WEBVTT

00:04.459 --> 00:07.950
>> One of the services that
many routers provide is

00:07.950 --> 00:11.430
a service called NAT,
network address translation.

00:11.430 --> 00:13.710
NAT works with a very
similar service called

00:13.710 --> 00:16.380
PAT, port address translation.

00:16.380 --> 00:18.910
Really the two go hand in hand.

00:18.910 --> 00:20.485
On my internal network,

00:20.485 --> 00:23.100
I have my hosts and I want
to keep them protected.

00:23.100 --> 00:26.265
Even though a router's
primary job isn't security,

00:26.265 --> 00:29.925
there are ways that you can
add security to a router.

00:29.925 --> 00:33.020
The idea is for any
device running NAT,

00:33.020 --> 00:35.025
there must be two interfaces.

00:35.025 --> 00:37.140
One internal interface
connected to

00:37.140 --> 00:38.895
the internal network and

00:38.895 --> 00:41.790
an external interface
connected out to the Internet.

00:41.790 --> 00:44.445
All traffic goes
to the NAT device.

00:44.445 --> 00:47.420
The NAT device strips the
true source address and

00:47.420 --> 00:48.800
replaces that address with

00:48.800 --> 00:51.110
its own external
interface address.

00:51.110 --> 00:53.000
It looks like all
traffic going out

00:53.000 --> 00:54.530
onto the Internet
is coming from

00:54.530 --> 00:57.534
that NAT device,
its external address.

00:57.534 --> 00:59.240
It's a way of
hiding my internal

00:59.240 --> 01:00.980
IP addresses and presenting

01:00.980 --> 01:02.270
a different source address to

01:02.270 --> 01:04.130
all clients on the Internet.

01:04.130 --> 01:06.020
That also makes it
very difficult for

01:06.020 --> 01:07.580
those Internet
systems to connect

01:07.580 --> 01:09.559
to my internal network.

01:09.559 --> 01:12.710
With that being
said, another function

01:12.710 --> 01:14.090
that NAT can perform using

01:14.090 --> 01:15.140
PAT is to have

01:15.140 --> 01:16.985
many internal IP addresses

01:16.985 --> 01:19.235
with just a single
external IP address,

01:19.235 --> 01:20.540
and that uses something called

01:20.540 --> 01:22.264
port address translation.

01:22.264 --> 01:24.965
I may have 50
internal IP addresses,

01:24.965 --> 01:26.705
all coming through
the NAT device

01:26.705 --> 01:28.910
and all traffic looks
like it's coming from the

01:28.910 --> 01:34.405
137.186.57.8 IP address
in this illustration.

01:34.405 --> 01:36.590
The reason many-to-one
mapping or

01:36.590 --> 01:38.270
the one-to-many
mapping can happen

01:38.270 --> 01:39.410
is through the use of ports,

01:39.410 --> 01:42.290
and ports are assigned
to the source address.

01:42.290 --> 01:47.765
For instance, let's say
computer 192.168.0.12,

01:47.765 --> 01:49.910
is sending traffic
out to the Internet.

01:49.910 --> 01:51.530
If I have many internal hosts,

01:51.530 --> 01:53.480
when that traffic goes
through my router,

01:53.480 --> 01:55.280
my router strips
the true source,

01:55.280 --> 01:56.720
replaces it with its own,

01:56.720 --> 01:59.090
and adds an arbitrary port
number as the source so

01:59.090 --> 02:00.320
that when the server out on

02:00.320 --> 02:02.080
the Internet responds back,

02:02.080 --> 02:03.795
The router says,

02:03.795 --> 02:05.040
this port goes to the address of

02:05.040 --> 02:09.800
192.168.0.12 by
appending port numbers

02:09.800 --> 02:10.985
to the source address,

02:10.985 --> 02:13.520
that router or whatever
the NAT device is,

02:13.520 --> 02:16.370
is going to be able to keep
up with my internal hosts.

02:16.370 --> 02:18.410
The big benefit of
NAT is that it hides

02:18.410 --> 02:20.330
internal addresses and also

02:20.330 --> 02:21.710
keeps me from having to pay for

02:21.710 --> 02:24.920
200 individual IP
addresses for my ISP.

02:24.920 --> 02:27.080
I pay for the one
IP address that's

02:27.080 --> 02:29.300
on my external
interface on my router,

02:29.300 --> 02:31.310
then everything else
is hidden behind NAT

02:31.310 --> 02:34.030
so they don't have to be
registered addresses.

02:34.030 --> 02:35.910
Another benefit with NAT

02:35.910 --> 02:38.145
is the internal IP addresses.

02:38.145 --> 02:41.220
These follow an RFC called 1918.

02:41.220 --> 02:44.330
RFC 1918 sets aside three ranges

02:44.330 --> 02:45.980
of IP addresses just to

02:45.980 --> 02:48.445
be used for private
internal usage

02:48.445 --> 02:50.500
and they are anything
on the 10 network,

02:50.500 --> 02:54.930
the 172.16 through
172.31 network,

02:54.930 --> 02:57.810
and the 192.168 network.

02:57.810 --> 02:59.420
All of those are reserved for

02:59.420 --> 03:01.940
the specific purpose
of internal use.

03:01.940 --> 03:03.680
Again, because they're behind

03:03.680 --> 03:05.735
NAT devices, it doesn't matter.

03:05.735 --> 03:07.280
Those aren't the
devices that are

03:07.280 --> 03:08.640
going on the Internet.

03:08.640 --> 03:10.410
Those aren't the IP addresses.

03:10.410 --> 03:13.520
NAT is going to strip those
internal addresses and

03:13.520 --> 03:15.980
everything presents from a
single external interface

03:15.980 --> 03:17.420
of the NAT device.

03:17.420 --> 03:19.700
Now, if your NAT device fails,

03:19.700 --> 03:22.455
all your traffic is going
through that NAT device.

03:22.455 --> 03:23.600
You're going to have to have

03:23.600 --> 03:25.205
that single point of failure.

03:25.205 --> 03:27.080
Keep in mind that
NAT really doesn't

03:27.080 --> 03:29.375
provide any other
security services.

03:29.375 --> 03:32.480
NAT very simply provides
the address transition,

03:32.480 --> 03:35.520
but that's an important
service for us.
