1
00:00:00,546 --> 00:00:02,526
>> We move from concept to configuration.
2
00:00:02,916 --> 00:00:05,866
NAT configuration is one of the
more enjoyable on a Cisco router
3
00:00:05,866 --> 00:00:07,476
because there's a few moving parts to it.
4
00:00:07,856 --> 00:00:10,556
And you have to take some of the
concepts that you've learned about,
5
00:00:10,556 --> 00:00:13,506
most specifically access list
which you just learned about
6
00:00:13,906 --> 00:00:15,976
and apply it here to be successful.
7
00:00:16,136 --> 00:00:18,036
So that just makes it kind
of a neat thing to do.
8
00:00:18,136 --> 00:00:22,386
For this configuration I am
using real Cisco routers.
9
00:00:22,386 --> 00:00:26,226
I moved out of GNS3 just
because there's something lost.
10
00:00:26,226 --> 00:00:29,906
I mean you can bridge GNS3 to a real
network card and have it do NAT,
11
00:00:29,906 --> 00:00:32,126
and that's definitely great if
you don't have a Cisco router.
12
00:00:32,406 --> 00:00:35,656
But there's something lost when you just
can't open a web page and be like, oh look,
13
00:00:35,656 --> 00:00:37,666
it's working and checking
all the NAT translation.
14
00:00:37,926 --> 00:00:41,436
Because obviously without
getting virtual box set up
15
00:00:41,436 --> 00:00:45,486
and all of that craziness there's no
real way to do that inside of GNS3
16
00:00:45,486 --> 00:00:47,726
at least easily, but it's possible.
17
00:00:47,876 --> 00:00:51,416
So what I'm going to do is I'm going
to build this router from scratch
18
00:00:51,416 --> 00:00:54,996
because you can't see it enough, and as
we're nearing the end of this series I'd love
19
00:00:54,996 --> 00:00:56,866
to solidify a bunch of concepts in your head.
20
00:00:56,896 --> 00:00:58,926
So we're going to name this router NAT.
21
00:00:59,906 --> 00:01:03,426
And we're going to make this
the fast ethernet 0/0 port
22
00:01:03,616 --> 00:01:08,756
and give it the IP address 192.168.1.1/24.
23
00:01:09,086 --> 00:01:11,686
Now, we're going to connect
this to a real service provider,
24
00:01:12,036 --> 00:01:19,466
and one of the reasons you might be like,
wow, 192.168 that's kind of old school, right?
25
00:01:19,466 --> 00:01:23,386
Instead of like your small environment,
but I wanted to set this up to
26
00:01:23,386 --> 00:01:25,396
where this is something that
you could do at home.
27
00:01:25,776 --> 00:01:34,206
I actually just answered an email from a
student, the previous edition of this series,
28
00:01:34,206 --> 00:01:38,036
this CCNA series, I recommended at the very end
29
00:01:38,036 --> 00:01:44,096
of the series purchasing
an 871W router for a lab.
30
00:01:44,236 --> 00:01:46,026
And let me see if I can pull up a picture.
31
00:01:46,946 --> 00:01:47,376
Here we go.
32
00:01:47,376 --> 00:01:50,246
Now, don't look at the price
and be like oh my goodness.
33
00:01:50,246 --> 00:01:51,246
I mean go on eBay.
34
00:01:51,246 --> 00:01:53,156
This thing hasn't been made for years.
35
00:01:53,156 --> 00:01:55,396
Like it's out of production from Cisco.
36
00:01:55,396 --> 00:01:58,756
I think these vendors are just
trying to rake you over on the price.
37
00:01:58,906 --> 00:02:01,446
You shouldn't pay more than $50 for this router.
38
00:02:01,976 --> 00:02:06,696
But I got an email from a student
saying do you still recommend the 871W,
39
00:02:06,696 --> 00:02:09,076
or do you have something more
recent that you recommend?
40
00:02:09,526 --> 00:02:14,746
And I sat and I thought, you know
what, I still recommend the 871W now
41
00:02:14,746 --> 00:02:17,676
as a great little lab router to use at home.
42
00:02:18,076 --> 00:02:22,406
The reason I say that, and that actually
reminds me I'm going to add a nugget to the end
43
00:02:22,406 --> 00:02:25,346
of this series where I add
some home lab recommendations.
44
00:02:25,346 --> 00:02:27,396
Hang on, I'm just going to write that down.
45
00:02:27,686 --> 00:02:32,476
Okay. So the reason that I recommend
this is because it's small enough
46
00:02:32,586 --> 00:02:38,916
and it has the full IOS for you to play with
that somebody would want to use this at home.
47
00:02:38,916 --> 00:02:42,696
Now, would I recommend getting
a 2800 series or 2900 series
48
00:02:42,696 --> 00:02:45,646
or whatever big, classy brand of router?
49
00:02:45,646 --> 00:02:47,456
I'm like, yeah, sure if you can afford it.
50
00:02:47,756 --> 00:02:50,366
But what I found is people
-- I actually had one student
51
00:02:50,366 --> 00:02:53,846
who said I've bought a whole
lab rack of equipment.
52
00:02:53,846 --> 00:02:57,226
He bought like five or six
different routers and switches.
53
00:02:57,226 --> 00:03:00,416
He just built a whole rack of Cisco
equipment that he used for a lab.
54
00:03:00,676 --> 00:03:02,626
And I said, wow, what are
you going to do with it?
55
00:03:03,226 --> 00:03:06,086
He goes I don't know yet
but I'm going to use it.
56
00:03:06,086 --> 00:03:09,236
And I'm like, ah, because a
lot of times if you build a lab
57
00:03:09,496 --> 00:03:13,876
without a practical scenario behind you,
you end up just making a pile of equipment
58
00:03:13,876 --> 00:03:15,406
that you turn on every now and then.
59
00:03:15,406 --> 00:03:17,496
You're like, oh well, I can type in host name.
60
00:03:17,766 --> 00:03:23,496
But getting one of these little guys allows
you to put it on your shelf and start using it
61
00:03:23,496 --> 00:03:27,276
as your home router which
immediately throws you into the fire.
62
00:03:27,356 --> 00:03:30,466
Because you just took down your
home internet connection, right?
63
00:03:30,576 --> 00:03:31,576
There's motivation.
64
00:03:31,576 --> 00:03:33,066
I want to watch TV.
65
00:03:33,176 --> 00:03:35,096
I mean what doesn't come
over the internet anymore?
66
00:03:35,366 --> 00:03:40,666
So you now have instant motivation and
instant real world situations where, okay,
67
00:03:40,666 --> 00:03:42,506
you want to set up NAT for your house.
68
00:03:42,506 --> 00:03:43,906
You want to set up a subnet.
69
00:03:43,906 --> 00:03:48,836
With this router you can even do VLANs
and set up VLANs inside of your house.
70
00:03:48,836 --> 00:03:54,956
Maybe I want to create a VLAN and
separate my WiFi from my LAN connection
71
00:03:54,956 --> 00:03:57,736
so that I can have a public WiFi
that's secured, ooh secured.
72
00:03:57,906 --> 00:04:01,756
I can create an access list to make sure
that the public WiFi I just set up can't get
73
00:04:01,756 --> 00:04:04,546
into my house and make sure
that -- you see what I mean?
74
00:04:04,546 --> 00:04:07,246
It's just like it starts breeding
these like, ooh, that's cool.
75
00:04:07,556 --> 00:04:10,506
And I can put this on the shelf and it's small.
76
00:04:10,506 --> 00:04:14,076
These guys they're going to make a lot of noise.
77
00:04:14,076 --> 00:04:17,026
[Squealing Noise] And you're like shut that off.
78
00:04:17,026 --> 00:04:19,716
And they're going to be hot,
and they take up a lot of space.
79
00:04:19,966 --> 00:04:21,476
Whereas this you get the full IOS.
80
00:04:21,476 --> 00:04:23,076
I feel like I'm selling it but I'm not.
81
00:04:23,146 --> 00:04:24,236
It's just a lab router.
82
00:04:24,236 --> 00:04:28,546
So the reason that I'm setting this up, and I
want to frame it this way, is I want to set it
83
00:04:28,546 --> 00:04:32,766
up very similar to what one of you guys
might do at home when you're setting this up.
84
00:04:32,766 --> 00:04:36,246
So I'm connecting this to a real
service router, and I'm going to say
85
00:04:36,246 --> 00:04:39,696
at your house you probably
don't have static IP addresses.
86
00:04:39,696 --> 00:04:42,816
You may, great, good for you
and go for it if you can.
87
00:04:43,086 --> 00:04:48,706
But most of the time you're going to set this up
for DHCP to get a dynamic address from the ISP,
88
00:04:48,996 --> 00:04:52,026
so I'll put ISP connection right here.
89
00:04:52,216 --> 00:04:53,646
One more thing let me just fill in.
90
00:04:53,646 --> 00:04:56,936
This is fast ethernet 0/1 right here.
91
00:04:57,496 --> 00:04:59,966
And I think that's about
all the information we need.
92
00:04:59,966 --> 00:05:00,906
Let's get going.
93
00:05:00,906 --> 00:05:02,076
I'm going to bring up my router.
94
00:05:02,076 --> 00:05:04,606
Which I told you I'm going to
set this guy up from scratch.
95
00:05:04,606 --> 00:05:07,876
So I've literally cleared the
configuration off of this router.
96
00:05:08,256 --> 00:05:11,126
Let's see if I squish it and
see everything at the same time.
97
00:05:11,126 --> 00:05:13,796
No, I do not want to enter
the initial config dialogue.
98
00:05:13,796 --> 00:05:16,576
So let's just mentally run
through the checklist.
99
00:05:16,576 --> 00:05:19,916
We're going to have to put a base
configuration on there, assign the IP address,
100
00:05:19,916 --> 00:05:23,236
give it a host name, set some of the console
port settings that we all know and love
101
00:05:23,236 --> 00:05:24,776
like logging synchronous and all that.
102
00:05:25,186 --> 00:05:30,316
We'll have to I would say set up a DHCP scope.
103
00:05:30,316 --> 00:05:35,566
I'm going to allow this guy to be a DHCP server
for the LAN in handing out IP addresses there.
104
00:05:35,566 --> 00:05:37,536
So a little bit to do to start off with.
105
00:05:37,536 --> 00:05:41,026
So I'm going to go into global -- oh, no.
106
00:05:41,586 --> 00:05:42,626
Have you ever done this before?
107
00:05:43,496 --> 00:05:45,556
I think this is the first time
in the series I've done it.
108
00:05:45,556 --> 00:05:46,946
Because I usually turn it off.
109
00:05:46,946 --> 00:05:50,186
This, by the way, if you mistype
something in user mode or privilege mode,
110
00:05:50,346 --> 00:05:53,866
what it's trying to do is
telnet to a device named eb.
111
00:05:53,866 --> 00:05:58,036
So it's trying to resolve eb to an IP address.
112
00:05:58,036 --> 00:06:00,496
If you don't set up your server or your router
113
00:06:00,496 --> 00:06:04,476
for DNS the first command you want
to type is no IP domain-lookup.
114
00:06:04,476 --> 00:06:06,846
And that's what keeps that from happening.
115
00:06:06,846 --> 00:06:08,596
That's painful because you
have to sit there and wait.
116
00:06:08,846 --> 00:06:12,506
A lot of them don't even let you -- you
can abort it by doing control shift 6
117
00:06:12,506 --> 00:06:14,626
and just keep slamming the
keyboard until it finally does that.
118
00:06:14,816 --> 00:06:16,916
But a lot of them won't even let
you do that, you're just stuck.
119
00:06:17,446 --> 00:06:18,596
Alright, so let's get going.
120
00:06:18,596 --> 00:06:19,656
We've got host name.
121
00:06:19,806 --> 00:06:20,996
I'm going to give it the name of NAT.
122
00:06:22,786 --> 00:06:24,326
Let's get into the interfaces.
123
00:06:24,326 --> 00:06:26,586
Well, actually before I do
that let's go line console 0
124
00:06:26,586 --> 00:06:29,306
because what just happened there is
not what I want to happen all the time.
125
00:06:29,626 --> 00:06:33,556
Logging synchronous so those messages
don't interrupt when I'm typing.
126
00:06:34,086 --> 00:06:35,526
No exec-timeout.
127
00:06:35,526 --> 00:06:38,856
Let's go into line vty 0 4.
128
00:06:38,856 --> 00:06:42,266
Login, password will be Cisco.
129
00:06:42,266 --> 00:06:46,096
Just giving it some base passwords
and telnet information, okay.
130
00:06:46,556 --> 00:06:47,576
Exit out there.
131
00:06:47,576 --> 00:06:53,076
Let's see, enable secret, password will
be Cisco so we'll put that in there, okay.
132
00:06:53,076 --> 00:06:54,736
Interface fast ethernet 0/0.
133
00:06:55,096 --> 00:07:00,596
IP address 192.168.1.1 class c, right?
134
00:07:00,596 --> 00:07:02,306
So we're giving that an IP address no shut.
135
00:07:03,056 --> 00:07:05,246
And I get that guy powered up and going.
136
00:07:05,786 --> 00:07:06,706
Exit back out.
137
00:07:06,706 --> 00:07:08,616
Let's go into interface.
138
00:07:08,616 --> 00:07:10,036
Let's go to the ISP connection.
139
00:07:10,036 --> 00:07:11,536
Fast ethernet 0/1.
140
00:07:12,046 --> 00:07:14,176
And we'll do an IP address.
141
00:07:14,176 --> 00:07:17,136
And this is going to be dynamic because
we're connected to the service router.
142
00:07:17,136 --> 00:07:21,526
So we'll say DHCP, we'll negotiate that, DHCP.
143
00:07:21,626 --> 00:07:25,706
It's hanging there just because it's
trying to enable that interface.
144
00:07:25,706 --> 00:07:27,546
We'll do a no shut down as well.
145
00:07:27,546 --> 00:07:29,776
Let's just see if we get anything.
146
00:07:32,336 --> 00:07:33,696
Not yet and that's okay.
147
00:07:33,696 --> 00:07:35,696
I may have to -- if I could type.
148
00:07:35,696 --> 00:07:40,096
I may have to -- oh, look at that,
it's going to say that I'll have
149
00:07:40,096 --> 00:07:41,716
to reboot my cable modem, but I got one.
150
00:07:41,716 --> 00:07:45,646
So we've got a DHCP address that's good.
151
00:07:45,776 --> 00:07:46,916
It looks good to me.
152
00:07:46,916 --> 00:07:49,766
So let's set up DHCP.
153
00:07:49,766 --> 00:07:56,246
If you ever wonder what are these, by
default Cisco routers broadcast to try
154
00:07:56,246 --> 00:07:57,746
and find a config if they don't have one.
155
00:07:57,746 --> 00:08:02,186
If you save your config and give it
some time it will stop those messages.
156
00:08:02,186 --> 00:08:05,786
You can also go into global config
mode and type in no service config,
157
00:08:06,066 --> 00:08:07,946
and most of the time that will work.
158
00:08:07,946 --> 00:08:09,646
There's been sometimes it doesn't work.
159
00:08:09,646 --> 00:08:11,516
It's just an annoyance until
you save your config.
160
00:08:12,106 --> 00:08:14,256
And even a little while after.
161
00:08:14,636 --> 00:08:20,386
So I'm going to go in to set up a DHCP scope so
our client on this LAN can get an IP address.
162
00:08:20,386 --> 00:08:25,736
So we'll do IP DHCP -- you always
when you're setting up a DHCP scope,
163
00:08:25,736 --> 00:08:29,666
I mean the router's handing out IP address to
the LAN, you always say what you don't want
164
00:08:29,666 --> 00:08:32,146
to hand out first, because there's no easy way
165
00:08:32,366 --> 00:08:35,586
of setting a range, like
hand out from here to here.
166
00:08:35,656 --> 00:08:45,556
So I'm going to exclude from
192.168.1.1 to 192.168.1.10.
167
00:08:45,606 --> 00:08:47,136
We'll say those are reserved.
168
00:08:47,136 --> 00:08:52,646
So the first address I'll hand out will be 1.11.
169
00:08:52,646 --> 00:08:53,466
Following so far?
170
00:08:54,156 --> 00:08:55,636
It's fast and furious, right?
171
00:08:55,636 --> 00:09:00,386
IP DHCP pool, and we'll call it LAN,
hit enter, and we will say the network
172
00:09:00,386 --> 00:09:05,776
that I want to hand out is 192.168.1.0.
173
00:09:06,026 --> 00:09:10,016
One of the few commands that
will allow you to say /24,
174
00:09:10,016 --> 00:09:12,456
or you can type in the full
subnet mask if you want to.
175
00:09:12,456 --> 00:09:21,616
DNS server will be let's use 4.2.2.2,
4.2.2.3, my two favorite DNS servers.
176
00:09:21,616 --> 00:09:23,576
And then Google coming in at a far side lash,
177
00:09:23,576 --> 00:09:31,116
just because 8.8.8 is just
tougher to type on a keyboard.
178
00:09:31,116 --> 00:09:32,236
I have to use two hands.
179
00:09:32,236 --> 00:09:38,366
Or not two hands but it's just the period, the
8, for no other reason it's just weird for me
180
00:09:38,366 --> 00:09:42,406
to type 8.8.8 and I can't even say it.
181
00:09:42,406 --> 00:09:44,896
So default, we want a default router.
182
00:09:45,576 --> 00:09:55,176
We want to give the default
router 192.168.1.1 to the clients
183
00:09:55,376 --> 00:09:56,556
on the internal network, and that should be it.
184
00:09:56,586 --> 00:09:57,996
Let's do a quick show run,
let me do a section IP DHCP.
185
00:09:58,026 --> 00:09:59,316
And just verify we've got
excluded address there.
186
00:09:59,346 --> 00:09:59,976
We've got the LAN subnet
187
00:10:00,046 --> 00:10:01,696
there, DNS server, default router.
188
00:10:01,696 --> 00:10:03,506
That looks good, alright.
189
00:10:03,786 --> 00:10:09,586
One of the things that you'll find is when
a Cisco router gets an IP address via DHCP,
190
00:10:09,786 --> 00:10:13,256
if that ISP is assigning it a default gateway,
191
00:10:13,406 --> 00:10:15,616
and it doesn't have a default
router already set up,
192
00:10:15,616 --> 00:10:21,156
a lot of times it will accept the DHCP assigned
default gateway as its own default route.
193
00:10:21,156 --> 00:10:25,226
Essentially it's going to say, oh okay, well, I
don't have a default gateway so I will use you.
194
00:10:25,606 --> 00:10:27,806
And that's nice because it makes it versatile.
195
00:10:28,316 --> 00:10:32,026
You can move your Cisco router
wherever and plug it into a connection.
196
00:10:32,026 --> 00:10:34,396
If it's enabled for DHCP it will pick it up
197
00:10:34,396 --> 00:10:37,556
and then start doing what it does
best which is route and do NAT.
198
00:10:37,616 --> 00:10:41,156
So at this point I just want
to test and see where we're at.
199
00:10:41,156 --> 00:10:44,016
I'm going to go here and do a ping.
200
00:10:44,016 --> 00:10:44,856
Let's do a ping.
201
00:10:45,306 --> 00:10:47,336
Oh, let's do a show IP interface brief.
202
00:10:47,336 --> 00:10:51,106
We've got 208.92.153.6.
203
00:10:51,276 --> 00:10:56,516
Let's do a show IP route, and I see it's
already set up, a nice little gateway
204
00:10:56,516 --> 00:10:59,036
of last resort because it got that via DHCP.
205
00:10:59,036 --> 00:11:01,136
So let's just do a ping 4.2.2.2.
206
00:11:01,136 --> 00:11:02,506
Let's see if we can reach the DNS server.
207
00:11:02,506 --> 00:11:03,246
Good, and we do.
208
00:11:03,246 --> 00:11:06,216
So this router now has internet access.
209
00:11:06,216 --> 00:11:11,826
Now, my computer happens to be, the one that I'm
recording on right now, happens to be this guy.
210
00:11:12,196 --> 00:11:15,176
So actually what I need to do
is go into the control panel
211
00:11:15,176 --> 00:11:18,626
because I've got my own connection,
212
00:11:18,716 --> 00:11:21,846
my own network that I save my
recordings and everything like that.
213
00:11:21,846 --> 00:11:27,196
I'm going to actually go in and disable that
one which will not work well when I finish this
214
00:11:27,196 --> 00:11:29,796
because it's going to say where do you want
to save this, and I won't have a place.
215
00:11:29,796 --> 00:11:32,006
Let's get rid of virtual box as well.
216
00:11:32,006 --> 00:11:35,646
It's a little free VMware kind of thing.
217
00:11:35,646 --> 00:11:38,256
So all that's left is my little
Apple USB Ethernet adapter.
218
00:11:38,256 --> 00:11:40,966
That's what I have connected to this lab network.
219
00:11:40,966 --> 00:11:43,746
So I'll open a command prompt
and do an ipconfig.
220
00:11:43,856 --> 00:11:46,806
And there it is, look at that.
221
00:11:46,806 --> 00:11:53,696
We've already got a dynamic address
assigned from our pool 192.168.1.11.
222
00:11:53,696 --> 00:11:55,386
Let's actually jump back
here and line it all up.
223
00:11:55,386 --> 00:11:57,266
Here, I'll scoot this over a little bit.
224
00:11:57,266 --> 00:12:02,986
I'm going to do a show IP DHCP binding which
shows what IP addresses have been handed out.
225
00:12:03,366 --> 00:12:05,376
We're going back in time man.
226
00:12:05,376 --> 00:12:13,856
So 192.168.1 -- whoa see, that's what
happens when I disconnect my network adapter.
227
00:12:14,026 --> 00:12:15,346
There we go.
228
00:12:15,346 --> 00:12:16,896
So where were we?
229
00:12:16,896 --> 00:12:21,976
Okay, so I've got the 192.168.1.11
that's now assigned.
230
00:12:21,976 --> 00:12:27,536
But let me just see if I can ping from here,
4.2.2.2 even though I've got a default gateway.
231
00:12:28,036 --> 00:12:33,656
The reason for that is because the router
it's got an IP address and it can do routing.
232
00:12:33,946 --> 00:12:36,396
It's got a [inaudible] but
it's not configured for NAT.
233
00:12:36,506 --> 00:12:40,616
So my feeble attempts to
open a web browser will fail
234
00:12:40,876 --> 00:12:42,876
because it will say, sorry, we're not connected.
235
00:12:43,016 --> 00:12:44,206
Let's go to Google.
236
00:12:44,346 --> 00:12:45,446
Let's see if we can get there.
237
00:12:46,716 --> 00:12:48,496
Hold on, secure browsing to Google.
238
00:12:49,576 --> 00:12:50,326
Nope, nothing.
239
00:12:50,326 --> 00:12:51,206
I mean we're just hung.
240
00:12:51,206 --> 00:12:52,656
We're not getting anywhere.
241
00:12:52,656 --> 00:12:59,936
So what we want to do, let's get this browser
out of here, is start configuring NAT.
242
00:12:59,936 --> 00:13:00,926
Basic steps.
243
00:13:01,006 --> 00:13:01,626
Number one.
244
00:13:01,626 --> 00:13:02,556
Let me get back to the white board.
245
00:13:02,556 --> 00:13:09,826
Number one we need to identify our interfaces
meaning we need to go in there and identify
246
00:13:09,826 --> 00:13:14,766
that this one is connected to the inside
of the network like fast ethernet 0/0.
247
00:13:14,986 --> 00:13:17,176
Yeah, this is on the inside of my net.
248
00:13:17,176 --> 00:13:20,326
And fast ethernet 0/1 that's
on the outside of my net.
249
00:13:20,326 --> 00:13:21,356
I need to identify that.
250
00:13:21,356 --> 00:13:23,226
And the good news is it's
very simple to do this.
251
00:13:23,226 --> 00:13:23,706
Watch this.
252
00:13:23,776 --> 00:13:25,336
It's going to be logical.
253
00:13:26,016 --> 00:13:27,416
Show IP interface brief.
254
00:13:27,416 --> 00:13:29,446
Have you got the feel that I like this command?
255
00:13:29,496 --> 00:13:31,316
So there's my interfaces.
256
00:13:31,316 --> 00:13:34,016
I'm going to go into fast ethernet 0/0.
257
00:13:34,016 --> 00:13:35,656
IP NAT inside.
258
00:13:36,586 --> 00:13:40,446
Now, you will find out it's common
for it to hang, and don't panic.
259
00:13:40,536 --> 00:13:43,816
Usually when you hang a router
like that something bad is
260
00:13:43,816 --> 00:13:45,326
about to happen, crash or something.
261
00:13:45,736 --> 00:13:49,176
But it's just enabling the
NAT process behind the scenes.
262
00:13:49,176 --> 00:13:51,656
It's creating these virtual
interfaces that it needs to do NAT.
263
00:13:51,656 --> 00:13:53,466
It's only on the first command.
264
00:13:53,466 --> 00:13:58,746
When I come in here and do fast ethernet
0/1, IP NAT outside is the other command,
265
00:13:58,956 --> 00:14:00,216
you can see that goes through right away.
266
00:14:00,726 --> 00:14:01,216
Okay, good.
267
00:14:02,296 --> 00:14:03,886
Step one is done.
268
00:14:04,496 --> 00:14:10,196
Step two is to identify our inside IP addresses.
269
00:14:10,616 --> 00:14:16,326
So we actually need to be able to say
this inside of our network is going
270
00:14:16,326 --> 00:14:18,806
to be translated to the outside world.
271
00:14:19,326 --> 00:14:22,786
Now, the way I'm going to do that is I'm
going to say essentially anything starting
272
00:14:22,786 --> 00:14:29,246
with 192.168.1.anything/24 is
valid to be translated out.
273
00:14:29,416 --> 00:14:34,966
Now, it just so happens that the way that
I do that is by using an access list.
274
00:14:35,246 --> 00:14:37,336
You see some of those concepts
come wrapping back around.
275
00:14:37,596 --> 00:14:38,516
So here's what I can do.
276
00:14:38,516 --> 00:14:40,146
Let's exit back out.
277
00:14:40,146 --> 00:14:46,046
Now the beauty is for basic NAT configurations
I can use just the standard access list.
278
00:14:46,046 --> 00:14:51,806
I go in there and do IP access
list, and it's going to be standard.
279
00:14:53,116 --> 00:14:58,446
And we'll call this NAT addresses, how's that?
280
00:14:59,206 --> 00:15:02,966
How about we do this because there's
a lot of NAT addresses inside.
281
00:15:02,966 --> 00:15:05,126
That's a long access list
name but we'll go with it.
282
00:15:05,296 --> 00:15:07,046
Inside NAT addresses, okay.
283
00:15:07,366 --> 00:15:19,186
And so I will say permit 192.168.1.0
with a wildcard mask of 0.0.0.255.
284
00:15:19,186 --> 00:15:21,896
I can log it if I want but I don't need to.
285
00:15:22,606 --> 00:15:23,706
And that's it.
286
00:15:24,526 --> 00:15:25,306
That's all there is to it.
287
00:15:25,306 --> 00:15:27,966
Because remember I said access list,
when we were talking about access lists,
288
00:15:27,966 --> 00:15:29,896
they're not just for access control.
289
00:15:30,286 --> 00:15:34,356
In this case I'm going to use this
access list to permit these addresses
290
00:15:34,356 --> 00:15:36,786
and only these addresses to be NAT-ed.
291
00:15:37,486 --> 00:15:38,796
Okay, step three.
292
00:15:39,486 --> 00:15:42,746
We're going to use our IP
NAT connection command.
293
00:15:43,516 --> 00:15:51,016
What I mean by that is I'm going to go in
and say I want to NAT from this to that.
294
00:15:51,746 --> 00:15:54,186
Now, this command can do a lot of stuff for us.
295
00:15:54,186 --> 00:15:55,976
I'm going to show you the first thing right now.
296
00:15:55,976 --> 00:16:01,306
I'm going to NAT -- so first off the
way the syntax works is I type IP NAT,
297
00:16:01,306 --> 00:16:03,336
so I'll translate that into English.
298
00:16:03,446 --> 00:16:05,686
IP NAT means I want a NAT, right?
299
00:16:05,876 --> 00:16:08,126
Now, I hit question mark
and it's like an interview.
300
00:16:08,126 --> 00:16:11,326
I want to NAT from the inside of my network out.
301
00:16:11,436 --> 00:16:13,966
This is going to be a source.
302
00:16:13,966 --> 00:16:16,526
Let me identify the source addresses to you.
303
00:16:16,526 --> 00:16:19,426
So I want to NAT from the
inside of my network out.
304
00:16:19,686 --> 00:16:23,746
The source addresses that are going to
be translated are going to be identified
305
00:16:24,016 --> 00:16:29,426
in access list number -- well
actually not number in this case.
306
00:16:29,876 --> 00:16:30,606
What did I name it?
307
00:16:30,606 --> 00:16:32,676
Inside NAT addresses, right, right there.
308
00:16:33,746 --> 00:16:35,256
Highlight copy.
309
00:16:35,406 --> 00:16:38,836
Yeah, let me back up here.
310
00:16:38,836 --> 00:16:41,346
There we go.
311
00:16:41,856 --> 00:16:46,936
IP NAT. Okay, so I want to NAT
from the inside of my network out.
312
00:16:46,936 --> 00:16:52,066
The source addresses are going to be
identified in access list inside NAT addresses.
313
00:16:52,066 --> 00:16:52,886
So that's the source.
314
00:16:53,106 --> 00:16:57,886
And I'm going to be going to the
destination of, and now we have the option.
315
00:16:58,106 --> 00:17:02,856
We can either go to an interface as
the destination or a pool of addresses.
316
00:17:03,116 --> 00:17:05,126
So here's the idea.
317
00:17:05,506 --> 00:17:11,736
I can either say I just want to take all of
these guys and NAT them out this interface,
318
00:17:12,106 --> 00:17:15,116
or I can create a pool of
addresses which is possible,
319
00:17:15,506 --> 00:17:23,816
and I can say maybe 208.53.91.1-9 is
going to be the pool of addresses.
320
00:17:23,816 --> 00:17:27,756
So I'm going to NAT all of these
guys out to that pool of addresses.
321
00:17:27,756 --> 00:17:31,226
Now, you having that being dynamic
NAT, remember we were talking
322
00:17:31,416 --> 00:17:35,226
in the concepts how dynamic NAT does
that one-to-one mapping if you will.
323
00:17:35,226 --> 00:17:39,296
But then you'd only have nine people able
to get to the internet at the same time.
324
00:17:39,296 --> 00:17:39,946
You don't want that.
325
00:17:40,156 --> 00:17:44,116
So we would usually use PAT
in combination with those.
326
00:17:44,116 --> 00:17:50,216
But in this case the reason the interface
command is so handy is because I don't need
327
00:17:50,216 --> 00:17:53,546
to know what my outside address
is to use that command.
328
00:17:54,426 --> 00:17:55,986
Let me type the command and I'll explain it.
329
00:17:55,986 --> 00:17:57,006
So let me get back here.
330
00:17:58,416 --> 00:18:01,726
Interface fast ethernet 0/1.
331
00:18:02,726 --> 00:18:06,386
I know some of you are like blah, blah, blah.
332
00:18:06,466 --> 00:18:07,406
That's a big command.
333
00:18:07,516 --> 00:18:08,506
It is, it is.
334
00:18:08,506 --> 00:18:09,786
There's a lot to that command.
335
00:18:10,156 --> 00:18:11,696
But let me just read it.
336
00:18:11,696 --> 00:18:13,416
I'll hit the up arrow and
go back to the beginning
337
00:18:13,416 --> 00:18:15,016
of the line and read it again in English.
338
00:18:15,406 --> 00:18:18,486
IP NAT, I want a NAT is what that means.
339
00:18:18,526 --> 00:18:24,606
From the inside of my network out the source
addresses that I want to NAT are identified
340
00:18:24,606 --> 00:18:27,026
by access list inside NAT addresses.
341
00:18:27,096 --> 00:18:27,626
And what's in there?
342
00:18:27,626 --> 00:18:30,036
192.168.1, right?
343
00:18:30,036 --> 00:18:31,426
We said permit those addresses.
344
00:18:31,656 --> 00:18:38,556
So NAT from that source to the destination of
interface, and let me go fast ethernet 0/1 and,
345
00:18:38,556 --> 00:18:41,606
oh, actually I forgot a key word on there.
346
00:18:41,606 --> 00:18:45,296
And I want to add on the key word overload.
347
00:18:46,186 --> 00:18:48,316
Not just L, overload.
348
00:18:48,956 --> 00:18:52,206
So the command just got bigger.
349
00:18:52,206 --> 00:18:55,636
I mean what do you think overload does?
350
00:18:56,376 --> 00:19:00,036
I know you're like, well, it says right
there, overload an address translation.
351
00:19:00,036 --> 00:19:00,536
What's that mean?
352
00:19:00,926 --> 00:19:02,686
Overload enables PAT.
353
00:19:03,056 --> 00:19:06,586
So when I typed the command the first
time and press enter it would work,
354
00:19:07,016 --> 00:19:09,546
but it would only work for one IP address.
355
00:19:09,726 --> 00:19:13,186
Whoever got there first would
use up the outside address
356
00:19:13,186 --> 00:19:15,646
because it's a one-to-one mapping
if I don't have that keyword.
357
00:19:15,836 --> 00:19:17,636
But I'm putting overload on there.
358
00:19:17,906 --> 00:19:20,266
That's when it says, oh, you want me to use PAT,
359
00:19:20,536 --> 00:19:24,756
so that way I'll translate addresses
dynamically using port numbers,
360
00:19:24,976 --> 00:19:29,376
and everybody can share the IP address
of whatever is on fast ethernet 0/1.
361
00:19:29,566 --> 00:19:35,286
The beauty of using that command
is I can now use this versatilely.
362
00:19:35,606 --> 00:19:38,306
I can move it to whatever internet
connection I want, plug it in,
363
00:19:38,306 --> 00:19:44,216
and then whatever IP address
is received via DHCP
364
00:19:44,216 --> 00:19:49,616
on that fast ethernet 0/1 will now
be used for all of my NAT settings.
365
00:19:51,506 --> 00:19:58,906
I think, I'm hesitating, I think
that's everything that we need.
366
00:20:00,046 --> 00:20:04,726
Oh, look at that, it's saying I can't change
this, dynamic mappings are already in use.
367
00:20:05,096 --> 00:20:06,286
That's funny.
368
00:20:06,286 --> 00:20:11,436
So let me just do a quick
show run, include IP NAT.
369
00:20:11,436 --> 00:20:16,286
I want to make sure that it took that command.
370
00:20:16,456 --> 00:20:21,306
But all we did is identify inside and
outside interfaces, create an access list
371
00:20:21,306 --> 00:20:25,946
that said these are the inside
addresses, these are the source addresses,
372
00:20:25,946 --> 00:20:31,936
and then we combined them all with
this IP NAT connection command.
373
00:20:31,936 --> 00:20:35,046
And so this is the biggest command
of all, probably the most confusing.
374
00:20:35,306 --> 00:20:37,396
But, again, it's kind of like an access list.
375
00:20:37,556 --> 00:20:41,266
You're just saying I want a NAT, here's
my source, here's my destination,
376
00:20:41,266 --> 00:20:43,126
and in this case we overloaded it.
377
00:20:43,126 --> 00:20:45,936
So I want to test it.
378
00:20:45,936 --> 00:20:50,526
Come on, let's bring up, oh, this
was here before, cbtnuggets, right?
379
00:20:54,636 --> 00:20:56,636
I was like that's not cool.
380
00:20:56,786 --> 00:20:59,066
Woo hoo, it worked.
381
00:20:59,306 --> 00:21:02,446
So, anyhow, I want to make sure it's
not in cache or something like that.
382
00:21:02,446 --> 00:21:03,896
What's a website I haven't gone to?
383
00:21:03,896 --> 00:21:05,486
Let's do USA Today.
384
00:21:06,066 --> 00:21:06,956
I know I haven't gone there.
385
00:21:07,656 --> 00:21:13,296
USA Today, wow, look at that,
Hall of Fame, no one elected.
386
00:21:13,296 --> 00:21:17,446
Bad. So now I can -- okay, the reason I'm
doing this and going to a couple websites,
387
00:21:17,446 --> 00:21:20,186
let me just go to one more,
let's go to amazon.com.
388
00:21:20,716 --> 00:21:24,406
Get a nice little Amazon splash page up there.
389
00:21:25,096 --> 00:21:30,356
The reason I'm doing this is I now want to go in
there and do -- let's make this a little bigger,
390
00:21:30,396 --> 00:21:33,916
we'll want it big, do a command to verify.
391
00:21:33,916 --> 00:21:37,616
I'm going to do a show IP NAT translation.
392
00:21:38,156 --> 00:21:42,916
Look at that, yeah.
393
00:21:44,866 --> 00:21:50,496
We've got a massive amount of
translations going through.
394
00:21:50,496 --> 00:21:52,476
Remember in the last nugget when I said, yeah,
395
00:21:52,476 --> 00:21:56,266
theoretically you could share
one IP address for 65,000 people?
396
00:21:56,526 --> 00:22:01,476
This shows exactly why that theory
would never prove true in reality.
397
00:22:01,796 --> 00:22:07,306
Just by going to three websites, count
them, three websites, cbtnuggets,
398
00:22:07,356 --> 00:22:12,836
USA Today and amazon.com, literally
let's just keep the scrolling going.
399
00:22:13,476 --> 00:22:14,706
Okay, I reached the end.
400
00:22:14,706 --> 00:22:17,346
These were all the translations that were built.
401
00:22:17,406 --> 00:22:19,056
First off, you see all these guys?
402
00:22:19,516 --> 00:22:21,586
These are all DNS translations.
403
00:22:21,586 --> 00:22:25,746
Notice, let's read it here, and this is where
I want to get into some of the terminology.
404
00:22:26,266 --> 00:22:29,236
The inside local address
is where I'm coming from.
405
00:22:29,236 --> 00:22:33,736
So let me go to this network
diagram, change pen colors real quick.
406
00:22:34,496 --> 00:22:44,696
According to the router inside local addresses
are those that are inside of the network
407
00:22:44,696 --> 00:22:48,226
like the position they are on your
inside network, and they are local.
408
00:22:48,226 --> 00:22:52,956
You can kind of translate that to be a
private address kind of in your mind.
409
00:22:52,956 --> 00:22:57,246
Now, some of these terms, I will tell you before
we even write them all out, they are confusing
410
00:22:57,566 --> 00:23:01,626
because they follow the industry standard.
411
00:23:01,626 --> 00:23:05,126
NAT is an RFC standard, and so Cisco
said, okay, we'll follow the naming
412
00:23:05,126 --> 00:23:06,666
that they say in there, but it is confusing.
413
00:23:06,716 --> 00:23:10,946
So inside local means it's inside
my network, like it's mine,
414
00:23:10,946 --> 00:23:13,626
I own it, and it's a private address.
415
00:23:13,786 --> 00:23:14,646
That's the local.
416
00:23:14,866 --> 00:23:23,646
Now, this one, the public address, is
actually identified as the inside global.
417
00:23:25,076 --> 00:23:29,976
Now, that doesn't make sense initially because
you're like, well, inside, no it's outside.
418
00:23:30,236 --> 00:23:34,896
Well, it is, but think of the word
inside of who owns that address.
419
00:23:35,046 --> 00:23:36,596
You just kind of think of it that way.
420
00:23:36,836 --> 00:23:40,906
Like inside means me, outside means
somebody else owns that address.
421
00:23:40,906 --> 00:23:44,406
So when you put it that way it's like
okay, okay I own these addresses inside,
422
00:23:44,616 --> 00:23:46,976
and I own this address because
it's assigned to my router.
423
00:23:46,976 --> 00:23:49,076
Not literally I own it from my service router,
424
00:23:49,076 --> 00:23:52,016
but I own it because it's assigned
to my router so it's inside.
425
00:23:52,336 --> 00:23:54,386
Global essentially means public.
426
00:23:56,976 --> 00:24:01,556
Now, you'll see some other
terms here like outside global.
427
00:24:02,106 --> 00:24:07,046
Outside global is essentially the
IP address of the outside server.
428
00:24:07,046 --> 00:24:10,586
Outside meaning I don't own it,
it belongs to somebody else.
429
00:24:10,866 --> 00:24:13,136
Global meaning it's public.
430
00:24:14,826 --> 00:24:18,956
So when you go to a website that's going
to be how they show up in this table.
431
00:24:18,956 --> 00:24:20,446
So notice all of these.
432
00:24:20,446 --> 00:24:21,796
What's port 53?
433
00:24:21,796 --> 00:24:24,426
And notice the protocol, UDP port 53.
434
00:24:24,426 --> 00:24:25,086
Anyone remember?
435
00:24:25,266 --> 00:24:25,746
Raise your hand.
436
00:24:25,746 --> 00:24:26,176
Yes, you?
437
00:24:26,756 --> 00:24:26,926
>> DNS.
438
00:24:27,366 --> 00:24:28,956
>> DNS, yeah, exactly right.
439
00:24:29,196 --> 00:24:35,626
DNS these are all the DNS lookups that
were necessary to go to three websites.
440
00:24:35,626 --> 00:24:40,476
Now, again, I want to make sure everybody gets
-- you're like this is crazy, why would you need
441
00:24:40,476 --> 00:24:42,716
that many DNS lookups to go to three websites?
442
00:24:42,906 --> 00:24:46,856
Remember, again, amazon.com, this
picture right here is one server.
443
00:24:47,046 --> 00:24:48,236
This picture is another server.
444
00:24:48,236 --> 00:24:49,096
This picture another server.
445
00:24:49,096 --> 00:24:50,406
This picture another server.
446
00:24:50,476 --> 00:24:52,726
There's so much stuff on this website.
447
00:24:52,726 --> 00:24:57,176
And every time you introduce another server
like Discover Card, something new in your city,
448
00:24:57,176 --> 00:25:01,176
or it's not even Discover Card,
discover something new in your city,
449
00:25:01,176 --> 00:25:02,976
anytime you go to a new server
it's like, oh well,
450
00:25:02,976 --> 00:25:08,956
that ad right there is actually
fed from AWS9.amazon.local.
451
00:25:08,956 --> 00:25:10,716
blah, blah, blah.
452
00:25:10,716 --> 00:25:12,876
So your computer has to go, well, who is that?
453
00:25:12,876 --> 00:25:16,086
And go do a DNS lookup just
to find out who that's from.
454
00:25:16,086 --> 00:25:19,756
That's why sometimes pages take a while to
load because it's grabbing all this information
455
00:25:19,756 --> 00:25:21,426
from all these different servers.
456
00:25:21,426 --> 00:25:26,056
Okay, so back to the configuration.
457
00:25:26,056 --> 00:25:32,476
So outside global says, okay, I access this
DNS server on port 53, all kinds of stuff.
458
00:25:32,476 --> 00:25:35,066
And notice all these source port
numbers are where it came from.
459
00:25:35,066 --> 00:25:36,926
So let's start putting these pieces together.
460
00:25:37,356 --> 00:25:39,036
Inside local, so this is me.
461
00:25:39,036 --> 00:25:43,566
Excuse me, I've got 192.168.1.11.
462
00:25:43,566 --> 00:25:48,386
I generated a DNS request
from the source port 53582.
463
00:25:48,386 --> 00:25:51,616
Now, that was translated to the inside global
464
00:25:51,746 --> 00:25:57,526
or essentially the outside public
IP address of 208.92.153.6.
465
00:25:57,526 --> 00:25:58,566
Now, who's that?
466
00:25:58,666 --> 00:26:00,106
That's my router, remember?
467
00:26:00,406 --> 00:26:04,386
We actually got assigned
that address dynamically.
468
00:26:04,416 --> 00:26:13,406
It was 208.92.153.6.
469
00:26:13,586 --> 00:26:14,386
So that's me.
470
00:26:14,386 --> 00:26:19,306
So what this is saying is I've
translated from this to this.
471
00:26:19,306 --> 00:26:20,796
And notice what it did with the port number.
472
00:26:20,866 --> 00:26:23,796
It actually said, okay, I'm going
to retain your source port number
473
00:26:23,986 --> 00:26:26,936
and now so that's what you
look like to the outside world.
474
00:26:27,336 --> 00:26:31,056
So it went out and talked to this
IP address, the outside global.
475
00:26:31,056 --> 00:26:33,186
Now, I know some of you are
like, well, what's this?
476
00:26:33,266 --> 00:26:34,246
I don't even want to tell you.
477
00:26:34,696 --> 00:26:35,966
Honestly I don't.
478
00:26:36,226 --> 00:26:38,096
But let me just say this.
479
00:26:38,096 --> 00:26:39,856
That is outside local.
480
00:26:39,856 --> 00:26:44,766
You might say, okay, so outside means
it belongs to somebody else, right?
481
00:26:44,906 --> 00:26:48,376
Yup. Local means it's a private address?
482
00:26:48,716 --> 00:26:54,006
Huh? Well, essentially what this means, and
trust me, my public/private, it's just kind
483
00:26:54,006 --> 00:26:57,746
of a rough analogy, but what this
means is it belongs to somebody else,
484
00:26:57,816 --> 00:27:00,316
but this is how my network sees it.
485
00:27:00,756 --> 00:27:07,706
I will say for 95, 99, 98 percent of you
out there it will always be the same.
486
00:27:07,706 --> 00:27:12,506
Essentially the outside global which is
what it really is will be the outside local
487
00:27:12,506 --> 00:27:14,956
which is how your network sees it.
488
00:27:14,956 --> 00:27:18,746
What you can do, let me give you this
example, and I really don't want to tell you
489
00:27:18,746 --> 00:27:21,516
because it might confuse some,
but I just want to show it to you.
490
00:27:21,796 --> 00:27:24,586
You can do NAT translations the other way.
491
00:27:25,066 --> 00:27:25,686
Here's what I mean.
492
00:27:26,106 --> 00:27:30,636
I could go in here on this router, and I could
say, well, I want to create a NAT translation
493
00:27:30,636 --> 00:27:39,626
that when somebody accesses 192.168.1.52
it actually translates to 4.2.2.2.
494
00:27:41,046 --> 00:27:41,836
Weird, right?
495
00:27:42,136 --> 00:27:44,346
It's doable but very strange.
496
00:27:44,346 --> 00:27:50,126
So what you could do is you could make 4.2.2.2,
we'll just say this DNS server out here,
497
00:27:50,126 --> 00:27:55,566
appear as 192.168.1.52 to the internal network.
498
00:27:55,566 --> 00:28:00,676
In that case if you did that kind of
translation then you would see outside local
499
00:28:00,676 --> 00:28:11,066
at 192.168.1.52, outside global is 4.2.2.2.
500
00:28:11,066 --> 00:28:13,086
So, again, it's kind of like a backwards NAT.
501
00:28:13,086 --> 00:28:18,196
So if that confuses you forget I ever said it
and just say all these will always be the same,
502
00:28:18,196 --> 00:28:21,766
outside local and outside
global always the same.
503
00:28:21,836 --> 00:28:26,146
Honestly I've done this once, and
it was a whacked out situation
504
00:28:26,146 --> 00:28:27,896
where I couldn't assign a
default gateway to this PC.
505
00:28:27,896 --> 00:28:31,496
So I had to be able to get it to an outside
server, it wasn't even a DNS server,
506
00:28:31,496 --> 00:28:33,206
but an outside server without a default gateway.
507
00:28:33,206 --> 00:28:36,976
And the way I did it was by saying,
okay, I'm going to set up a NAT
508
00:28:36,976 --> 00:28:38,746
so this guy will ARP for this,
509
00:28:38,746 --> 00:28:42,196
and it will actually translate
out to the public address.
510
00:28:42,486 --> 00:28:46,526
So that will be where it
actually looks for that server.
511
00:28:46,526 --> 00:28:49,426
So, again, weird situation,
forget I ever said it.
512
00:28:49,426 --> 00:28:56,516
Okay. So all of this -- now let me hit the
up arrow, do a show IP NAT translations.
513
00:28:56,756 --> 00:28:58,626
Look at that, look at that,
that's it right there.
514
00:28:58,626 --> 00:28:59,326
They're all gone.
515
00:28:59,326 --> 00:29:01,496
So all of these initial translations,
[rotating sound],
516
00:29:01,496 --> 00:29:03,986
all of those [rotating sound] all the way
down have now consolidated down to this.
517
00:29:03,986 --> 00:29:07,466
Why? Because the sessions have begun to close.
518
00:29:07,886 --> 00:29:11,996
When I did my DNS lookups they show up in
the table, but they quickly go away,
519
00:29:11,996 --> 00:29:15,876
because I know -- I'm sure many of you are
like, well good grief, if one computer going
520
00:29:15,876 --> 00:29:20,306
to three websites can consume that many
port numbers, I mean look at all that,
521
00:29:20,536 --> 00:29:23,566
can consume that many port
numbers, I mean it's not going
522
00:29:23,566 --> 00:29:27,046
to be long before one public IP address
runs out of port numbers, right?
523
00:29:27,326 --> 00:29:30,986
Well, yeah, but the good news
is they time out very quickly.
524
00:29:31,136 --> 00:29:35,236
After they're used they stay there for a few
seconds longer and then, shoop, they're gone.
525
00:29:35,456 --> 00:29:41,046
So now, just because I have my web browser
open, I still see these that are established,
526
00:29:41,256 --> 00:29:45,926
but for the most part they've all closed down
and consolidated down to a smaller amount.
527
00:29:47,046 --> 00:29:51,506
Okay, so we have the NAT overload
or PAT version of NAT working.
528
00:29:51,976 --> 00:29:53,936
What if, let's change it a little.
529
00:29:53,936 --> 00:29:56,366
I just gave you a scenario that works very well.
530
00:29:56,566 --> 00:29:59,976
That whole config that we
just did works very well for
531
00:30:00,496 --> 00:30:04,476
small office or home office environments.
532
00:30:04,476 --> 00:30:07,236
But what if I do have static IP addresses here?
533
00:30:07,326 --> 00:30:12,456
What if I'm a real business and maybe I have
even a pool of addresses available to me.
534
00:30:12,896 --> 00:30:15,116
What about that situation?
535
00:30:15,616 --> 00:30:21,346
Well, in that circumstance you want to squeeze
in one more command between two and three,
536
00:30:21,696 --> 00:30:25,616
and that will create a pool
of outside addresses.
537
00:30:25,846 --> 00:30:26,346
Here's what I mean.
538
00:30:26,836 --> 00:30:36,766
I can go into the router, and let's
first off do a show run, include IP NAT.
539
00:30:37,756 --> 00:30:40,596
And we want to remove the
existing configuration.
540
00:30:41,546 --> 00:30:45,186
So I'm going to say I just
want to yank this one out.
541
00:30:45,186 --> 00:30:47,696
I'm going to get rid of that command in there.
542
00:30:48,476 --> 00:30:51,626
And it says, hey, you've still
got dynamic mapping, are you sure?
543
00:30:51,626 --> 00:30:53,276
Yeah, sure, that's fine.
544
00:30:53,276 --> 00:31:00,346
So I've got the dynamic mapping
or I should say mappings deleted.
545
00:31:00,346 --> 00:31:04,336
That just means all of the, oop,
now I've done it, cleared it off.
546
00:31:04,396 --> 00:31:08,366
Off of these previous mappings these were
all dynamic, those are all wiped out now
547
00:31:08,366 --> 00:31:12,296
because I deleted the command
so I've removed that.
548
00:31:12,296 --> 00:31:14,026
And now what I can do is create a pool.
549
00:31:14,026 --> 00:31:18,546
So I'll say IP NAT pool, and I'll say, okay,
550
00:31:18,546 --> 00:31:23,846
the pool of addresses let's just say
this is my outside public addresses.
551
00:31:25,226 --> 00:31:28,066
And I would say the start IP address,
and that's why I'd come back here,
552
00:31:28,526 --> 00:31:36,656
let's just say we started from
208.92.153.5, 208.92.153.5,
553
00:31:36,846 --> 00:31:41,256
and we go through 208.92.153.6, right?
554
00:31:41,356 --> 00:31:43,526
So we've got the start and the end.
555
00:31:43,526 --> 00:31:53,736
If we need to add what subnet mask is there for
that subnet we'll say net mask 255.255.255.248,
556
00:31:53,796 --> 00:31:59,466
that's just what the service
provider has given us and hit enter.
557
00:31:59,776 --> 00:32:03,946
So now I've created this pool of
addresses that we call outside public.
558
00:32:03,946 --> 00:32:08,256
It's not doing anything yet, it's just
there until I do IP NAT inside source.
559
00:32:08,256 --> 00:32:11,196
And I'll say this time, again,
the same command as before.
560
00:32:11,196 --> 00:32:14,026
This is the same exact one I just removed.
561
00:32:14,026 --> 00:32:14,876
Inside source.
562
00:32:14,876 --> 00:32:18,146
So I'm going to map from the
inside of my network out.
563
00:32:18,146 --> 00:32:21,096
The source addresses are in access list
number 5, that's the one we created before.
564
00:32:21,096 --> 00:32:27,326
And instead of going out the
interfaces, that was the previous command,
565
00:32:27,326 --> 00:32:31,626
I'm going to go to the pool of address
that is defined as outside public.
566
00:32:31,896 --> 00:32:36,276
So I'm going to say the outside
public pool of addresses,
567
00:32:36,276 --> 00:32:38,556
and then I'm going to add on overload.
568
00:32:38,556 --> 00:32:42,296
Otherwise, now I have more IP addresses, I
have two, .5 and .6, right there that I can use.
569
00:32:42,296 --> 00:32:45,876
But I'm going to overload them
so I'm going to max this one out.
570
00:32:45,876 --> 00:32:53,236
And once this .5 runs out of port numbers then
I'm going to go over to .6 and max that one out.
571
00:32:53,326 --> 00:32:59,116
So as we start growing and we start
requiring more public IP addresses
572
00:32:59,116 --> 00:33:02,336
that we can overload and share we can do that.
573
00:33:02,336 --> 00:33:04,306
So that would be -- now, this is still PAT.
574
00:33:04,306 --> 00:33:08,896
But if you wanted to do that as dynamic
you would just leave overload off.
575
00:33:08,896 --> 00:33:12,466
Remember dynamic NAT, doing the
dynamic one-to-one mappings.
576
00:33:12,466 --> 00:33:17,076
But then you would only get two people
able to surf the internet at a time
577
00:33:17,076 --> 00:33:21,576
because they would eat up the outside
addresses since we only created a pool of two.
578
00:33:21,576 --> 00:33:24,096
Now, what if you only had one address?
579
00:33:24,096 --> 00:33:27,786
Like same story as before, but
instead of being a DHCP it's static
580
00:33:27,816 --> 00:33:29,926
and we only have one static address.
581
00:33:29,926 --> 00:33:35,846
Well, easy enough, you would do the same
thing but create a pool of just one address.
582
00:33:35,846 --> 00:33:39,196
Just say we're going out at .5.
583
00:33:39,196 --> 00:33:42,556
You can see it starts at .5 and ends at .5.
584
00:33:42,556 --> 00:33:46,576
So we create an outside pool of one address,
that's fine, and then we go in and overload it.
585
00:33:46,576 --> 00:33:48,756
Now, we don't have to redo this command.
586
00:33:48,756 --> 00:33:52,996
Let me just do a quick show run include IP NAT.
587
00:33:52,996 --> 00:33:54,986
We don't need to redo the command.
588
00:33:55,146 --> 00:33:58,796
We can change kind of pieces
of that command out.
589
00:33:59,276 --> 00:34:04,526
Like I can change out this pool, and I don't
have to redo that IP NAT inside source command.
590
00:34:04,526 --> 00:34:07,116
So that's a way to do it if you have
a static IP address on the outside.
591
00:34:07,116 --> 00:34:12,866
Okay. The last one what about
doing a static translation?
592
00:34:12,866 --> 00:34:17,246
So we've seen remember the three
modes of NAT, we have static,
593
00:34:17,246 --> 00:34:20,166
we had dynamic which is dynamically doing
a bunch of -- you get it, dynamic, right?
594
00:34:20,366 --> 00:34:20,816
Hard to talk.
595
00:34:21,076 --> 00:34:21,986
And then we had PAT.
596
00:34:22,296 --> 00:34:23,466
So we've done PAT.
597
00:34:23,466 --> 00:34:26,266
We've even done dynamic which
you saw the config just now,
598
00:34:26,266 --> 00:34:28,226
we would just leave off the overload command.
599
00:34:28,626 --> 00:34:29,866
And then now static.
600
00:34:29,866 --> 00:34:33,306
What if we have servers running
on that inside network that I want
601
00:34:33,306 --> 00:34:35,416
to allow access to from the outside?
602
00:34:35,996 --> 00:34:37,886
That's where you need static NAT mappings.
603
00:34:38,066 --> 00:34:44,616
The way we do this is go into global
and type in IP NAT, again inside source.
604
00:34:44,666 --> 00:34:48,586
So if you get used to this, I mean it's
the same commands over and over and over.
605
00:34:48,796 --> 00:34:53,136
It always starts IP NAT inside source, and then
we either say I want to go to an access list
606
00:34:53,136 --> 00:34:55,996
or see what I see, right, static.
607
00:34:57,616 --> 00:34:59,976
And now we can do it the simple way.
608
00:34:59,976 --> 00:35:07,606
I can say, okay, the inside
local IP address is 192.168.1.51.
609
00:35:07,896 --> 00:35:09,306
We'll say that's our email server, right?
610
00:35:09,306 --> 00:35:11,946
Then it's going to say, okay,
what's the inside global?
611
00:35:11,946 --> 00:35:14,626
Remember the terms I talked about, inside local,
612
00:35:14,626 --> 00:35:17,936
so they're saying inside global
where was that on our picture?
613
00:35:18,306 --> 00:35:23,746
That was the public IP address that belongs
to us that goes to the interface right there.
614
00:35:23,746 --> 00:35:29,076
So it says, okay, this inside local or
private IP address is going to translate to,
615
00:35:29,076 --> 00:35:33,826
and that's where I would type in 208.53.
616
00:35:34,846 --> 00:35:35,506
What was it?
617
00:35:35,506 --> 00:35:39,556
208. I don't even remember.
618
00:35:39,556 --> 00:35:41,846
Oh, okay, I was trying to
figure out what that was.
619
00:35:41,846 --> 00:35:45,826
208.92.153.
620
00:35:45,826 --> 00:35:50,006
let's just say 7, alright,
and hit the enter key.
621
00:35:50,266 --> 00:35:51,166
That's one way of doing it.
622
00:35:51,166 --> 00:35:52,396
That's the simplest way.
623
00:35:52,686 --> 00:35:58,636
So that says any time somebody accesses this
IP address on the outside I will translate it
624
00:35:58,636 --> 00:36:02,386
to this IP address on the inside and vice versa.
625
00:36:02,386 --> 00:36:06,876
I will take this IP address when I
see it on the inside and translate it
626
00:36:06,876 --> 00:36:08,686
to that IP address on the outside.
627
00:36:08,876 --> 00:36:12,176
This is actually a two way
street, a two way translation.
628
00:36:12,376 --> 00:36:18,236
A lot of people say, okay, well now do we have
to create a second one that says 208.92 is here
629
00:36:18,236 --> 00:36:20,826
and 192.168 is here to kind of do both ways?
630
00:36:20,826 --> 00:36:22,056
No. This is a two way street.
631
00:36:22,216 --> 00:36:31,406
So as this one goes out you will always be
that 208.92.153.5 address that I just defined.
632
00:36:31,406 --> 00:36:35,536
And as people come in on that
-- you get the point, right?
633
00:36:36,026 --> 00:36:39,786
I'm like I could fumble over
my words or you got it, right.
634
00:36:39,786 --> 00:36:41,626
So, another way I can do this.
635
00:36:42,146 --> 00:36:46,796
I could do IP NAT inside source, and you saw
this when I first typed it, so I'll do static.
636
00:36:47,456 --> 00:36:53,786
I could type the inside local IP address,
but I can also specify TCP or UDP.
637
00:36:54,026 --> 00:36:58,916
So this would be useful if I want to
break this into multiple port numbers.
638
00:36:58,916 --> 00:37:00,126
So let me show you.
639
00:37:00,126 --> 00:37:06,866
Let's say I want to do TCP, and I'll
say the inside local address, 192.168.1.
640
00:37:06,866 --> 00:37:10,046
let's say 53, but it's going to be on port 80.
641
00:37:10,046 --> 00:37:10,976
This is a web server.
642
00:37:11,196 --> 00:37:21,126
And I will go on the outside that really goes to
208.92.153.8 on the outside on port 80 as well.
643
00:37:21,436 --> 00:37:29,276
So what this does is say now if I get
-- I'm running out of space to scribble.
644
00:37:29,686 --> 00:37:30,996
Let's use orange.
645
00:37:31,206 --> 00:37:39,436
If I get a request on the outside and it's
directed to 208.92.153.8 on port 80 and only
646
00:37:39,436 --> 00:37:43,546
on port 80, it won't work for any other port
right now, then I will send it to the inside
647
00:37:43,546 --> 00:37:48,556
of my network to the mysterious server
that showed up that is 192.168.1.
648
00:37:48,556 --> 00:37:49,846
what did I say, 53?
649
00:37:50,396 --> 00:37:54,196
Yeah, 53 on port 80, alright?
650
00:37:55,516 --> 00:37:58,296
So I could hit the up arrow.
651
00:37:58,296 --> 00:38:01,856
Let's say this is where I can split this
one IP address to multiple destinations.
652
00:38:01,856 --> 00:38:11,376
I could say, well, maybe if they do 21 which is
FTP I'll send it in on port 21, 192.168.1.67.
653
00:38:11,376 --> 00:38:13,546
That's an FTP server on my network.
654
00:38:13,546 --> 00:38:18,486
Early on, this is long before GoToMyPC
and LogMeIn and all these things
655
00:38:18,486 --> 00:38:23,426
that let you access your computer from home,
long before that I actually had a router set
656
00:38:23,426 --> 00:38:27,836
up at my house, let's get that orange color
off of there, router set up at my house
657
00:38:28,096 --> 00:38:33,556
that was connected to an ISP, and I
would use Microsoft Remote Desktop.
658
00:38:33,556 --> 00:38:35,126
It's been around for a long time.
659
00:38:35,416 --> 00:38:40,326
And Microsoft Remote Desktop uses TCP port 3389.
660
00:38:40,326 --> 00:38:42,766
And I had actually a bunch of
computers inside of my house
661
00:38:44,116 --> 00:38:45,926
that I would access when I'm on the road.
662
00:38:45,926 --> 00:38:49,746
If I'm traveling or if I'm at the office
or something like that I could actually sit
663
00:38:49,746 --> 00:38:52,186
out here and use Microsoft Remote Desktop.
664
00:38:52,186 --> 00:38:54,516
You know what I mean when I'm
talking about Remote Desktop, right?
665
00:38:54,516 --> 00:38:56,236
You go to all programs.
666
00:38:56,336 --> 00:38:57,326
Of course, you can't see it.
667
00:38:57,326 --> 00:39:02,196
How about you just do start
run, you actually type in MSTSC.
668
00:39:02,196 --> 00:39:07,816
And that will bring up a remote desktop
connection to where I can type in I want to go
669
00:39:07,816 --> 00:39:12,176
to this computer home.jeremy
or whatever the computer is.
670
00:39:12,176 --> 00:39:13,606
And I can open a remote screen.
671
00:39:13,606 --> 00:39:18,276
So I would sit out here and remote to my
computer because I would map port 3389
672
00:39:18,276 --> 00:39:24,716
into my main PC which was actually
172.30.1.50 was my main PC IP address.
673
00:39:24,716 --> 00:39:28,856
But the problem is now I've
eaten up that port number 3389.
674
00:39:29,236 --> 00:39:30,616
On the outside it's eaten up.
675
00:39:30,616 --> 00:39:33,496
So I wanted to remote desktop
to these guys as well.
676
00:39:33,736 --> 00:39:36,046
What I would do is I would play this game.
677
00:39:36,426 --> 00:39:43,296
I would say, okay, well I want to actually
map 3389 to let's just say 1.67.3389,
678
00:39:43,476 --> 00:39:49,016
and then I would say I want to
actually map 3390 to the inside,
679
00:39:49,016 --> 00:39:51,896
let's just say this is the
second IP address right there.
680
00:39:51,896 --> 00:39:53,876
Let me get that all on the screen.
681
00:39:53,876 --> 00:39:54,996
It's not quite fitting.
682
00:39:55,326 --> 00:39:57,516
But you see what I'm doing here.
683
00:39:57,556 --> 00:39:59,976
I would say 3390
684
00:40:00,046 --> 00:40:04,976
on the outside actually translates
to 3389 on the inside.
685
00:40:05,206 --> 00:40:11,766
Now, whenever I would be somewhere I
would say I want to go to jeremy.home.com
686
00:40:11,766 --> 00:40:16,486
or whatever my domain -- I actually use
the dynamic DNS service and all that.
687
00:40:16,696 --> 00:40:19,586
And if I wanted to connect to my main
computer I would just hit enter and connect.
688
00:40:20,066 --> 00:40:23,976
If I wanted to connect to a secondary
computer I would put colon 3390.
689
00:40:24,266 --> 00:40:28,196
You can do that, and it will say okay,
well, I'll use port 3390 which now hits this
690
00:40:28,196 --> 00:40:30,046
and translates to a completely
different computer.
691
00:40:30,236 --> 00:40:34,106
And then I did the same thing for the third
computer, 3391, and I would come over here
692
00:40:34,106 --> 00:40:42,866
and map 3391 to whatever, 192.168.1.5 on 3389.
693
00:40:42,866 --> 00:40:45,596
And that would work out perfectly well.
694
00:40:45,596 --> 00:40:47,526
So it's saying if it receives it on this port
695
00:40:47,526 --> 00:40:50,346
on the outside I'll actually
translate it to this port on the inside.
696
00:40:50,346 --> 00:40:52,446
So there's a lot of cool stuff that you can do.
697
00:40:52,446 --> 00:40:57,276
You can either statically translate
the whole IP address in and out,
698
00:40:57,526 --> 00:41:00,826
or you can statically translate port
numbers and even change port numbers
699
00:41:00,826 --> 00:41:03,266
when you're translating in and out.
700
00:41:03,266 --> 00:41:08,316
Okay, so we have now seen
the three flavors of NAT.
701
00:41:08,316 --> 00:41:11,756
This was my only slide for this because
we're so into the live configuration.
702
00:41:11,806 --> 00:41:15,626
Obviously with all the scribbles on the
screen you can see it builds on itself.
703
00:41:15,746 --> 00:41:20,806
But we've seen configuring PAT, sending
it to go out to a specific interface
704
00:41:20,806 --> 00:41:22,606
or to a specific pool of addresses.
705
00:41:22,966 --> 00:41:26,266
Configuring dynamic NAT from one
pool of addresses to another.
706
00:41:26,536 --> 00:41:30,246
And then we saw it configuring static
mappings from either a whole IP address
707
00:41:30,246 --> 00:41:34,976
or individual ports on an IP
address into different servers.
708
00:41:34,976 --> 00:41:39,606
So by the time you're done now you should
be able to go out and configure NAT for just
709
00:41:39,606 --> 00:41:42,326
about any environment that you can encounter.
710
00:41:42,326 --> 00:41:44,036
I wasn't hiding anything.
711
00:41:44,036 --> 00:41:46,886
You've now seen all the flavors
of NAT that exist.
712
00:41:47,386 --> 00:41:50,226
I hope this has been informative for you,
and I'd like to thank you for viewing.