Cisco SD-WAN 021 - Service VPN1 Dynamic and Static NAT

Captions
How's it going, everybody. In this video we're going to go ahead and take a look at our next NAT topic, which is going to be both static and dynamic NAT. We're going to start off with dynamic NAT when we go through and set up our deployment, but then we're also going to roll out static NAT. We're not going to deal with port translation, in other words going from, like, 8080 to 80; we're not going to do that. But we are going to take a look at setting up a dynamic NAT range as well as a static NAT configuration for allowing access from the outside inbound. Okay, so the first thing we have to go do when we set this up is we actually need to take an address range from each one of our internet connections that we have, and we need to come up with something that we can leverage for the address block that we're leveraging. Okay, so now by default all these internet connections on the vEdge side are .2, so that means that .3 through .254 are pretty much available. Now, because we know that on both sides, vEdge3 and vEdge4, that's the option in my testing (I can't say that I've ever seen it in documentation; it could be there, but I just haven't seen it) where you can only have, for dynamic NAT, I'll just put "dyna", 32 IPs that can be allocated for a dynamic allocation. That simply means that whenever, say, user 1 wants to go out to the internet and he sends traffic outbound, whatever IP address is first available, let's say it's .20, then he'll get the IP address of .20, the public IP address of .20. And if user 2 goes out then he'll get .21, and then .22, .23 and so on as the traffic goes out and users start needing to go out and use internet connectivity, right? And then when user 1 is done, .20 will be released back into the operational capacity. Now we're going to have to come up with an address range or figure out what it is that we're going to go do, so we're going to go max it out with 32.
So 32 is actually a pretty easy number to subnet in this particular case, so the way I broke it down, as I figured this out ahead of time: if 32 is our range, right, we have 32, let's actually do it over here. If 32 is our range, then 0 is going to be the beginning, because that's going to be the network ID for the 192.1.3.0. 32 is our range, so that means that the next one is going to be 64, then 96, then 128, then 160, then 192, then 224, then 256, right? So I took one right here in the middle, so that the back half could be used for whatever we want; the lower half can be used as well. So this is going to be our range, 96 through 127. Okay, now on top of that, when we have that defined, the other thing we have to keep in the back of our minds is when we're doing our static NAT configuration, so allowing external access internally, whether it's opening up an HTTP session or whatever the case might be, we have to grab an IP out of the dynamic NAT range. So I'm going to allocate 127 to be able to talk to the loopback of IOS 13, which is going to be 10.3.130.13, and then I'm going to do the same thing here for IOS 15, which will be 10.4.150.15. So those are both going to get .127 public IPs. So when we go to ping, say, 10..., all right, when we go to ping 192.1.3.127 we'll actually be pinging 10.3.130.13, and if we open up a web connection that's where that will go, and that's basically how that will operate. I'm going to keep the static PAT configuration in play, which will still mean, when we go to test it, that when we telnet to .2, so 192.1.3.2, we're going to be able to connect to 10.3.13.13.
So with that all in play and us understanding all of that, let's go ahead and clear the screen and get this set up. So I'm going to go ahead and pull up vManage, we're going to bring vManage over, and I'm going to log in to vManage, so admin and admin. So now that I'm logged in, I am going to come over here to the Templates page, I'm going to click on Feature, I'm going to expand this out, organize them (I kind of wish they would be automatically organized, but it's whatever), I'm going to come down to Single Site and I'm going to click on ge0/0. Okay, I'm going to go ahead here to Edit, let that pop up real quick, we're going to come down to NAT, and underneath that, since we already have it enabled, one of the first things we have to do underneath the NAT Pool Range Start is, this is where our first IP address is going to go. So here I'm just going to click Device Specific, because it's going to be specific per device, so I don't want to go in and manipulate it here. Do the same thing here, Device Specific. So now that I've got that in play I can go ahead and click on Update, and that's going to apply to both vEdge3 and vEdge4. I'm going to come in here and edit the device template, and I'm going to give it the start, which is going to be 10..., sorry, in this case here it's going to be 192.1.3.96 through 192.1.3.127. Okay, I'm going to go ahead and click on Update, and then do the same thing over here on vEdge4: 192.1.4.96 and 192.1.4.127. Click on Update, and then click Next and Configure Devices, go ahead and push that config down, and then after a moment or so we will be in good shape. I'm going to pause until this guy is committed. All right, so the configuration was pushed, so I'm going to go ahead and minimize that and pull up the CLI for our devices. I'm going to bring this guy over and we're going to go ahead and take a look at our configuration. We'll go ahead and log in real quick to the edges, show run vpn 0 interface ge0/0, and so what you can see here at the top is we have a
NAT pool range 192.1.3.96 through 127. Now, throughout the rest of this configuration, when we go to do our testing, things are going to do what they should do when I do NAT: .96 and so on and so forth. So let's go ahead and test this out. So if I go to IOS 13 and I try to ping 1.2.3.4, that should work. There it goes; it took a couple seconds for it to do its thing. If I do a traceroute to 1.2.3.4 numerically, I go out my local internet connection, right? If I come back over here to vEdge3 (and I do have to give a quick shout out to The Dark Knight, serious screen name, not a pun at all, a subscriber and someone that watches the videos on a regular basis, who has given me some feedback through the comments on some of the outputs, so this is a shout out to you), I'm going to go ahead and do show ip nat filter and then pipe tab. So you'll see that we have some communication going out back and forth; we can see that for VPN 1 we have communication coming from .96, .97, .98 and so on and so forth, from 10.3.13.13. So we can see, as more traffic is generated, that it's working the way that it's intended to. If I go back to 13 and I do a telnet to 192...,
I'm sorry, let's do 1.2.3.4. rob and cisco, and, well, as soon as I type the password incorrectly... rob and cisco, and then who. We can see we are .96, so it's working as we would expect it to. We're going to go ahead and exit out, and that's how you do dynamic NAT. Now if I was to try that from router 15, it'd be the same concept, right? We come in here, we do a ping to 1.2.3.4, the ping takes a couple seconds for it to respond back because we're trying to build a NAT statement, which we did. If we look on vEdge4 and we look at this output right here, we can see an active ICMP ping going out, and everything looks pretty good in that respect. So, awesome stuff. Now the next thing for us to go test would be the dynamic, or sorry, the static NAT, because we're doing dynamic NAT at this point. So I'm going to jump back over here to the edge, or vManage, excuse me. Oh no, I'm sorry, vManage, well, you see, they'll get it right. Come back over here to Templates, I'm going to go to Feature Template, and then I'm going to open this up a little bit to ge0/0 for Single Site VPN 0.
Come back over here to this guy and go to Edit, and then underneath the NAT construct I'm going to click on Static NAT, and this is where you would create a new static NAT. Remember that whatever IP address you want to use for your static NAT entry has to be inside of the NAT range pool; just keep that in mind. So I'm going to go ahead and create a new static NAT. The source IP in this case here will be, I'm going to come in, will be Device Specific, and the translated address will be Device Specific as well. The source VPN will be, I'm going to say, Device Specific; in this case here it will be 1, but I'm just trying to show you that you can do it either way. And then the static NAT direction, we're going to go ahead and say global is going to be inside. Okay, now this is not the same thing; this will not be used for allowing, say, the inet router to telnet into router 13 or router 15, for example. This will be for communication for an outbound... so an external device that wants to reach an internal source, for example if the inet router wanted to open up a web connection to the IOS 13 device, with the router running the web service, that would be allowed. That's what this is enabling. This is not the same thing as doing a static PAT, and a lot of the communication through, at least in my testing, static PAT, the static NAT doesn't allow the communication to go through that way. So the IP address that we point to on here for our connectivity internally, so web access and things like that, will be whatever the public IP address we give it in the static NAT config, so .127 for both vEdge3 and vEdge4. However, if I wanted to telnet into router 13 from inet, that would be a different configuration; that's going to be the static PAT, which we'll take a look at as well. So I'm going to go ahead and click on Add and click on Update, and I'm going to go over here to update the device template. We have some entries added, so the source IP address that we're going to be doing this for will be 10.3.130.13,
the public IP will be 192.1.3.127, and then the source VPN will be 1. Click on Update. Do the same thing here, Edit: this will be the internal IP, so 10.4.150.15, and then 192.1.4.127, and then down here this will be VPN 1. Click on Update, go ahead and click Next to push that config out, and I'll show you the config once it's been pushed. So while that gets pushed out I'm going to go ahead and, I'm going to say, pause the video. All right, so the config was pushed. If we go back over to the vEdge devices and pull up the CLI, if we look at IOS 13, if I was to try to telnet, let me go ahead and do a telnet to 1.2.3.4, rob and cisco, and type in who, you can see it's coming from .96. But if I exit out and I do a telnet and I /source from loopback 0, that should go out as well. There it goes, rob and cisco, of course I typed in the password wrong, rob and cisco, who. You can see it's coming in, oh, it's not .97, that's weird; it should be NATting over to... let me check the config on vEdge3. So if I do a show run vpn 0 interface ge0/0, that should be coming from .127, is where that should come from. So let me go back to 13 and exit out. Loopbacks here, show ip interface brief. Oh, sorry, not loopback 0, 130. My mistake, 130, not loopback 0, my apologies. Let's try that one more time. We're going to try that one more time, rob and cisco, and then who. .127, okay, there it's working. If we go back to vEdge3 and we do a show ip nat filter pipe tab, we'll see that there is an active connection going out to it, going to this IP; this is my source, public IP is .127.
So it is working the way that it's supposed to, and you can see that 10.3.13.13, when it went out to a destination of 1.2.3.4 via telnet, it had the IP address of 10..., 192.1.3..., so you can see it's working the way that it's expected to, right? Now here's the part that gets a little interesting. Let's go ahead and exit out. Now if I was to go to the inet router, for example, and try to telnet to 192.1.3.127, when I tested this configuration out it would not allow telnet. Ironically, now it's working. So look, I tested this out, I kid you not, last night, and I did a telnet connection to this and it did not go through. I was like, but why? I don't know why now it's working. We type in rob and cisco, of course I type in the wrong password, rob and cisco, now I'm on 13. So go figure, this is what it's supposed to do, but it did not when I originally tested it. So let me go ahead and exit out real quick, I'm going to go ahead and, oh, darn it, one second while I wait. Okay, so I tested that out and it does work, so we're in good shape there. So now this also means, from the inet router, let me go ahead and exit out, if I come in here and I do a telnet to that same IP address, 192.1.3.127, via port 80,
that also opens. If I go check back on vEdge3 and do the tab, we can see an inbound connection coming in, right, and that's what we want to see. It's coming from the public source address, is this IP address, so we know that it's... the destination address looks a little bit weird, but it is working the way that it's supposed to, so we have an inbound connection coming in. If we look on 13 and we do a show ip http server connections, we can see that 192.1.3.1 is the remote IP address and that it's working the way that it's supposed to. So that's basically what I wanted to test out and make sure that it was operational before we move forward. Okay, this, ladies and gentlemen, is how you configure dynamic NAT and static NAT at the same time. This is what you should see, so when you are on the outside looking in, now again, wait, I'm sorry, let me finish my statement: when you're on the outside and you're trying to gain access to the inside, the static NAT is what allows that to happen. Okay, I don't have a static PAT entry on vEdge3, so if you look back over here and do a show run vpn 0 interface ge0/0, I do not have a static PAT entry, so I'm not doing a port forward; I'm allowing that traffic to come through naturally. But that being said, in this case here it's working the way that we need it to, right? So that means that if I need to go through and do any additional configuration there are options for that for me to do, but right now I don't need to go and create a static PAT for doing port forward, because it's not necessary. But when I did my testing on it last night, I was like, let me see if I can't find that real quick for you and show you what I'm talking about. Okay, I did find it, it's actually right up the road here a little bit. Let me scoot up here just a little bit, so right here I was actually testing the config, let me scoot up just a little bit higher, right here I tried to do a telnet, blam, connection reset by user; I couldn't connect into it, like it would not allow me to do so.
But I came down a little bit, and then I was just like, I literally laid down to go to sleep, and as I'm sitting there I'm like, okay, why is that not working? So you know how your mind keeps wandering about why it's not working. Then I did the telnet, blam, it worked, right, and I was on IOS 13. I'm like, oh well, I just have to have a static PAT and problem solved, and then I go test it with you guys and blamo, it works without a problem, right? And it's just ironic that it did what it did. And of course I type in the password wrong again, but the point being here is that I wanted to prove that it would work. A static NAT should allow bi-directional traffic to go back and forth, and when we do a who we can see that, and I have domain lookup turned on on this guy, that we should be... 192.1.3.1 is where we should be coming from. So with that being said, we know we're in good shape there, which is, that is where we're coming from. The point being is, if we look on here in vEdge3 and we do the tab, we should see an active connection coming in, and that it's going to telnet, but I'm coming from 192.1.3.1 and I'm going to the destination of 10.3.130.13.
So I'm coming in through the vEdge3, jumping over to the IOS 13, and I'm hitting the loopback address, which is going to simulate an internal network, right? So it could be a different IP not connected to the router, but as long as the router can reach it, that's really all that matters. So that would be a server sitting behind the router; this, the loopback, just happens to be an address that's being advertised that is reachable via OSPF, because if I was to do a show ip route for VPN 1 we're going to see that 10.3.130..., right here, this address right here, is coming in through OSPF, so I have an internal route to it. So with that being said, ladies and gentlemen, that is static NAT and dynamic NAT, not terribly difficult. We're going to take a look at a little bit of a different scenario in the next video, but until next time, guys, take it easy, thanks for stopping by, and we'll catch you guys in the next one.
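As an added example (not the video's own material, and not vEdge code), here is a small Python model of the behaviour described above: the /27 carve-out of the internet link, the rule that a static NAT public address must sit inside the NAT pool, first-available dynamic allocation with release and pool exhaustion, and the fact that only a static entry admits unsolicited inbound traffic while a dynamic address does not. The addresses are the ones used in the video for vEdge3; the allocation logic is a simplification, not the device's implementation.

```python
from ipaddress import IPv4Address, IPv4Network


def pool_for_internet_link(link="192.1.3.0/24", index=3):
    """Carve the /24 into 32-address (/27) blocks at .0, .32, .64, .96 ... .224;
    the video takes the fourth block, .96 - .127, leaving the rest free."""
    return list(IPv4Network(link).subnets(new_prefix=27))[index]


POOL = pool_for_internet_link()            # 192.1.3.96/27, vEdge3's dynamic range
STATIC = {"10.3.130.13": "192.1.3.127"}    # inside (IOS 13 loopback) -> public


def static_entries_in_pool(static, pool=POOL):
    """The static NAT public address must sit inside the NAT pool range."""
    return all(IPv4Address(public) in pool for public in static.values())


class NatTable:
    """Model of one transport interface: first-available dynamic allocation,
    plus static entries that translate in both directions."""

    def __init__(self, pool, static):
        self.static = {IPv4Address(i): IPv4Address(p) for i, p in static.items()}
        self.inbound = {p: i for i, p in self.static.items()}
        # Assumption: a statically mapped public IP is never handed out dynamically.
        self.free = [a for a in pool if a not in self.inbound]
        self.dynamic = {}                  # inside -> public, live flows

    def outbound(self, inside):
        """Translate an outbound flow; None means the 32-address pool is exhausted."""
        inside = IPv4Address(inside)
        if inside in self.static:
            return str(self.static[inside])
        if inside not in self.dynamic:
            if not self.free:
                return None
            self.dynamic[inside] = self.free.pop(0)
        return str(self.dynamic[inside])

    def release(self, inside):
        """Host is done: its public IP goes back into the pool (the video's ".20 released")."""
        public = self.dynamic.pop(IPv4Address(inside), None)
        if public is not None:
            self.free = sorted(self.free + [public])

    def unsolicited_inbound(self, public):
        """Outside -> inside with no existing session: only a static entry matches,
        which is why the inet router can reach .127 but gets nothing at .96."""
        inside = self.inbound.get(IPv4Address(public))
        return None if inside is None else str(inside)
```

Note that a static entry exposes the inside host on every port, not just the one a port forward would open, which is the trade-off behind the video's static NAT versus static PAT discussion.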
Info
Channel: Rob Riker's Tech Channel
Views: 1,875
Keywords: cisco, sd-wan, nat, sd, wan, viptela, dynamic, static
Id: sX_aRr0SxSY
Length: 19min 50sec (1190 seconds)
Published: Tue Oct 06 2020