How to Use NAT | Network Fundamentals (Part 21)

Captions
For the most part we use private IP addresses in our networks, but the internet uses public addresses. So how do we make these work together? We need a device to translate between these two types of addresses, and for that we have Network Address Translation, or NAT. Let's see how this works and how it's configured.

Think of the header on a packet. This contains the source IP address that the packet was sent from, as well as the destination IP address that the packet is being sent to. NAT is the technology that can take an IP address in a packet's header and replace it with a different IP address. The most common use for NAT, as mentioned at the beginning of this video, is to translate between public and private IP addresses. This is part of a strategy to save public IP addresses across the globe. Decades ago the intention was that every device would have a public IP address. However, there's a limited number of public IP addresses available, and we started using them far too quickly. So these days we mostly all use the same private ranges in our networks, but to connect to the internet we need public addressing, so a router between our network and the internet will translate private IPs to public IPs and back again. And if you're wondering, we will generally have public IP addresses given to us by our internet provider, and they often won't give us very many.

How does this work? It's all based on the IP header. Every packet has this header, which contains a source address and a destination address. A router has a set of rules about which traffic should be translated and which traffic should be left alone. When a packet arrives at a router, the router will examine the IPs in the header to find traffic that matches a rule. If a packet matches a rule, then the router will rewrite the source or destination IP address in the header and send the packet on its way. We can even configure NAT to change port numbers in a TCP or UDP header if we want to, but we'll save that one for later.

There are two types of NAT: source NAT and destination NAT. Source NAT is the most commonly used type. As the name suggests, source NAT changes the packet's source IP address. This is generally used for internet access, as we explained earlier, where we are using private IP addresses in our network: the router takes the private IP in the header and replaces it with the public IP. Devices on the internet see this packet as coming from a public IP, and they are able to send traffic back. The router will change the IP address back to a private one as the packet passes through. The alternative is destination NAT, which is a bit less common. As you've already guessed, this is where the router changes the destination IP address rather than the source IP. We might use this if two organizations have merged and they were already using the same IP space. Normally this wouldn't work, as they need to have unique IPs; however, we could use NAT so each network thinks that the other is unique. This scenario is a bit complicated, so we'll leave this one alone. Some devices can translate both the source and the destination IPs. This is typically the role of a firewall, which has advanced NAT features. We do have a video on configuring NAT on the ASA firewall if you'd like to see that in action. It's a bit more complicated, but it's worth a look if you're interested. In this video we're only going to look at source NAT for internet access.

Before we get right into the configuration, there's a couple of terms to understand. When we configure the router, we specify which interfaces are inside our network and which are outside. Cisco uses the terms local and global to describe the inside and outside; keep in mind that different vendors will use different terms for this. When a device first creates a packet, it puts its own IP address in the header as the source. This IP address is called the inside local address. This is the real IP of the host inside your network, and it is probably a private IP. The outside local IP is the destination address; this is the IP of a device outside of our network. Technically this may not be the destination host's real IP, as NAT may change it, but this is what our hosts think is the real IP. After a packet has a NAT rule applied, different terms are used. The source IP address is called the inside global address. This is our host's IP address after it has been translated for internet access; this is now likely a public IP. The outside global IP is still the destination address. This would only change if we configure destination NAT, which is not the case in this example.

As usual, there will be some quiz questions throughout this video that you can come back to later to test your understanding.

We're now going to look at configuring static NAT, also known as one-to-one NAT or basic NAT. A static NAT will take a local IP address and statically map it to a global IP address. These two IPs are always a pair, and the mapping does not change. We would typically use this if we had a server on our network, maybe a web server, that we want to make available over the internet. People on the internet can then access our web content using the public IP that we configure in the static NAT. The downside to static NAT is that we use up public IP addresses very quickly, as we need a public IP for every static NAT rule.

We're going to use this topology to configure several types of NAT in this video. You'll notice that there are three areas: the LAN where our workstations are, the DMZ where our web server lives, and the internet. We're going to start with a static NAT so our web server can access the internet and so people on the internet can access our server. To start with, there's no connectivity from our server to the internet. This is because the ISP does not have a route in place for our private address ranges. To mimic what this would be like in the real world, we will not touch the configuration of the ISP's router.

The first step is to get on our gateway router and define which interfaces connect to the inside and which connect to the outside of our network. We can use the ip nat inside and ip nat outside commands to achieve this. Notice that as soon as we enter the first NAT command, the router creates a special interface called NVI0. This is a virtual interface that optionally allows us to configure NAT in a very different way. We're going to stick with the traditional NAT configuration in this video, as I think it's easier to learn. I'll include a link in the description if you want to know more about this special interface.

The next step is to configure NAT itself. The inside keyword is a bit confusing, but it basically means that we're configuring this NAT from the perspective of traffic passing from the inside of our network to the outside; we'll talk more about this soon. source refers to this being a source NAT. static means we're configuring a static NAT rule; we'll look at dynamic NAT next. Next we give our router the inside local IP of our server, that's the server's real IP address, and finally the inside global IP, which is the server's public IP. If we go back to our server and try a ping again, we'll now see that it's working as we would expect. Back on the gateway router, we can verify this with the show ip nat translations command. This shows us the inside and outside IPs for each translation. At the bottom we can see the static NAT that we configured; this will always be here, as it's, well, static. The top entry is an example of how the router tracks each translation. This is the ping we just ran; it will age out over time and will be removed from the list. And just to confirm, if we connect to the server that's on the internet, we can ping our server's public IP.

What we've just seen here is an example of bidirectional NAT. When we think of NAT, we often need to think about where the traffic is initiated, that is, where the traffic starts. For example, traffic may start on a workstation with a web server on the internet as the destination. The web server will then send traffic back to the workstation. This means that NAT is applied in a particular direction, and that direction depends on where the traffic starts. Consider the example we just configured. There is a web server inside our network, and people outside our network need to reach it. The server can initiate a connection to the internet if it needs to, or something on the internet can initiate a connection to the server. The NAT that we configured will work no matter which direction the traffic is going; this is a bidirectional NAT. The opposite of this is called unidirectional NAT, which we'll see at the end of the video.

But for now, let's consider how to configure NAT for our workstations. Usually we won't use a static NAT for this, as we have a lot of workstations and not many public IPs. One option we could consider is dynamic NAT. This does not use a one-to-one mapping between a private IP and a public IP. Instead, we can create a pool of public IP addresses and let the router map an IP to each workstation as they're needed. Just as before, we need to consider which interfaces are inside and which are outside. Our outside interface is already configured; we just need to add Gi0/2 as another inside interface. Notice that we can have more than one interface configured as inside or outside. There's a bit more work to configure our dynamic NAT. One thing we have to do is define a NAT pool; this is our group of public IPs. Most of this is self-explanatory: pool tells the router that we're configuring a pool of IP addresses, and "public pool" is the name of our pool. 203.0.113.100 is the first IP in our pool and .110 is the last IP. netmask is the subnet mask that goes along with the IPs in this range.

The next part is an access control list, or ACL. We've used these before to allow or block traffic, but ACLs can be used for far more. The real purpose of an ACL is to identify interesting traffic, and we do this to define which traffic should have NAT applied to it. So in our case, interesting traffic is any IP address in the workstation subnet. To do this we've created an extended ACL called "workstations". We could use standard ACLs and numbered ACLs, but I prefer named extended ACLs, as it makes a bit more sense when reading through the config. We then use a permit statement to match anything coming from the 192.168.0.0 network with any destination. You'll also notice that we've used a wildcard mask for matching traffic; check out the ACL video if you want a refresher on wildcard masks. For interest's sake, what do you think will happen if we added deny statements along with the permit statement? deny will simply tell the router not to match that traffic; it won't block anything, though. We might use this if we wanted to match all traffic from 192.168.0.0 except for one or two IPs. This might be something you can try for yourself in a lab.

And finally, we tie all our components together by mapping the private IPs that we matched with the ACL to the public IPs listed in our pool. This command is very similar to the static NAT command; the main differences are the list and pool keywords. Heading over to our workstation, we can use ping to confirm that this is working. And just like before, we can see the results of our ping and see that our workstation, 192.168.0.1, has been mapped to 203.0.113.100. We can dig up a bit more information with show ip nat statistics. We can see which interfaces have been configured as inside and outside interfaces, we can see the pool that we configured, as well as how many IPs have been allocated, and we can see hits and misses. A hit is whenever the router needs to look for a NAT mapping for a packet and successfully finds one in the translation table. A miss sounds like an error, but it actually isn't. This simply happens when the router looks up the NAT table, finds there isn't already a translation in place, and then needs to create one.
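To make the static and dynamic source NAT behaviour above concrete, here is an added Python simulation of a gateway router's translation table; it is example code written for this page, not the video's lab configuration. The pool 203.0.113.100 to .110 and the workstation 192.168.0.1 come from the video; the DMZ server 10.0.0.10, its public IP 203.0.113.10, the internet host 198.51.100.5, the /24 workstation subnet and the exempted host 192.168.0.50 are constructed assumptions. The class names and methods are hypothetical, but they model the same things the IOS commands do: a static entry that is always in the table (so it is bidirectional), pool allocation on a miss, an ACL deny line that exempts rather than blocks, and what happens when the pool runs dry.

```python
# Added example (not from the video): a simulation of source NAT on a
# gateway router, covering static one-to-one NAT and dynamic pool NAT
# with hit/miss counters. All addresses are constructed; the DMZ server
# 10.0.0.10 and its public IP 203.0.113.10 are assumptions, while the pool
# 203.0.113.100-110 and workstation 192.168.0.1 come from the video.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str  # source IP in the IP header
    dst: str  # destination IP in the IP header


class SourceNatRouter:
    """Models 'ip nat inside source static' and 'ip nat inside source list ... pool'."""

    def __init__(self):
        self.acl = []      # (permit, network): which traffic is "interesting"
        self.pool = []     # free inside global addresses for dynamic NAT
        self.table = {}    # translation table: inside local -> inside global
        self.hits = 0      # lookups that found an existing translation
        self.misses = 0    # lookups that had to create a translation

    def add_static(self, local, global_):
        # A static entry is always present in the table, which is what makes
        # it bidirectional: inbound traffic to the global IP matches at once.
        self.table[local] = global_

    def add_pool(self, first, last):
        lo, hi = int(ip_address(first)), int(ip_address(last))
        self.pool = [str(ip_address(i)) for i in range(lo, hi + 1)]

    def acl_entry(self, permit, network):
        self.acl.append((permit, ip_network(network)))

    def _interesting(self, src):
        # First matching ACL line wins. A 'deny' line means "do not translate
        # this traffic"; it never drops the packet.
        for permit, net in self.acl:
            if ip_address(src) in net:
                return permit
        return False

    def inside_to_outside(self, pkt):
        """Traffic from an 'ip nat inside' interface: rewrite the source IP."""
        if pkt.src in self.table:
            self.hits += 1
            return replace(pkt, src=self.table[pkt.src])
        if not self._interesting(pkt.src):
            return pkt              # no rule matched: forwarded untranslated
        self.misses += 1
        if not self.pool:
            return None             # pool exhausted: packet dropped
        global_ = self.pool.pop(0)
        self.table[pkt.src] = global_
        return replace(pkt, src=global_)

    def outside_to_inside(self, pkt):
        """Return or inbound traffic: map an inside global back to the local host."""
        for local, global_ in self.table.items():
            if global_ == pkt.dst:
                self.hits += 1
                return replace(pkt, dst=local)
        return None                 # no translation for this public IP: not forwarded inside


def demo():
    """Run the static and dynamic scenarios from the video against the model."""
    r = SourceNatRouter()
    r.add_static("10.0.0.10", "203.0.113.10")        # DMZ web server (assumed addresses)
    r.add_pool("203.0.113.100", "203.0.113.110")      # pool from the video
    r.acl_entry(False, "192.168.0.50/32")             # exempt one host (constructed)
    r.acl_entry(True, "192.168.0.0/24")               # workstation subnet (assumed /24)
    internet = "198.51.100.5"                         # a host on the internet (constructed)
    return {
        "server_out": r.inside_to_outside(Packet("10.0.0.10", internet)),
        "server_in": r.outside_to_inside(Packet(internet, "203.0.113.10")),
        "ws1_out": r.inside_to_outside(Packet("192.168.0.1", internet)),
        "ws2_out": r.inside_to_outside(Packet("192.168.0.2", internet)),
        "ws1_back": r.outside_to_inside(Packet(internet, "203.0.113.100")),
        "denied": r.inside_to_outside(Packet("192.168.0.50", internet)),
        "unsolicited": r.outside_to_inside(Packet(internet, "203.0.113.105")),
        "hits": r.hits,
        "misses": r.misses,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the server translated in both directions, the two workstations taking .100 and .101 on their first packet (two misses), the return packet to .100 finding its entry (a hit), the denied host forwarded with its private source untouched, and an unsolicited packet to an unused pool address finding no entry at all, which is the seed of the unidirectional behaviour discussed later in the video.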
Closely working hand in hand with NAT is port address translation, or PAT. In fact, they're so closely related that we usually just use the term NAT as an umbrella for both of these technologies. If you remember back to when we looked at TCP and UDP, you will remember that they also use headers, and in these headers are source and destination ports. Just as NAT rewrites IP addresses in the IP header, PAT rewrites port numbers in a TCP or UDP header. In most cases PAT and NAT will work together, so one will be changing the IP address and one will be changing the port number. This is quite common when we want to make a few services available to the internet by port number alone, rather than translating the entire IP address, which exposes all of the server's ports to the internet.

We're going to see a particular PAT feature in the lab now, called port forwarding. We're going to get our server on the internet again, but this time it's only the web service on port 80. Behind the scenes I have reset this lab to default, so we no longer have the static and dynamic NATs that we configured earlier. Of course, members can download both of these labs from the website. Because I reset the lab, we need to go back and configure the inside and outside interfaces again. Simple PAT configuration is very much like configuring a static NAT; we've only added in some port numbers as well as a tcp keyword. TCP of course is the protocol that we're using, with UDP as the alternative. The first port is the real port on the server and the second port is the translated port. But wait, aren't those two ports the same? What's the point of doing this if we're not actually changing anything? In this case we're forwarding a single port from the internet to our server, just port 80, with no other ports. So how is this different to the static NAT that we configured earlier? The static NAT is not concerned with ports at all. When we configure a static NAT rule, we're telling the router to make all ports on the server available to the internet. What we've done here is created an IP translation that only works for port 80, but we definitely could have translated from port 80 to some other port if we wanted to.

To see this working, we can jump onto the server on the internet and use the Linux command curl to connect to our web server. This command uses HTTP to download a web page if there is one available, and we can see that this is working. But if we try the same thing on a different port, like 443, this simply doesn't work, as NAT has not been configured to forward port 443 to the server. One last thought: what if we try pinging from our server to the internet? This fails. Once again, we have no NAT rules to translate this traffic for us, so ping will not work. Before we move on, here's a couple more questions to get you thinking.

There is one more technology we need to discuss, which some may consider the most important of them all. This one is called port overloading, or masquerading, or many-to-one NAT. Think of a case where we don't have many public IP addresses available to us; maybe we've only been given one or two by our service provider. In a case like this we can't use a dynamic NAT pool like we did earlier. This is because dynamic NAT will map one public IP to each host that needs internet access. We'd very quickly exhaust the pool of IPs, and any additional traffic will be dropped. So it's clear we need an alternative, and this is where port overloading comes in. This is still a form of dynamic NAT and PAT, but the router will translate ports as well as IPs. In addition to the pool of IPs, the router has a pool of ports that belong to each IP address; there are about 64,000 ports in each pool. Now think of the first workstation accessing the internet. It sends a packet to the router which contains the source and destination IP and port numbers. The router will rewrite the source IP with the public IP address, and it will also rewrite the source port with a port from the pool. The router keeps track of which ports have been used and which workstation is using them; this way it knows where to send the return traffic. Now when another workstation wants to access the internet, it goes through the same process as before. In our example it gets the exact same public IP as the first workstation, but it will get a different source port from the pool. In this way, devices on our network can share a single public IP address, as they each use unique source ports for each connection they open. And as there are about 64,000 TCP ports and 64,000 UDP ports, we won't run out of ports quickly. Before we move on to configuring this in a lab, see if you can work out the answers to these questions.

Right, so port overload is not too hard to configure. Our inside and outside interfaces are already defined, so we won't need to worry about them at this time. First we'll create an ACL to identify traffic from our workstation subnet; this is the exact same ACL we configured earlier. Next we create a pool of public IPs. This is nearly the same, but this time we've only put a single IP in there. And finally we create our NAT rule. There's really only one new item here, which is the overload keyword at the end. This statement overloads more than one inside IP address onto the single public IP address. As usual, we'll confirm this is working by running a ping from the workstation, which is working just fine, and of course we can confirm this with the show ip nat translations and show ip nat statistics commands. From here, though, I would recommend that you try this yourself in the lab and test it out with a few workstations rather than just one. And of course, here are two final questions to test yourself with.

Earlier we spoke about bidirectional NAT, where traffic can be initiated from either the inside or outside of our network. Port overloading behaves differently. This is an example of unidirectional NAT, where traffic must be initiated from inside of the network. Return traffic is fine of course, but the connection needs to start on the inside. Why is this? Because the router builds its table of port-to-IP mappings dynamically as connections are needed. So if someone tries to connect to a workstation from the internet on a particular port, it's highly likely that that port is not already in the translation table. This concept is a bit complicated, but the key point is this: for unidirectional NAT, the initial connection will only work in one direction.

In a nutshell, a router configured with NAT can rewrite IP addresses and ports in the header of a packet, typically for internet access. If you'd like to see some more advanced examples of NAT, take a look at the ASA NAT video on this channel.
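The port forwarding and port overloading sections above both come down to what the router keeps in its port-aware translation table, so here is an added Python simulation of that table; it is example code written for this page, not the video's lab configuration. The single public IP 203.0.113.10, the DMZ server 10.0.0.10, the internet host 198.51.100.5, the /24 workstation subnet and the sequential port allocation starting at 1024 are constructed assumptions, and the class and method names are hypothetical. It reproduces the lab results the video describes: curl to port 80 reaches the server while port 443 does not, a ping from the server out fails because no rule translates it, two overloaded workstations share one public IP on different ports, and an unsolicited inbound connection finds no entry and is dropped, which is why overloading is unidirectional.

```python
# Added example (not from the video): a simulation of PAT on the gateway
# router, covering a port forward ('ip nat inside source static tcp ... 80 ... 80')
# and port overloading (the 'overload' keyword). Addresses are constructed:
# the DMZ server 10.0.0.10, the single public IP 203.0.113.10, the internet
# host 198.51.100.5 and the workstation /24 are assumptions.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Segment:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int   # 0 for icmp
    dst: str
    dport: int


class PatRouter:
    def __init__(self, public_ip, workstation_net, overload=False):
        self.public_ip = public_ip
        self.workstations = ip_network(workstation_net)  # stands in for the ACL
        self.overload = overload                         # the 'overload' keyword
        self.forwards = {}     # (proto, public port) -> (inside local IP, real port)
        self.table = {}        # (proto, local IP, local port) -> translated port
        self.reverse = {}      # (proto, translated port) -> (local IP, local port)
        self.next_port = 1024  # simplified sequential port pool (assumption)

    def add_port_forward(self, proto, local_ip, local_port, global_port):
        self.forwards[(proto, global_port)] = (local_ip, local_port)

    def _allocate_port(self):
        if self.next_port > 65535:
            raise RuntimeError("port pool exhausted")
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def inside_to_outside(self, seg):
        """Traffic leaving the network: rewrite the source IP and, if needed, port."""
        # A static port forward also translates the server's replies on that port.
        for (proto, gport), (lip, lport) in self.forwards.items():
            if (proto, lip, lport) == (seg.proto, seg.src, seg.sport):
                return replace(seg, src=self.public_ip, sport=gport)
        if not self.overload or ip_address(seg.src) not in self.workstations:
            return None   # no rule matches: a private source cannot reach the internet
        key = (seg.proto, seg.src, seg.sport)
        if key not in self.table:            # a miss: create the mapping on demand
            gport = self._allocate_port()
            self.table[key] = gport
            self.reverse[(seg.proto, gport)] = (seg.src, seg.sport)
        return replace(seg, src=self.public_ip, sport=self.table[key])

    def outside_to_inside(self, seg):
        """Traffic arriving from the internet for our public IP."""
        if seg.dst != self.public_ip:
            return None
        entry = (self.forwards.get((seg.proto, seg.dport))
                 or self.reverse.get((seg.proto, seg.dport)))
        if entry is None:
            return None   # unsolicited: port not in the translation table, dropped
        lip, lport = entry
        return replace(seg, dst=lip, dport=lport)


def port_forward_demo():
    """Only port 80 is forwarded to the server; nothing else is translated."""
    r = PatRouter("203.0.113.10", "192.168.0.0/24")
    r.add_port_forward("tcp", "10.0.0.10", 80, 80)
    internet = "198.51.100.5"
    return {
        "curl_80": r.outside_to_inside(Segment("tcp", internet, 40000, "203.0.113.10", 80)),
        "reply_80": r.inside_to_outside(Segment("tcp", "10.0.0.10", 80, internet, 40000)),
        "curl_443": r.outside_to_inside(Segment("tcp", internet, 40001, "203.0.113.10", 443)),
        "server_ping": r.inside_to_outside(Segment("icmp", "10.0.0.10", 0, internet, 0)),
    }


def overload_demo():
    """Many workstations share one public IP, distinguished by translated port."""
    r = PatRouter("203.0.113.10", "192.168.0.0/24", overload=True)
    internet = "198.51.100.5"
    ws1 = r.inside_to_outside(Segment("tcp", "192.168.0.1", 50000, internet, 443))
    ws2 = r.inside_to_outside(Segment("tcp", "192.168.0.2", 50000, internet, 443))
    ws1_again = r.inside_to_outside(Segment("tcp", "192.168.0.1", 50000, internet, 443))
    return {
        "ws1": ws1,
        "ws2": ws2,
        "ws1_again": ws1_again,
        "ws2_back": r.outside_to_inside(Segment("tcp", internet, 443, "203.0.113.10", ws2.sport)),
        "unsolicited": r.outside_to_inside(Segment("tcp", internet, 12345, "203.0.113.10", 2000)),
    }


if __name__ == "__main__":
    print(port_forward_demo())
    print(overload_demo())
```

Note that both workstations use the same private source port 50000 and the router still keeps them apart, because the key of the table is protocol, local IP and local port together, and the translated port is what the return traffic is matched on. A real router also ages entries out of this table, which the model omits.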
Info
Channel: Network Direction
Views: 22,627
Rating: 4.9771428 out of 5
Keywords: Network direction, Nat, Network address translation, static, Dynamic, Port overload, Masquerade, Source nat, Destination nat, Acl, Private ip, Rfc1918, Translate, Port, Tcp, Udp, Snat, Dnat, Inside, Outside, Local, Global, Bidirectional, Unidirectional, Nvi0, Pool, List, many-to-one
Id: n0UqAXu_GAI
Length: 20min 40sec (1240 seconds)
Published: Tue Jan 21 2020