CCNA. I demonstrated bidirectional NAT just so I could show you the inside, outside, global, local perspectives, which is important to know. So anything regarding that would be great, at the CCNA level. If you want to help other people, you can answer questions also; I'd encourage you, going forward from this point on, instead of scrolling all the way back in the list, where there's been lots of great comments, please feel free to ask, and if you have a question for me directly, just do an @Keith Barker in this chat and then I will see it and be able to answer it. And that includes if you have questions about the concept of local and global; I'm happy to go over that again. But the idea is that you're gonna have different perspectives: if you're on the inside of the network or the outside of the network, you're gonna have different perspectives on what the IP addresses are. And so when you use the word local, you're asking from the perspective of the inside network regarding the inside and outside addresses, and if you have the word global, you're looking at the addresses, the inside and outside, from the perspective of somebody on the outside network, from a global perspective. So using the keyword local for Larry will help; that's the two middle columns, those are focused on
the perspective from inside the company regarding the translations, and then global represents someone on the outside network regarding the addresses involved. So local and global, those are the two keys, and then everything else is perspective-based on the local or global perspective. All right, I'm gonna take a quick break, grab some water real quick; we've been going strong for 70 minutes, and we'll be right back and we'll take some questions. Thanks. Okay, and we are back. Let me bring up my section here for Q&A, so over on my left is my Q&A, and I will move the mic over just a little bit, so I'm going to be focusing here to read the questions, pick up the questions, and if there are any questions I'd be happy to take a look at them. Again, CCNA focus would be preferred; anything outside of CCNA I'd like to put in the Discord server. Okay, uh, I had a great weekend, by the way; there was a lot of fun. Work hard and play hard, sometimes, is a great thing, within moderation. All right, let's start with Darshan. Okay, Darshan, your questions about bidirectional NAT and talking about asymmetrical routing, that's way beyond CCNA, so I'm gonna pause that one, and if you want to put it in Discord in the other section I'd be happy to have the team look at it and think about that and answer those questions, but again, I want to make sure I'm focused on CCNA-level topics, and if I think it's close to CCNA I will definitely elaborate on it here. All right, and John, we're working at CBT Nuggets, we are working on ENCOR and the other courses for CCNP; we're pedaling as fast as we can, so thanks for the interest. All right, moving down. Okay, I've got a question from Norman asking how somebody can join your Discord server, and let me bring up the link; let's paste it real quick, and I'm hiding behind the mic, sorry about that. Discord is free, as is this YouTube channel, and we encourage everybody to cooperate and ask questions and learn. There is a set of rules
on that Discord page. When you log on and subscribe, you'll be made a member; a little bot does that for us. And then take a look at the rules, make sure you agree, and the basic element is: be a nice person, help other people, and don't disclose or share anything that you shouldn't be disclosing or sharing based on any agreements you've made with Cisco or vendors if you purchase their products. We wanna make sure we're keeping everybody authentic and real. All right, so there's a link, Norman, for the Discord server. Thank you for that question. Okay, Adolf. Oh, thank you, Adolf. Adolf says: by far the most easy-to-remember explanation I've come across. Thank you very much, Adolf. This discussion I just did today about the Larry/local and Google/global and having those two perspectives, I created that in the last 48 hours, and I did it, I'll tell you, I'll just reveal, I did it in preparation for ENCOR, because I'm teaching this concept at the CCNP level and I thought I just need some way for somebody who's doing that to absolutely, every time they look at that, whether it's bi-directional NAT or source NAT or destination NAT, or whether it's, you know, source NAT from the outside coming in or source NAT inside coming out, which are both bi-directional, I want to make sure they can understand it. So thank you for that feedback, I appreciate that. Okay, let me see if there's anything else. If you do have a question and you asked it before, I'm just starting from here going down, so please do an @Keith Barker if you have a CCNA-related question and I will be happy to look at it. All right, Shady Networks asking. Shady Network, I love it, that's a fun name. What are some practical scenarios for directional NAT versus bi-directional NAT? Great question, and the answer for that is most companies are going to be using, well, let's back up a little bit and let's imagine you're at your home, and at home it's very
likely you've got internet access through Wi-Fi. Let's imagine that's the case: you've got Wi-Fi access, and then we have an access point in our home, it may be built into your router, but some kind of a Wi-Fi signal in the 2.4 gigahertz range or the 5 gigahertz range using 802.11, using whatever technology you're using, maybe it's n or ax, et cetera. Anyway, using some Wi-Fi technology, your computer gets an IP address via DHCP and it gets a default gateway of your router, and let me make sure I stay on topic, practical, right. So you're being given by DHCP by default on most home networks and the small office/home office something in the private RFC 1918 address space, which could be the 10 network, or 172.16 through 31, or 192.168 anything. And those addresses are great for your local, I mean your Amazon Echo (I don't say her name because she'll talk to me, and I was on Echo), your Google Home, your Samsung SmartThings, your home automation, your refrigerator that has an IP address, your TV that has an IP address; all those things can communicate with each other directly on that local network. But if any of those devices try to go out to the Internet, those source IP addresses, let's say you have the 10 network or the 192.168 network address space, the Internet service providers, if you're using those source IP addresses, they won't allow those on the Internet. Now there could be several layers between us and the Internet. So I could be connecting, my current provider here in Las Vegas is Cox Communications, and so with Cox Communications they could have several layers of routers and NAT and things that they're doing as well, but somewhere in the path between my home network, our home network, and the Internet, somebody's doing NAT, and that would be an example of directional or standard NAT, network address translation. Specifically it'd be source NAT, because as our packets are going out to the Internet, our source addresses, let's
say we're going to Google at 8.8.8.8 today, we're doing a ping or we open a browser to some Internet resource, we do a DNS resolution for the IP address, the packet goes out, our source IP packet has to be translated at some point before it goes out to the Internet. Otherwise the Internet devices, the Internet routers, the service provider's routers, when they see it they'll say, yeah, I'm killing that, this guy's trying to source the packet from, you know, a private RFC 1918 address space and I can't allow it. So it'll kill it. So our service provider, or our home router actually, will do a flavor of address translation, and it's probably PAT, port address translation, where it has one IP address on its outside interface and then it considers everything coming in to be inside, and so it'll do dynamic NAT, source address. We could call it five things: we can call it source address translation, we can call it dynamic NAT, we could call it dynamic PAT, because we're mapping all these inside addresses, your IPTV, your refrigerator, your Internet of Things devices that communicate out, they're all being translated to the one IP address on the outside interface of your router, which may also have a private RFC 1918 address, and then further down the road your service provider is doing NAT again to swap out that source address. So most of the time, most of the time, I wouldn't say 99%, but I'd probably say 95% of the time we're gonna do single-direction translation, like source NAT going from your home out to the Internet. Or if a service provider has a server, we could have destination NAT, where clients are going to this globally routable IP address, but we're doing destination NAT: you have to swap out the destination IP address on that initial flow to the actual IP address of the load balancer or the server on the inside. And then of course whenever there's a translation, whether it's source NAT or destination NAT, a unidirectional translation, there's always an untranslate. So somebody did the initial translation of a source address; for the
return traffic we're going to untranslate that address to put back on the original address. If we're doing destination NAT, meaning we're swapping out the initial IP address for the destination, like somebody on the Internet, like Bob, now I can say Bob, going to an Internet resource at a public address, behind the scenes they're probably doing destination NAT, which is swapping out that destination address we put in our packet right before it gets to the load balancer or whatever the device is, and then it actually translates the destination to the real address of the server, and then on the way back they're doing an untranslation as well. So the experiences I've had with bi-directional NAT usually involve somebody screwing up, or something they sprang up, somebody who has to make a terrible situation work. Like I mentioned Paramount Pictures, that was my first exposure to that. Paramount Pictures got bought by Viacom; they kept the name, but Viacom's the parent company, and they had 10 networks, we had 10 networks, meaning the 10 address space, and how do you get 10.10.10 over here to talk to 10.10.10 over there? The answer is you don't. They're two separate VLANs, not the same VLAN, they're across the country, and so we have to involve DNS for resolving names to certain IP addresses, and then we have to make both sides appear as different subnets. So maybe this side of the network thought it was talking to 10.10.20 and this side thought it was talking to 10.10.30, but in reality we're doing destination NAT and source NAT to make those communication paths lie to each other. Nasty business, but possible. It's in the toolset, a little bit above and beyond the CCNA, but those are the cases. So Shady Network, thanks for that question. All right, let me look at Dino's question real quick. Okay, so Dino's question is a good one, and that's asking, when doing NAT, and say in general, he's asking on a firewall, what is the order of execution: routing, NAT, or ACL? Great question. It
does depend on the vendor. So routing is a routing decision, like here comes the packet in the ingress interface, looks at the IP header, do I know how to route, do I make a routing decision, and then what's my exit interface, what's the next layer 2 header. And routing, that's routing. Now if you have an access control list in the mix, the question is, are we going to do a routing decision first or are we going to check the access control list first, and that's going to depend on the direction of traffic and where the access control list is. And these are both CCNA topics, too. So if you have a packet, it's going this direction, and you have a router in the middle here: if you have an access list inbound on this interface where the packet is coming in, the ingress interface, it's going to be the access list first. It's checked to see that the packet should be allowed, and if it passes the access list, then the router can make a routing decision and then make its forwarding decision. In that same scenario, but we have the access list as an outbound access list on this interface and the packet's coming in here, unfortunately, well, depends on how you slice it, the packet coming in, the router would make a routing decision and then it'll identify the exit interface and then see the ACL on that exit interface, or egress interface, and then do the blocking. And there's reasons for both, and routers these days are so darn fast, they've got caching and Cisco Express Forwarding and hardware that, you know, like two decades ago... So it depends on where the access list is. Then furthermore, NAT: the routing decision has to happen before NAT, because if you have an inside interface and an outside interface and two other interfaces, unless the packet is coming in on the one NAT interface and being routed, a layer 3 routing decision, out the other interface, so this is ip nat inside and this is ip nat outside, then it'll say, let's see if it matches, let's see if we have a NAT rule or an existing NAT translation that's in use that I can go ahead and
use. That's important. Now if the traffic was coming in this interface and going up another interface or down another interface that is not enabled for NAT, there'd be no NAT translations or NAT rules in place. So the way it works is there's NAT rules that we can have in place, and then once those rules are matched, then the translation happens. And if there's an existing translation, the router is gonna say, oh, there's an existing translation for this, I don't need to make another translation, it's already there. And the ports involved, when you do a show ip nat translations, those ports, let me show you this, this is pretty darn cool, the ports involved. And let me log back into this again. So if we looked at this, if we did a, I can go out of configuration mode because I'm done, just show ip nat translations. These, I think these should all have timed out. Okay, so what we're seeing here is we're seeing our rules in place, but they're not in use at the moment. There's no traffic flowing through them that would cause them to be used. If we want to cause them to be used, we could go to a device. I will close this window for ping. I will close; sometimes you hit refresh here one time and it won't actually go to the server, so I'm going to spam it and I do it like three or four times just to refresh, and let's go down to R1, which is our NAT device, hit the up arrow key, and that's because I hit enter, I hit refresh four times, and so it actually went out, made four connections, and it used these ports. So, I forget, how does this work again? Remind me, he says with a little bit of a chuckle. How does this whole thing work again? As far as I know, we have a router, and I know we have the inside, I know we have the outside, we define those with our ip nat inside/outside, we have our rules in place, then we send some traffic through. But what's this whole thing about the local perspective versus the global perspective, which I will put in a different color, because that's really the two things I want you to pull out from
this session, is that just looking at the word local, I want you to think of what Larry... wrong color, back, stop, let's go back to this color, oh wait, I want you to think of what Larry, what his belief is from the local perspective regarding source and destination. So Larry believes the inside address is 10.16.0.10 for this session, and he believes the outside address is 10.16.6.100. That's not literally the address of the outside server, but that's the belief system, because we mapped it; we have bi-directional NAT, we mapped the 192.168.1.100 over to this IP address, and that's all Bob, that's all Larry, knows. All he knows is his perspective of the inside. If we go back to the other side of the camp and we go to global, what's global's belief about the addresses? Well, from the global perspective, global believes the outside address is really the address of the server, 192.168.1.100, and from a global perspective on the outside of the network, it believes that the entity who's coming and connecting to that from the inside of our network is this bad boy, 192.168.1.10, which isn't true, that's not really Larry's address, but from the perspective of the global outside, regarding where that packet's coming from, that's what it believes. It's all about perception. Larry is looking at it from the inside network: what does he believe the inside and outside addresses are? Global is from the Google, or outside world's, perspective: what does it believe the inside and outside addresses are? Just what do they believe, what are the mapped addresses. And doing the bi-directional NAT, the only reason I did it in CCNA is because I wanted to give you a hard-coded example that you can use for CCNP, for CCIE, for the production environment, and just every time you do a show ip nat translations, say, okay, there's a lot of output there, but let's take a look at this from the perspective of the local, the inside: what's their perspective of these addresses, and then
separately, what's the perspective from the global, outside view for the inside and outside addresses, and that'll help. So what was the question there? I started ranting. Keith, you're ranting. Let's see here, let me go back to my questions. Oh, that was all about NAT on a firewall with the order of execution, routing, NAT and ACLs, which I think we addressed. Thanks for the question, and thanks for letting me elaborate on the local and global options. And Larry Roberts hopes to see you at Cisco Live. Cisco Live, they cancelled it in Melbourne not too long ago because of COVID-19, so we'll see about Cisco Live in June, whether they hold it or not. I have no idea if it's gonna go or not. I hope it does; I'm teaching there, two classes with Jason Gooley, it's gonna be fun. All right, TGA 499 1, you are very, very welcome. All right, Murray's asking, can you please explain source NAT versus static NAT? Let's talk about that for a moment. Great, great question. Let's go to the whiteboard and let me use this topology right here, or let me use this backdrop right here. Now let's keep extending it that way. I'll leave this here, bring my mic over. Okay, so the question is source NAT versus static NAT. I think the best way to approach this, and see if there's room for my face on here, barely, okay, hi, the best way to approach this is one at a time, and let's take a look at static NAT. Static NAT is when we put a rule in place like this one right here. This is an example of a static NAT rule. We're not dynamically saying, oh, if somebody shows up from some source address and we're being routed through interfaces with NAT, then we'll create a translation for them; that would be an example of a dynamic network address translation. A case in point: if we said something like, let's say we have access list 1 that says permit 10 anything, and here's how we spell 10 anything, with a wildcard mask like that. So we have this access list that says permit 10 anything, and then we could do, on this router, let's imagine
I'll just draw right here. So there's Router 1, our outside interface, I believe, what, I need to look at my outside interface real quick. I'll put the same one so it's consistent. Oh, it's 1/0. All right, let's imagine it is. So 1/0 here is our outside interface going to the outside world, and then we have some inside interfaces that go to the inside world. So we'll label in and out from that perspective, just from a NAT perspective. So if this is an access list that matches, it says anything that's a 10 is a match, thumbs up, yay, that's it. Then we could include that access list as part of our NAT rules for dynamic NAT, and dynamic NAT means I'm not creating a translation in my translation table; I just have this rule, and if it's matched then I'll kick into gear and I'll make a translation, I'll start using that. So a translation rule could look like this. In global config we could type in ip nat inside source list. Now you may ask, well Keith, how do you, here, not even at the command line, there's no context-sensitive help, how do you memorize this? I've done this a few times; that's literally why I can do this, because I've done it a few times, and that's the same reason we should lab things up and practice, it just becomes more familiar. And if I write something out and it's not quite right, at the command line I can solve it, but you'll get more familiar with the commands. You don't need to memorize all the commands, but the more you lab up and practice with them, the more you'll have them available. So ip nat, I want to do inside source, meaning I want to do source address translation from traffic originating on the inside, which means traffic would be routed in, ingress, on an interface that's associated with the inside, from that perspective, and I'm making a routing decision and that packet happens to be routing out an interface associated with the outside. Sometimes we call those ingress and egress. Once I was taking my Cisco lab and they give you a
lunch break, and this is a bad joke anyway. So you get your lunch, and then the use of the tray, there's a place to return the trays with the flatware and, well, the stuff, the remainder of your lunch-eating process. Why is this so hard for me to say? You know, you go, you have lunch and you're done, and there's a plate and a glass and maybe a spoon or fork. Okay, so you take that tray of remainder and you walk into this little alcove area and you put it on this, like, a conveyor belt, and it takes it to the kitchen staff so they can deal with those dishes, wash them and so forth. And you're supposed to go in one way and out the other. It's very easy, because everyone goes in one way, they drop off their tray and they go out the other. And I walked in the wrong way, I walked in the out door, okay, and afterwards I bumped into somebody, I almost bumped into somebody, stopped and said, oh, sorry, I'm going in the wrong direction. And then I went back to the table and I said, if they had signs that said ingress and egress I would have been set. And that's, you know, like, enter here, exit here; that's all that ingress and egress means. But when you have a lot of studying on the brain and that's all you're thinking about, the word ingress simply means where it comes in and egress means where it's going to be routed out, in this case based on a routing decision. So thanks for that little story. All right, so going back to this: ip nat inside source list 1, meaning any traffic that's coming in on the inside I'm gonna take, and based on the source address matching list 1, which says starting with 10, 10 anything, so 10.2, 10.5, 10.17, 10.99, tax time, that would match. And then you have to say what you want to do: ip nat inside source list 1, and if we just want to overload those on the outside interface we can just say interface and then gig 1/0 overload. And here's what that means in English. It says this is a dynamic NAT rule, and specifically it's an inside source
NAT dynamic rule, and that's what it says, ip nat inside source: if it matches list 1, so Larry's packet coming from 10.16.0.10 would qualify, if that matches and we're going from inside to outside, which is what this ip nat inside command says, go ahead and map it to the existing IP address on this outside interface, which is gig 1/0. So we've already identified that as an ip nat outside interface, where somebody's saying use that IP address, and overload says do it again, Sam, do it again. You mean do it again? Well, if you got Larry and Lois and Bob and Sally and Jeff and everybody else, Bob and Gus and everyone else on this forum who is on that inside network and they're all going out and that traffic's being routed off that interface, if their IP addresses start with 10, just start overloading and use that same IP address over and over and over again for source NAT address translation. And then as those packets go out to all the cool sites like cbtnuggets.com or ESPN or twitch.com or youtube.com, the router is keeping track of all those sessions with unique port numbers, and if it's not a TCP or UDP segment it also keeps track of it, just for grins. And that way, when the replies come back, because all this traffic is coming back to that one IP address, then the router is going to look at those incoming packets and say, okay, based on the ports I used as I sent those packets, because it's gonna play with all that port information, it will then identify who it goes to on the inside, over on this side of the network, untranslate those back to the original addresses involved, and then send them back to their respective clients, hundreds of thousands of times per second sometimes, based on your network traffic and how much you're doing that. So this is an example, going back to Murray's question, I appreciate him asking that for the group, this is an example of dynamic network address translation, and specifically it could be called dynamic PAT because we're actually using port address
translation with one single IP address being overloaded. And the examples we did in class where we just hard-coded and said inside source static, which is this guy here and this guy here, those are examples of static NAT. And in all cases, these are all examples, everything I just described and we did earlier is all an example of source NAT, because on the initial flow we swapped out the initial source address. And one thing about NAT, too, is that sometimes it's important to realize that if you do a translation, is that translation good for both paths? And the answer is it can be, and many times is. So if we do source address translation where we have the inside address and the outside address, sometimes, not every time, but many times, that address can be initiated from the outside, meaning an outside device could hit that mapped address and have the translation work to the inside address with static NAT. And with port address translation, with dynamic port address translation, that's not going to be a problem, because the translations don't exist until there's traffic that's sourced that matches the rule, and then that translation is used. So there's a lot to talk about with NAT. Again, the focus was: local means from Larry's perspective about the inside and outside addresses, his belief system; global, think of Google or some big entity on the outside looking at those same addresses from the outside: what is the outside address and the inside from their perspective on the outside. And that will help you decode show ip nat translations. All right, let's continue our questions. I appreciate you being here. Wow, we have almost 200 people today on a Sunday. Oh, it may not be a Sunday where you are, I realize that, too, because the world's a big place and it's getting smaller all the time. I'm very grateful to have you. Okay, and Dan, oh, Dan, thank you, it was, enjoy life, for me it was, me with the VLSM small-to-large lab, tricky, wasn't it, Dan? Thank you very much for three things: one, for
bringing that up in Discord and then showing the results, asking the question, and encouraging me to validate it. So I'm giving Dan all the credit for the VLSM small-to-large, which I've never done in my lifetime; I've always done it large to small, and now I know why. Yeah, Dan, when I was doing that I did it in Packet Tracer first, because why, Packet Tracer's right there, it's just up, and then it failed like that. Ah, poor Packet Tracer, it just can't handle it, it's not right. I looked at all the ranges, there was no overlap, there wasn't, but doing it small to high broke it, and I thought, okay, Cisco routers are not gonna make that same mistake. So I got up a real, I say real here, I brought up a virtualized environment of live gear, and I was so shocked, I was so shocked to see that going from low to high just does not work. Wow. It's sort of like the ham story. This couple got married, and I'll give you the short version: they got married and one of the spouses cooked this ham, and before she, before he or she, doesn't matter, cooked it, they always cut off the end, like a third of it, before they put it in the oven. And so the other spouse says, why, yeah, it's just, curious, well, you always cut off a third of the ham before you put it in the oven, and that person said, I don't know, but my parents, we just did it that way. And then they were visiting, you know, their parents and asked the parents, how come, when you cook, you cut off that third of the ham every time before you bake it, and they said, I don't know, our parents... Long story short, they are at Grandma's and Grandpa's house one day and they were asking the question, how come you always cut off a third of the ham before you bake it, and the grandma or grandpa, whoever was cooking that, they look suspiciously and say, because my pan is too small, why do you ask, that's such a weird question. So for three generations you've got people doing something that wasn't needed because of some original cause that the original person
did it for, and everybody just buying into it. And so IPv4 VLSM, which we covered in Subnet Saturdays, I've always done it one way, and that is from large to small. I did not realize the implications of trying to do it from the smallest networks to largest until Dan, so thank you for that and for getting me to study it. So I guess I'm staying with my old dog, old trick method of large to small, and thanks for reminding me, Dan. Okay, and Darshan's asking a question about dynamic NAT. Okay, it looks like a statement. Awesome, thank you, Darshan. Looking for my name, still going down a little more. Okay: in the command ip nat outside source, are we translating the outside global addresses to an inside local address? Okay, let's take this one step at a time. I think it's a great, great question, because I'm going to think about it using the techniques that I just shared with you about local and global. In the command ip nat outside source, so that means we're doing the initial translation on traffic that's coming in on an interface from the outside that's going to be routed to an interface on the inside, ip nat inside, so that's what the ip nat outside command is about, and then the source keyword says we're gonna swap out the source IP address of that traffic, of that packet. So then the question reads on: are we translating the outside global address, which is the real outside address from the global, from the Google, perspective, what the real address is, to an inside local address, and local is from the perspective of Bob, I'm sorry, Larry, the inside user. And that is exactly correct, Michael. I just want to make sure I'm not gonna mislead you there; that's exactly what we're doing, we're translating it. In fact, let's go to a command line and I'll show you the context-sensitive help, which confirms it. So in the syntax for ip nat statements it's like, oh, outside global, outside local, inside... What does that mean? Now as we do the ip nat commands for static NAT or other
than that, as we use the context-sensitive help, it says local inside; we're gonna say, oh, local inside, that's from Larry's perspective, the inside address, great, which is going to be the real address. And if it asks us for the outside global address, that's gonna be from the global position, from the outside network: what they think the outside address is, which once again would be the real address for that device on the outside network as seen from the outside. Let's do that, let's go ahead and do an ip nat outside source and we'll demo that, because this is a great learning opportunity which I want to take advantage of, after I log back in. Okay, so we'll do a config t, ip nat, and do we want to translate traffic as it's being sourced from the inside going out or the outside going in, or do we want to create a NAT pool, and there's other options here as well. So let's do ip nat outside, to match the question, and then it's asking us what type of network address translation we're doing. We're gonna translate the source of traffic for packets as they're coming in from the outside, and then it's asking us, if we had a list we could make an access list for matching on, or we could just say static. We'll do static for this example, and now it's asking us for the outside global IP address. Think about it: global, whose position is that, whose perspective? It's on the outside. So from the outside perspective's world, it is the address that we're going to see for that address that's going to be translated, which in the case of our server was, I'll use another address, 192.168.1, I'll say 101. I don't think that device exists; it doesn't, but from the outside perspective, using the context-sensitive help, from the global perspective, from the outside perspective, what is the outside's IP address. And so we'll pretend that's the real IP address on the server on the outside of the network, and then we use a question mark, and what do you want to map it to? We want to map it
to, from the local's perspective, what that outside address would like to appear as. So if we ask Larry, hey Larry, you're gonna go to this device, in fact, you know what, let's do this. I'm gonna map, I hope this works, I'm gonna map, let me back up, I'd like to see if I can get this to work. So outside global IP address: let's imagine we have a device at 192.168.1.5 on the outside network, and from the global perspective that's its real IP address, and we want to map it to, I'm gonna back up one more time because my brain just did a slip, I just wanna make sure I'm going to do this correctly. Outside global address, okay, so from the outside position, what's the real-life address: 192.168.1.5. And now it wants the outside local address, so from Bob's perspective, after the translation is done from outside to inside, because we're doing outside source NAT, what do we want that IP address to appear as from Bob's position, local; what's Bob gonna think of that IP address as? And I think I would like to use this, I need something routable, routing has to work: 10.16.6.99. And I'm also going to add a route for that, too. So that syntax right there is the mapping from the global perspective of the outside address to Larry's perspective of what that outside address is going to be, from Larry's perspective. Yeah, that's right, okay, I just want to look at it, make sure. So let's take a look at our rules again. I want you to take away the local and global; if you have those two down, then you can look at those perspectives for any of your mappings. So, to do show ip nat translations, okay, so now we have three rules, three static mappings, three static NATs. We have one that's inside source static, for this guy; we have two that are for outside source NAT, which is this one and this one, the top one we just created, and from local Larry's position it's reachable at 10.16.6.99.
That's his belief, because that's what he believes the external or outside device is, but the outside world knows that as 192.168.1.5. Now do I have an address out there at 1.5? Let's see if I do. And I do. So what I just did, I did a mapping and I simply said this outside address of 192.168.1.5 is mapping to the internal, or what looks like, from Bob's perspective, the address of 10.16.6.99. And so if we went to Bob's computer and we went to a command prompt, this is where my life changes, all right, let's do a ping to 10.16.6.99. I just can't, let me check my translation table again real quick. So from Bob's perspective, local, he thinks that outside address is 10.16.6.99, which should really map to 192.168.1.5. That should work, so let's go ahead and test it. Oh, hello, pinging 10.16.6.99, survey says we have a reply, and let's go check out our translation real quick before it times out. It timed out, mmm, yeah, let me do a continuous ping, -t please. All right, I would love to see a translation here; if not we can force it. So that's the router itself. Let's do this, let's remove that, and I will change it. So let's just do a Ctrl-A and a no, and I hit the up arrow key again, and I'm going to take off the 1.100 mapped to 10.16.6.100, and I'll make sure I got both of those. All right, so let's go ahead and add a translation to something that's reachable, ip nat, let's go up a little bit more. Okay, so what I'm doing here is I'm gonna go ahead and map the address of the server again, just for grins, and I'm gonna map it to the outside local address of 10.16.6.99. So from the perspective of Bob, some habits are hard to forget, from the perspective of Larry, he's gonna think the IP address is 10.16.6.99 from his perspective. So I'm going to add that, we'll do show ip nat translations, and I'll circle these real quick, and then we'll test it. Oh, did I do that route? That's good. So from Bob's perspective he thinks that there's an outside IP
address reachable at 10:16 699 and the outside world from the global perspective knows the outside address is really one HP wants to see it one dot 100 and so as we forward traffic from Bob's computer it's going to be it's going to have bi-directional nat again except we're going to be doing source net here with this rule and source net here with this rule one inside source net one outside source net and let's test it alright so let's go back to Bob 1016 699 is the address that Bob believes is reachable as the server address they can reach so let's get the ping going to that address of the trends mm-hmm stop stop stop stop all right I'm gonna close that and let's bring up the browser and let's go to 10.16 dot 6.99 and that works let's also do a net stat - and just take those ports 1558 and 1559 so bob believes my inside address is 1016 610 dot 16.0 at 10:00 on these source ports bob believes that the destination IP address is going to on the outside world is 1016 6.99 and our nat table should reflect that so show IP net translations there they are also we have an ICMP 1 from our earlier pinks is fine so there is the inside local from Bob's perspective Oh for pete's sake Larry come on just earth is the only discussion I use Larry consistently I tried to because of the link that Larry being local so Larry thinks his local at inside the rest of 1016 0 10 Larry thinks the outside world is going to as 1016 6.99 from his perspective and from the outside world the outside world sees those addresses as really 192 168 1 dot 100 and the global perspective does address on the outside or really what they are and from the global perspective it believes the outside world believes those packets that are coming in are coming from 192 168 1 10 with their respective ports and those ports match up exactly with what they were in that translation because it's literally what's happening all right so that was a great question thanks for give me a chance to elaborate on that and have some 
fun Larry's local good thing I love that Larry guy always looking at the local perspective what he thinks the addresses are on the inside the outside and then global what its opinions are of addresses on the inside and outside two different perspectives talking about the same flow of traffic but because the address has changed as they go through now it's important to see all right scrolling down for any other questions dharshan you're welcome and just see if there's any more here and John is mentioning I using that in VMware on home lab and using that again on physical router yes now you service providers are usually going to be performing that multiple designs before your traffic actually gets out to the internet so if you have a home router and you're connected and you look at your router and it says my IP address is 10 dot something or my IP address is 1 I need to something the the LAN interface not your local side but the way on interface and you're learning it via DHCP or PPP over ethernet if you're using DSL those addresses that they're giving you if they're private they are doing translation later down the path as those packets go out to the Internet so yeah multiple doing that multiple times is a common thing and very very common all right it is wow it's almost one o'clock Pacific time that makes it 11 12 a two hour stream one hour when I were and changed for the content and then one hour for QA I had a lot of fun and there's 167 people live right now so I appreciate all your time in joining me helping other people learn I'm having a blast doing this a couple tips out for the road before you leave with the new coronavirus kovat 19 I know this is old news but it's a respiratory infection and the only way it can really get in you is through your mouth and your nose and so the benefit of wearing a mask is not to prevent the vapour droplets from getting in you simply have to read sneeze right on you for that to happen but most the time people sneeze or they 
cough and there's a virus from an infected person if that happens on everything around them so they're touching their mouth their nose or that virus is getting on things and then we touch those things like man it's just terrorists tricky too it's tricky I went to a thing last night I was shaking hands and hugging people lots of people uh I think if this break is this outbreak happens more seriously in the country that I'm in and the state that I'm in I gotta be way more careful because so you touch things other people touch and then we put our hands in our mouth or nose or like me like this little thing I call a beard this say my beard I'm touching all the time I like this and that's a habit that if I'm out and about I need to be aware that anytime you're in a public space if you're concerned about not getting not infecting other people which is important also not getting affected is that you just gotta not touch anywhere up here unless you wash your hands very thoroughly for like you know 20 20 seconds or so thoroughly with soap and if you don't have soap you can use ice you know hand sanitizer if it's like sixty plus or 70 percent alcohol but that's just that's the interim solution until you can actually wash your hands so it's gonna change take some change of behavior on a lot of people in the country in the world and it's a it's coming so this is a nobody likes to get sick so a lot of people are not going to die from this but they will get very very sick and that's that's no fun so to protect yourself the mask if a person wears a mask it's not really to filter out the vapors so it doesn't have to be a high surgical mask or with vents and their nails that are you know to filter out poisons and chemicals it really is acting like a dog cone that helps remind a person that oh I've got a mask I can't touch my face my nose and my mouth because that's how the that's how this thing is infecting people so if you've heard that already great if you haven't heard that I 
want to point that out that the mask could be a good reminder about not touching your face wash your hands frequently and because the incubation period is pretty long where people have it and they don't know it yet when it breaks out it the infection could be pretty pretty hideous alright so that's my public service announcement so back to CCA I enjoy what I do love having you here if you haven't already subscribed let other people know you're watching this if there want to get their CCNA we have a lot of fun in these sessions I'm gonna be covering a lot of the topics on the CCNA blueprint probably not all of them in full totality but a lot of the ones where I can allow to add value that's where we'll be adding them coming up we're gonna have ipv6 routing which is going to be very important we also have subnet Saturdays we're rounding out and I also really appreciate your comments oh Marie's asking about my new studio and he asked me to either if you don't take pictures it's not real so I took some I took some pictures and let me see if it shows up here all right that's not my studio that's my cat but I do have a video of my studio let me show you some stamps so it's currently a workshop area and at least if I can get the focus on that just right oh oh no it's not going to happen all right I'm making a video or a documented process of me creating it and stuff is coming out new stuff is going in to probably take a few months but my goal is to get it done before the end of 2020 to have that fully operational fully functional so thank you for the recommendation it is coming along and it's give me a lot of fun I have one little question problem that I've got it I've cuz the workshop I've currently got the water softener in the corner and so I'm thinking maybe I leave it there because I don't have to replumb that and a whole lot it's like maybe I'll leave that there and maybe also have an elliptical that I'd like to have somewhere at that property which I currently have 
here so I was thinking maybe I'll put the elliptical like in one corner when end of the room and then have a curtain for noise deadening and then use the rest of it for the studio we'll see I'll let you know I'll build a collection of pictures and I'll put it all together in a video near the end so be several months of work in a four to five minute video yep Michael ight good observation and let's see here Victor's asking if I have a topology with several firewalls in several routers and several switches which device should do then adding for the network and the answer to that the cut that's a good question they give three devices that could do NAT which one should do NAT if you have a firewall in that mix that's the device that should be doing in that because it's purpose-built it's got better hardware for that purpose and it has more CPU ummph focused to the energies of defending the network and stateful filtering and because it's doing stateful filtering stateful filtering is a fancy way of saying let's imagine you and I go to an amusement park so we go to the amusement park we pay the more than the stock price to get in so we pay $100 or whatever you go in the music park and then we need to go out to our car well when we leave if we need to go to her car just for a few minutes and we want to come back we don't have to pay again we need some way of proving that we've already been there so what they used to do used to stamp our hands so we have this stamp and they could check it with an ultraviolet light and verify the stamp and that's sort of like how a firewall works today so Larry or Bob on the inside of the network as he's going out there's probably not involved and he's going out a stateful firewall is gonna remember that session it's going to allow permission wise for Larry to make that initial connection going out at the same time there's Mesa NAT who's tracking that session doing source address translation to a globally routable address so the traffic 
goes out and then when they return traffic comes back back to Larry it untranslated sus the NAT part and then the firewall is permitting that traffic from the outside untrusted world to come in from a permissions perspective because it maintained the state table like a rubber stamp that Larry's packets went out they got stamped on the way out remembered and then the reapply traffic if it's correct for Larry session it would dynamically allow it back in so I would say that if you have a firewall that is very likely and all your traffic is going through it that's very likely the best place to do your natin and a production network because their security benefits of that as well and also you just manage it all right there here's the NAT here's the security permissions and so forth so thank you for the question oh and Michael's all over it I should looked at Michaels feedback thank you thank Fareway is helping with other people's questions and Nason you are very welcome for the stream glad to do it never else for those kind words thank you thank you thank you for being here and I don't see any other questions so it is Sunday at least in this time zone Pacific time zone our next stream is on Wednesday and Wednesday we're covering another CCNA topic I haven't identified it yet but I will publish it out on discord and I also publish it out on LinkedIn and LinkedIn Twitter and Facebook so if you're on any of those platforms following me you'll know about it as well and enjoy your week have a great one it's great to get to know you better I feel like I have a better knowledge of of the people in this community based on your questions and in discord and I'm having a great time so persist in your studies it is definitely worth it you can definitely do it and I'll see everybody as I find my exit button I'll see everybody in the next live stream thanks everyone [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music]
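As an added example (not part of the stream or its lab), the small Python script below turns the four columns of show ip nat translations into the two perspectives the stream keeps coming back to, Larry's local view and the global view of the same packet, using the lab's addresses; the table text is constructed to mirror the IOS output and the inside/outside static entries shown during the session.

```python
# Added example (not from the stream): decode `show ip nat translations` rows into
# Larry's local view and the global view of one packet. Lab addresses; table is constructed.
from dataclasses import dataclass

SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 192.168.1.10:1558  10.16.0.10:1558    10.16.6.99:80      192.168.1.100:80
--- 192.168.1.10       10.16.0.10         ---                ---
--- ---                ---                10.16.6.99         192.168.1.100
"""

@dataclass(frozen=True)
class NatEntry:
    proto: str
    inside_global: str   # inside host as the outside (global) world sees it
    inside_local: str    # inside host as Larry (local) sees it
    outside_local: str   # outside host as Larry sees it
    outside_global: str  # outside host as the global world sees it

def parse_translations(text):
    """Parse the IOS table; '---' marks an unused half of a static entry."""
    entries = []
    for line in text.splitlines()[1:]:      # skip the header row
        cols = line.split()
        if len(cols) == 5:
            entries.append(NatEntry(*cols))
    return entries

def _addr(field):
    return field.split(":")[0]              # drop the :port if present

def _lookup(entries, have, want, value):
    """Return the `want` column of the first entry whose `have` column matches."""
    for e in entries:
        if _addr(getattr(e, have)) == _addr(value):
            return _addr(getattr(e, want))
    return None

def global_view(entries, src_local, dst_local):
    """Packet leaving Larry: inside source NAT rewrites the source, outside
    source NAT rewrites the destination; unmatched addresses pass unchanged."""
    src = _lookup(entries, "inside_local", "inside_global", src_local) or src_local
    dst = _lookup(entries, "outside_local", "outside_global", dst_local) or dst_local
    return src, dst

def local_view(entries, src_global, dst_global):
    """Reply arriving from the outside, as Larry sees it after untranslation."""
    src = _lookup(entries, "outside_global", "outside_local", src_global) or src_global
    dst = _lookup(entries, "inside_global", "inside_local", dst_global) or dst_global
    return src, dst
```

Run global_view(parse_translations(SAMPLE_OUTPUT), "10.16.0.10", "10.16.6.99") to see the pair the outside world sees, and local_view with the global addresses to see the reply the way Larry receives it.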
Info
Channel: Keith Barker
Views: 15,737
Rating: 4.9782019 out of 5
Keywords: 200-301, 200-301 ccna, 200-301 cisco, 200-301 videos, 200-301 ccna certification, 200-301 study, cisco, ccna, networking, cisco ccna 200-301, cisco ccna certification, cisco ccna training, cisco nat configuration, Cisco NAT, nat, network address translation, inside global outside global explained, inside local outside local inside global outside global, outside local address, outside global address
Id: wLZ3_FuYDRs
Length: 127min 6sec (7626 seconds)
Published: Sun Mar 08 2020