Cisco NAT (Network Address Translation) | Cisco CCNA 200-301

Captions
Appreciate it, I owe you one. All right, hey, welcome everybody to CCNA Sunday. We are gonna focus on NAT, network address translation. If you ever wonder, hey, what's Keith like when he's not presenting? I'm a lot like this when I'm not presenting, I'm pretty much the same person all the time. I'm so glad to have you here. So in the world, look now, let's talk about what it is, why we need it, and then we'll actually implement it, and I'm gonna use some drawing tools right here, and I have some notes. I do have some notes from yesterday when I went to a dress rehearsal of the lab I wanted to do.

All right, so let's imagine that we have a company, let's call it Acme Incorporated. I also want to get your opinion on this too, so this is me, a little high, I mean the little circle in the top right-hand corner of my screen. All right, so let me know your feedback on that, whether I should keep that out in the future. All right, so going back to the desktop, okay, back to Acme Incorporated. We have several sites. Maybe we have a site we'll just call the headquarters site, and at the headquarters site they've got an IP addressing space of 10.16.0.0 with a 24-bit mask, so what we know that means is that this is the network portion, 10.16.0, and the last part is the host addresses. And we also have another site, and let's put the site that we'll call site 1, and at that site they're using, actually, I'd like to take a little bit of that off, you guys will be able to handle this. Let's say they're using 10.16.0.0/21, that's the address space I want headquarters to go ahead and use, and let's say for site 1 they're using 10.16.8.0, that's /21, at site 1, and at site 2 they are using 10.16.16.0/21. So we have three sites, geographically different locations, and that's their mask. So join me in Subnet Sunday, our Subnet Saturdays, and we'll talk about the masks, including that one. They just... Mr. Eel, that should be a 21-bit mask, great.

So let's imagine we have computers at each of those sites. Say we have a PC here and its IP address is 10.16.0.10, and at site 1 we have a PC out here somewhere off the 10.16.8 network, or the 10.16.16 network, and we'll call that PC 2 and we'll call this PC 3. All right, so what is in common with all of these networks? The answer is, what's in common is that they all start with a private RFC 1918 address. So RFC 1918 is a standards document that was written a long time ago that basically says that here are some addresses you can use internally, and the benefit of that is that if we have a company and we need to do IP addressing in the company, we can use these sets of addresses. So anything that starts with a 10 is a private RFC 1918 address, everybody can use it and a lot of people do. Another range of addresses that's private from that same RFC is 172.16 through 172.31, anything that starts with that is an RFC 1918 address, and the third one is 192.168.anything. Those are all private. So there's nothing wrong with private addresses inside of a company, because you can reach everything, it's wonderful. However, when you try to go out of that company, or you try to reach somewhere else, the internet doesn't like those private RFC 1918 addresses. Nothing doesn't like them, but it won't forward them. So if this is the internet, and you might be thinking, you know, Keith, I thought the internet was gonna be a lot bigger than that, well, in this case this is our internet, and so with this internet, if we have any addresses that come from those private RFC 1918 addresses, I'll put them in order: 10.0.0.0 with a /8, or 172.16.0.0 with a /12, or 192.168.0.0 with a /16, that's the actual beginning parts that represent the RFC 1918 addresses. So the challenge is we can use those internally in our companies, but if a computer or a person with an IP address like this wants to go to the internet, the internet does not route private RFC 1918 addresses. They need a real address, so the real addresses would be everything, or a lot of addresses, outside of these ranges.

So what we do is we get a device between our networks and the internet, and we'll call this, let's call it Router 1, and we do this game called lie. That's the game, that's the game of network address translation, and there's a few flavors of it and I'd like to share one of them with you. It's called source NAT, source network address translation, and I'm gonna jot something up, source NAT. Okay, with source NAT, what it means, and this is pretty cool because a lot of people don't get this, even people who work with computer networks for a long time, source NAT means that when a person like Bob the user is gonna send a packet out, if we're going to translate that IP address, his source address, Bob's source address, like on this computer here, 10.16.0.10, if on the initial flow of traffic we're gonna swap out that IP address for one that can be routed on the internet, that's referred to as source NAT, because we're swapping out the source address on the initial flow of traffic, that's all it means. So let's imagine Bob's computer here is 10.16.0.10. Before it goes to the internet we're gonna go ahead and swap it, so if we looked at the packet, Bob's packet, it would have a source address of 10.16.0.10 before NAT, and let's imagine that he's going to a server. Now in my little pretend internet here I'm gonna use an RFC 1918 address space of 192.168.1, but that's just for a little lab, so in this topology, any time you see 192.168, that's just representing my little pseudo internet right here. So if Bob is going to a web server and his source address is 10.16.0.10 and his destination address is, let's go ahead and make it 192.168.1.100, let's imagine that that is a server out here on this little pseudo internet. Now the internet is not going to allow Bob to use a source address of 10.anything because it's a private address, and so what happens is we train this router, Router 1, to do network address translation, and we simply give it rules, and those rules are gonna say things like, please translate Bob's source IP address before you ship it out to the internet. And there's not eleventy billion ways to configure it, but there's several, and so in this demonstration I'd like to go ahead and talk about a couple of those, demonstrate them, and then confirm, you know, what we did with the network address translation.

So one of the options is we can create a pool of addresses that we can use with NAT, and so it would go something like this. Let's imagine our service provider gave us a pool of addresses of 192.168.1.201 through 254, so they gave us about 50, what is that, 54 addresses, so they gave us 54 addresses that we could use for the benefit of NAT. So what we could do is we could make a pool on our Cisco router and specify our pool range as 192.168.1.201 through 254, so that's our pool, and then we'd specify who we want to do the translations for, if their traffic, and I'll use a different color here, if their traffic is going in this direction, outbound, I mean out to the internet. So let's make a plan together. Do we want this router to do network address translation for everybody on the 10.16.0 network and the 10.16.8 network and the 10.16.16 network, or do we want to just do network address translation for one of those networks? Or, check this out, and if you've been with me in Subnet Saturdays you're gonna love this, we could just say to the router, hey, if any of the source addresses begin with 10, let's go ahead and translate any of those source IP addresses that start with 10 as they go through the router. And to do that we're going to use an access control list and a wildcard mask. They're not just for breakfast anymore. So even though we use wildcard masks with OSPF network statements, we also use wildcard masks in ACLs, and then we're using ACLs as part of this NAT statement.

So let's take a look at all the pieces we would need to do, and then we'll just do it live on this lab. So we need to identify the interfaces involved on Router 1. I'll put them in blue. So the interface here that goes up to the corporate network, this is gig 0/0, and this will be important in just a moment. So we need to know which interfaces we're expecting those two, that NAT traffic, to come in on, and this would be, I hope that's right, this is gig 2/0, and what I have is the gig 2/0 actually covers both of these networks here, so PC 2 and PC 3, when they come in, they're gonna be coming in on the 2/0 interface. So there could be lots of other routers between there, but they'll be coming in, and the reason that's important is we need to tell these interfaces on R1 that from a NAT perspective those are internal, or inside-facing, interfaces, and we do that with a little command called ip nat inside, and I'll label them here. So in the rules that we're gonna give this router, we're gonna say, hey, dear Mr. Router, any traffic that comes in on one of these inside interfaces, and if that traffic has a source IP address of 10.anything, and you're going to be routing those out to the internet, then we want you to go ahead and swap out that source IP address with an IP address from the pool before you forward the packet. Now the client has no idea that this NAT is happening, but what happens is the router that's doing the NAT, it also could be a firewall, in many cases the NAT's often done on firewalls as well, but the device that's doing the network address translation remembers the details about the source IP address, the destination IP address, and it's also tracking all the ports involved, what layer 4 protocol is being used, is that TCP, is it UDP, is it something else, because there's a few more other than just those two, and then it memorizes all the ports, the source port, the destination port, because when that server on the internet responds back and goes back to that IP address that the NAT device, you know, used, the NAT device has to do an untranslate, a way to think about it, untranslate, then puts the original IP address back in and then sends it back to Bob the user.

So the initial flow of traffic, we're gonna swap out the source address, and on the reply, when it comes back, that same NAT device is going to undo its tangled web and so respond back to the client with his normal address. So again, to the client, it doesn't really know that there's this magic happening, it just knows he has connectivity. So I think what I would like to do is I'm gonna write some of this down, because we're gonna have to configure it and this won't be on the screen while we configure it. So the pool is gonna be 201 through 254, awesome, and we are going to translate anybody who has a source IP address on 10, so that's great, I'm making a note of that. These two interfaces, gig 0/0 and 2/0, are going to be inside interfaces from the perspective of NAT, and that reminds me of something critical, that's this interface right here, which is gig 1/0, we're going to label that as outside. And that way, as the router is making a routing decision, and the way it goes is like this, the router is a router first and foremost, and so it's making these, when it gets a packet, it makes a routing decision. So when a packet comes in a certain interface it looks at its routing table and says, okay, how do I need to forward this to move this packet on its way? After that routing decision is made, then, after the routing decision is made but before the packet's forwarded, if there's NAT rules in place, that's when it says, oh, this packet's coming in on an inside interface, it's going to an outside interface, it's going to be routed out an outside interface, I need to apply the rules. Well, does it start with 10? Yep. Do I have a pool of addresses I'm supposed to use? Yup. And then it goes ahead and swaps them out and then forwards the packet with the lie about the source IP address, and that's how dynamic source NAT works on a Cisco router.

So I think I have all the details here. I'm going to very carefully hide this screen but not delete it, because we may need to come back to it, and let's go to a couple devices first just to make sure what we're working with. "The password you entered is not correct." All right, so this is one of our clients. I'm just gonna do a couple of verifications of IP addresses, and one way of doing that is just going to a command prompt and typing in ipconfig on this Windows 10 computer. Okay, so this is 10.16.0.10 at corporate headquarters. I've got some other machines that we can play with. I've got one, Nevada PC 1, that'll do, he's got an IP address of 10.16.8.101. I'm gonna jot this down, 10.16.8.101, and that is Nevada PC 1, and in our drawing, which I will bring back to the front, I called him PC 2, but PC 1 is going to play our role of that device in the 10.16.8 network, great. So we hide that again, and let's also choose Florida PC 1. So Florida is our other site, Florida PC 1, its IP address, oh wow, okay, 10.16.20, good to know. All right, so I have their IP addresses, and if we set up our rules so that we're going to match on the first octet, the 10, it won't matter what the second, third or fourth octet are. All right, also from R1's perspective, while we'll be doing this, I want to make sure I have routes. If we don't have routes on a router it's really hard for it to do its job. So this is the full routing table on this router, and the way we would read this, the command is show ip route, and the way we would read this is, well, we've already had videos on that. So this is the routing table. I just want to make sure we had reachability to basically everywhere, and on this router we do, some OSPF routes, some static routes, some directly connected routes, it's all wonderful.

All right, so let's first of all create the pool of addresses that we're gonna use for the translation, and to do that the syntax is ip nat pool, and then we simply create a pool name, how about our-pool, just like that. So we've created this pool, and we have to identify the details about it. So the range, I'm going to bring that back just for a moment, the range we're going to use is 201 through 254 for the pool of addresses that we can use for the translations. So what we'll do is we'll simply specify, we'll specify 192.168.1.201, space, and then the ending of the range, which is 192.168.1.254, based on our plan, and again, in our peek here, just looking at our plan, okay, that's our pool range of addresses. And we're also going to specify the netmask. This is one of the few times, by the way, where if you use the keyword prefix-length you can do a /24, or if you want to use a dotted decimal mask you just put in the keyword netmask and then the three-octet mask, which is what we're gonna use here, with the last octet off for that mask. All right, good to go. All right, one step down. Now we, I guess, we have our plan, we created this pool, next let's create an access list. Now when I was first learning Cisco, back in the 90s, early, well, maybe it was late 80s, anyway, when I was first learning Cisco I didn't really appreciate the value of an access list, because I was taught, oh, an access list, you create it, you can put it on an interface of a router, and then it can control traffic, whether it be permitted or not. That's all true, but the access list, as it makes that identification of traffic, like yes, this matches, or no, that doesn't match, that aspect of matching on traffic is really the most important part of an access list. So what we're going to do is we're going to create an access control list that we're going to use as a part of NAT, and then this access control list will simply tell it, hey, we want to match on everything that begins with 10 and not care about the second, third and fourth octet, and then we'll use that as part of our NAT rules.

So if we go to the desktop again here and we create an access list, so do show access-list. This is a hugely important thing to do, and here's why. Before we create an access control list we ought to verify if that access list already exists, because the mistake that a lot of people make is they'll not know, or not check, to see if an access list exists, they'll create one, and what they're doing is they're adding lines to the bottom of this access control list, which is a nightmare, so whatever you're using the access control list for, it's going to be messed up if you start adding lines accidentally. So I did this show command right here, the do show access-list, just to see that we have no ACLs currently on this router. Then to create an access list, which we haven't done in our Subnet Saturdays, we have not done this yet in our live streams for CCNA Sunday, and we'll do a whole section on access lists, but the syntax, one of the ways of doing it, is access-list, and then we use the number of 1, which is a standard access list. And the difference between, or what a standard access list can do, let's talk about that. A standard access list can only match based on source IP address information, that's it. So if you and I were going out to lunch with a standard access list, and we said, hey, how you doing, can you match on a layer 4 protocol like TCP or UDP? It'd say, I don't know what that is. Okay, if we said, hey, can you match on a destination IP address? It would say, nope, all I do is match on source IP information, that's it, that's all I do, as a standard access list. And for our purposes, I thought, we're doing source NAT, we should want to match on the source IP address information, so that's all we need. So we'll do a standard access-list 1, and then we'll specify permit, which means we want to match on this and allow it. We want to permit anything that starts with 10. So here's some more context-sensitive help, so we'll put in 10 anything, and then look at this, this is so fun, wildcard bits are next, and here's how wildcard bits work. Wildcard bits simply say, I don't care, that's what they say. And so we're gonna say 0 for the first octet, because we want to match on that 10, so this 0 here corresponds to the first octet in the IP address that we're trying to match. We want to match on 10, but we don't care about the second octet, or the third octet, or the fourth octet, hence we're gonna put 24 wildcard bits on. I only have 10 digits here, we're gonna put 24 on for the rest of that, which means to whoever uses this access control list, okay, I'm matching on the source IP address of 10.anything, that's what this means, and we'll press Enter. It's all we need for our access control list, it's matching on 10.

All right, so we've made a plan, we've created a pool, and we can verify our pool is right here on the top of the screen with the range, we made our access control list, we have not yet identified the interfaces by telling them they're ip nat inside or ip nat outside, we'll do that as well, but the other thing we need to do is make a rule, and it basically goes like this. It's a cute, it's not cute, that's the wrong word for it, it's a fun little statement that says, dear Mr. Router, if you see a packet, and if that source IP address matches 10, I want you to go ahead and translate that source address with one of the available addresses you have in that pool before you forward or route that packet out, and that's only if the traffic came in from a user on your inside interfaces and you're routing that traffic out on an interface that's been identified as an outside interface from a NAT perspective. So the syntax goes something like this: ip nat, and I'll use some context-sensitive help here, inside. So inside simply represents, hey, the traffic that's sourcing, or coming in, from the inside, meaning it's going into the router on interfaces labeled as inside, and we are going to be doing a source address translation, meaning we're swapping out the source addresses, and we are going to go ahead and do ip nat inside source, we're using list, the access list that we just made, and then we're gonna point to that access list that we just made, and then we're gonna use pool, that we also just made, well, a few moments ago, and then the pool name. This is important, if you get the pool name wrong it won't work, so what did we call the pool name? We called it our-pool. I'm gonna copy-paste that literally, scroll down and right-click and paste it in, space, and then we have this keyword here which I'm not going to use yet, but let's talk about it.

I'll bring up my video in a circle here. Let's talk about not enough IP addresses. If we had a hundred clients in our company, in our organization, and they all wanted to go to the internet, there's not enough globally routable separate IP addresses for each one of them to have their own, so what we do is we use a game where we're gonna use one IP address on the outside, and we'll simply have all those hundred clients, as they go through, we'll tell the router, just reuse that IP address over and over and over. Yes, so Bob and Sally and PC 1, PC 2 and everything else is going out to the internet, as they go out their source address is being translated to that same IP address that we told it to use, and the challenge here is, well, if you have a hundred clients and they're all going out to the internet with one IP address, when the internet comes back, when they respond and all those packets are coming in, how in the world does the router know which clients to untranslate it for and send it back? And the answer is ports. That's most of the answer, but the official answer is ports. It's tracking on all the port information and keeping them unique, and so when a packet comes back to port 38020, the NAT device, the router running network address translation, is gonna say, well, oh, I see that that port that I'm associating with this session belongs to this client, it will untranslate it and forward it back to the client. That is actually called PAT, port address translation, and so when people talk about NAT, most of the time what's going on behind the scenes is probably some level of PAT, because we're overloading on one IP address, and that's why it's called overload right here in this syntax. If we use the keyword overload, the router is gonna say, okay, great, I'm just gonna start loading up on one IP address. And we can also point to the interface, there's also an option of saying map all these translations to the IP address, Mr. Router, that you have on your outside interface, that's an option as well. But in our case I want to demonstrate NAT, this is dynamic source NAT, meaning every client on the inside, as they go out, are gonna get their own IP address from the pool, and it's done dynamically. So what this would be called is dynamic, meaning the translations don't show up until the clients actually show up and say I have traffic going out, so this would be called dynamic source NAT, because we're giving a one-to-one mapping from the pool, and we're also doing source address translation, and it's happening dynamically based on client traffic going through. Dynamic source NAT.

All right, so let's press Enter, and then let's do a do show ip nat statistics. Okay, so here's what we have so far. This is showing us we have a pool called our-pool, this is showing us we're using access list 1, here's the pool range. Oh yeah, we haven't told the router about its interfaces yet, so let's go ahead and bring up the visual here for a moment. We need to go to these interfaces, gig 0/0 and 2/0, and say that they are inside interfaces from the perspective of NAT, and on this interface, 1/0, that is the outside interface. So we'll do that now, and you know, I'm not gonna guess at this, I'm gonna do a do show ip interface brief. I want to verify the interfaces. All right, so this interface here, gig 0/0, is the one that goes up to the client PC. Gig 2/0 is the interface, based on IP address in this topology that I'm fairly familiar with, this goes out to PC 1 in Nevada and PC 1 in Florida, the other two sites, and then this gig 1/0 is my little pseudo internet that I have. So we'll go ahead on this interface, we'll specify that it's an ip nat inside, we'll specify 2/0 is ip nat inside, and also specify 1/0 is ip nat outside. So let's just do it. So look at interface, I just want to make sure the interface is right, 0/0, gig 0/0, measure twice, cut once, all right, and ip nat inside, just like that. And we'll go to interface gig 2/0 and ip nat inside, and what we just did right there was we just told these two interfaces, as I check my work, 0/0 and 2/0, perfect, that they are both inside interfaces from the perspective of NAT. And we'll go to interface gig 1/0, I need to click here, there we go, interface gig 1/0, which is gonna be our outside interface, and do ip nat outside. All right, now ip nat outside, let's have another look, okay, either way it would work because it's unique. Um, I think that's it. If you do a show ip nat statistics, that's a really great high-level overview, showing us our outside interfaces, our inside interfaces, the pool, the range and the access list involved, and then we could do a show access-list just to verify what that was. Okay, so anything that starts with 10 is gonna be a match, and this NAT rule should kick off.

And that's the live stream, now this is the point of the show, I dropped my paper, now this is the point in the live stream where we, yeah, the pucker factor, what is it, is it gonna work? I hope it's gonna work. I think we have routing in place, we've configured, we made a plan, we did the access list, we did the ip nat inside, outside, we did the ip nat inside source static command to tell it to do it, so let's test it. And to test it we can do this, we can go ahead and do a show ip nat translations, nothing, and that's because it's on demand, or it's dynamic. Well, there won't be a translation until we have clients who are generating traffic, so let's go to our client PC and let's do a trace, let's do a tracert. So tracert is how you spell trace on a Windows 10 computer, -d for don't bother doing name resolution, and 192.168.1.100, that's the server's address. So it's being routed through the, oh, look at that, yeah, okay, so it got to the server at .100. If we go back to Router 1 and now we hit the up arrow key, look at that, nice, nice. So when Windows does traceroute it uses ICMP, so to the NAT device it kind of looks like a ping request, but there we go, so there's our translation. So this host at 10.16.0.10 on the inside was assigned the IP address for the translation of 192.168.1.201, and because we're using NAT, not PAT, the next client, the next different client that we send traffic through, should use a different address. Let's go ahead and, well, let's actually, let me demonstrate on the client that we can open up a browser. Let's open up a browser, go to the same server, 192.168.1.100, there's a beautiful web page from that server. We'll go back to our management computer, hit the up arrow, and boom, so look at this, I love this. There's our translation, that hasn't changed, but now we have TCP traffic that's being tracked that it's being used for, so the client used the source port of 1546 going to the well-known port of 80, and the other one, the ICMP, it timed out. So based on the actual sessions that are in use, after not being seen for a while they'll time out, but the mapping is still here, so perfect.

All right, let's go to a different device. Let's go to, and bring my topology here, let's go to the device on the 10.16.8 network, that's going to be represented by Nevada PC 1. So we'll go to Nevada PC 1 here, and its IP address is 10.16.8.101. Let's first do a ping to 192.168.1.100 to verify if it works or not. I'm pleasantly surprised, and let's go back to R1. Oh, I moved, I'm out of position, what is that, okay, hold on, again I want to go back to R1, I want them up here, oh please, okay, I'll split-screen it, let's do that. Okay, so here's R1 all by himself, and here's the rest of the world. So on R1, if we do a show ip nat translations, I need it bigger, hold on a second, I want you right there, all right, okay, so it's not all crunched in. So here's our translation for our PC, the Windows client, and this is the translation that was just invoked for the device at 10.16.8.101, which is our Nevada PC, and there are the translations that it's using for that ping request. So back on this, one of the things I like about this virtual PC that we have is if we do a trace, we can do that trace with some options. By default it uses UDP, but we can also specify TCP for the trace, and so that way we can see that path, that traffic, at the network address translation. So let's do a trace to 192.168.1.100 and let's go for TCP, so we'll do a -p for, I want to use the protocol, protocol number 6, that is the decimal protocol number for TCP at layer 4. So you see that command, we'll go back and take a look at R1, and we should see that with that same translation of .202 for the client at .101, that it was doing, it had a session in place with TCP traffic. Let's do one more, and let's go to Florida PC 1. So this represents yet a different client on a different segment of our network, and we'll just do, let's do that same trace to 192.168.1.100, and this time let's use UDP, so -p, and UDP is protocol, oh man, eleven, yeah, no, 17. Okay, so let me tell you why I did that. Sometimes when you look at protocol analyzers they'll show 17 as hexadecimal 11, which is a 16 position and a 1, so that makes 17, so I didn't know if it was asking for it, so decimal 17 is the protocol for UDP, and that's my story and I'm sticking to it.

All right, so that worked. I'm going to go ahead and do it again, then we'll look at our translation table here on R1, and we should have a new translation for that new client, and we do. So there's the PC, the Florida PC we just worked with, and there are some of its UDP information, but once these sessions all time out, the actual UDP information, we're going to have separate translations, one for the Windows client, this is for our client in Nevada, this is for our client in Florida, and that's how dynamic translation works with source NAT on a Cisco router. So I think we got all the pieces. Let me bring up the topology again, actually let me clean off the back here, buh-buh-buh-buh-buh, all right. So we were able to create the pool, identify the interfaces, whether they're inside or outside, create the access list, create the NAT statement that said if traffic matches a source address of 10 and it's being routed from inside to outside, go ahead and translate them and make a translation for them from their original source address to an IP address in the pool, and that's it. So I think that's all I wanted to cover in this session, so I do want to thank you all for joining me for network address translation. This is at the CCNA level. For CCNA they're not going to ask a lot more than what we've just seen here. The other option would be just using PAT, and, you know, using a single IP address, but this is as hard as it's going to get as far as configuration and understanding how it works at the CCNA level. Now when we get to the professional level and IE level there's all kinds of interesting stuff like destination NAT and port redirection and a whole bunch of other options that can happen on different appliances, but for us this is what we need to focus on. So thank you very, very much for joining me today for this live stream on NAT, and with that I'm gonna sign off.
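An added model of the dynamic source NAT built in the lab above (example code written for this page, not the router's or the presenter's own): it applies the standard ACL's wildcard match, hands out inside global addresses from the 192.168.1.201-254 pool only for traffic going from an ip nat inside interface to the ip nat outside one, remembers protocol and ports so replies can be untranslated, and renders the matching IOS lines; it goes slightly beyond the video by also showing pool exhaustion and the overload (PAT) variant. The GigabitEthernet interface names, the Florida host address 10.16.20.55 and all packets are constructed assumptions.

```python
# Added model of the lab's dynamic source NAT (constructed example, not IOS code).
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"
    sport: int  # for ICMP this stands in for the identifier
    dport: int


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


class StandardAcl:
    """Numbered standard ACL: source address only, implicit deny at the end."""

    def __init__(self, number: int) -> None:
        self.number = number
        self.entries: List[Tuple[str, str, str]] = []  # (action, network, wildcard)

    def permit(self, network: str, wildcard: str) -> None:
        self.entries.append(("permit", network, wildcard))

    def permits(self, src: str) -> bool:
        for action, net, wc in self.entries:
            if wildcard_match(src, net, wc):
                return action == "permit"
        return False  # implicit deny: not a NAT candidate


class NatRouter:
    """Inside-to-outside source NAT like Router 1; overload=True switches to PAT."""

    def __init__(self, pool_name: str, first: str, last: str,
                 acl: StandardAcl, overload: bool = False) -> None:
        self.pool_name, self.acl, self.overload = pool_name, acl, overload
        self.pool = [str(IPv4Address(i)) for i in range(int(IPv4Address(first)), int(IPv4Address(last)) + 1)]
        self.role: Dict[str, str] = {}      # interface -> "inside" / "outside"
        self.addr_map: Dict[str, str] = {}  # inside local -> inside global (1:1 dynamic NAT)
        # (proto, inside global, global port) -> (inside local, local port), like 'show ip nat translations'
        self.table: Dict[Tuple[str, str, int], Tuple[str, int]] = {}
        self._next_port = 1024

    def _allocate(self, pkt: Packet) -> Optional[Tuple[str, int]]:
        if self.overload:                   # PAT: one address, a unique port per session
            self._next_port += 1
            return self.pool[0], self._next_port
        if pkt.src not in self.addr_map:    # dynamic NAT: one pool address per inside host
            free = [a for a in self.pool if a not in self.addr_map.values()]
            if not free:
                return None                 # pool exhausted
            self.addr_map[pkt.src] = free[0]
        return self.addr_map[pkt.src], pkt.sport  # ports are left untouched

    def forward(self, pkt: Packet, in_if: str, out_if: str) -> Optional[Packet]:
        """After the routing decision: translate only inside -> outside, list-matched sources."""
        if self.role.get(in_if) != "inside" or self.role.get(out_if) != "outside":
            return pkt
        if not self.acl.permits(pkt.src):
            return pkt                      # e.g. a non-10.x source is routed unchanged
        for (proto, g_addr, g_port), local in self.table.items():  # reuse a live entry
            if proto == pkt.proto and local == (pkt.src, pkt.sport):
                return Packet(g_addr, pkt.dst, proto, g_port, pkt.dport)
        alloc = self._allocate(pkt)
        if alloc is None:
            return None                     # dropped: no free inside global address
        g_addr, g_port = alloc
        self.table[(pkt.proto, g_addr, g_port)] = (pkt.src, pkt.sport)
        return Packet(g_addr, pkt.dst, pkt.proto, g_port, pkt.dport)

    def reply(self, pkt: Packet, in_if: str) -> Optional[Packet]:
        """Return traffic on the outside interface: put the original address and port back."""
        if self.role.get(in_if) != "outside":
            return pkt
        entry = self.table.get((pkt.proto, pkt.dst, pkt.dport))
        if entry is None:
            return None                     # nothing remembered for this port: dropped
        return Packet(pkt.src, entry[0], pkt.proto, pkt.sport, entry[1])

    def config_lines(self) -> List[str]:
        """The IOS statements this model corresponds to."""
        lines = [f"ip nat pool {self.pool_name} {self.pool[0]} {self.pool[-1]} netmask 255.255.255.0"]
        lines += [f"access-list {self.acl.number} {a} {n} {w}" for a, n, w in self.acl.entries]
        lines.append(f"ip nat inside source list {self.acl.number} pool {self.pool_name}"
                     f"{' overload' if self.overload else ''}")
        for ifname, role in self.role.items():
            lines += [f"interface {ifname}", f" ip nat {role}"]
        return lines


def lab_router(overload: bool = False) -> NatRouter:
    """Router 1 from the lab: pool 192.168.1.201-254, list 1 permits 10.0.0.0 0.255.255.255."""
    acl = StandardAcl(1)
    acl.permit("10.0.0.0", "0.255.255.255")
    r1 = NatRouter("our-pool", "192.168.1.201", "192.168.1.254", acl, overload)
    r1.role.update({"GigabitEthernet0/0": "inside", "GigabitEthernet2/0": "inside", "GigabitEthernet1/0": "outside"})
    return r1
```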
Info
Channel: Keith Barker
Views: 15,572
Rating: 4.9194632 out of 5
Keywords: cbt nuggets, cbt training, ccna, ccna 200-301, ccna certification, ccna study, ccna training, cisco, cisco ccna, cisco certifications, cisco training, network address translation explained, network address translation cisco, network address translation in computer networks, network address translation table, network address translation tutorial, network address translation configuration cisco, network address translation, nat, pat
Id: MrslAxSNJkI
Length: 36min 44sec (2204 seconds)
Published: Sun Feb 02 2020