What is the main purpose of NAT in networking?

The main purpose of NAT is to conserve public IPv4 addresses and allow private IPv4 addresses within a local network to be translated to public addresses for external communication.

What are the different types of NAT?

The different types of NAT are Static NAT, Dynamic NAT, Port Address Translation (PAT), and NAT64.

Why is NAT used extensively despite IPv6 availability?

NAT is extensively used due to IPv4 address exhaustion, as it allows for the conservation and efficient use of limited IPv4 addresses.

What does Port Address Translation (PAT) do?

PAT allows multiple devices on a local network to be mapped to a single public IPv4 address but with different port numbers.

What are the advantages of using NAT?

NAT allows for the conservation of public IPv4 addresses, hides local network addresses for security, and maintains a consistent internal addressing scheme.

What are the disadvantages of NAT?

NAT can increase forwarding delays, complicate VPN tunneling protocols like IPsec, and cause loss of end-to-end IP traceability.

How does Dynamic NAT differ from Static NAT?

Dynamic NAT uses a pool of public addresses assigned on a first-come-first-serve basis, while Static NAT uses a fixed, manually configured one-to-one address mapping.

What is NAT64 used for?

NAT64 is used for protocol translation between IPv6-only and IPv4-only networks to facilitate communication.

Is NAT a solution for IPv4 address exhaustion?

Yes, NAT is a temporary solution for IPv4 address exhaustion by allowing multiple devices to share a limited number of public addresses.

How does NAT affect security?

NAT can hide internal network addresses from external observers, providing a basic level of security, but it's not a comprehensive security measure.

CCNA3 Module 6: NAT for IPv4 - Enterprise Networking Security and Automation (ENSA)

01:25:44

https://www.youtube.com/watch?v=ZGarEpHFEnE

Résumé

TLDRThe lecture covers Module 6 of the Cisco NetAcad CCNA 3 course, focusing on Network Address Translation (NAT) for IPv4. It explains how NAT is used to address IPv4 address exhaustion by translating private IP addresses to public ones, allowing devices to communicate over the internet. The lecture delves into the different types of NAT, including Static NAT, Dynamic NAT, Port Address Translation (PAT), and NAT64 which is used for IPv6. Static NAT involves a one-to-one mapping of local to global addresses, useful for consistent access to internal devices like web servers. Dynamic NAT uses a pool of addresses for on-demand translation. PAT allows multiple devices to share a single public address using different port numbers. The session also highlights the advantages of NAT, such as conservation of IP addresses, and disadvantages like end-to-end connectivity issues. It describes how NAT configuration is done on Cisco devices and discusses NAT64 for IPv6-IPv4 translation. The lecture concludes with verification steps for NAT configurations and mentions of practical exercises and resources for further learning.

A retenir

📚 NAT is essential for IPv4 address scalability.
🔄 Types of NAT include Static, Dynamic, PAT, and NAT64.
🌐 NAT helps in conserving global IPv4 addresses.
💼 NAT configuration can be performed on Cisco devices.
🔍 NAT has both technical advantages and limitations.
📈 PAT uses ports to differentiate local IP addresses.
👥 NAT hides local IPs from external networks.
🚧 NAT may complicate IPsec tunneling protocols.
🔗 NAT64 enables IPv6 and IPv4 communication.
🧠 Understanding NAT terms is crucial for network setup.

Chronologie

00:00:00 - 00:05:00
The lecture series for CCNA 3 covers enterprise networking, security, and automation. This particular module focuses on NAT for IPv4, discussing its configuration on edge routers to enhance IPV4 address scalability. Key areas include the characteristics and types of NAT, advantages and disadvantages, and various NAT techniques such as static NAT, dynamic NAT, PAT, and NAT64.
00:05:00 - 00:10:00
NAT characteristics are discussed, particularly how IPv4 address space is managed with private addresses as per RFC 1918, which cannot be routed over the internet. NAT translates these private addresses into public ones, allowing devices to access external networks. Three classes of IPv4 addresses - Class A, B, and C are also mentioned, with Class C being common in home routers.
00:10:00 - 00:15:00
NAT's primary function is to conserve public IPv4 addresses, making use of private addresses internally and translating them when public addresses are needed. It acts at the network edge, translating private to public IP addresses, often implemented in home/business routers to manage IPv4 exhaustion and maintain private-public communication across networks.
00:15:00 - 00:20:00
The NAT translation process is illustrated with a scenario where a PC communicates with an external web server. The process involves mapping local to global addresses, sending packets with translated addresses, receiving responses, and translating them back to local addresses, exemplifying how NAT facilitates communication between private and public networks.
00:20:00 - 00:25:00
The NAT terminology includes Inside Local Address, Inside Global Address, Outside Local Address, and Outside Global Address. These terms are explained from the device's perspective with the translated address, highlighting the IPv4 address translation process and ensuring proper communication channels within and outside a network.
00:25:00 - 00:30:00
Static NAT involves a one-to-one mapping of IP addresses, ensuring consistency and accessibility, especially for servers requiring remote access. This static method requires enough public addresses for simultaneous user sessions and allows for consistent address assignments without frequent changes. It's an essential feature for publicly accessible devices.
00:30:00 - 00:35:00
Dynamic NAT, in contrast, assigns IP addresses from a pool on a first-come, first-served basis. This flexible allocation still requires sufficient public addresses for users, allowing dynamic assignments without manual configuration. Its efficiency depends on the availability of public addresses, adapting to the changing needs of network access.
00:35:00 - 00:40:00
Port Address Translation (PAT) or NAT overload allows multiple private addresses to map to a single public IP. PAT distinguishes communication sessions using different TCP port numbers, handling multiple sessions across the same public IP. It’s common in home networks, adjusting to port availability and pool allocation to facilitate multiple connections.
00:40:00 - 00:45:00
PAT manages ports efficiently by preserving and reassigning port numbers if needed while accommodating simultaneous sessions across fewer public IPv4 addresses. Known as 'NAT overload', it’s crucial for conserving address space, allowing many-to-one mappings, and supporting extensive network sessions, enhancing flexibility and connectivity.
00:45:00 - 00:50:00
Verifying NAT operations involves using commands like show ip nat translations and show ip nat statistics, allowing administrators to monitor dynamic and static NAT processes. These commands aid in ensuring the proper allocation of address pools, clearing statistics for accuracy, and generally verifying network configurations are functioning as expected.
00:50:00 - 00:55:00
Dynamic NAT with pools entails configuring address pools and associating them with access control lists (ACLs) for address translation, dynamically assigning addresses to devices based on requests. Verification through command line confirms the effective translation and availability, facilitating network traffic efficiently with minimal manual oversight.
00:55:00 - 01:00:00
For PAT configuration using a single IP or a pool, the process involves adding the 'overload' keyword to enhance dynamic translation for multiple internal devices using few external addresses. The communication sessions are uniquely identified by different port numbers, supported by the NAT overload capability, ensuring efficient network management.
01:00:00 - 01:05:00
Analyzing PAT operations reveals the extensive use of IP and port modifications, accommodating both PC-to-server and server-to-PC communications. The use of the same public IP with differing ports exemplifies its efficacy, essential for port flexibility and ensuring sustained connectivity across diverse network configurations.
01:05:00 - 01:10:00
Verification of PAT, similar to NAT, uses show ip nat commands to review translation statistics and address allocations. It emphasizes the sharing of IPv4 addresses, distinct port numbers for transactions, ensuring network operations are optimized for multiple simultaneous connections while maintaining clarity of operation.
01:10:00 - 01:15:00
NAT64 facilitates IPv4 to IPv6 transition by allowing communication between IPv6 and IPv4 environments. Although designed to make NAT obsolete, IPv6 NAT64 focuses on transitional solutions rather than prolonged reliance on address translations, providing protocol translation where needed without extensive NAT dependence.
01:15:00 - 01:20:00
The lecture wraps up by summarizing NAT concepts, reinforcing the need for address translation due to IPv4 scarcity, and clarifying the terminologies and processes through dynamic and static NAT, PAT, and NAT64. Emphasis is placed on understanding NAT’s role in networking, its operational principles, and practical configurations.
01:20:00 - 01:25:44
In conclusion, the comprehensive exploration of NAT in this lecture addresses configuration strategies, verification methods, operational nuances of NAT, PAT, and NAT64. It emphasizes understanding network address translation's significance in managing IPv4 address limitations and ensuring seamless transitions toward IPv6.

Afficher plus

Carte mentale

Questions fréquemment posées

What is the main purpose of NAT in networking?
The main purpose of NAT is to conserve public IPv4 addresses and allow private IPv4 addresses within a local network to be translated to public addresses for external communication.
What are the different types of NAT?
The different types of NAT are Static NAT, Dynamic NAT, Port Address Translation (PAT), and NAT64.
Why is NAT used extensively despite IPv6 availability?
NAT is extensively used due to IPv4 address exhaustion, as it allows for the conservation and efficient use of limited IPv4 addresses.
What does Port Address Translation (PAT) do?
PAT allows multiple devices on a local network to be mapped to a single public IPv4 address but with different port numbers.
What are the advantages of using NAT?
NAT allows for the conservation of public IPv4 addresses, hides local network addresses for security, and maintains a consistent internal addressing scheme.
What are the disadvantages of NAT?
NAT can increase forwarding delays, complicate VPN tunneling protocols like IPsec, and cause loss of end-to-end IP traceability.
How does Dynamic NAT differ from Static NAT?
Dynamic NAT uses a pool of public addresses assigned on a first-come-first-serve basis, while Static NAT uses a fixed, manually configured one-to-one address mapping.
What is NAT64 used for?
NAT64 is used for protocol translation between IPv6-only and IPv4-only networks to facilitate communication.
Is NAT a solution for IPv4 address exhaustion?
Yes, NAT is a temporary solution for IPv4 address exhaustion by allowing multiple devices to share a limited number of public addresses.
How does NAT affect security?
NAT can hide internal network addresses from external observers, providing a basic level of security, but it's not a comprehensive security measure.

Voir plus de résumés vidéo

Accédez instantanément à des résumés vidéo gratuits sur YouTube grâce à l'IA !

Sous-titres

Défilement automatique:

00:00:00
welcome back to the cisco netacad ccna 3
00:00:04
enterprise networking security and
00:00:06
automation lecture series
00:00:08
if you haven't seen my previous lecture
00:00:10
series covering ccna1 and ccna2 i will
00:00:14
leave links in the description for those
00:00:16
playlists
00:00:17
i would recommend that you go through
00:00:19
the previous ccna lectures before you
00:00:22
move forward with this course
00:00:24
today i will cover module number six
00:00:27
which is nat for ipv4
00:00:31
the objective of this module is to learn
00:00:33
how we can configure nat services on
00:00:36
edge router to provide ipv4 address
00:00:39
scalability
00:00:41
i will cover nat
00:00:42
characteristics types of nat
00:00:45
nat advantages and disadvantages
00:00:48
static nat dynamic nat
00:00:51
pat
00:00:52
and nat 64.
00:00:57
nat characteristics
00:01:01
ipv4 address space
00:01:04
networks commonly implemented using
00:01:07
private ipv4 addresses as defined in rfc
00:01:12
1918 standard
00:01:14
so remember networks are
00:01:16
commonly implemented using ipv for
00:01:18
addresses
00:01:19
but based on the rfc 1918 standard
00:01:24
private ipv4 addresses cannot be routed
00:01:27
over the internet and are used within an
00:01:29
organization or site to allow devices to
00:01:32
communicate locally
00:01:34
to allow a device with a private ipv4
00:01:38
address to access devices and resources
00:01:41
outside of its local network the private
00:01:44
address must be translated
00:01:46
to a public address
00:01:48
so the network address translation or
00:01:50
nat provides the translation of private
00:01:53
addresses
00:01:54
to public addresses
00:01:56
and on the right hand side
00:01:58
we have three classes of ipv4 addresses
00:02:02
we have class a class b and class c
00:02:05
and you see the range in the middle
00:02:07
under the activity type
00:02:09
the range of ip addresses associated
00:02:11
with these classes
00:02:13
in most home routers
00:02:15
you probably have seen the class c which
00:02:18
is the 192 this this ips address range
00:02:22
because that is typically the default on
00:02:24
d-link and cisco and many other ip
00:02:27
address schemes built into some of those
00:02:29
routers and modems
00:02:32
but however you may also have come
00:02:34
across the other ip addresses listed
00:02:36
here
00:02:37
these are like different types of
00:02:38
classes
00:02:40
associated with the ipv4 rfc 1918
00:02:43
standard
00:02:47
so what is
00:02:48
nat the primary use of nad is to
00:02:51
conserve public ipv4 addresses
00:02:55
in my previous lectures i have mentioned
00:02:57
numerous times how we are running out of
00:03:00
ipv4 addresses
00:03:02
that can be routed globally
00:03:05
so the nat is actually a temporary
00:03:08
solution that we use uh to prevent ipv4
00:03:12
address exhaustion
00:03:14
so nat allows networks to use private
00:03:17
ipv4 addresses internally and translate
00:03:21
them to a public address when needed
00:03:24
a net router typically operates at the
00:03:27
border of a stubbed network
00:03:29
when a device inside the stub network
00:03:33
wants to communicate with a device
00:03:35
outside of its network the packet is
00:03:37
forwarded to the border router which
00:03:39
performs the network address translation
00:03:42
process translating the internal private
00:03:45
address of the device to a public
00:03:47
outside routable address
00:03:50
so the primary purpose of the nat
00:03:53
is to sit
00:03:54
right at the edge of that private
00:03:56
network
00:03:57
and then translate the private ip
00:04:01
addresses into a publicly routable ip
00:04:05
address hence the nat stand for network
00:04:07
address translation and these are
00:04:09
typically
00:04:10
this is a process typically happens in
00:04:14
the router at the edge of your private
00:04:17
network so at
00:04:19
in small businesses and in homes this is
00:04:22
typically done in the router modem
00:04:24
combination devices
00:04:26
or on the router at the edge of your
00:04:29
network which is connected to your the
00:04:32
internet service provider
00:04:38
so how
00:04:39
does the nat works so pc1 in this
00:04:42
situation on the right hand side this
00:04:44
diagram
00:04:46
wants to communicate with an outside web
00:04:48
server with a public address of
00:04:50
209.165.201.1
00:04:54
so the pc one
00:04:56
which is this one which is not really
00:04:58
labeled as pc one but this is the pc one
00:05:00
connected to router one and it wants to
00:05:02
communicate to the
00:05:04
web server with ip address 209.165.201
00:05:10
which is outside of its uh private
00:05:13
network so the the web server is not
00:05:15
within the pc one's private network
00:05:18
so what happens is a pc one sends a
00:05:20
packet
00:05:21
address to the web server
00:05:23
next the r2 which is this edge router
00:05:27
receives the packet and reads the source
00:05:30
ipv4 address to determine if it's if it
00:05:33
needs a translation
00:05:36
r2 adds mapping of the local to global
00:05:40
address to the nat table so it actually
00:05:43
going to get the local ipe and then map
00:05:46
it to the global ip for that nat table
00:05:50
then the r2 sends the packet with the
00:05:52
translator source address towards the
00:05:54
destination then it's going to get
00:05:55
forwarded towards the destination of
00:05:58
this
00:05:59
you know server
00:06:01
the web server responds with a packet
00:06:03
address to the inside global address of
00:06:06
pc1 which is a 209.165.200.226.
00:06:11
so it's going to get addressed back to
00:06:13
that inside address with this one
00:06:16
then the r2
00:06:18
receives the packet with the destination
00:06:20
address 209.165.200.226
00:06:24
that to checks the nat table and finds
00:06:26
an entry for this mapping
00:06:29
r2 uses this information and translate
00:06:32
the inside global address
00:06:34
209.165.200.226
00:06:37
to inside local address which is going
00:06:40
to be the 192.168.10.10
00:06:44
and the packet is forwarded towards the
00:06:46
pc one
00:06:47
so
00:06:48
what happened here
00:06:49
if i described in plain simple uh
00:06:53
english
00:06:54
what happened is that this device want
00:06:56
to communicate outside of its network
00:07:00
and the what this device is trying to do
00:07:02
is to communicate to this web server in
00:07:05
the uh in the internet or in a different
00:07:07
network
00:07:09
however
00:07:10
this
00:07:11
device cannot see
00:07:13
this
00:07:14
server
00:07:15
so what it needs is a nat a network
00:07:18
address translation so what the network
00:07:20
address translation is doing is that it
00:07:23
is matching the ip address of the
00:07:25
internal device
00:07:27
to an external device is trying to
00:07:30
communicate
00:07:31
so that it can be
00:07:33
you know used
00:07:34
for communication between the external
00:07:37
and the internal device
00:07:39
so that is the simplest way i look at
00:07:41
the how the net tables work
00:07:44
so
00:07:45
basically you have a net table simulator
00:07:48
like this so you have a net payable will
00:07:50
have an inside local address which is
00:07:52
the address of the device that trying to
00:07:54
communicate to outside you have an
00:07:56
internal insight global address so that
00:07:58
is an internal global address and then
00:08:00
you're going to have a outside local
00:08:02
address
00:08:03
and then you have an outside global
00:08:05
address and using that information in
00:08:07
that table this pc is now able to reach
00:08:10
the internet
00:08:12
even though its internal ip address is
00:08:15
not globally routable because it is all
00:08:17
done through the net translation so
00:08:19
that's how i look at this
00:08:21
six step process
00:08:25
so let's look at some terminologies
00:08:27
associated with nat
00:08:30
the net includes four types of addresses
00:08:32
you will hear the inside local address
00:08:36
inside global address outside local
00:08:39
address and outside global address so
00:08:41
you will hear those four types when
00:08:43
somebody is talking to you about nat
00:08:46
so the nat terminology is always applied
00:08:49
uh from the perspective of the device
00:08:51
with the translated address so remember
00:08:55
the nat terminology so when if you want
00:08:57
to know how this terminology is being
00:09:00
applied or used it is always applied
00:09:02
from the perspective of the device with
00:09:04
the translated address
00:09:06
so that means the inside you know
00:09:08
whatever the device that been getting
00:09:09
translated in the inside the local
00:09:12
network
00:09:13
so the inside address is the address of
00:09:15
the device which is being translated by
00:09:17
the network address translator so the
00:09:19
nat
00:09:21
the outside address is the address of
00:09:23
the destination device
00:09:26
in our previous example
00:09:28
the outside address going to be the
00:09:30
address of the web server the inside
00:09:32
address going to be the address of the
00:09:34
yeah the computer the pc one that is
00:09:37
trying to communicate to that web server
00:09:40
the local address is a address is that
00:09:44
is any address that appeared on the
00:09:46
inside portion of the network
00:09:49
so the local address
00:09:50
is the address that is the inside
00:09:52
portion of that nat table so the net
00:09:54
site the global the global address is an
00:09:57
address that is in any address that
00:09:58
appears on the outside portion of the
00:10:00
network so remember if you go back in
00:10:02
here so the inside address is right here
00:10:05
the outside address is right here and
00:10:08
the the other options that we have
00:10:11
in here is the uh the inside um
00:10:15
sorry
00:10:16
local address sorry local address
00:10:19
and the global address so the the local
00:10:23
address is here global addre you know
00:10:25
local
00:10:26
global address is outside and then you
00:10:29
have the inside local and the outside
00:10:31
local so you actually see all of that
00:10:32
information appear on the nat table
00:10:36
so remember those terms and remember
00:10:39
that the terminology is applied from the
00:10:41
perspective of the device with the
00:10:43
translated address so that's very
00:10:46
important
00:10:51
inside local address
00:10:54
the address of the source as seen from
00:10:57
the inside of the network is the inside
00:10:59
local address
00:11:01
this is typically a private ipv4 address
00:11:04
the inside local address of pc1 in this
00:11:07
example is the 192.168.10.10
00:11:11
because that is the local internal ip
00:11:14
address of that pc so that is the inside
00:11:16
local address
00:11:17
the inside global addresses
00:11:20
this is the address of this source as
00:11:23
seen from the outside network
00:11:26
the inside global address of pc1 in this
00:11:29
example going to be
00:11:33
209.165.200.226. so this is the address
00:11:34
of the source as seen from outside of
00:11:37
the network so if somebody looking from
00:11:39
outside to the inside of the network it
00:11:40
doesn't see the
00:11:41
192.168.10.10 instead it sees that
00:11:43
209.165.200.226.
00:11:48
outside global address is the address of
00:11:51
the destination
00:11:52
as seen from the outside the network so
00:11:55
from outside the network
00:11:57
whatever the address that is seen
00:12:00
as the destination um you know
00:12:02
as address of the destination scene from
00:12:04
the outside is what we call the outside
00:12:06
network which is outside of this so the
00:12:09
outside global address in this example
00:12:11
for web server is 209.165.200.1
00:12:16
which is that one
00:12:18
the outside local address however is the
00:12:21
address of the destination as seen from
00:12:23
the inside of the network so the outside
00:12:26
local address is the address of the
00:12:28
destination as seen from the inside of
00:12:31
the network so the pc one sends traffic
00:12:33
to the web server at ipv4 address of
00:12:36
209.164
00:12:40
so that would be
00:12:41
the outside you know the local address
00:12:46
while it is uncommon this address could
00:12:48
be different than the globally routable
00:12:50
address of the destination so remember
00:12:53
that
00:12:54
even though it is very uncommon to see
00:12:56
that this address could be different
00:12:58
from the globally routable address of
00:13:00
the destination address so that now you
00:13:02
can see
00:13:03
those different addresses and how we've
00:13:05
been used on the right hand side so we
00:13:08
have the inside local address in a
00:13:10
graphical format you see this here and
00:13:12
you have the outside
00:13:14
local address when the data is going
00:13:15
this way and then you have the inside
00:13:18
global and outside global when the data
00:13:19
coming back you have
00:13:21
the and the outside global address
00:13:24
inside global address outside local
00:13:26
address and
00:13:28
inside local address so you can see that
00:13:31
in a graphical format on the right hand
00:13:33
side
00:13:37
types of nat
00:13:41
static network address translation or
00:13:43
static nat
00:13:45
uses a one-to-one mapping of local and
00:13:48
global address configured by the network
00:13:51
administrator that remain constant so
00:13:53
just like the term static
00:13:56
you know what it stands for in english
00:13:58
it is a static statistical statically
00:14:01
assigned sorry statically assigned that
00:14:03
mean an administrator
00:14:05
manually assigned the nat in static net
00:14:09
static net is useful for web servers or
00:14:12
devices that must have a consistent
00:14:15
address that is accessible from the
00:14:18
internet
00:14:19
such as a company web server or a
00:14:22
company email server ftp server etc
00:14:25
it is also useful for devices that must
00:14:28
be accessible by authorized personnel
00:14:30
when off-site but not by general public
00:14:33
on the internet so because you don't
00:14:35
want those ip addresses and information
00:14:38
to change
00:14:39
for those resources that has to be
00:14:41
accessed by someone remotely outside the
00:14:44
network you can create that static nat
00:14:47
entries
00:14:48
so on the right hand side here's an
00:14:51
example of that you have an inside
00:14:52
network with a server and
00:14:55
several end devices connected to a
00:14:57
switch
00:14:58
and you can have a static net
00:15:00
translation
00:15:02
assigned to this particular server so
00:15:05
that it won't change
00:15:07
its ip addresses and other
00:15:08
configurations associated with that net
00:15:11
translation
00:15:13
by you know
00:15:14
by configuring it in the administrative
00:15:16
sections of the router so you can go
00:15:19
into the net table and you can enter an
00:15:21
entry so that the the entry for this
00:15:25
server will remain the same in the
00:15:28
inside global address
00:15:30
you know
00:15:31
with respect to that ip internal ip
00:15:33
address of that server
00:15:35
please note the static network trust
00:15:37
that
00:15:38
enough public addresses are available to
00:15:40
satisfy the total number of simultaneous
00:15:43
user sessions so if you are creating
00:15:45
these kind of static nad entries you
00:15:48
need to have enough public addresses
00:15:50
available to satisfy the total number of
00:15:52
simultaneous uses in the in a session so
00:15:55
remember that
00:15:58
the other option is called the dynamic
00:16:00
nat
00:16:01
so that's another type of nat so in
00:16:04
dynamic nat uses
00:16:06
a pool of public addresses and assigns
00:16:09
them to a first come first serve basis
00:16:13
so just like it's what it sounds like it
00:16:16
is dynamically assigned
00:16:18
you know
00:16:20
method
00:16:20
so when an inside device requests access
00:16:23
to an outside network the dynamic net
00:16:25
assigns an available public ipv4 address
00:16:29
from a pool
00:16:31
the other addresses in the pool are
00:16:33
still available
00:16:34
for use
00:16:35
but the it's gonna assign dynamically as
00:16:38
the request comes in
00:16:40
please note the dynamic net request that
00:16:43
enough public addresses are also be
00:16:45
available to satisfy the total number of
00:16:48
simultaneous user session so just like
00:16:50
the static nand the dynamic net also
00:16:52
requires uh that enough public addresses
00:16:55
are available um for simultaneous use so
00:16:59
on the right hand side uh the you can
00:17:01
see a situation where we have the
00:17:04
dynamic net
00:17:05
configured now in this case
00:17:07
the router will be
00:17:09
dynamically assigning those uh
00:17:12
nat translations uh based on the request
00:17:16
it gets from the inside network
00:17:21
port address translation
00:17:24
port address translation also known as
00:17:27
nat overload
00:17:28
maps multiple private ipv4 addresses to
00:17:32
a single public ipv4 address or a few
00:17:35
addresses
00:17:37
so with pat when the nat router receives
00:17:40
a packet from the client it uses the
00:17:43
source port number to uniquely identify
00:17:45
the specific nat translation
00:17:48
pat ensures
00:17:50
that devices use a different tcp port
00:17:53
number each session with a server on the
00:17:56
internet
00:17:58
so
00:17:58
in other words if these two computers
00:18:01
try to reach the exact same server
00:18:03
through this one router it still can use
00:18:06
the same public ip address but because
00:18:09
they're coming from two different ports
00:18:12
the pad gonna associate those
00:18:14
ports
00:18:16
so that both of these devices inside the
00:18:18
network can access the same server at
00:18:21
the same time
00:18:23
if you look at your home network
00:18:26
and your isp provided router it is
00:18:29
actually running pat instead of nat so
00:18:33
you probably have like one or two uh
00:18:36
publicly facing ip addresses so most
00:18:39
likely for most home users is going to
00:18:41
be one publicly facing ip address
00:18:45
and then
00:18:46
you are using the pat the port address
00:18:50
translation method
00:18:52
for communicating with the outside world
00:18:54
so what it what is the key feature with
00:18:56
the pad is that with pat when the nat
00:18:59
router receives a packet from
00:19:01
the client it uses the source port to
00:19:04
uniquely identify that nat translation
00:19:07
so that everybody can use this like a
00:19:10
multiple devices can use the same ip
00:19:12
address
00:19:13
but associated different ports with it
00:19:16
to communicate to the outside world
00:19:19
so that's the way i look at the nat
00:19:21
and
00:19:22
what actually nat doing is that
00:19:26
the the nat is
00:19:28
modifying
00:19:29
the layer 3 headers
00:19:32
while the pad is modifying both layer 3
00:19:35
and layer 4 headers
00:19:40
next available port
00:19:43
pat attempts to preserve the original
00:19:46
source port if the original source port
00:19:49
is already used pat assigns the first
00:19:52
available port number starting from the
00:19:54
beginning of the appropriate port group
00:19:57
so it could be from 0 to 5 11
00:20:01
512 to
00:20:03
1023 or one thousand twenty four to
00:20:06
sixty five thousand five hundred thirty
00:20:08
five so what pat going to do is pat
00:20:11
attempts to preserve the original source
00:20:12
port but but if the original soft spot
00:20:15
is already used then what's pat gonna
00:20:18
assign
00:20:19
a
00:20:20
available port number starting from the
00:20:22
beginning of the appropriate port group
00:20:25
so if the original part is fall between
00:20:28
in here it's going to find an
00:20:30
appropriate port within here if it is
00:20:32
false in here it's going to find an
00:20:33
appropriate port in here
00:20:36
so when there are no more ports
00:20:37
available and there is more than one
00:20:40
external address in the address pool pat
00:20:43
moves to the next address to try to
00:20:45
allocate the original source port
00:20:47
the process continues until there are no
00:20:50
more available ports or external ipv4
00:20:53
addresses in the address pool
00:20:56
so in this example we have the inside
00:20:59
network with three end devices we have a
00:21:02
router with the pad configured and we
00:21:05
have the outside internet and if you
00:21:07
look at the net uh table with overload
00:21:09
because nat or with overload is the same
00:21:12
as pat remember it's the same term uh
00:21:16
like the same concept
00:21:18
uh so um
00:21:20
not overload or the pat pat
00:21:23
is basically have that you know inside
00:21:26
global ip address and the inside local
00:21:28
ip addresses but however what differ
00:21:32
this from you know the
00:21:34
typical nat table is that these ip
00:21:37
addresses have port numbers associated
00:21:40
with it because remember the nap pad is
00:21:43
modifying both the layer 3 and layer 4
00:21:47
as opposed to nat only modifying the
00:21:49
layer 3 headers right so layer 3 header
00:21:52
is associated with just the ip address
00:21:55
and the layer 3 f4 is associated with
00:21:58
the port number so the type of port that
00:22:01
being used so
00:22:03
in
00:22:03
pat we are modifying both the
00:22:06
layer
00:22:07
3 ip address and the layer 4
00:22:11
port number so remember that that is a
00:22:13
difference between nan and pad
00:22:16
so in the next page we are actually
00:22:18
looking at some of the differences um
00:22:20
in a table
00:22:22
so on the right hand side there is a
00:22:24
summary
00:22:25
of differences between nat and pat
00:22:28
so nat one to one mapping between inside
00:22:32
local and inside global addresses while
00:22:34
pat
00:22:35
one inside global address can be mapped
00:22:38
to many inside local addresses because
00:22:41
now we have port number association
00:22:43
nat uses only ipv4 addresses in
00:22:46
translation process while the path uses
00:22:49
ipv4 addresses and the tcp or udp source
00:22:53
port numbers in translation process so
00:22:56
it uses ip and the port
00:23:00
nat
00:23:01
uses a unique uh inside global address
00:23:04
is required for each inside host
00:23:07
accessing the outside network so in the
00:23:10
net you need to have a unique inside
00:23:12
global address for each inside host but
00:23:16
with pad a single unique inside global
00:23:19
address can be shared by many inside
00:23:22
hosts
00:23:23
accessing the outside network so pat has
00:23:26
some more advantages than nat
00:23:29
and remember nat only modifies the ipv4
00:23:33
addresses
00:23:34
while the path modifies both the ipv4
00:23:38
address and the port number hence the
00:23:40
nat as i mentioned before only modify
00:23:43
the layer 3 header while the path modify
00:23:47
both layer 3 which is the ip address and
00:23:50
the layer 4 headers which is the port
00:23:52
number
00:23:54
you should remember this like back of
00:23:55
your hand because you know this is this
00:23:58
will show up on your exams and quizzes
00:24:04
packets without a layer 4 segment
00:24:07
some packets do not contain a layer for
00:24:09
port number such as icmp
00:24:11
version 4 messages
00:24:14
each of these types of protocols is
00:24:17
handled differently by pat
00:24:19
because remember pat's request
00:24:21
i mean pat uses utilizes both layers
00:24:25
three and layer four but not all packets
00:24:28
contain layer for information such as
00:24:30
the port numbers right such as icmps
00:24:34
so
00:24:35
for example the icmp version for query
00:24:37
messages echo request and echo replies
00:24:40
include a query id
00:24:43
icmp version 4 uses the query id to
00:24:46
identify any code request with its
00:24:48
corresponding echo reply
00:24:51
please note other icmp version 4
00:24:54
messages do not use the query id these
00:24:56
messages and other protocols that do not
00:24:59
use tcp or udp port numbers very uh
00:25:04
vary and are beyond the scope of this
00:25:06
curriculum so
00:25:08
keep that in mind back of your mind it
00:25:11
is not part of this course this lecture
00:25:14
series for now but in the future
00:25:16
you know i will cover this
00:25:19
the path uses both layer 3 and layer 4
00:25:23
modification
00:25:25
nat do not
00:25:26
however not all packets that you're
00:25:28
gonna send through the pad
00:25:30
will have layer four which is the port
00:25:33
number such as the iecmp version four
00:25:36
but those are handled differently by the
00:25:38
pad which we will not cover
00:25:41
in this lecture okay that's all you need
00:25:44
to know for now for nat versus pad so
00:25:47
remember the layer three layer two
00:25:49
differences and also remember that pat
00:25:51
is what actually being used in most
00:25:54
homes so if you buy a router if you get
00:25:57
a router modem combination from your isp
00:26:00
when you
00:26:00
connect to the internet when you when
00:26:02
you are watching this video for example
00:26:04
by connecting to youtube.com
00:26:06
you are basically using
00:26:08
a pat not an ad even though we typically
00:26:12
misuse the term nat all the time
00:26:15
most home routers most home
00:26:18
you know router modem combination
00:26:20
devices use a type of pad so it is pad
00:26:24
so that's what you need to understand
00:26:26
for now don't worry about how icmp
00:26:29
version 4 packets are handled by the pad
00:26:30
but it is beyond the scope of this
00:26:33
class
00:26:36
so there's a packet tracer file called
00:26:38
investigate nat operations if you have
00:26:41
access to this file please go ahead
00:26:43
download it and do it if you do not i
00:26:46
will leave a copy in the
00:26:49
sanuj.com website and i will make sure
00:26:51
to leave a link in the description so
00:26:53
you can go and click and download it and
00:26:55
do it
00:26:59
net advantages and disadvantages
00:27:05
so let's look at the advantages of nat
00:27:08
nat provides many benefits
00:27:11
they include net conserve the
00:27:13
legally registered addressing scheme by
00:27:15
allowing the privatization of
00:27:19
internet so what basically
00:27:22
it is doing is that remember the ipv4
00:27:25
address exhaustion issue so that that
00:27:27
has been addressed by nat so the nat is
00:27:30
basically conserving the legally
00:27:32
registered addressing scheme by allowing
00:27:35
the privatization of you know the
00:27:38
internet so the the internal networks of
00:27:41
any
00:27:43
land network
00:27:44
is now separated from globally routable
00:27:48
ip addresses as a result of use of nat
00:27:51
nat also conserves the address through
00:27:53
application port level multiplexing that
00:27:57
increases the flexibility of connections
00:27:59
to the public network that provides
00:28:01
consistency for internal network
00:28:04
addressing schemes so that means that
00:28:07
you can have a specific addressing
00:28:09
schemes associated with your
00:28:11
organization you can use because you are
00:28:12
behind a nat
00:28:14
you can use whatever addressing scheme
00:28:16
you like you don't have to worry about
00:28:18
you know uh whether it's it's globally
00:28:20
routable or not like for example uh you
00:28:23
may want to use
00:28:24
192.168.10. something like that or you
00:28:27
192.168.20. something or for something
00:28:29
else with the new network and
00:28:32
192.168.30. something for something
00:28:34
other than you know those two so
00:28:37
so on and so forth like you can
00:28:38
customize the anyway you like
00:28:41
uh you know
00:28:42
for your internal network uh the
00:28:45
addresses because they are not like a
00:28:47
globally routable ip addresses they are
00:28:49
just within your organization
00:28:51
that also allows the existing private
00:28:53
ipv4 address scheme to remain while
00:28:56
allowing for easy
00:28:58
change to a new public addressing scheme
00:29:01
and that hides the ipv for addresses of
00:29:04
users and other devices so not
00:29:07
theoretically like it's not a very good
00:29:10
way to
00:29:11
for security but it is
00:29:13
better than expose ip addresses uh to
00:29:16
the uh the outside world so that
00:29:18
basically hides the internal ip
00:29:20
addresses from the outside world but
00:29:22
remember nat is not a firewall though so
00:29:25
it's not a security feature but it kind
00:29:27
of provide a type of security where it
00:29:29
kind of hides the internal ip address
00:29:32
from the outside world but remember it's
00:29:35
it's not a security feature though okay
00:29:38
so what are the disadvantage of nat
00:29:42
so the drawbacks or disadvantages
00:29:44
include net increases forwarding delays
00:29:47
because remember every
00:29:49
data packet that goes through the pat or
00:29:52
nat has to be translated every single
00:29:55
time it goes out as well as every single
00:29:58
time the packet comes back in right so
00:30:00
if you want to access a web server from
00:30:03
inside
00:30:04
your initial transaction has to be
00:30:06
translated through the pattern at and
00:30:09
when the web server send the information
00:30:11
back to you
00:30:12
that packet packets also has to be
00:30:15
translated uh by the neither nato pad so
00:30:18
that gonna create a forwarding delays
00:30:21
it also can create end-to-end addressing
00:30:24
um
00:30:26
loss so it causes the loss of the
00:30:28
end-to-end addressing so the addressing
00:30:30
is not consistent so
00:30:32
your end device your device
00:30:36
is not directly addressing
00:30:38
the uh server outside outside your
00:30:41
network it's actually being there's a
00:30:45
type of a man in the middle situation
00:30:47
right basically a nat is basically
00:30:49
acting as a translator between
00:30:52
the
00:30:53
outside world server and you so that's
00:30:56
what it means by the end-to-end
00:30:58
addressing is lost
00:30:59
the end-to-end ip v4 traceability is
00:31:02
also lost so there are situations where
00:31:04
you need to trace the ip
00:31:07
for troubleshooting as well as for other
00:31:09
reasons and that will be lost at the nat
00:31:13
nat complicates the use of tunneling
00:31:15
protocols such as ipsec so if you have
00:31:18
ipsec tunnels that you need to create
00:31:20
like a vpn tunnels nat will create
00:31:23
complications which we will cover later
00:31:25
sometime so i will go over like ipsec
00:31:29
and vpns and how nat can complicate it
00:31:32
and how we go about resolving that nat
00:31:35
complication with respect to ipsec i
00:31:38
will i will cover that in a later
00:31:40
lecture
00:31:41
uh not also uh have an issue with
00:31:45
services that request the initiation of
00:31:48
tcp connections from outside network or
00:31:51
stateless protocols such as
00:31:53
those using udp
00:31:55
because those can be disrupted as a
00:31:59
result of nat
00:32:00
so
00:32:01
you know the services that require the
00:32:03
initiation of a tcp connection from the
00:32:05
outside network or the stateless
00:32:07
protocols such as udp could have a a
00:32:11
disruption because of the nat
00:32:13
translation so
00:32:15
while we have overcome some of these
00:32:17
issues
00:32:18
uh like you know it's not for the you
00:32:20
know it's not completely eliminated
00:32:22
that's what you need to understand so
00:32:23
for your exams and quizzes you should
00:32:25
know all of these items listed here as
00:32:28
the
00:32:29
disadvantages for
00:32:31
using a nat
00:32:35
static nat
00:32:39
static net scenario
00:32:41
static net is a one-to-one mapping
00:32:43
between an inside address and an outside
00:32:46
address
00:32:47
static net allows external devices to
00:32:49
initiate connections to internal devices
00:32:52
using statically assigned public
00:32:55
addresses
00:32:57
for instance an internal web server may
00:33:00
be mapped to a specific inside global
00:33:03
address so that it is accessible from
00:33:06
outside network so if you have a web
00:33:08
server internally inside your network
00:33:10
and if you want clients outside
00:33:13
accessing that website
00:33:14
you
00:33:15
have to assign a static nat so that
00:33:19
every single time that this data pass
00:33:22
through your router
00:33:23
that it is always the same so same port
00:33:26
same ip address same everything so that
00:33:29
a public
00:33:31
system can have access to your web
00:33:33
server so that is an example of a public
00:33:36
sorry a static net scenario
00:33:41
configure static nat
00:33:43
so there are two basic tasks when
00:33:46
configuring static net translations
00:33:49
in cisco routers the step one is to
00:33:52
create a mapping between the inside
00:33:55
local address and the inside global
00:33:57
address using the command ip nat inside
00:34:01
source static command
00:34:03
so that's the command you need to use ip
00:34:06
nat inside source static right here and
00:34:10
then you're gonna enter the ip address
00:34:12
and the
00:34:13
you know associated information and the
00:34:15
step two
00:34:17
is the interface
00:34:19
participating in the translations are
00:34:21
configured as inside or outside relative
00:34:23
to the nat
00:34:25
with the ip nat inside command and ipnat
00:34:28
outside commands and you can see that
00:34:30
been entered right here so this is how
00:34:33
you actually
00:34:34
create a
00:34:36
static nad on your cisco routers
00:34:40
again i will go through these kind of
00:34:42
examples in a live lab demonstration
00:34:45
later and post to my youtube channel as
00:34:47
a separate video but for now just know
00:34:49
these commands ip
00:34:52
nats inside source static ipnot inside
00:34:55
and ipnet outside
00:35:01
analyze static nat
00:35:03
the static nat translation process
00:35:06
between the client and the web server
00:35:09
can be summarized with these five steps
00:35:12
so
00:35:13
the client sends a packet to the web
00:35:15
server
00:35:17
so that's the first thing going to
00:35:18
happen so the client send the packet to
00:35:20
the web server asking hey i want to
00:35:22
access this website
00:35:24
the r2 receives the packet from the
00:35:26
client and in its nat
00:35:28
outside interface and check its nat
00:35:31
table start to get the message and check
00:35:34
it's not table
00:35:35
r2 translates the inside global address
00:35:39
of the inside local address and forward
00:35:42
the packet towards the web server so
00:35:43
it's going to get forwarded
00:35:45
to the web server based on the net table
00:35:48
information
00:35:49
the
00:35:50
web server receives the packet and
00:35:52
responds to the client using its inside
00:35:55
local address
00:35:57
then dr2
00:35:59
receives the packet from the web server
00:36:01
on a snap inside interface with the
00:36:04
source address of the inside local
00:36:07
address of the web server and
00:36:10
it also translate the source address to
00:36:12
the inside global address so these are
00:36:15
the two things that at the very end that
00:36:17
the this thing gonna do
00:36:19
the nat
00:36:21
that is located in the router
00:36:24
so
00:36:26
how do you verify static net so to
00:36:29
verify the net operation you can issue
00:36:32
the command show ip
00:36:34
nat translations
00:36:36
and this command shows the active nat
00:36:39
translations because the example is a
00:36:42
static net configuration the translation
00:36:44
is always present in the net table
00:36:46
regardless of any active communication
00:36:49
so you don't need to have traffic pass
00:36:51
through to generate this data because it
00:36:54
is a static nat configuration
00:36:57
so if the command is issued used during
00:36:59
an active session the output also
00:37:02
indicates the address of the outside
00:37:04
device as well
00:37:05
in this case it is a static net and you
00:37:08
can actually see
00:37:09
that beam map right here
00:37:12
with the show ipna translations command
00:37:19
another useful command is to use show
00:37:21
ipnat statistics
00:37:23
it displays information about the total
00:37:26
number of active translations nat
00:37:28
configuration parameters the number of
00:37:31
addresses in the pool and the number of
00:37:33
addresses that have been allocated to
00:37:36
verify that the net translation is
00:37:38
working it is best to clear the
00:37:40
statistics from any port translation
00:37:43
using
00:37:44
clear ips nat statistics command before
00:37:48
trying out the show ipnat statistics so
00:37:50
that you will have a better idea about
00:37:53
whether
00:37:54
whatever the changes that you made is
00:37:55
actually working so if you run the show
00:37:57
ip not statistics it will show you how
00:38:00
many hits and the misses and some data
00:38:02
associated with that but you can run the
00:38:04
clear ip net statistics to clear that
00:38:07
information and see if it is working
00:38:09
afterward
00:38:13
so there is a packet tracer file called
00:38:15
configure static nat if you have access
00:38:18
to that file please go ahead and do it
00:38:20
if you do not i will post a copy of this
00:38:22
file to my sanju.com website once i find
00:38:25
one and so you can download and go ahead
00:38:27
and do them
00:38:28
again i will do these
00:38:31
packet tracer
00:38:32
options like the the module examples and
00:38:36
activities on separate videos and post
00:38:39
to my youtube channel later sometimes
00:38:43
dynamic nat
00:38:48
dynamic net scenario
00:38:51
dynamic net automatically maps inside
00:38:54
local addresses to inside global
00:38:56
addresses
00:38:57
dynamic nat uses a pool of inside global
00:39:00
addresses
00:39:02
the pool of inside global addresses is
00:39:04
available to any device on the inside
00:39:07
network on a first come first serve
00:39:10
basis
00:39:11
so basically as the term suggests
00:39:14
dynamic
00:39:16
it's automatically assigning ip
00:39:18
addresses to inside devices that is
00:39:21
trying to reach the outside networks
00:39:24
by using a pool of available global ip
00:39:28
addresses
00:39:29
and how it it is doing that is first
00:39:32
come first serve basis so whichever the
00:39:34
inside device first requested it gets
00:39:37
the
00:39:38
an ip address assigned from that pool uh
00:39:41
from the dynamic nat scenario
00:39:43
in the dynamic net situation right
00:39:46
so the thing about this is that if all
00:39:49
the addresses in the pool are in use a
00:39:52
device must wait for an available ip
00:39:54
address before it can access the outside
00:39:57
network so because it is dynamically
00:39:59
assigned
00:40:00
we are using the first come first
00:40:02
services to assign those internal uh
00:40:06
global addresses
00:40:07
if the internal or inside global address
00:40:10
pool get exhausted then the next device
00:40:13
next inside device trying to reach the
00:40:15
outside network has to wait for an
00:40:17
available address so it can get assigned
00:40:20
a internal global
00:40:22
iip address so that it can reach the
00:40:25
outside network
00:40:27
so
00:40:28
just like the name suggests dynamic nat
00:40:31
in this setting scenario these nat is
00:40:35
automatically mapping the inside local
00:40:37
addresses to
00:40:39
inside global addresses so on the right
00:40:41
hand side we have a router r2 that is
00:40:45
using the dynamic nat
00:40:48
so when one of these devices try to
00:40:50
reach the server outside of its network
00:40:53
it is going to use the automatically
00:40:56
assigning the ip addresses method
00:41:00
to assign an ip address to these end
00:41:03
devices
00:41:05
using the pool of global ip addresses in
00:41:07
the nat
00:41:09
and then that device can reach the
00:41:11
outside network using that
00:41:14
mapping
00:41:14
so that's how the dynamic nat works
00:41:20
so on a cisco device you can configure
00:41:23
dynamic nat by following five steps
00:41:27
so the first thing we need to do is to
00:41:29
define a pool of addresses that will be
00:41:32
used for translation using ipnat pool
00:41:35
command so the command is ip
00:41:38
nat pool
00:41:40
so that's the command you should
00:41:41
remember
00:41:42
and next step what we're going to do is
00:41:44
to configure a standard access control
00:41:47
list to identify or permit in this case
00:41:50
only those addresses that are to be
00:41:53
translated
00:41:55
then
00:41:56
just like any other acl we what we're
00:41:59
going to do is we're going to bind the
00:42:01
acl to the pool using the ip nat inside
00:42:05
source list command
00:42:07
so on the bottom of your screen you see
00:42:10
these three steps done
00:42:11
on this cisco router so we have the ip
00:42:15
nat pool so that's the command we used
00:42:17
to define the pool of addresses for the
00:42:19
net translation
00:42:21
and we have named the pool as nat dash
00:42:25
pool one so this is for identification
00:42:27
of that pool
00:42:29
so then we have assigned the ip address
00:42:31
pool of one nine two one six eight two
00:42:33
hundred two two two six to one nine two
00:42:36
one six five dot two hundred two four
00:42:38
zero so that's a range of ip addresses
00:42:40
that we're gonna assign to this net pool
00:42:42
with the subnet mask associated with
00:42:44
that
00:42:45
then we have created the access list
00:42:47
here
00:42:48
uh using the access dash list command uh
00:42:51
with permitting that uh you know that
00:42:54
those networks and then
00:42:57
we have bind that access list to this
00:43:00
nat pool so if you don't remember how we
00:43:03
how the access list works and how you
00:43:06
can configure them you can watch my
00:43:08
previous lecture on access list
00:43:11
but in this scenario we are using that
00:43:13
knowledge to assign that access list
00:43:16
creating an access list and assigning
00:43:18
that access list to this nat pool so
00:43:21
those are the first three steps you need
00:43:23
to take
00:43:24
in the five step process of creating a
00:43:28
dynamic nat on a cisco router
00:43:31
so the next thing what we're going to do
00:43:33
is to identify which interfaces are
00:43:36
inside
00:43:37
so
00:43:38
once you have created the net pool and
00:43:41
have assigned it to the uh you know the
00:43:44
the access list
00:43:46
next we are using the interface commands
00:43:49
to identify inside uh
00:43:52
you know interfaces
00:43:54
and then identify the also the outside
00:43:56
interfaces so in this example
00:43:59
we have identified the serial 0 1 0 as
00:44:02
the inside interface and the serial 0 1
00:44:06
1 as our outside interface hence what
00:44:09
we're going to do is we're going to go
00:44:10
to interface configuration for serial 0
00:44:13
1 0 1 with the interface serial 1 0 1
00:44:16
command and we're going to issue the
00:44:18
command i p
00:44:19
nat inside for that and then we're going
00:44:22
to go into the interface configuration
00:44:24
for serial 0 1 1 and then we're going to
00:44:27
issue the ip nat outside command so that
00:44:31
what this command is going to do is
00:44:33
going to make the serial 0 1 0 the
00:44:36
inside
00:44:38
you know interface and then the serial 0
00:44:40
1 1 the outside interface which is
00:44:43
required for our net operations
00:44:46
so that would actually create the
00:44:50
dynamic nat on a cisco router
00:44:55
analyze dynamic nat
00:44:57
inside to outside
00:45:00
the dynamic nut translation process
00:45:02
includes the following steps so it
00:45:04
includes several steps this is three of
00:45:06
them and we will go into the next slide
00:45:08
to discuss the other steps associated
00:45:10
with this
00:45:12
so
00:45:13
the in this scenario on the right hand
00:45:15
side the same network diagram that we
00:45:18
viewed a few slides ago on the right
00:45:20
hand side you have that r2 router that
00:45:23
is translating
00:45:25
the net request that coming from the
00:45:27
inside network to the outside network
00:45:29
right so in this situation the pc one
00:45:32
and pc2 send packets requesting a
00:45:35
connection to the server the server is
00:45:37
located in the outside of this network
00:45:39
right
00:45:40
so the next thing what's going to happen
00:45:42
is r2 receives the first packet from pc1
00:45:46
checks the acl
00:45:47
to determine if the package should be
00:45:49
translated
00:45:50
select an available global address and
00:45:53
create a translation entry in the net
00:45:56
table so what happen is when the pc one
00:45:59
request the access to the server the
00:46:02
first thing this router gonna do it's
00:46:03
gonna check hey is this need to be
00:46:05
translated to the outside or is it just
00:46:07
an internal routing thing so if it is in
00:46:10
external in this case it is because he's
00:46:13
trying to access this server what he's
00:46:15
going to do is he's going to check the
00:46:16
acl to determine if the packet
00:46:18
you know how the package should be
00:46:19
translated and then select an available
00:46:22
global address from the its pool
00:46:25
and then assign it to that request and
00:46:29
then add that information to its nat
00:46:32
table
00:46:33
r2 replay then what's going to happen is
00:46:35
r2 replaces the inside local source
00:46:38
address of pc1 which is 192.16810.10
00:46:42
with the translated global ip address of
00:46:44
209.165.200.226
00:46:49
and forward that packet so before
00:46:51
forwarding that packet but
00:46:53
what's next going to happen after the
00:46:55
net table entry has been created is to
00:46:57
convert the inside ip address of that pc
00:47:01
to the
00:47:02
inside global ip address that assigned
00:47:05
by the nat process
00:47:07
the same process occurs for the packet
00:47:09
from pc2 using the translated address of
00:47:12
209.165.200.227
00:47:16
which is shown on the right hand side so
00:47:18
we have a nat pool and here's a inside
00:47:22
local ip address so the for the pc one
00:47:25
it is which is 209 165 200.226 is the
00:47:29
global that assigned to the local one
00:47:30
here and for the pc2
00:47:33
the nat has assigned 209.165.200.227
00:47:38
to that pc2 uh um you know internal ip
00:47:42
address so you can see that on the net
00:47:44
pool so this is what's happening right
00:47:45
here so this this pc1 and pc2 request
00:47:49
the connection to the
00:47:50
server outside it goes to the this r2
00:47:53
router and the r2 router checks the acl
00:47:56
to determine if the package should be
00:47:58
translated and
00:48:00
if it is needed to be translated then
00:48:02
you're going to select from a global ip
00:48:05
internal global ip address and assign
00:48:08
them accordingly to this you know
00:48:10
request and add that to its ipv4 net
00:48:14
pool table so that's the first three
00:48:17
steps going to happen
00:48:19
in the dynamic nat
00:48:22
and the next thing is the server
00:48:25
receives the packet from the pc one
00:48:29
so after that the table has been created
00:48:31
after the eyepiece has been assigned the
00:48:34
internal global ip address the server
00:48:36
receives the packet from the pc1 and
00:48:38
respond using the destiny destination
00:48:41
address of 209.165.200.226.
00:48:47
because that is the one that been
00:48:49
assigned during the net process on this
00:48:51
r2
00:48:53
the server receives the packet from pc2
00:48:55
it responds to the you
00:48:57
request using the destination address of
00:49:00
209.165.
00:49:02
but you know but this time it is 227
00:49:05
because it is the pc2 that is requesting
00:49:08
the connection so basically when the
00:49:10
server received the information from
00:49:12
this one it goes with this ip address
00:49:15
when the server received from pc2 it
00:49:17
goes with this ip address why
00:49:20
because in the previous process we have
00:49:23
created this net pool and assigned
00:49:25
these nats
00:49:27
associated with those pc1 and pc2
00:49:31
internal ip addresses
00:49:33
in the next step the fifth steps what's
00:49:35
going to happen when the r2 receives the
00:49:37
packet with the destination address of
00:49:39
what
00:49:42
209.165.200.226 so this is going to
00:49:44
receive that information back from the
00:49:47
server it performs a nat table lookup
00:49:51
and translate the address back to the
00:49:54
inside local address and forward the
00:49:57
packet towards the pc one
00:49:59
remember on our previous steps here we
00:50:02
have created the net table entry right
00:50:06
here so when the rr2 received the packet
00:50:09
from the pc1 and pc2 it check the acl
00:50:12
determine if the packet should be
00:50:13
translated and what's going to happen is
00:50:15
it's going to assign an internal global
00:50:17
ip address and it also creates a
00:50:19
translation entry in the net table right
00:50:22
now that entry is now being used here
00:50:26
is to again translate it back
00:50:30
to the inside local address and forward
00:50:33
the packet towards the pc1 in this case
00:50:36
because the pc1 requested it so when the
00:50:38
pc
00:50:39
when the r2 received the packet with the
00:50:41
destination address of 209.165.200.227
00:50:46
it performs a nat table lookup and
00:50:48
translate the address back to the inside
00:50:50
local address of 192.168.10.
00:50:54
so 11.10 and forward the packet towards
00:50:57
a pc
00:50:59
2 because in this case 226 is associated
00:51:02
with pc1 in the net table and that
00:51:05
the ip address ending two to seven
00:51:08
associated with pc2
00:51:10
on the net table so it gets translated
00:51:12
to the internal ip address of that ip
00:51:14
sorry for pc2
00:51:17
so
00:51:18
that those are the you know the steps
00:51:20
that gonna take for the translation and
00:51:23
what's gonna happen next is the pc1 and
00:51:25
pc2 receive the packets and continue the
00:51:28
conversation back and forth between the
00:51:31
external server and the internal device
00:51:34
so the router performs steps two to five
00:51:37
for each packet
00:51:39
so
00:51:40
each time this the these internal
00:51:43
devices try to communicate outside and
00:51:45
um you know system it goes to
00:51:48
these
00:51:49
fives uh you know steps this this this
00:51:51
and
00:51:53
uh these two steps every single time so
00:51:56
it's try to communicate
00:51:58
so again to summarize this because this
00:52:00
is a very important concept
00:52:02
pc1 and pcs2 send packets requesting to
00:52:05
the outside well the r2 dynamic nat
00:52:08
gonna sign random ip address out of its
00:52:12
dynamic nat eye pool of ip addresses if
00:52:15
it is available based on the acl
00:52:18
so then it will add those entries to the
00:52:22
net table
00:52:24
and then forward the information to the
00:52:27
outside server and when the outside
00:52:30
server come back and reply back
00:52:32
to the
00:52:33
r2 it's going to use those ip inside
00:52:36
global ip addresses assigned by the r2
00:52:39
to communicate back to the r2 but then
00:52:42
r2 going to translate it back
00:52:44
to these pc1 and pc2 internal ip
00:52:47
addresses based on the net pool entries
00:52:49
that it has created in step two
00:52:53
and then the process repeats over and
00:52:56
over and over as it start communicating
00:52:58
back and forth uh you know between the
00:53:01
internal devices and the external source
00:53:04
so it's gonna go through the process of
00:53:07
one two one two three
00:53:09
four five over and over and over until
00:53:12
the communication is terminated
00:53:15
so that's the process of dynamic nat
00:53:19
outside to inside
00:53:23
so how do you verify dynamic nat
00:53:25
so on a cisco device the output of the
00:53:28
show ipnat translations so the the
00:53:31
command is show ipnat translations
00:53:34
can be used to display all static
00:53:37
translations that have been configured
00:53:40
and any dynamic translations that have
00:53:42
been created by traffic so if you run
00:53:44
the command show ipnat translations it
00:53:48
will show you all the translations here
00:53:50
this is not only a useful command for
00:53:52
you to verify your nat but
00:53:56
also
00:53:57
may be used by your instructor like in
00:54:00
my instructor have you show ipnet
00:54:02
translations to verify your lab exams is
00:54:04
done properly so this is something that
00:54:06
very very easy way to check if the
00:54:08
student have done what they're supposed
00:54:10
to do so this is a good
00:54:13
command that you should remember
00:54:16
adding the verbose a keyword display
00:54:19
additional information about each
00:54:21
translation including how long the entry
00:54:24
was created and used so if you show
00:54:26
ipnet translation and you add the
00:54:28
additional command verbose right here it
00:54:31
will give you some additional
00:54:32
information related to that dynamic nat
00:54:40
by default translation entries timeout
00:54:43
after 24 hours unless the timers have
00:54:46
been reconfigured with the ipnat
00:54:48
translation timeout command so remember
00:54:51
this command as well ipnat translation
00:54:54
timeout and then you can put the time
00:54:56
out variable in this case in seconds
00:54:59
right here
00:55:01
to clear dynamic entries before the
00:55:04
timeout has expired you can use the
00:55:06
clear ipnat translation command so that
00:55:09
is clear ipnat translation command
00:55:12
and the ipnet translation timeout is
00:55:15
entered in the global configuration mode
00:55:17
while the clear ipnat translation can be
00:55:19
entered in the privilege executive mode
00:55:22
and on here you can see that command
00:55:24
entered clear ipna translation with a
00:55:27
star here and the show ipnet translation
00:55:29
will show the ip addresses and the
00:55:31
bottom of your screen you have the
00:55:35
a table that actually describes some of
00:55:38
these commands and its options
00:55:40
and if you have ever reached uh you know
00:55:43
if you have research a
00:55:46
cisco manual you may be familiar with
00:55:49
these type of you know
00:55:51
notations that they use so you should be
00:55:54
familiar with these type of notations
00:55:56
even though i haven't gone through them
00:55:57
a lot
00:55:58
so
00:55:59
uh
00:56:00
in here
00:56:01
it shows a command clear ipna
00:56:03
translation with a star and it gives you
00:56:04
a description it clears all dynamic
00:56:06
address translation entries from the nat
00:56:09
translation table typically the star
00:56:11
command will mean that it will clear
00:56:13
everything associated with that command
00:56:15
behind it
00:56:17
the clear ip net transaction inside with
00:56:19
these
00:56:20
type of you know how it's written here
00:56:22
those are like variables that you can
00:56:24
change
00:56:25
so this clears a simple dynamic
00:56:27
translation entry containing an inside
00:56:29
translation or both inside and outside
00:56:32
translations so
00:56:34
in here these are things the variables
00:56:36
that you can enter the outside is a
00:56:38
keyword these are all keywords so this
00:56:40
is a key command so this is a full
00:56:42
command that needs keywords and this is
00:56:44
the keyword and these are like the
00:56:45
variables that you can enter
00:56:47
the next one it clears an external
00:56:49
dynamic translation entry it is clear
00:56:51
ipnet translation then
00:56:54
you can enter the protocol here and then
00:56:56
inside is a keyword and these are the
00:56:57
options and then the outside is a
00:56:58
keyword and again options right here
00:57:01
if you are reading again uh those uh
00:57:03
cisco manuals they are usually written
00:57:05
like this way and i will go maybe i will
00:57:08
do a quick video on how to read cisco
00:57:10
manuals uh later sometime
00:57:12
but for now just remember these
00:57:14
you know commands exist
00:57:18
the show ipnat statistics
00:57:21
command display information about the
00:57:24
total number of active translations net
00:57:26
configuration parameters the number of
00:57:29
addresses in the pool and how many of
00:57:32
the addresses have been allocated so
00:57:35
remember in the dynamic nat we have
00:57:37
created a pool of ip addresses that can
00:57:40
be
00:57:41
automatically assigned so the show ipnat
00:57:43
statistics will show
00:57:45
how many of those ip addresses are in
00:57:47
use and associated statistics related to
00:57:50
that such as the now such as how you
00:57:52
know the net configuration parameters so
00:57:55
if you run show ip net statuses this is
00:57:57
the screen that you're gonna see on your
00:57:59
cisco routers
00:58:00
if you have the dynamic nat configured
00:58:03
and right here it says the name of the
00:58:05
net pool so remember from our previous
00:58:07
example we use the nat pool one as our
00:58:11
pool name of the net pool and it shows
00:58:14
the configuration options right here the
00:58:16
pool uh
00:58:17
range the net mask and
00:58:20
the
00:58:20
how many addresses are now allocated so
00:58:22
in this example we have 15 addresses
00:58:25
allocated sorry uh two addresses
00:58:27
allocated out of 15 that is 13
00:58:31
usage of this entire pool because pool
00:58:33
have 15. so if you divide 2 by 15
00:58:36
multiply by 100 that will give you 13 so
00:58:38
that's 13 of your pool have been used
00:58:41
and it's clearly nicely displayed up
00:58:43
here so you for that you use this
00:58:45
command
00:58:48
the show running dash config command
00:58:51
with the piping character this
00:58:54
line character
00:58:55
uh with the uh nat uh cal interface or
00:58:59
pool commands associate with the
00:59:00
associated value can be used to also uh
00:59:04
you know display some net information in
00:59:06
this example we have the show running
00:59:09
dash config and we are piping or
00:59:11
filtering whatever
00:59:13
the information that includes nat in it
00:59:16
and in here we have the display of that
00:59:19
nat information uh on these two lines so
00:59:22
you can use the show running dash config
00:59:25
pipe include nat include cal include
00:59:28
interface or exclude nat so you will see
00:59:31
everything except the
00:59:32
nat so i have gone through what this
00:59:35
character do it's like it's called a
00:59:36
piping character it basically filter out
00:59:39
certain things and as you go through
00:59:41
these courses you'll get to know how to
00:59:43
use those so this is basically
00:59:45
limiting the fee or filtering out the
00:59:48
information so it's easy for you to read
00:59:54
there's a packet tracer file called
00:59:55
configure
00:59:57
dynamic nat
00:59:59
i will try to find a copy of that packet
01:00:01
tracer file and post to my sanju.com
01:00:03
website
01:00:04
if you do have access to cisco netacad
01:00:07
or you have access to this packet tracer
01:00:09
file through your academic institution
01:00:11
please go back to those
01:00:14
institution and download those and then
01:00:16
do them as you go through these lectures
01:00:21
pad
01:00:25
configure pat
01:00:27
to use a single ip address
01:00:31
to configure pad to use a single ipv4
01:00:34
address
01:00:35
add the keyword overload to the ipnat
01:00:38
inside source command
01:00:40
remember from my previous
01:00:43
you know lectures and slides i mentioned
01:00:45
pad is also known as
01:00:47
nat overload right
01:00:49
that is also known as nat overload
01:00:52
so this is why you can you know simply
01:00:54
use the overload command to the ipnet
01:00:57
inside source command in order to create
01:01:00
your netpad
01:01:02
in the example below on the bottom of
01:01:04
your screen all hosts from network
01:01:06
192.168.0.0
01:01:10
matching acl1
01:01:12
that send traffic through router r2 to
01:01:15
the internet will be translated to the
01:01:17
ip address 192.165.200.225
01:01:23
which is ipv4 address of interface s0111
01:01:28
the traffic flows will be identified by
01:01:31
port number in the net table because
01:01:34
the overload keyword is configured see
01:01:39
in right here you can see
01:01:41
that the overload keyword is
01:01:44
entered along with the net insight
01:01:46
source list serial interface serial 0 1
01:01:49
0 therefore what's going to happen is
01:01:50
the traffic flow will be identified by
01:01:54
the port in the nat table because of
01:01:57
that key keyword command right that
01:02:00
that's a key
01:02:01
it's a a keyword that can be used in
01:02:04
this command so what happening here is
01:02:06
the nat overload
01:02:08
which is also known as pat
01:02:10
right remember that
01:02:14
configure pad to use an address pool
01:02:18
an isp may allocate more than one public
01:02:21
ipv4 address to an organization
01:02:24
in this scenario the organization can
01:02:26
configure pat to use a pool of ipv4
01:02:29
public addresses for translation
01:02:32
remember i have mentioned previously
01:02:34
that most of the home routers and modem
01:02:37
combinations as well as small business
01:02:40
uh
01:02:41
routers even large
01:02:43
you know networks sometimes the isp
01:02:46
provided devices actually using pad even
01:02:48
though we keep calling it snap nat all
01:02:51
the time it's actually using pad because
01:02:54
you probably most likely have one or
01:02:56
very
01:02:58
few very limited number of
01:03:00
outside uh globally travel
01:03:02
internationally globally routable ip
01:03:04
addresses outside so what's going to
01:03:06
happen is the pat will be used
01:03:09
for the ipv address translation process
01:03:13
even though
01:03:14
we often hear network engineers and
01:03:16
technicians keep using nat um
01:03:18
as a like a misnomer right
01:03:21
um so remember that but however uh your
01:03:25
isp may have provided to you more than
01:03:27
one external ip address for example
01:03:31
i am with show cable canada
01:03:33
and show cable because i have a higher
01:03:36
tier internet service so they have
01:03:38
different tiers of internet i have two
01:03:41
globally routable public ip addresses so
01:03:44
i have two ipv4 global addresses
01:03:47
assigned to my internet connection so in
01:03:49
that situation a pat can use a pool of
01:03:52
ipv4 i add public addresses for
01:03:55
translation
01:03:56
so to configure pat for a dynamic nat
01:03:58
address pool in a cisco router you need
01:04:02
to add the keyword overload to the ipnet
01:04:05
insight source command so overload
01:04:08
keyword will be added to the ip nat
01:04:10
inside source command in this scenario
01:04:12
so in this example the nat dash pool 2
01:04:15
is bound to an acl to permit
01:04:18
192.168.0.0.16
01:04:22
to be translated
01:04:25
so these hosts can share an ipv4 address
01:04:28
from pool because pad is enabled with
01:04:31
the keyword overload right here so right
01:04:34
here we have the ip nat inside source
01:04:36
list one
01:04:38
pool
01:04:39
and nat dash
01:04:41
pool 2 is now
01:04:43
you know uh associated now been
01:04:46
associated with that access list one but
01:04:48
now we have the overload command enter
01:04:50
right here as a result of that
01:04:53
these hosts now can share ipv4 addresses
01:04:56
from the pool of pat that is enable
01:04:59
via that keyword so that's what
01:05:02
happening right here
01:05:03
so again as i mentioned pad is what is
01:05:06
commonly used today
01:05:08
in most ipv4 associated uh isp devices
01:05:12
whether home
01:05:13
modems and routers or small business
01:05:16
homes uh in modem and routers so they
01:05:18
typically use the pad
01:05:20
because remember pad is the port address
01:05:22
translation and it has both uh
01:05:25
layer 3 and layer 4 um you know headers
01:05:28
that gonna be
01:05:30
modified in pad as opposed to nat right
01:05:34
so that's why we use pad because it is
01:05:36
more versatile and flexible
01:05:41
so let's analyze pat
01:05:42
in this scenario the server to pc
01:05:46
so on the right hand side
01:05:48
we have a router that is configured with
01:05:51
pad it is a similar configuration but we
01:05:54
have two servers on the outside now
01:05:57
and
01:05:57
uh based on that information here uh
01:06:00
let's see what's gonna happen when you
01:06:02
know it's trying to uh connect
01:06:05
with the inside and outside networks
01:06:07
so the pc one and pcs2 send packet to
01:06:10
server one and server two so the pc one
01:06:12
and pc2 are sending packers to both
01:06:14
server one and server two
01:06:16
both servers are being now
01:06:18
accessed by these two devices trying to
01:06:20
access right now
01:06:21
so what's going to happen next is the
01:06:23
packet from pc1 reaches the uh a router
01:06:26
to this router where the path is
01:06:28
happening first
01:06:30
so as a result the r2 modifies the
01:06:32
source ipv4 address to 209.165.200.225
01:06:38
which is the inside global address
01:06:40
the packet is then forward
01:06:43
to the server one
01:06:45
so they are to get it and it use the the
01:06:49
inside global address
01:06:51
uh assignment to assign this uh global
01:06:55
insight address to the uh the pc one the
01:07:00
packet from pc2 next arrive at the r2
01:07:03
so the pat changes the source
01:07:05
ipv4 address of pc2 to the inside global
01:07:10
address of
01:07:11
209.165.200
01:07:16
notice the inside global address of
01:07:18
these two are now the same so the pc2
01:07:22
has the same source port number as the
01:07:24
translation for the pc one because these
01:07:27
are the same
01:07:28
so the path increments the source port
01:07:31
number until it is a unique value in its
01:07:34
table in this instance it's going to be
01:07:37
445. so in this patch scenario unlike
01:07:41
the previous example what's going to
01:07:43
happen is the inside global address for
01:07:46
both pc1 and pc2 trying to reach these
01:07:49
servers are the same
01:07:51
it's the same 209.165.200.225.
01:07:55
however
01:07:57
the port number now gonna be different
01:08:00
in the inside global address for these
01:08:02
two pcs hence it is we can be it can be
01:08:05
used to identify traffic goods that are
01:08:08
supposed to go to one pc from the other
01:08:10
in this case
01:08:11
140
01:08:13
1444 port is used by the pc1 and
01:08:18
1445 port is used by the pc2 because
01:08:22
what happened in pat it increments the
01:08:24
source port number until it is unique
01:08:27
value in its table and
01:08:30
as a result now you can identify traffic
01:08:32
that's supposed to go to the pc one from
01:08:34
traffic that's supposed to go to the pc2
01:08:36
and that table in this scenario in this
01:08:39
packed scenario looks like this on the
01:08:41
bottom of your screen
01:08:43
one thing you should notice
01:08:45
as i mentioned
01:08:47
because now we are using both the ip
01:08:49
address and
01:08:51
the port number
01:08:53
pat has the ability to modify both layer
01:08:56
3 and layer 2. in other words it can
01:08:58
modify the ip address as well as the
01:09:02
port number and it is displayed clearly
01:09:04
on the right hand side of your screen
01:09:06
right here
01:09:10
so let's look at what happened in pat
01:09:12
when the pc to server traffic so in this
01:09:15
case now we are going to look at pc2
01:09:17
server traffic so pc1 and pc2 send
01:09:20
packets to server 1 and server 2. the
01:09:23
packet from pc1 reaches the r2 first
01:09:26
just like before and r2 modifies the
01:09:28
source ipv4 address to
01:09:32
209.165.200.225. which is the inside
01:09:34
global address the packet is then
01:09:36
forwarded to server 1.
01:09:39
the packet from pc
01:09:41
2 arrives at r2
01:09:46
pat changes the source ipv4 address to
01:09:48
pc2
01:09:50
to the inside global address of 209 or
01:09:53
165 200.225 again
01:09:55
look it's the same so the pc2 has the
01:09:57
same source number as the translator pc1
01:10:00
so the pat increments the source port
01:10:02
number until it is unique value in its
01:10:04
table in this instance is 445 so you can
01:10:06
see that right here
01:10:08
so this is server to pce
01:10:11
and this is pc2 server but notice it is
01:10:16
the same process but is slightly
01:10:18
different
01:10:20
right so notice that so it's the same
01:10:22
thing
01:10:23
right sorry so this is server to pc
01:10:28
and this is pc to server but the process
01:10:31
is very similar because it's using pat
01:10:35
so next we're going to look at finally
01:10:37
the server to pc so in this case server
01:10:41
use the source port from the receive
01:10:43
packet as the destination port and the
01:10:46
source address as the destination
01:10:48
address for the return traffic
01:10:51
r2 changes the destination ipv4 address
01:10:54
of the packet from server 1 from
01:10:57
209.165.200.225
01:11:00
to the internal ip address of pc1 which
01:11:03
is 192.168.10.10
01:11:05
and forward that packet to the pc one r2
01:11:08
also changes the destination ip address
01:11:10
of the packet from server 2
01:11:13
from 209.165.200.225
01:11:16
to the internal ip address of pc2 in
01:11:19
this case 192.168.10.11
01:11:22
and modifies the destination port back
01:11:24
to its original value of 144
01:11:27
1444 so the packet is then forwarded to
01:11:31
pc2 so that's the basic operation you
01:11:34
know how exactly the the pat operation
01:11:37
works uh when the internal inside
01:11:39
network and outside network communicate
01:11:42
uh with each other
01:11:44
so
01:11:45
if you find this a lot of information
01:11:47
that is really hard to remember please
01:11:49
go back on this video and watch those
01:11:51
few slides again and you will understand
01:11:53
exactly you know what is described here
01:11:56
because not only i have explained what's
01:11:58
shown here on the right hand side but
01:12:00
you also have this diagram and the
01:12:02
information shown
01:12:03
in what's happening here and remember
01:12:06
pads can pat can modify
01:12:08
both layer 3 and layer 4 so it's a port
01:12:11
number and the ip address while the nat
01:12:13
cannot that doesn't do that so that's
01:12:15
the difference between pat and nat and
01:12:17
that is why we use pad a lot in home and
01:12:22
you know small business use
01:12:25
so how do you verify pad
01:12:28
the same commands used to verify static
01:12:30
and dynamic net are used to verify pat
01:12:33
the show ipnat translations remember
01:12:36
that command show ipnet translation can
01:12:39
be used
01:12:40
to display the translations from two
01:12:42
different hosts to different
01:12:44
web servers in the previous example so
01:12:47
the notice that the two different inside
01:12:49
hosts are allocated the same ipv4
01:12:51
address of 209.165.200.226
01:12:55
inside global address in that patex
01:12:57
sample
01:12:58
but the source port numbers in the net
01:13:00
table differentiate the two transactions
01:13:03
so right here we ran the show ipnet
01:13:05
translation hey look at that the inside
01:13:07
global ip address is the same for the
01:13:09
both tcp requests but however the port
01:13:13
number is different in here 1444
01:13:15
the other one is 1445 so you have two
01:13:18
different port numbers hence
01:13:20
differentiating one pce from the other
01:13:23
pc on the inside network
01:13:28
the show ipnet statistics the same
01:13:31
command we have used previously can
01:13:34
verifies that the nat pool uh
01:13:37
nat dash pool 2 has allocated a single
01:13:40
address to both translations
01:13:42
how do you know that because allocated
01:13:45
is showing here it's one because we only
01:13:47
ran that part in this example so also
01:13:49
shown there are number of number and
01:13:52
type of active translations net
01:13:54
configuration parameters the number of
01:13:56
address in the addresses in the pool and
01:13:58
how many have been allocated so just
01:14:00
like before the show ipnet statistics
01:14:03
show all of these data
01:14:05
on your cisco routers if you run that
01:14:07
command then that's what you'll see if
01:14:09
you have the
01:14:10
the path configured in that router
01:14:15
there is a packet tracer file called
01:14:17
configure pad if you have access to this
01:14:19
packet tracer file please go ahead and
01:14:22
do it if you do not i will try to find a
01:14:24
copy of this packet trace file and post
01:14:26
to my sandwich.com website and then you
01:14:29
can download from there and go ahead and
01:14:30
do it and again i will go through these
01:14:33
lab demonstration and packet tracer
01:14:34
demonstration videos on a separate video
01:14:37
clips and post it to my youtube channel
01:14:39
later sometime
01:14:44
nat 64 which is basically for ipv6
01:14:52
nat for ipv6 ipv6 was developed with the
01:14:56
intention of making nat for ipv4 with
01:14:59
translation between public and powered
01:15:03
ipv4 address unnecessary so basically
01:15:06
the only the one of the primary reasons
01:15:08
why we made ipv4 so that we don't need
01:15:11
the nat at the first place
01:15:13
however
01:15:15
ipv6 does include its own ipv6 private
01:15:18
address space unique local addresses
01:15:21
also known as
01:15:22
ulas so
01:15:24
even though ipv6 technically do not need
01:15:28
a net translation to be used because we
01:15:31
have more than enough ips v6 addresses
01:15:34
you can have globally routable ip v6
01:15:36
addresses from your inside network all
01:15:38
the way to the internet
01:15:41
ipv6 still have its own ipv6 private
01:15:44
address space
01:15:45
called unique global
01:15:48
sorry unique local addresses uls
01:15:50
ipv6 unique local addresses also known
01:15:53
as ulas are similar to that of the rfc
01:15:56
1918 private addresses in the ipv4 but
01:16:00
have a different purpose
01:16:03
ula addresses are meant for only local
01:16:06
communication within a site
01:16:09
ula addresses are not meant to provide
01:16:11
additional ipv6 address space
01:16:14
no to provide a level of security so
01:16:16
remember
01:16:18
in
01:16:18
ipv4 you can use
01:16:21
nat for multiple reasons including
01:16:23
hiding your internal ipv4 addresses
01:16:26
because it's doing net translations at
01:16:28
the router
01:16:30
and also to conserve
01:16:32
the ipv4 uh internationally globally
01:16:35
routable addresses because we are
01:16:37
running out of we are exhausting those
01:16:39
ipv4 addresses
01:16:40
but however
01:16:42
the
01:16:43
ula addresses in ipv6
01:16:46
are not meant for low you know
01:16:48
for doing you know that kind of security
01:16:51
or to provide any additional ipv6
01:16:54
addresses instead ula addresses are
01:16:56
meant for only local communication
01:16:58
within a site so remember those are the
01:17:00
key chain differences that you should
01:17:02
know for your exams and quizzes
01:17:04
ipv6 does provide for protocol
01:17:07
translation between ipv4 and ipv6 known
01:17:10
as the nat 64. so that's that's another
01:17:14
thing that you should remember so ipv6
01:17:16
does provide the protocol translation
01:17:18
between ipv4 and ipv6 devices so known
01:17:21
as the nat 64.
01:17:26
nat 64.
01:17:28
nat for ipv6 is used in a much different
01:17:31
context than the net for ipv4 so
01:17:33
everything you you learn about the nat
01:17:36
in ipv4
01:17:38
uh most of the items that i have covered
01:17:40
does not apply to nat 64. so nat for
01:17:43
ipv4 also known as nat in general
01:17:46
does not behave the same way as nat 64
01:17:50
which is a part of ipv6
01:17:53
the varieties of nat for ipv6 are used
01:17:56
to transparently provide access between
01:18:00
ipv6 only and ipv4 only networks as
01:18:04
shown on the right hand side
01:18:06
in this figure
01:18:07
right here if you look at it so
01:18:10
it is used it is not used as a form of
01:18:14
private ipv6 to global ipv6 translation
01:18:18
but it is to just to make the
01:18:19
communication between ipvs for online
01:18:22
devices and ipv6 only devices possible
01:18:25
that's the primary purpose of nat 64.
01:18:28
natural ipv6 should not be used as a
01:18:30
long term
01:18:32
you know method
01:18:33
but as a temporary mechanism to assist
01:18:36
in mitigation from ipv to ipv6 so if you
01:18:40
are creating a brand new network in 2022
01:18:44
for example
01:18:45
you should not be using nat 64 at all
01:18:47
you should be just using ipv6 addresses
01:18:50
but it can i the this nat 64 can be used
01:18:54
for communication be across
01:18:57
ipv6 only and ipvs for only networks as
01:19:00
a temporary measure
01:19:02
during the transition period
01:19:05
in this class for this module right now
01:19:08
i will not go into any more details on
01:19:10
nat 64 because that is not part of the
01:19:13
curriculum
01:19:14
for cisco this lecture series
01:19:18
so for now this is all what you need to
01:19:21
know about nat 64. it is different from
01:19:23
that of an ipv4 nat
01:19:26
it is you know not even close to what
01:19:28
the functionalities uh why we use it uh
01:19:31
you know when you compare net 64 against
01:19:34
the nat so they are completely two
01:19:36
different things and the primary reason
01:19:38
why we use nad and today in 2022 is to
01:19:42
make sure the transition between ipv6
01:19:44
only and the ipv4 only networks happen
01:19:48
smoothly so for now that's all you need
01:19:50
to remember for your exams and questions
01:19:53
when it's come to the point at 64.
01:19:58
so that will bring us to the end of this
01:20:00
lecture i'll introduce you to few more
01:20:03
um you know packet tracer files as well
01:20:05
as uh go over what we have covered
01:20:10
so there are two packet tracer files
01:20:12
called configure nat for ipv4 so if you
01:20:14
have access to these files
01:20:16
through your cisco netacad please go
01:20:18
ahead and do it if you do not i will try
01:20:20
to find a copies of those files and post
01:20:23
to my sanjit.com website so you can
01:20:25
download and do them
01:20:28
so here is a summary of what we have
01:20:31
learned so next few slides i will go
01:20:33
through
01:20:34
the items that we have covered in this
01:20:36
lecture
01:20:37
we learned that there are not enough
01:20:38
public ipv4 addresses to assign a unique
01:20:41
address to each device connected to the
01:20:43
internet that's where the term ipv4
01:20:46
address extend came from
01:20:49
the primary use of the nat or network
01:20:51
address translation is to pre conserve
01:20:54
public ipv for addresses in nat
01:20:57
terminology the inside network is the
01:21:00
set of networks that is subject to
01:21:02
translation
01:21:03
the outside network refers to all other
01:21:06
networks
01:21:08
we learned that the net
01:21:09
terminology is always applied from the
01:21:12
perspective of the device with the
01:21:14
translated address remember that's a
01:21:16
very important concept the net
01:21:18
terminology is always applied from the
01:21:21
perspective of the device with the
01:21:23
translated address
01:21:25
so what is considered as the inside and
01:21:27
what is considered as outside is from
01:21:29
the perspective of the device that with
01:21:31
the translated address
01:21:33
inside address
01:21:35
are the addresses of the device which is
01:21:38
being translated by
01:21:40
nat outside addresses are the addresses
01:21:44
of the destination device
01:21:46
local address is any address that
01:21:49
appears on the inside portion of the
01:21:51
network while the global address sees
01:21:53
any address that appears on the outside
01:21:56
portion of the network
01:21:57
we also learned static nat uses a
01:22:00
one-to-one mapping of local and global
01:22:03
addresses
01:22:04
while the dynamic nad uses a pool of ip
01:22:07
addresses
01:22:09
public ip addresses and assign them on
01:22:12
first come first serve basis
01:22:16
we learn about a
01:22:18
the concept of pat
01:22:20
also known as port address translation
01:22:24
the pad is also
01:22:26
being called net overload because it
01:22:29
maps multiple private ipv4 addresses to
01:22:32
a single public ipv4 address for a few
01:22:36
addresses or for a few addresses so it
01:22:39
can do either you know map multiple
01:22:42
private ipv4 addresses to a single
01:22:44
public ipv4 address or a handful of
01:22:47
public ipv4 addresses
01:22:49
nat increases
01:22:51
forwarding delays because the
01:22:53
translation of each ipv4 address within
01:22:56
the packet headers take time remember
01:22:59
um nat
01:23:00
is basically using the i you know packet
01:23:03
headers to do the translation then it
01:23:06
does increase the the for forwarding
01:23:08
times
01:23:09
nat complicates the use of tunneling
01:23:11
protocols such as ipv sorry such as uh
01:23:14
ipsec
01:23:16
because nat modifies values in the
01:23:18
headers causing some
01:23:21
issues with the the network
01:23:23
configuration associated with ip6
01:23:26
remember i did not cover ipsec and vpns
01:23:30
yet but i will cover that in the future
01:23:32
just for now remember that nat do
01:23:35
complicate the vpn and ipsec
01:23:38
configuration just for now but in the in
01:23:40
next few weeks i will explain how ipsec
01:23:43
and vpn tunnels can are created and we
01:23:46
will go into depth later
01:23:48
the we learned the show ipnet
01:23:51
translations command uh display all
01:23:53
statistic
01:23:54
uh all statistical information related
01:23:57
to translations that have been
01:23:59
configured and any dynamic translation
01:24:02
that have been created by traffic
01:24:04
we learn about uh how we can clear the
01:24:06
those entries in dynamic entries before
01:24:09
timeout has expired uh to do that we're
01:24:11
going to use the clear ipnat
01:24:13
translations
01:24:14
command vlan ipv6 was developed with the
01:24:18
intention of making nat or network
01:24:20
address translation for ipv4 with the
01:24:23
translation between public and private
01:24:26
ipv4 addresses unnecessary
01:24:28
however ipv6 unique local address also
01:24:32
known as ula are similar to that of rfc
01:24:35
1980 private address in the ipv4 but
01:24:39
have a completely different purpose
01:24:41
which we didn't go into depth in this
01:24:43
lecture
01:24:44
however we mentioned that the ipv6 does
01:24:47
provide for a protocol translation
01:24:50
between ipv4 and ipv6 known
01:24:54
as nat 64. so ipv46 still have a type of
01:24:59
nat
01:25:00
which allow the communication between
01:25:02
ipv4 and ipv6 uh networks and those that
01:25:07
particular system you know methodology
01:25:09
is called nat 64.
01:25:13
that is the end of this module
01:25:15
if you like these type of lectures
01:25:17
please thumbs up this video and
01:25:19
subscribe to my channel
01:25:21
as i mentioned before i will go through
01:25:24
lab demonstration within next few weeks
01:25:27
so that you will have a comprehensive
01:25:29
idea about nat and pat that we have
01:25:32
covered
01:25:33
if you have any questions or concerns
01:25:35
regarding any of the items that we have
01:25:36
covered please don't hesitate to reach
01:25:38
out to me until next time good luck with
01:25:41
your exams and have a nice day