WEBVTT

00:00:03.240 --> 00:00:07.520
Hello and welcome to this video refresher for the CC&E Bootcamp on dynamic

00:00:07.520 --> 00:00:10.000
network address translation.

00:00:10.000 --> 00:00:12.880
And here are the topics we're going to cover here.

00:00:12.880 --> 00:00:16.220
So let's just get right into it.

00:00:16.220 --> 00:00:20.540
Dynamic NAT. So many to many mapping.

00:00:20.540 --> 00:00:25.840
So the idea here is that a private host, so a host on your inside network

00:00:25.840 --> 00:00:31.580
who has a private IP address of 10 dot something or 192.168 dot something,

00:00:31.580 --> 00:00:36.000
when that host is translated, we don't have a static translation entry

00:00:36.000 --> 00:00:38.060
ready and waiting for him.

00:00:38.060 --> 00:00:42.360
That host is going to get a translation entry from a pool of available

00:00:42.360 --> 00:00:47.800
public IP addresses and it's first come, first served.

00:00:47.800 --> 00:00:51.960
Usually deployed for hosts utilizing DHCP and it's useful when the source

00:00:51.960 --> 00:00:57.640
or destination port numbers need to be retained.

00:00:57.640 --> 00:01:03.240
So the idea behind this is that in theory, imagine I have a company that's

00:01:03.240 --> 00:01:09.100
got 1000 host addresses inside that could potentially use the internet.

00:01:09.100 --> 00:01:13.140
Now some of those, so in my company, I have devices with host addresses

00:01:13.140 --> 00:01:18.020
like printers, fax machines that probably, well maybe not a fax machine,

00:01:18.020 --> 00:01:23.520
but a printer, maybe an IP phone or something that may not ever need outside

00:01:23.520 --> 00:01:28.060
access. So that host address, I can be pretty assured, will never need

00:01:28.060 --> 00:01:30.700
to get translated because they'll never reach the internet.

00:01:30.700 --> 00:01:33.340
And then of my remaining hosts, let's say, okay, of my remaining hosts,

00:01:33.340 --> 00:01:38.720
I've got 1000 employees who on any given day, any given time might need

00:01:38.720 --> 00:01:40.460
to reach the internet.

00:01:40.460 --> 00:01:46.420
Well statistically speaking, what's the likelihood that all 1000 employees

00:01:46.420 --> 00:01:52.280
will need to have translated addresses all at the same time to reach the

00:01:52.280 --> 00:01:56.720
internet? They probably won't, probably only a subset of my employees

00:01:56.720 --> 00:01:59.020
will need to be translated at any given time.

00:01:59.020 --> 00:02:01.360
So you'd have to answer that for yourself.

00:02:01.360 --> 00:02:05.520
You say, okay, well, maybe statistically speaking, at any given point

00:02:05.520 --> 00:02:11.140
in time, maybe one quarter of my employees actually need internet access.

00:02:11.140 --> 00:02:15.700
So you're going to create your dynamic NAT pool, not with a one to one

00:02:15.700 --> 00:02:19.020
translation. For example, if I have 1000 addresses, I don't need to have

00:02:19.020 --> 00:02:25.480
a NAT pool with 1000 public IP addresses waiting to be translated because

00:02:25.480 --> 00:02:29.980
not all those people are going to need to reach the public IP or the public

00:02:29.980 --> 00:02:32.600
internet at the same time.

00:02:32.600 --> 00:02:34.860
So how are we going to do this?

00:02:34.860 --> 00:02:39.960
Well, we still define interfaces as inside and outside from a NAT perspective.

00:02:39.960 --> 00:02:44.640
Now we're going to create an access list about what inside resources are

00:02:44.640 --> 00:02:47.700
allowed to be translated and which ones are not.

00:02:47.700 --> 00:02:52.240
So maybe we want to exclude our printers as an example of addresses that

00:02:52.240 --> 00:02:54.540
don't ever need to be translated.

00:02:54.540 --> 00:02:58.500
And then here is really the crux of dynamic NAT.

00:02:58.500 --> 00:03:00.440
We're going to create a NAT pool.

00:03:00.440 --> 00:03:03.060
We're going to give our NAT pool a name.

00:03:03.060 --> 00:03:06.540
We're going to give a starting and ending IP address.

00:03:06.540 --> 00:03:14.120
So for example, you know, maybe my entire range of inside hosts is 10

00:03:14.120 --> 00:03:24.140
dot 0 dot 0 dot one through 10 dot 0 dot 0 dot two fifty four.

00:03:24.140 --> 00:03:28.720
Maybe those are all the private IP addresses I have in my company, but

00:03:28.720 --> 00:03:32.740
I say, hey, not all of them are going to need the public resources at

00:03:32.740 --> 00:03:39.380
one time. So I'm going to give you my NAT pool starting with one fifty

00:03:39.380 --> 00:03:41.580
dot one dot one dot one.

00:03:41.580 --> 00:03:49.160
And maybe one fifty dot one dot one dot, let's say one hundred.

00:03:49.160 --> 00:03:55.460
OK, so I'm assuming that at any given time I'll need no more than one

00:03:55.460 --> 00:03:59.420
hundred translation entries, even though I've got two hundred fifty four

00:03:59.420 --> 00:04:03.600
hosts. I don't think any more than one hundred of them will need to be

00:04:03.600 --> 00:04:05.640
translated at any given time.

00:04:05.640 --> 00:04:09.100
So that's going to be my starting IP and my ending IP.

00:04:09.100 --> 00:04:13.180
And then you say the word netmask and you put a subnet mask.

00:04:13.180 --> 00:04:14.560
Now, how's that work?

00:04:14.560 --> 00:04:15.900
Well, let's take a look at the graphic here.

00:04:15.900 --> 00:04:18.060
I think it's really good that explains this.

00:04:18.060 --> 00:04:19.860
Look at this here.

00:04:19.860 --> 00:04:22.560
I created a pool of addresses.

00:04:22.560 --> 00:04:29.040
That was one thirty five one one one through one thirty five one one ten

00:04:29.040 --> 00:04:31.220
ten. And then I did ten addresses.

00:04:31.220 --> 00:04:33.860
And yet I did a netmask

00:04:33.860 --> 00:04:35.520
of two forty eight.

00:04:35.520 --> 00:04:39.660
Well, a two forty eight, a subnet mask that ends with two forty eight,

00:04:39.660 --> 00:04:44.480
only allows six host addresses, not ten.

00:04:44.480 --> 00:04:47.940
And so this is telling me that's a bad pool.

00:04:47.940 --> 00:04:50.280
That mask is too small.

00:04:50.280 --> 00:04:54.100
I need to have a mask of at least two forty

00:04:54.100 --> 00:04:58.480
to have this range of addresses.

00:04:58.480 --> 00:05:05.200
So the netmask is really just a check to see if the quantity of addresses

00:05:05.200 --> 00:05:12.120
you have allocated fits in this subnet block, in this netmask block.

00:05:12.120 --> 00:05:21.700
And then we use our ip nat inside source list command.

00:05:21.700 --> 00:05:24.980
So what this command does

00:05:24.980 --> 00:05:26.180
is it sees it's a subnet block.

00:05:26.180 --> 00:05:31.460
It says anybody that matches a permit statement in our ACL.

00:05:31.460 --> 00:05:33.640
So here's our ACL right here.

00:05:33.640 --> 00:05:37.960
Anybody that matches a permit statement here is allowed to be translated

00:05:37.960 --> 00:05:47.000
into an address of our available pool that's named right here.

00:05:47.000 --> 00:05:52.960
So this is enforcing who is allowed to be translated and what pool they

00:05:52.960 --> 00:05:55.960
are allowed to be translated from.

00:05:55.960 --> 00:06:02.040
Now with dynamic NAT,

00:06:02.040 --> 00:06:04.400
once somebody is translated,

00:06:04.400 --> 00:06:07.740
we don't want their translation entry to be good forever.

00:06:07.740 --> 00:06:09.800
That would be like a static translation entry.

00:06:09.800 --> 00:06:14.400
We want their translation entry to time out after a certain period of

00:06:14.400 --> 00:06:18.820
inactivity so that public address could be put back in the pool and given

00:06:18.820 --> 00:06:20.160
to somebody else.

00:06:20.160 --> 00:06:24.760
Now you should be aware that dynamic NAT has certain default values

00:06:24.760 --> 00:06:28.200
for those translation timeouts.

00:06:28.200 --> 00:06:40.100
And these are the most common ones you should be familiar with.

00:06:40.100 --> 00:06:44.500
That once you stop your packets, once your packets are no longer flowing,

00:06:44.500 --> 00:06:49.780
that TCP connection will age out after one day, 24 hours.

00:06:49.780 --> 00:06:55.240
UDP is a lot more aggressive. UDP is every five minutes it will age out.

00:06:55.240 --> 00:06:58.340
ICMP, like a ping, ages out after one minute.

00:06:58.340 --> 00:07:01.180
Now you might think to yourself, hey, you know what,

00:07:01.180 --> 00:07:06.040
once I initiate a web browsing connection which uses TCP and I'm done

00:07:06.040 --> 00:07:08.420
going to that website,

00:07:08.420 --> 00:07:12.180
why should that connection, why should that translation entry stay in there

00:07:12.180 --> 00:07:13.960
for a day? I'm done with it.

00:07:13.960 --> 00:07:17.060
Let's age it out more aggressively than that so somebody else can use

00:07:17.060 --> 00:07:21.020
that same address I was using for their translation entry.

00:07:21.020 --> 00:07:25.980
So we can modify that with the ip nat translation command. We could say

00:07:25.980 --> 00:07:30.960
ip nat translation tcp-timeout and bring it down to something like maybe

00:07:30.960 --> 00:07:35.340
an hour or two hours instead of a whole day.

00:07:35.340 --> 00:07:40.320
And here's how we verify dynamic NAT: the same command we saw before, show

00:07:40.320 --> 00:07:42.400
ip nat translation.

00:07:42.400 --> 00:07:45.140
And you can see in this particular output here

00:07:45.140 --> 00:07:50.720
that someone with an inside local address of 10.1.1.1.

00:07:50.720 --> 00:07:54.480
They initiated a telnet

00:07:54.480 --> 00:08:00.140
to 99.99.99. And I can tell it's telnet because it's port number

00:08:00.140 --> 00:08:07.480
23. It was TCP. And so we didn't change their destination.

00:08:07.480 --> 00:08:11.640
The destination IP address and their destination port number were retained,

00:08:11.640 --> 00:08:15.020
so we did not change that, but we did change them

00:08:15.020 --> 00:08:19.740
to this right here.

00:08:19.740 --> 00:08:28.100
We did change them to an inside global address of 99.99.99.5.

00:08:28.100 --> 00:08:32.380
So just as a topology diagram to sort of visualize what that is,

00:08:32.380 --> 00:08:38.520
here's somebody right here who is 10 dot 1 dot 1 dot 1.

00:08:38.520 --> 00:08:43.620
They went through our company, you know, this is any number of routers and

00:08:43.620 --> 00:08:49.640
switches here, until eventually they got to our NAT router.

00:08:49.640 --> 00:08:55.440
And the NAT router

00:08:55.440 --> 00:09:00.380
is connected to, physically connected to, something right here

00:09:00.380 --> 00:09:04.440
that is 99 dot 99 dot

00:09:04.440 --> 00:09:13.940
99 dot 3. His own address is probably also going to be in the 99 network.

00:09:13.940 --> 00:09:20.180
And we create a translation entry

00:09:20.180 --> 00:09:30.660
saying that 10 dot 1 dot 1 is now going to be translated to 99 99

00:09:30.660 --> 00:09:35.820
99 dot 5. So the thing we're trying to telnet to was actually directly

00:09:35.820 --> 00:09:37.760
connected to our NAT router.

00:09:37.760 --> 00:09:41.180
But the translation would be the same if we're going to something way

00:09:41.180 --> 00:09:46.220
out there, like 30 hops away from our translation, from our NAT router.

00:09:46.220 --> 00:09:55.120
And that concludes this overview or refresher of dynamic network address