WEBVTT

0:00:03.100000 --> 0:00:08.600000
Hello and welcome to this video review on static NAT for our CCNA Bootcamp.

0:00:08.600000 --> 0:00:12.240000
These are the topics we're going to cover.

0:00:12.240000 --> 0:00:14.260000
So what is static NAT?

0:00:14.260000 --> 0:00:19.300000
So static NAT is a static one-to-one mapping, meaning we go into our NAT

0:00:19.300000 --> 0:00:24.060000
router and we statically give it a command saying this inside local address

0:00:24.060000 --> 0:00:29.700000
will always map to this exact outside global address.

0:00:29.700000 --> 0:00:31.300000
So why would we do this?

0:00:31.300000 --> 0:00:33.580000
Well this is usually deployed at the server end.

0:00:33.580000 --> 0:00:38.100000
It removes the security of dynamic NAT.

0:00:38.100000 --> 0:00:39.160000
Well what do we mean by that?

0:00:39.160000 --> 0:00:49.120000
Well, if I go into my NAT router and I say this private source address

0:00:49.120000 --> 0:00:55.700000
is always going to map to this public source address.

0:00:55.700000 --> 0:01:00.300000
What that means then is that translation is always in the NAT translation

0:01:00.300000 --> 0:01:02.980000
table. It's always there.

0:01:02.980000 --> 0:01:11.320000
So that means anybody in the internet can always initiate a connection

0:01:11.320000 --> 0:01:19.000000
to 150.1.1.1 and because that translation exists they will always be able

0:01:19.000000 --> 0:01:22.040000
to reach this inside source.

0:01:22.040000 --> 0:01:31.080000
Useful when hosts need to initiate connections to inside hosts.

0:01:31.080000 --> 0:01:34.520000
When outside hosts need to initiate connections to inside hosts.

0:01:34.520000 --> 0:01:37.140000
Let me give you an example of that.

0:01:37.140000 --> 0:01:43.480000
Let's say that this is my corporate network right here and here's my NAT

0:01:43.480000 --> 0:01:54.760000
router.
And I still only have one public network right here but it's a

0:01:54.760000 --> 0:01:56.400000
fairly large public network.

0:01:56.400000 --> 0:02:04.960000
Let's say I was given the entire class B of 150.1.0.0/16.

0:02:04.960000 --> 0:02:13.560000
Now my ISP, he's got the first address and I put the second address right

0:02:13.560000 --> 0:02:19.820000
here. But that still gives me a lot of other addresses.

0:02:19.820000 --> 0:02:24.840000
So what I've done is now even though that's given me a lot of addresses

0:02:24.840000 --> 0:02:28.980000
I have a ton of networks inside.

0:02:28.980000 --> 0:02:33.840000
Let's say I have hundreds of internal subnets and so I've decided to use

0:02:33.840000 --> 0:02:36.280000
private addressing on those internal subnets.

0:02:36.280000 --> 0:02:38.440000
Maybe that's the 10.10 network.

0:02:38.440000 --> 0:02:40.580000
Maybe that's the 10.4 network.

0:02:40.580000 --> 0:02:42.660000
Maybe that's the 10.50.

0:02:42.660000 --> 0:02:47.280000
10.75 and so on and so forth.

0:02:47.280000 --> 0:02:51.140000
Now on a few of these networks, not all of them, but on a few of these

0:02:51.140000 --> 0:02:55.840000
networks I have some devices like maybe some web servers that I want the

0:02:55.840000 --> 0:02:58.300000
public to reach at any point in time.

0:02:58.300000 --> 0:03:01.640000
So these web servers are not going to be initiating connections.

0:03:01.640000 --> 0:03:04.360000
They're going to be receiving connections from the outside world.

0:03:04.360000 --> 0:03:10.260000
Maybe there's a web server right here who is 10.10.1.1.

0:03:10.260000 --> 0:03:16.820000
Maybe I got another one down here who is 10.75.1.1.

0:03:16.820000 --> 0:03:19.880000
This would be a prime use case for static NAT.

0:03:19.880000 --> 0:03:23.380000
On my NAT router I could say, all right, I'm going to create some static

0:03:23.380000 --> 0:03:33.460000
NAT entries.
10.10.1.1 is always going to be mapped to 150.1.0.3 and 10

0:03:33.460000 --> 0:03:44.440000
.75.1.1. He's always going to have a static entry to 150.1.0.4.

0:03:44.440000 --> 0:03:48.720000
So the rest of my internal network is hidden, but now, and the outside

0:03:48.720000 --> 0:03:51.120000
world has no idea I'm using private addressing.

0:03:51.120000 --> 0:03:54.100000
I have to put private addresses on those servers because the subnets they

0:03:54.100000 --> 0:03:58.640000
sit on, the VLANs they sit on, everybody on that subnet is using a 10

0:03:58.640000 --> 0:04:00.060000
.something address.

0:04:00.060000 --> 0:04:02.880000
So I have to give that to my servers as well just because of where they're

0:04:02.880000 --> 0:04:07.360000
located. But now I've created some static NAT entries so everybody on

0:04:07.360000 --> 0:04:15.600000
the outside can reach my at 150.1.0.3, which is this guy right here, and

0:04:15.600000 --> 0:04:20.800000
they can reach 150.1.0.4, which is this guy right here.

0:04:20.800000 --> 0:04:25.960000
So that's a prime use case for static network address translation.

0:04:25.960000 --> 0:04:31.380000
So how do we configure this?

0:04:31.380000 --> 0:04:37.120000
Well, we still have to define interfaces as NAT inside and NAT outside.

0:04:37.120000 --> 0:04:40.020000
We still have to do that.

0:04:40.020000 --> 0:04:44.400000
And then we just define a global configuration command, IP NAT inside

0:04:44.400000 --> 0:04:49.260000
source static. And we give the private address, like in my previous example,

0:04:49.260000 --> 0:04:53.160000
10.75.1.1 would be our private address.

0:04:53.160000 --> 0:04:56.200000
And our public address would be 150.1.whatever.

0:04:56.200000 --> 0:05:00.820000
So in this particular case here, in this example, our private address

0:05:00.820000 --> 0:05:03.660000
would be 10.1.1.1.

0:05:03.660000 --> 0:05:08.720000
And our public address would be 135.1.1.1.

0:05:08.720000 --> 0:05:14.880000
And that's how we would configure our static NAT.

0:05:14.880000 --> 0:05:18.740000
And then to verify that it's actually working, that we have a static NAT

0:05:18.740000 --> 0:05:26.140000
entry, we can do show IP NAT translation, or get a little bit more detail

0:05:26.140000 --> 0:05:29.280000
with show IP NAT translation verbose.

0:05:29.280000 --> 0:05:32.920000
So notice that we have a translation entry here.

0:05:32.920000 --> 0:05:37.680000
Here's our inside local, 10.1.1.1.

0:05:37.680000 --> 0:05:42.040000
Here's what's been translated to 135.1.1.1.

0:05:42.040000 --> 0:05:49.240000
Notice that it says right here that this is a static translation has no

0:05:49.240000 --> 0:05:51.040000
aging, no timeout.

0:05:51.040000 --> 0:05:54.280000
It will always be there.

0:05:54.280000 --> 0:06:00.940000
So that is our review of static NAT, and how you configure it, and how