Hello and welcome to this video, in which I'm going to do a review of the various forms of network address translation. We're just going to start with a general overview, or refresher, of what NAT is and why you would use it.

So here is the overview of what we're going to talk about today. So, introduction: NAT stands for network address translation. The idea here is that NAT is going to be translating the IP address in your IP header, and it has the ability to translate the source address or the destination address. Most of the time, when people use NAT, it's because they want to translate their source address from one address to another.

So the idea is a packet comes into a router (switches can do NAT as well, or firewalls). A packet comes into a device, and that device removes the source IP address, puts some other source IP address in there, and then transmits the packet out, and that device keeps a record of it. It knows what the original source was and what it changed that new source address to. That way, when the reply comes back, it can use that record to translate it back to what it was and send the reply back to the originator of the packet.
So this is typically used to translate from private to public addresses. If you have a home network, which most of you probably do, chances are that the devices on the inside network in your house (your laptop, your PC, your printer) are probably all using private addresses like 10.something or 192.168.something, and addresses sourced from those private networks can't go to the Internet. ISPs actually have filters in place blocking packets that are sourced from those. But no worries, because your cable modem or your Wi-Fi router most likely has network address translation already in place by default. So as your packets are leaving your Wi-Fi router or leaving your cable modem, that source address is being translated to a publicly routable address that your ISP gave you, and then it's going out into the cloud. And that translation table, like I mentioned, ensures that the reply packets you get back from the website you're visiting or the server you're going to will be translated back to your actual private address before they hit your host.

So what can NAT change? Well, typically it's used to change the source address. It can also change the destination IP address, and certain flavors of NAT can also change your source TCP or UDP port number.
So NAT was originally, way back in the day, developed as a means to save money on the purchase of multiple public IP subnets. So think about this for a moment. If you are a company and you say, okay, I need all the subnets in my company, the payroll subnet, the engineering subnet, the human resources subnet; I need packets that are sourced from any of those subnets to be able to get to Internet resources, like websites and things like that. Well, every public subnet you get, you have to pay for. So when you go to your regional Internet registry or your Internet service provider, they're going to charge you some money, probably on a monthly basis, for every public subnet you get. So wouldn't it be great if we could say, hey, here's what I'm going to do: I really only need a public subnet for my outside-facing connection. I need a public network right here, but it would be great if on all my inside networks I could just use private networks, like the 10 network or the 172.16, and have this guy right here use network address translation to translate all those sources to my public source, maybe a pool of public source addresses. So that way it saves me money.
I don't have to pay money for public IP addresses for all my interior networks. Now, in addition to that, NAT also became a really good resource as IPv4 subnets have become more and more scarce. As people have realized, hey, even if I have the money to give every internal subnet a public address, a lot of times now when you go to your ISP, they'll say, sorry, we don't have any IPv4 networks left to give you. We might be able to give you one for your WAN-facing connection, but that's it. So this is another good use for NAT.

And NAT is also useful as a security mechanism. Meaning that if we have a host right here who, let's say, has a private IP address of 10.1.1.1, and let's say on this interface right here we have a public address of 190.1.1.1. Okay, and let's say there's a server right here who is 7.7.7.7. Well, if this host at 10.1.1.1 is sending a packet to 7.7.7.7, as his packet goes through the NAT router right here, as the packet comes out, the source address will be translated to maybe the first address in the pool, 190.1.1.2. And so when it gets to the server, the server will respond to that packet.
And because there's a NAT translation entry in that router ready and waiting to go, when a packet comes back with a destination of 190.1.1.2, the router will say, oh yeah, I have a translation entry for that. When I see a packet coming in going to 190.1.1.2, I will translate that back to 10.1.1.1. No problem.

So how is that a security safeguard for us? Well, here's how NAT can help us with security. If that server, go back there, if that server were trying to initiate a packet, let's say, hey, I'm going to send a packet to 190.1.1.30, well, there's no translation entry in the table; .30 has not been allocated as a network address translation to anybody. So when that got here to this router, the router would say, oh, I'm sorry, but I've got no place to translate you, and it would drop that. So it hides our inside addresses. Outside resources can only reply to connections that were initiated by inside resources, but they cannot initiate connections to those same inside resources.

So here's the translation logic of how NAT works. Number one, NAT only works on interfaces that are defined as NAT inside or outside. So from a configuration perspective, you have to first go to at least one interface.
Configure it as a NAT inside interface, and then configure another interface as a NAT outside interface. That's your first step. Number two, as packets arrive on the router, they have to arrive on an inside interface in order to be translated. So there you go, that's arriving on an inside interface. So right there, see that second packet? Because that packet arrived on FastEthernet 0/2 and there's no designation of that interface being NAT inside, that packet will not be a candidate for NAT. It will not be translated. But not only must it arrive on an inside interface; it has to be routed to an outside interface. So look at that: because packet number one came in NAT inside but was routed out FastEthernet 0/2, it was not a candidate for NAT. But if that same packet were to be routed out FastEthernet 0/1, that is a candidate for NAT. But wait, there's one other thing. Just because it comes in an inside interface and goes out an outside interface, that's not good enough. We have to specify criteria about what packets are allowed to be NATed and what packets are not.
That's typically done with some sort of an access list. And then we'll keep a record of that in the NAT translation table.

So, some terminology for NAT. Addresses are categorized by network address translation as either local or global addresses. A local address is from the viewpoint of an inside interface or an inside host. So your inside host, your laptop, your PC, your server sitting on the inside network, whatever IP addresses they understand and see, those are considered local addresses, or pre-translation addresses, before they've been translated. Global addresses are IP addresses as viewed from devices located on outside, post-translation networks. So for example, right here, 10.1.1.1 is considered an inside local address. It is inside the network, and it is pre-translation; it has not been changed yet. So all other devices in here would see 10.1.1.1. That is their inside local address. Now when that packet is going out, getting out the router, and it's translated, we give it a new address. So from the outside world, they don't see 10.1.1.1. They don't even know that 10.1.1.1 exists. To them,
10.1.1.1 appears as 135.1.1.1. So that is our inside global address, meaning this packet originated on the inside; that's where it started, but we changed it to a global address that everybody in the Internet can see: 135.1.1.1.

And just as a final review here, there are just two or three types of NAT we need to understand: there is static NAT, dynamic NAT, and NAT overloading, or port address translation, and I will get into the differences of all three of these in subsequent videos. Thank you for watching this one.
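The translation logic the video walks through (an interface must be marked NAT inside, the packet must be routed out a NAT outside interface, an access list decides which sources qualify, the router records the mapping in a translation table, replies are translated back, and inbound packets with no entry are dropped) as an added simulation in Python. This is example code written for this page, not from the video or from any vendor's NAT implementation. The interface names Fa0/0, Fa0/1 and Fa0/2, the 10.1.1.0/24 and 10.2.2.0/24 networks, the routes, the access list 10.0.0.0/8 and the pool 190.1.1.2 to 190.1.1.30 are constructed assumptions; the pool is dynamic address-only translation, since port translation is left to the later videos.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """A minimal IP header: source, destination, and the interface the
    packet arrived on (for input) or leaves through (for output)."""
    src: str
    dst: str
    iface: str


class NatRouter:
    """Toy model of the NAT decision path described in the video.
    Constructed for this example; it is not a real router implementation."""

    def __init__(self, inside, outside, routes, nat_acl, pool):
        self.inside = set(inside)                          # interfaces marked "nat inside"
        self.outside = set(outside)                        # interfaces marked "nat outside"
        self.routes = {ip_network(p): i for p, i in routes.items()}
        self.nat_acl = [ip_network(p) for p in nat_acl]   # sources allowed to be translated
        self.pool = [ip_address(a) for a in pool]          # every inside global address we own
        self.free = list(self.pool)                        # pool addresses not yet handed out
        self.table = {}                                    # inside local (str) -> inside global

    def lookup_route(self, dst: str) -> Optional[str]:
        """Longest-prefix match; returns the egress interface or None."""
        addr = ip_address(dst)
        best = None
        for net, iface in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as it leaves the router, or None if it is dropped."""
        if pkt.iface in self.outside:
            return self._from_outside(pkt)
        return self._from_inside(pkt)

    def _from_inside(self, pkt: Packet) -> Optional[Packet]:
        out = self.lookup_route(pkt.dst)
        if out is None:
            return None                                    # no route: drop
        # Rules 1 and 2: arrived on a NAT inside interface AND routed out a
        # NAT outside interface.  Rule 3: the source matches the access list.
        candidate = (pkt.iface in self.inside and out in self.outside
                     and any(ip_address(pkt.src) in n for n in self.nat_acl))
        if not candidate:
            return Packet(pkt.src, pkt.dst, out)           # routed, but untranslated
        glob = self.table.get(pkt.src)
        if glob is None:
            if not self.free:
                return None                                # pool exhausted: drop
            glob = self.free.pop(0)                        # first free address in the pool
            self.table[pkt.src] = glob                     # remembered for the reply
        return Packet(str(glob), pkt.dst, out)

    def _from_outside(self, pkt: Packet) -> Optional[Packet]:
        dst = ip_address(pkt.dst)
        if dst in self.pool:
            # Reverse lookup: only an existing entry lets traffic reach inside.
            for local, glob in self.table.items():
                if glob == dst:
                    out = self.lookup_route(local)
                    return Packet(pkt.src, local, out) if out else None
            return None                # pool address with no translation entry: drop
        out = self.lookup_route(pkt.dst)
        return Packet(pkt.src, pkt.dst, out) if out else None


def build_demo_router() -> NatRouter:
    """The video's topology with constructed interface names, routes and pool."""
    return NatRouter(
        inside=["Fa0/0"],
        outside=["Fa0/1"],
        routes={"10.1.1.0/24": "Fa0/0",    # inside LAN
                "10.2.2.0/24": "Fa0/2",    # a LAN with no NAT designation
                "0.0.0.0/0": "Fa0/1"},     # default route toward the Internet
        nat_acl=["10.0.0.0/8"],
        pool=[str(ip_address("190.1.1.2") + i) for i in range(29)],  # .2 through .30
    )


def demo() -> List[Optional[Packet]]:
    r = build_demo_router()
    return [
        r.forward(Packet("10.1.1.1", "7.7.7.7", "Fa0/0")),     # source becomes 190.1.1.2
        r.forward(Packet("7.7.7.7", "190.1.1.2", "Fa0/1")),    # reply translated back to 10.1.1.1
        r.forward(Packet("7.7.7.7", "190.1.1.30", "Fa0/1")),   # unsolicited inbound: dropped
        r.forward(Packet("10.2.2.5", "7.7.7.7", "Fa0/2")),     # Fa0/2 is not NAT inside: untranslated
        r.forward(Packet("10.1.1.1", "10.2.2.5", "Fa0/0")),    # not routed out NAT outside: untranslated
    ]


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The two untranslated cases and the dropped case are the ones worth watching in a real deployment: a packet that silently leaves with its private source because an interface was never marked inside, or a reply that never reaches the host because no entry exists, both show up as forwarded-but-untranslated or dropped in the translation table rather than as an explicit error.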