All language subtitles for 33 - Routing - NAT Configuration-eng

[00:00:00] We move from concept to configuration. NAT configuration is one of the more enjoyable on a Cisco router because there's a few moving parts to it. And you have to take some of the concepts that you've learned about, most specifically access lists, which you just learned about, and apply it here to be successful. So that just makes it kind of a neat thing to do.

[00:00:18] For this configuration I am using real Cisco routers. I moved out of GNS3 just because there's something lost. I mean you can bridge GNS3 to a real network card and have it do NAT, and that's definitely great if you don't have a Cisco router. But there's something lost when you just can't open a web page and be like, oh look, it's working, and check all the NAT translations. Because obviously without getting VirtualBox set up and all of that craziness there's no real way to do that inside of GNS3, at least easily, but it's possible.

[00:00:47] So what I'm going to do is I'm going to build this router from scratch because you can't see it enough, and as we're nearing the end of this series I'd love to solidify a bunch of concepts in your head. So we're going to name this router NAT.
[00:00:59] And we're going to make this the fast ethernet 0/0 port and give it the IP address 192.168.1.1/24. Now, we're going to connect this to a real service provider, and one of the reasons you might be like, wow, 192.168, that's kind of old school, right? Instead of like your small environment, but I wanted to set this up to where this is something that you could do at home.

[00:01:25] I actually just answered an email from a student. The previous edition of this series, this CCNA series, I recommended at the very end of the series purchasing an 871W router for a lab. And let me see if I can pull up a picture. Here we go. Now, don't look at the price and be like oh my goodness. I mean go on eBay. This thing hasn't been made for years. Like it's out of production from Cisco. I think these vendors are just trying to rake you over on the price. You shouldn't pay more than $50 for this router.

[00:02:01] But I got an email from a student saying do you still recommend the 871W, or do you have something more recent that you recommend? And I sat and I thought, you know what, I still recommend the 871W now as a great little lab router to use at home.
[00:02:18] The reason I say that, and that actually reminds me I'm going to add a nugget to the end of this series where I add some home lab recommendations. Hang on, I'm just going to write that down. Okay. So the reason that I recommend this is because it's small enough and it has the full IOS for you to play with that somebody would want to use this at home. Now, would I recommend getting a 2800 series or 2900 series or whatever big, classy brand of router? I'm like, yeah, sure, if you can afford it.

[00:02:47] But what I found is people -- I actually had one student who said I've bought a whole lab rack of equipment. He bought like five or six different routers and switches. He just built a whole rack of Cisco equipment that he used for a lab. And I said, wow, what are you going to do with it? He goes I don't know yet but I'm going to use it. And I'm like, ah, because a lot of times if you build a lab without a practical scenario behind you, you end up just making a pile of equipment that you turn on every now and then. You're like, oh well, I can type in host name. But getting one of these little guys allows you to put it on your shelf and start using it as your home router, which immediately throws you into the fire. Because you just took down your home internet connection, right?
[00:03:30] There's motivation. I want to watch TV. I mean what doesn't come over the internet anymore? So you now have instant motivation and instant real world situations where, okay, you want to set up NAT for your house. You want to set up a subnet. With this router you can even do VLANs and set up VLANs inside of your house. Maybe I want to create a VLAN and separate my WiFi from my LAN connection so that I can have a public WiFi that's secured, ooh, secured. I can create an access list to make sure that the public WiFi I just set up can't get into my house and make sure that -- you see what I mean? It's just like it starts breeding these like, ooh, that's cool.

[00:04:07] And I can put this on the shelf and it's small. These guys, they're going to make a lot of noise. [Squealing Noise] And you're like shut that off. And they're going to be hot, and they take up a lot of space. Whereas this you get the full IOS. I feel like I'm selling it but I'm not. It's just a lab router. So the reason that I'm setting this up, and I want to frame it this way, is I want to set it up very similar to what one of you guys might do at home when you're setting this up.
[00:04:32] So I'm connecting this to a real service router, and I'm going to say at your house you probably don't have static IP addresses. You may, great, good for you and go for it if you can. But most of the time you're going to set this up for DHCP to get a dynamic address from the ISP, so I'll put ISP connection right here. One more thing let me just fill in. This is fast ethernet 0/1 right here. And I think that's about all the information we need. Let's get going.

[00:05:00] I'm going to bring up my router. Which I told you I'm going to set this guy up from scratch. So I've literally cleared the configuration off of this router. Let's see if I squish it and see everything at the same time. No, I do not want to enter the initial config dialogue. So let's just mentally run through the checklist. We're going to have to put a base configuration on there, assign the IP address, give it a hostname, set some of the console port settings that we all know and love like logging synchronous and all that. We'll have to, I would say, set up a DHCP scope. I'm going to allow this guy to be a DHCP server for the LAN in handing out IP addresses there. So a little bit to do to start off with. So I'm going to go into global -- oh, no.
[00:05:41] Have you ever done this before? I think this is the first time in the series I've done it. Because I usually turn it off. This, by the way, if you mistype something in user mode or privilege mode, what it's trying to do is telnet to a device named eb. So it's trying to resolve eb to an IP address. If you don't set up your server or your router for DNS, the first command you want to type is no ip domain-lookup. And that's what keeps that from happening. That's painful because you have to sit there and wait. A lot of them don't even let you -- you can abort it by doing Control-Shift-6 and just keep slamming the keyboard until it finally does that. But a lot of them won't even let you do that, you're just stuck.

[00:06:17] Alright, so let's get going. We've got hostname. I'm going to give it the name of NAT. Let's get into the interfaces. Well, actually before I do that let's go line console 0 because what just happened there is not what I want to happen all the time. Logging synchronous so those messages don't interrupt when I'm typing. No exec-timeout. Let's go into line vty 0 4. Login, password will be cisco. Just giving it some base passwords and telnet information, okay.
[00:06:46] Exit out there. Let's see, enable secret, password will be cisco, so we'll put that in there, okay. Interface fast ethernet 0/0. IP address 192.168.1.1, class C, right? So we're giving that an IP address, no shut. And I get that guy powered up and going. Exit back out. Let's go into interface. Let's go to the ISP connection. Fast ethernet 0/1. And we'll do an IP address. And this is going to be dynamic because we're connected to the service router. So we'll say DHCP, we'll negotiate that, DHCP. It's hanging there just because it's trying to enable that interface. We'll do a no shutdown as well. Let's just see if we get anything.

[00:07:32] Not yet and that's okay. I may have to -- if I could type. I may have to -- oh, look at that, it's going to say that I'll have to reboot my cable modem, but I got one. So we've got a DHCP address, that's good. It looks good to me. So let's set up DHCP. If you ever wonder what are these, by default Cisco routers broadcast to try and find a config if they don't have one. If you save your config and give it some time it will stop those messages.
[00:08:02] You can also go into global config mode and type in no service config, and most of the time that will work. There's been sometimes it doesn't work. It's just an annoyance until you save your config. And even a little while after.

[00:08:14] So I'm going to go in to set up a DHCP scope so our client on this LAN can get an IP address. So we'll do ip dhcp -- you always, when you're setting up a DHCP scope, I mean the router's handing out IP addresses to the LAN, you always say what you don't want to hand out first, because there's no easy way of setting a range, like hand out from here to here. So I'm going to exclude from 192.168.1.1 to 192.168.1.10. We'll say those are reserved. So the first address I'll hand out will be 1.11. Following so far? It's fast and furious, right?

[00:08:55] IP DHCP pool, and we'll call it LAN, hit enter, and we will say the network that I want to hand out is 192.168.1.0. One of the few commands that will allow you to say /24, or you can type in the full subnet mask if you want to. DNS server will be, let's use 4.2.2.2, 4.2.2.3, my two favorite DNS servers. And then Google coming in at a far side lash, just because 8.8.8 is just tougher to type on a keyboard. I have to use two hands.
[00:09:32] Or not two hands, but it's just the period, the 8, for no other reason it's just weird for me to type 8.8.8 and I can't even say it. So default, we want a default router. We want to give the default router 192.168.1.1 to the clients on the internal network, and that should be it. Let's do a quick show run, let me do a section ip dhcp. And just verify we've got excluded address there. We've got the LAN subnet there, DNS server, default router. That looks good, alright.

[00:10:03] One of the things that you'll find is when a Cisco router gets an IP address via DHCP, if that ISP is assigning it a default gateway, and it doesn't have a default router already set up, a lot of times it will accept the DHCP assigned default gateway as its own default route. Essentially it's going to say, oh okay, well, I don't have a default gateway so I will use you. And that's nice because it makes it versatile. You can move your Cisco router wherever and plug it into a connection. If it's enabled for DHCP it will pick it up and then start doing what it does best, which is route and do NAT. So at this point I just want to test and see where we're at. I'm going to go here and do a ping. Let's do a ping.
[00:10:45] Oh, let's do a show ip interface brief. We've got 208.92.153.6. Let's do a show ip route, and I see it's already set up, a nice little gateway of last resort because it got that via DHCP. So let's just do a ping 4.2.2.2. Let's see if we can reach the DNS server. Good, and we do. So this router now has internet access.

[00:11:06] Now, my computer happens to be, the one that I'm recording on right now, happens to be this guy. So actually what I need to do is go into the control panel because I've got my own connection, my own network that I save my recordings and everything like that. I'm going to actually go in and disable that one, which will not work well when I finish this because it's going to say where do you want to save this, and I won't have a place. Let's get rid of VirtualBox as well. It's a little free VMware kind of thing. So all that's left is my little Apple USB Ethernet adapter. That's what I have connected to the lab network. So I'll open a command prompt and do an ipconfig. And there it is, look at that. We've already got a dynamic address assigned from our pool, 192.168.1.11. Let's actually jump back here and line it all up. Here, I'll scoot this over a little bit.
[00:11:57] I'm going to do a show ip dhcp binding, which shows what IP addresses have been handed out. We're going back in time, man. So 192.168.1 -- whoa, see, that's what happens when I disconnect my network adapter. There we go. So where were we? Okay, so I've got the 192.168.1.11 that's now assigned. But let me just see if I can ping from here, 4.2.2.2, even though I've got a default gateway. The reason for that is because the router, it's got an IP address and it can do routing. It's got a [inaudible] but it's not configured for NAT. So my feeble attempts to open a web browser will fail because it will say, sorry, we're not connected. Let's go to Google. Let's see if we can get there. Hold on, secure browsing to Google. Nope, nothing. I mean we're just hung. We're not getting anywhere.

[00:12:52] So what we want to do, let's get this browser out of here, is start configuring NAT. Basic steps. Number one. Let me get back to the whiteboard. Number one, we need to identify our interfaces, meaning we need to go in there and identify that this one is connected to the inside of the network, like fast ethernet 0/0. Yeah, this is on the inside of my NAT.
[00:13:17] And fast ethernet 0/1, that's on the outside of my NAT. I need to identify that. And the good news is it's very simple to do this. Watch this. It's going to be logical. Show ip interface brief. Have you got the feel that I like this command? So there's my interfaces. I'm going to go into fast ethernet 0/0. ip nat inside. Now, you will find out it's common for it to hang, and don't panic. Usually when you hang a router like that something bad is about to happen, crash or something. But it's just enabling the NAT process behind the scenes. It's creating these virtual interfaces that it needs to do NAT. It's only on the first command. When I come in here and do fast ethernet 0/1, ip nat outside is the other command, you can see that goes through right away. Okay, good. Step one is done.

[00:14:04] Step two is to identify our inside IP addresses. So we actually need to be able to say this inside of our network is going to be translated to the outside world. Now, the way I'm going to do that is I'm going to say essentially anything starting with 192.168.1.anything/24 is valid to be translated out.
[00:14:29] Now, it just so happens that the way that I do that is by using an access list. You see some of those concepts come wrapping back around. So here's what I can do. Let's exit back out. Now the beauty is for basic NAT configurations I can use just the standard access list. I go in there and do ip access-list, and it's going to be standard. And we'll call this NAT addresses, how's that? How about we do this, because there's a lot of NAT addresses inside. That's a long access list name but we'll go with it. Inside NAT addresses, okay. And so I will say permit 192.168.1.0 with a wildcard mask of 0.0.0.255. I can log it if I want but I don't need to. And that's it. That's all there is to it. Because remember I said access lists, when we were talking about access lists, they're not just for access control. In this case I'm going to use this access list to permit these addresses and only these addresses to be NAT-ed.

[00:15:37] Okay, step three. We're going to use our IP NAT connection command. What I mean by that is I'm going to go in and say I want to NAT from this to that. Now, this command can do a lot of stuff for us. I'm going to show you the first thing right now.
[00:15:55] I'm going to NAT -- so first off the way the syntax works is I type ip nat, so I'll translate that into English. IP NAT means I want a NAT, right? Now, I hit question mark and it's like an interview. I want to NAT from the inside of my network out. This is going to be a source. Let me identify the source addresses to you. So I want to NAT from the inside of my network out. The source addresses that are going to be translated are going to be identified in access list number -- well actually not number in this case. What did I name it? Inside NAT addresses, right, right there. Highlight, copy. Yeah, let me back up here. There we go.

[00:16:41] IP NAT. Okay, so I want to NAT from the inside of my network out. The source addresses are going to be identified in access list inside NAT addresses. So that's the source. And I'm going to be going to the destination of, and now we have the option. We can either go to an interface as the destination or a pool of addresses. So here's the idea.
[00:17:05] I can either say I just want to take all of these guys and NAT them out this interface, or I can create a pool of addresses, which is possible, and I can say maybe 208.53.91.1-9 is going to be the pool of addresses. So I'm going to NAT all of these guys out to that pool of addresses. Now, you having that being dynamic NAT, remember we were talking in the concepts how dynamic NAT does that one-to-one mapping, if you will. But then you'd only have nine people able to get to the internet at the same time. You don't want that. So we would usually use PAT in combination with those. But in this case the reason the interface command is so handy is because I don't need to know what my outside address is to use that command.

[00:17:54] Let me type the command and I'll explain it. So let me get back here. Interface fast ethernet 0/1. I know some of you are like blah, blah, blah. That's a big command. It is, it is. There's a lot to that command. But let me just read it. I'll hit the up arrow and go back to the beginning of the line and read it again in English. IP NAT, I want a NAT, is what that means.
[00:18:18] From the inside of my network out, the source addresses that I want to NAT are identified by access list inside NAT addresses. And what's in there? 192.168.1, right? We said permit those addresses. So NAT from that source to the destination of interface, and let me go fast ethernet 0/1 and, oh, actually I forgot a keyword on there. And I want to add on the keyword overload. Not just L, overload. So the command just got bigger. I mean what do you think overload does? I know you're like, well, it says right there, overloads an address translation. What's that mean?

[00:19:00] Overload enables PAT. So when I typed the command the first time and pressed enter it would work, but it would only work for one IP address. Whoever got there first would use up the outside address because it's a one-to-one mapping if I don't have that keyword. But I'm putting overload on there. That's when it says, oh, you want me to use PAT, so that way I'll translate addresses dynamically using port numbers, and everybody can share the IP address of whatever is on fast ethernet 0/1. The beauty of using that command is I can now use this versatilely.
I can move it to whatever internet connection I want, plug it in, and then whatever IP address is received via DHCP on that fast ethernet 0/1 will now be used for all of my NAT settings. I think, I'm hesitating, I think that's everything that we need. Oh, look at that, it's saying I can't change this, dynamic mappings are already in use. That's funny. So let me just do a quick show run, include IP NAT. I want to make sure that it took that command. But all we did is identify inside and outside interfaces, create an access list that said these are the inside addresses, these are the source addresses, and then we combined them all with this IP NAT connection command. And so this is the biggest command of all, probably the most confusing. But, again, it's kind of like an access list. You're just saying I want a NAT, here's my source, here's my destination, and in this case we overloaded it.

So I want to test it. Come on, let's bring up, oh, this was here before, cbtnuggets, right? I was like, that's not cool. Woo hoo, it worked. So, anyhow, I want to make sure it's not in cache or something like that. What's a website I haven't gone to? Let's do USA Today. I know I haven't gone there.

USA Today, wow, look at that, Hall of Fame, no one elected. Bad. So now I can -- okay, the reason I'm doing this and going to a couple of websites, let me just go to one more, let's go to amazon.com. Get a nice little Amazon splash page up there. The reason I'm doing this is I now want to go in there and do -- let's make this a little bigger, we'll want it big, do a command to verify. I'm going to do a show IP NAT translation. Look at that, yeah. We've got a massive amount of translations going through. Remember in the last nugget when I said, yeah, theoretically you could share one IP address for 65,000 people? This shows exactly why that theory would never prove true in reality. Just by going to three websites, count them, three websites, cbtnuggets, USA Today and amazon.com, literally let's just keep the scrolling going. Okay, I reached the end. These were all the translations that were built. First off, you see all these guys? These are all DNS translations. Notice, let's read it here, and this is where I want to get into some of the terminology. The inside local address is where I'm coming from. So let me go to this network diagram, change pen colors real quick.

According to the router, inside local addresses are those that are inside of the network, like the position they are on your inside network, and they are local. You can kind of translate that to be a private address, kind of, in your mind. Now, some of these terms, I will tell you before we even write them all out, they are confusing because they follow the industry standard. NAT is an RFC standard, and so Cisco said, okay, we'll follow the naming that they say in there, but it is confusing. So inside local means it's inside my network, like it's mine, I own it, and it's a private address. That's the local. Now, this one, the public address, is actually identified as the inside global. Now, that doesn't make sense initially because you're like, well, inside, no, it's outside. Well, it is, but think of the word inside as who owns that address. You just kind of think of it that way. Like inside means me, outside means somebody else owns that address. So when you put it that way it's like, okay, okay, I own these addresses inside, and I own this address because it's assigned to my router. Not literally I own it from my service provider, but I own it because it's assigned to my router, so it's inside. Global essentially means public.

Now, you'll see some other terms here like outside global. Outside global is essentially the IP address of the outside server. Outside meaning I don't own it, it belongs to somebody else. Global meaning it's public. So when you go to a website that's going to be how they show up in this table. So notice all of these. What's port 53? And notice the protocol, UDP port 53. Anyone remember? Raise your hand. Yes, you?

>> DNS.

>> DNS, yeah, exactly right. DNS, these are all the DNS lookups that were necessary to go to three websites. Now, again, I want to make sure everybody gets -- you're like, this is crazy, why would you need that many DNS lookups to go to three websites? Remember, again, amazon.com, this picture right here is one server. This picture is another server. This picture another server. This picture another server. There's so much stuff on this website. And every time you introduce another server like Discover Card, something new in your city, or it's not even Discover Card, discover something new in your city, anytime you go to a new server it's like, oh well, that ad right there is actually fed from AWS9.amazon.local.

Blah, blah, blah. So your computer has to go, well, who is that? And go do a DNS lookup just to find out who that's from. That's why sometimes pages take a while to load, because it's grabbing all this information from all these different servers.

Okay, so back to the configuration. So outside global says, okay, I access this DNS server on port 53, all kinds of stuff. And notice all these source port numbers are where it came from. So let's start putting these pieces together. Inside local, so this is me. Excuse me, I've got 192.168.1.11. I generated a DNS request from the source port 53582. Now, that was translated to the inside global, or essentially the outside public IP address, of 208.92.153.6. Now, who's that? That's my router, remember? We actually got assigned that address dynamically. It was 208.92.153.6. So that's me. So what this is saying is I've translated from this to this. And notice what it did with the port number. It actually said, okay, I'm going to retain your source port number, and now that's what you look like to the outside world. So it went out and talked to this IP address, the outside global.

Now, I know some of you are like, well, what's this? I don't even want to tell you. Honestly, I don't. But let me just say this. That is outside local. You might say, okay, so outside means it belongs to somebody else, right? Yup. Local means it's a private address? Huh? Well, essentially what this means, and trust me, my public, private, it's just kind of a rough analogy, but what this means is it belongs to somebody else, but this is how my network sees it. I will say for 95, 99, 98 percent of you out there it will always be the same. Essentially the outside global, which is what it really is, will be the outside local, which is how your network sees it. What you can do, let me give you this example, and I really don't want to tell you because it might confuse some, but I just want to show it to you. You can do NAT translations the other way. Here's what I mean. I could go in here on this router, and I could say, well, I want to create a NAT translation that when somebody accesses 192.168.1.52 it actually translates to 4.2.2.2. Weird, right? It's doable but very strange.

So what you could do is you could make 4.2.2.2, we'll just say this DNS server out here, appear as 192.168.1.52 to the internal network. In that case, if you did that kind of translation, then you would see outside local at 192.168.1.52, outside global is 4.2.2.2. So, again, it's kind of like a backwards NAT. So if that confuses you, forget I ever said it and just say all these will always be the same, outside local and outside global always the same. Honestly, I've done this once, and it was a whacked out situation where I couldn't assign a default gateway to this PC. So I had to be able to get it to an outside server, it wasn't even a DNS server, but an outside server without a default gateway. And the way I did it was by saying, okay, I'm going to set up a NAT so this guy will ARP for this, and it will actually translate out to the public address. So that will be where it actually looks for that server. So, again, weird situation, forget I ever said it.

Okay. So all of this -- now let me hit the up arrow, do a show IP NAT translations. Look at that, look at that, that's it right there. They're all gone. So all of these initial translations, [rotating sound], all of those, [rotating sound], all the way down have now consolidated down to this.

Why? Because the sessions have begun to close. When I did my DNS lookups they show up in the table, but they quickly go away, because I know -- I'm sure many of you are like, well, good grief, if one computer going to three websites can consume that many port numbers, I mean, look at all that, can consume that many port numbers, I mean, it's not going to be long before one public IP address runs out of port numbers, right? Well, yeah, but the good news is they time out very quickly. After they're used they stay there for a few seconds longer and then, shoop, they're gone. So now, just because I have my web browser open, I still see these that are established, but for the most part they've all closed down and consolidated down to a smaller amount.

Okay, so we have the NAT overload or PAT version of NAT working. What if, let's change it a little. I just gave you a scenario that works very well. That whole config that we just did works very well for small office or home office environments. But what if I do have static IP addresses here? What if I'm a real business and maybe I have even a pool of addresses available to me? What about that situation? Well, in that circumstance you want to squeeze in one more command between two and three, and that will create a pool of outside addresses.

Here's what I mean. I can go into the router, and let's first off do a show run, include IP NAT. And we want to remove the existing configuration. So I'm going to say I just want to yank this one out. I'm going to get rid of that command in there. And it says, hey, you've still got dynamic mappings, are you sure? Yeah, sure, that's fine. So I've got the dynamic mapping, or I should say mappings, deleted. That just means all of the, oop, now I've done it, cleared it off. All of these previous mappings, these were all dynamic, those are all wiped out now because I deleted the command, so I've removed that. And now what I can do is create a pool. So I'll say IP NAT pool, and I'll say, okay, the pool of addresses, let's just say this is my outside public addresses. And I would say the start IP address, and that's why I'd come back here, let's just say we started from 208.92.153.5, 208.92.153.5, and we go through 208.92.153.6, right? So we've got the start and the end. If we need to add what subnet mask is there for that subnet, we'll say netmask 255.255.255.248, that's just what the service provider has given us, and hit enter. So now I've created this pool of addresses that we call outside public.

It's not doing anything yet, it's just there until I do IP NAT inside source. And I'll say this time, again, the same command as before. This is the same exact one I just removed. Inside source. So I'm going to map from the inside of my network out. The source addresses are in access list number 5, that's the one we created before. And instead of going out the interface, that was the previous command, I'm going to go to the pool of addresses that is defined as outside public. So I'm going to say the outside public pool of addresses, and then I'm going to add on overload. Otherwise, now I have more IP addresses, I have two, .5 and .6, right there that I can use. But I'm going to overload them, so I'm going to max this one out. And once this .5 runs out of port numbers then I'm going to go over to .6 and max that one out. So as we start growing and we start requiring more public IP addresses that we can overload and share, we can do that. So that would be -- now, this is still PAT. But if you wanted to do that as dynamic you would just leave overload off. Remember dynamic NAT, doing the dynamic one-to-one mappings. But then you would only get two people able to surf the internet at a time because they would eat up the outside addresses since we only created a pool of two.

Now, what if you only had one address? Like the same story as before, but instead of being DHCP it's static, and we only have one static address. Well, easy enough, you would do the same thing but create a pool of just one address. Just say we're going out at .5. You can see it starts at .5 and ends at .5. So we create an outside pool of one address, that's fine, and then we go in and overload it. Now, we don't have to redo this command. Let me just do a quick show run, include IP NAT. We don't need to redo the command. We can change, kind of, pieces of that command out. Like I can change out this pool, and I don't have to redo that IP NAT inside source command. So that's a way to do it if you have a static IP address on the outside.

Okay. The last one, what about doing a static translation? So we've seen, remember the three modes of NAT, we have static, we had dynamic, which is dynamically doing a bunch of -- you get it, dynamic, right? Hard to talk. And then we had PAT. So we've done PAT. We've even done dynamic, which you saw the config just now, we would just leave off the overload command. And then now static.

What if we have servers running on that inside network that I want to allow access to from the outside? That's where you need static NAT mappings. The way we do this is go into global and type in IP NAT, again inside source. So if you get used to this, I mean, it's the same commands over and over and over. It always starts IP NAT inside source, and then we either say I want to go to an access list or, see what I see, right, static. And now we can do it the simple way. I can say, okay, the inside local IP address is 192.168.1.51. We'll say that's our email server, right? Then it's going to say, okay, what's the inside global? Remember the terms I talked about, inside local, so they're saying inside global, where was that on our picture? That was the public IP address that belongs to us that goes to the interface right there. So it says, okay, this inside local or private IP address is going to translate to, and that's where I would type in 208.53. What was it? 208. I don't even remember. Oh, okay, I was trying to figure out what that was. 208.92.153, let's just say 7, alright, and hit the enter key. That's one way of doing it. That's the simplest way.

So that says any time somebody accesses this IP address on the outside I will translate it to this IP address on the inside, and vice versa. I will take this IP address when I see it on the inside and translate it to that IP address on the outside. This is actually a two-way street, a two-way translation. A lot of people say, okay, well, now do we have to create a second one that says 208.92 is here and 192.168 is here to kind of do both ways? No. This is a two-way street. So as this one goes out you will always be that 208.92.153.5 address that I just defined. And as people come in on that -- you get the point, right? I'm like, I could fumble over my words or you got it, right.

So, another way I can do this. I could do IP NAT inside source, and you saw this when I first typed it, so I'll do static. I could type the inside local IP address, but I can also specify TCP or UDP. So this would be useful if I want to break this into multiple port numbers. So let me show you. Let's say I want to do TCP, and I'll say the inside local address, 192.168.1, let's say 53, but it's going to be on port 80. This is a web server. And I will go on the outside, that really goes to 208.92.153.8 on the outside, on port 80 as well.

So what this does is say now if I get -- I'm running out of space to scribble. Let's use orange. If I get a request on the outside and it's directed to 208.92.153.8 on port 80, and only on port 80, it won't work for any other port right now, then I will send it to the inside of my network to the mysterious server that showed up that is 192.168.1, what did I say, 53? Yeah, 53 on port 80, alright? So I could hit the up arrow. Let's say this is where I can split this one IP address to multiple destinations. I could say, well, maybe if they do 21, which is FTP, I'll send it in on port 21 to 192.168.1.67. That's an FTP server on my network.

Early on, this is long before GoToMyPC and LogMeIn and all these things that let you access your computer from home, long before that I actually had a router set up at my house, let's get that orange color off of there, a router set up at my house that was connected to an ISP, and I would use Microsoft Remote Desktop. It's been around for a long time. And Microsoft Remote Desktop uses TCP port 3389. And I had actually a bunch of computers inside of my house that I would access when I'm on the road. If I'm traveling or if I'm at the office or something like that I could actually sit out here and use Microsoft Remote Desktop.

You know what I mean when I'm talking about Remote Desktop, right? You go to All Programs. Of course, you can't see it. How about you just do Start, Run, and you actually type in MSTSC. And that will bring up a Remote Desktop Connection where I can type in I want to go to this computer, home.jeremy or whatever the computer is. And I can open a remote screen. So I would sit out here and remote to my computer because I would map port 3389 into my main PC, which was actually 172.30.1.50, that was my main PC IP address. But the problem is now I've eaten up that port number 3389. On the outside it's eaten up. So I wanted to remote desktop to these guys as well. What I would do is I would play this game. I would say, okay, well, I want to actually map 3389 to, let's just say, 1.67.3389, and then I would say I want to actually map 3390 to the inside, let's just say this is the second IP address right there. Let me get that all on the screen. It's not quite fitting. But you see what I'm doing here. I would say 3390 on the outside actually translates to 3389 on the inside.

Now, whenever I would be somewhere I would say I want to go to jeremy.home.com or whatever my domain -- I actually use the dynamic DNS service and all that. And if I wanted to connect to my main computer I would just hit enter and connect. If I wanted to connect to a secondary computer I would put colon 3390. You can do that, and it will say, okay, well, I'll use port 3390, which now hits this and translates to a completely different computer. And then I did the same thing for the third computer, 3391, and I would come over here and map 3391 to whatever, 192.168.1.5 on 3389. And that would work out perfectly well. So it's saying if it receives it on this port on the outside I'll actually translate it to this port on the inside. So there's a lot of cool stuff that you can do. You can either statically translate the whole IP address in and out, or you can statically translate port numbers and even change port numbers when you're translating in and out.

Okay, so we have now seen the three flavors of NAT. This was my only slide for this because we're so into the live configuration. Obviously with all the scribbles on the screen you can see it builds on itself. But we've seen configuring PAT, sending it to go out to a specific interface or to a specific pool of addresses.

Configuring dynamic NAT from one pool of addresses to another. And then we saw configuring static mappings from either a whole IP address or individual ports on an IP address into different servers. So by the time you're done now you should be able to go out and configure NAT for just about any environment that you can encounter. I wasn't hiding anything. You've now seen all the flavors of NAT that exist. I hope this has been informative for you, and I'd like to thank you for viewing.
