WEBVTT

00:00:03.260 --> 00:00:07.400
Hello and welcome to this video refresher on a flavor of network address

00:00:07.400 --> 00:00:11.180
translation that's called port address translation.

00:00:11.180 --> 00:00:16.840
In this video we're going to be going over an overview of it, how it works,

00:00:16.840 --> 00:00:19.100
how to configure it and how to verify it.

00:00:19.100 --> 00:00:25.340
So let's just do an overview of PAT, which stands for port address translation.

00:00:25.340 --> 00:00:28.540
In some documentation you might see that called NAT overload.

00:00:28.540 --> 00:00:31.080
They both mean exactly the same thing.

00:00:31.080 --> 00:00:37.540
The idea here is we have several different inside private IP addresses.

00:00:37.540 --> 00:00:42.520
They're now being all translated to one single public IP address.

00:00:42.520 --> 00:00:45.460
So it's a one to many mapping.

00:00:45.460 --> 00:00:50.900
So one public address can provide multiple host connections who are in

00:00:50.900 --> 00:00:52.080
the private area.

00:00:52.080 --> 00:00:57.260
And it is the most scalable and probably well known and most well implemented

00:00:57.260 --> 00:00:59.660
form of network address translation.

00:00:59.660 --> 00:01:01.640
Here's how it works.

00:01:01.640 --> 00:01:09.240
So we have port address translation set up so that our inside hosts will

00:01:09.240 --> 00:01:10.200
always be there.

00:01:10.200 --> 00:01:14.700
Their source addresses will be translated to this one public outside address

00:01:14.700 --> 00:01:19.440
of 175.1.1.1. So here comes a host right now.

00:01:19.440 --> 00:01:25.500
He is 10.1.1.1. Notice his source port number is a dynamically generated

00:01:25.500 --> 00:01:26.900
ephemeral port number.

00:01:26.900 --> 00:01:28.260
We can't predict what it is.

00:01:28.260 --> 00:01:32.420
In this case it just randomly happens to be 50,001.
00:01:32.420 --> 00:01:37.060
As that comes into our NAT router, we will create this translation entry.

00:01:37.060 --> 00:01:42.620
We will say that 10.1.1.1 with 50,001 needs to be translated to

00:01:42.620 --> 00:01:47.480
175.1.1.1. And there's no other translation entry right now that's using that

00:01:47.480 --> 00:01:50.120
port number. So we can just keep it the same.

00:01:50.120 --> 00:01:52.080
We don't have to translate the port in this case.

00:01:52.080 --> 00:01:54.640
We can keep it as 50,001.

00:01:54.640 --> 00:01:59.260
Now another host starts up and there he goes to the outside world.

00:01:59.260 --> 00:02:03.300
Now another host comes in of 10.1.1.2.

00:02:03.300 --> 00:02:06.940
Notice that the random ephemeral port number selected by this host is

00:02:06.940 --> 00:02:08.460
something completely different.

00:02:08.460 --> 00:02:14.440
64,001. That particular source port number is not currently in

00:02:14.440 --> 00:02:16.820
use in our translation table.

00:02:16.820 --> 00:02:18.360
So we can keep it the same.

00:02:18.360 --> 00:02:22.360
We can retain it and all we have to do is translate his source IP address.

00:02:22.360 --> 00:02:28.200
So you can see the way this works right now is that as reply packets come

00:02:28.200 --> 00:02:34.140
back, if a reply packet comes back here with a destination address of

00:02:34.140 --> 00:02:41.600
175.1.1.1. If that's all we were using, that would not be enough because

00:02:41.600 --> 00:02:45.740
we'd say, hey, we have two translation entries, both of which are using

00:02:45.740 --> 00:02:50.820
175.1.1.1. We need some more distinctive information, but we also have

00:02:50.820 --> 00:02:53.040
a destination port number here.
00:02:53.040 --> 00:03:00.200
So if the reply was coming back to this conversation, the destination

00:03:00.200 --> 00:03:04.140
port number would be 50,001.

00:03:04.140 --> 00:03:09.100
And we would be able to match that up to this particular translation entry.

00:03:09.100 --> 00:03:13.780
And so we can map it back to now the new destination or the old destination

00:03:13.780 --> 00:03:22.680
of 10.1.1.1 and destination port of 50,001.

00:03:22.680 --> 00:03:25.980
And we'd come back to this guy right here.

00:03:25.980 --> 00:03:30.000
So as long as these guys come in with unique port numbers, we're good

00:03:30.000 --> 00:03:34.180
to go. But what happens if a third guy comes in, a third guy needs a translation

00:03:34.180 --> 00:03:39.180
entry, and it just so happens through random chance, he chooses the

00:03:39.180 --> 00:03:43.640
exact same source port number as one of our current translation entries.

00:03:43.640 --> 00:03:50.100
Well, we can't use this for both of them, because if we did that, if we

00:03:50.100 --> 00:04:05.660
said, hey, 10.1.1.3, we're going to translate you to 175.1.1.1

00:04:05.660 --> 00:04:10.300
with a destination port of 50,001.

00:04:10.300 --> 00:04:14.060
We wouldn't know which translation entry to use.

00:04:14.060 --> 00:04:15.900
Should we use this one?

00:04:15.900 --> 00:04:19.740
Is that conversation ultimately meant to go back to 10.1.1.1?

00:04:19.740 --> 00:04:23.660
Or is that conversation ultimately meant to go back to 10.1.1.3?

00:04:23.660 --> 00:04:25.080
We wouldn't know.

00:04:25.080 --> 00:04:29.740
So in this particular case, because this guy just happened to choose a

00:04:29.740 --> 00:04:34.500
source port number that was already in use in an existing translation,

00:04:34.500 --> 00:04:39.180
not only do we need to translate his source IP address to 175.1.1.1.
00:04:39.180 --> 00:04:43.760
We also need to translate his source port number to something that's unique.

00:04:43.760 --> 00:04:48.120
So port address translation will just choose another port that's available

00:04:48.120 --> 00:04:51.240
and translate him to that.

00:04:51.240 --> 00:04:56.840
So we can have a unique source IP, source port number that we can translate

00:04:56.840 --> 00:05:03.060
him back to. And this is why it's called port address translation.

00:05:03.060 --> 00:05:04.660
How do we configure this?

00:05:04.660 --> 00:05:09.560
Well, we still need to define interfaces as NAT inside and NAT outside.

00:05:09.560 --> 00:05:14.660
We still need to create our access list, defining what is permitted to

00:05:14.660 --> 00:05:18.980
be translated and what is denied from translation.

00:05:18.980 --> 00:05:24.380
And then we use our ip nat inside source command.

00:05:24.380 --> 00:05:30.740
But now instead of where we are referencing a

00:05:30.740 --> 00:05:37.180
NAT pool, we are now referencing our list, which is our ACL of what can

00:05:37.180 --> 00:05:40.140
be NATted and what can't.

00:05:40.140 --> 00:05:43.580
And then everything that matches a permit statement in our ACL, we're

00:05:43.580 --> 00:05:47.280
not referencing a pool anymore, we're referencing an interface.

00:05:47.280 --> 00:05:51.620
That is our interface that has our public IP address on it.

00:05:51.620 --> 00:05:53.440
And we are going to overload that.

00:05:53.440 --> 00:05:57.320
So that public IP address is going to be shared over and over and over

00:05:57.320 --> 00:06:02.400
again for all inside hosts that match the permit statement.

00:06:02.400 --> 00:06:06.420
And we're just going to make sure that their source port number is unique

00:06:06.420 --> 00:06:08.940
in the translation entries.
00:06:08.940 --> 00:06:15.920
Here we can use the show ip nat translation command and we can actually

00:06:15.920 --> 00:06:18.460
see the translation entries.

00:06:18.460 --> 00:06:27.780
So for example, here we see that 10.1.1.1 came in with a source port number

00:06:27.780 --> 00:06:36.780
of 59656. We translated him to 99.99.99.2.

00:06:36.780 --> 00:06:40.520
And because that source port number wasn't in use with any other translation,

00:06:40.520 --> 00:06:43.700
we were able to retain it, to keep it.

00:06:43.700 --> 00:06:50.380
Then somebody else comes in who is 10.1.1.4.

00:06:50.380 --> 00:06:54.420
We translate him to the exact same address.

00:06:54.420 --> 00:06:57.800
We overloaded 99.99.99.2.

00:06:57.800 --> 00:07:01.300
But because the port numbers are unique, we're able to keep these translations

00:07:01.300 --> 00:07:12.620
separate. So that concludes this course on port address translation.

00:07:12.620 --> 00:07:13.380
I hope you found it useful.