This is one of multiple videos where I discuss NAT, or network address translation. In this video, I'm answering a question from Pedro, who's attending my GNS3 Q&A course. The link to the course can be found below this video.

Pedro, thanks for the question. Here's the answer. In this GNS3 topology, I have three Cisco IOS routers acting as servers. I also have a Cisco IOS router acting as a PC, and I'll configure a fifth Cisco IOS router with NAT to allow the client to access the three servers on the internal network. Now, all I've done here is configure IP addresses on the devices. I've also configured a default gateway on the servers to point to the NAT router, but the client router has no routing enabled.

So here is router three, acting as the client. show ip route shows us that there are no routes in the routing table except connected and local routes. No gateway of last resort is set. There's no default route, and no routing protocols such as OSPF, BGP or EIGRP are enabled on this router. So if we run a debug ip packet and then try and ping one of the internal servers (this is router one, acting as our first server), what we're told is that the packet is unroutable. The router doesn't know how to get to this destination network. The same is true for any of the other server IP addresses.
The PC doesn't know how to get there because there is no routing enabled, and it has no route to server one, server two or server three. Router one, acting as server one, is configured with a default route pointing to router two, which is acting as the NAT router. It could, as an example, try and ping router three, acting as the PC. And you'll notice that the traffic hits the router, but it doesn't know how to return the traffic back to the server. So there's a 0% success rate. In other words, this server sends the traffic to its default gateway, which is this router, which routes the traffic onto this segment. It hits this PC, but the PC doesn't know how to get back again.

Now, typically, RFC 1918 addresses are not routable on the Internet, because Internet routers will block traffic sent from those IP addresses. So what we need to do is configure NAT on this router to allow this PC to access the servers and to allow their traffic to be NATted when going on to the outside or the internet. So let's configure router two with NAT.

Okay, so this is router two, which is our NAT router. show ip interface brief shows us the IP addresses configured on this router. Gigabit 0/1 is configured with an IP address in the 8.8.8.x range.
That is a public IP address used by Level 3. So here we're pretending that that interface is the outside or internet-facing interface on this router. Gigabit 0/0, 0/2 and 0/3 are using RFC 1918 addresses. In other words, private IP addresses, non-routable on the internet. So what I'll do is configure Gigabit 0/1 as a NAT outside interface. In this example, I'm using an IOSv router, so we saw a CPU hog message, but the router has come back now.

So I'm using a 15.6(2) version of IOSv. interface GigabitEthernet 0/0, ip nat inside; interface GigabitEthernet 0/2, ip nat inside; interface GigabitEthernet 0/3, ip nat inside. We have to tell the router which interfaces are on the inside, in other words internal networks, and which interfaces are on the outside or internet-facing. So what we've done thus far is configure Gigabit 0/0 as an inside NAT interface, Gigabit 0/1 is outside, and Gigabit 0/2 and 0/3 are inside NAT interfaces.

Now we can use the command ip nat. What are we going to NAT? In this example, we're going to NAT inside addresses. In other words, we are NATting addresses for hosts on the inside of our network.
Think of the term inside as belonging to an insider, someone who's inside your organization. I'm an outsider, so I'm on the outside of your organization. You work for a company; perhaps you are an insider in that company. I, on the other hand, am an outsider to your company. So an inside host is an insider, and they have addresses on the local area network. I'll talk about some terms in a moment, but a local inside address is an address of this host found on the local LAN. In other words, an inside local address is an insider's IP address when found on the local LAN, and an inside global address is an IP address that belongs to this inside host when found on the global internet.

In this example, we want to NAT an inside host address. In other words, an address that belongs to a host on the inside of our network, internal to our network; we're going to NAT the source IP address of that internal host. And in this example, we want to use a static NAT entry, because we want devices from the Internet to be able to initiate sessions to this host. So we're asked for the inside local IP address. This is the real IP address of the host. This host is on the inside of our network, and it's connected to the local area network.
So the inside local IP address is the physical IP address of that device on the local area network. Now, what are we going to NAT the address to? In this example, I'm going to NAT it to 8.8.8.1. That IP address does not exist in the network. So going on to router three, which is acting as our PC in this topology, at the moment it's not able to ping 8.8.8.1 because that address doesn't exist. Notice we're getting encapsulation failed. show arp: we're getting an incomplete ARP entry for that host. The PC is not able to discover 8.8.8.1, and that's because it doesn't exist. We're going to create this virtual IP address for that host. Now I'm going to use extendable to complete the NAT translation.

So going back onto router three: are we able to ping that address? Yes, we are. Let me just stop the debug. Previously, we couldn't ping this address; we had encapsulation failed, the ARP was incomplete, but after we created the NAT entry we could ping 8.8.8.1. So let's do that again, and what I'll do is run a debug on the server. So this is router one: debug ip icmp. I'll do a single ping from router three, which is acting as our PC.
And what you can see here is a source of 10.1.1.1 sent a reply to 8.8.8.1. But the Internet device doesn't know that it's talking to 10.1.1.1, because the address is being NATted. The Internet PC thinks it's talking to 8.8.8.1. And that's because show ip nat translations on router two, the NAT router, shows us that 8.8.8.1 is being translated to 10.1.1.1. This is the inside local address. This is the actual physical address of this PC, as we can see here. Here's the address. This is the inside global address. In other words, this is the NATted address of that PC. This is the address of that PC when traffic is sent onto the internet.

I hope you've found the video useful. If you enjoyed it, please like it and please subscribe to my YouTube channel. I wish you all the very best.
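The static NAT configuration the video builds up on router two, collected here as an added example rather than the video's own CLI capture; the interface numbers, 10.1.1.1 and 8.8.8.1 come from the narration, and the verification commands are standard IOS show/debug commands.

```cisco
! Router 2, the NAT router (IOSv 15.6(2) in the video).
! Mark which interfaces face the internal networks and which one faces the internet.
interface GigabitEthernet0/0
 ip nat inside
interface GigabitEthernet0/2
 ip nat inside
interface GigabitEthernet0/3
 ip nat inside
interface GigabitEthernet0/1
 ip nat outside
!
! Static one-to-one mapping: inside local 10.1.1.1 (server 1's real address)
! is reachable from the outside as inside global 8.8.8.1. The router answers
! ARP for 8.8.8.1 on the outside segment once this entry exists, which is why
! the PC's "encapsulation failed" disappears. "extendable" allows the same
! local address to appear in further static mappings.
ip nat inside source static 10.1.1.1 8.8.8.1 extendable
!
! Because a static entry accepts sessions initiated from the outside, the
! server is exposed on every port; in production, limit what the outside may
! reach with an access list applied inbound on GigabitEthernet0/1.
!
! Verification from privileged EXEC:
! show ip nat translations   - lists the inside global / inside local pair
! show ip nat statistics     - confirms the inside and outside interfaces
! debug ip nat               - shows each translation as packets cross the router
```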