1
00:00:08,550 --> 00:00:15,690
This is one of multiple videos where I discuss not on network address translation in this video answering

2
00:00:15,690 --> 00:00:23,130
a question from Pedro who's attending my Jeana's three CCN a course the link to the Course can be found

3
00:00:23,130 --> 00:00:23,420
below.

4
00:00:23,420 --> 00:00:24,170
This video

5
00:00:36,510 --> 00:00:38,380
Pedros Thanks for the question.

6
00:00:38,590 --> 00:00:42,730
Here's the answer in this genius three typology.

7
00:00:42,800 --> 00:00:47,230
I have three Cisco Iowas routers acting in service.

8
00:00:47,300 --> 00:00:56,360
I also have a Cisco Iowas router acting as a PC and will configure a fifth Cisco Iowas a Virata with

9
00:00:56,360 --> 00:01:03,500
Nat to allow the client to access their three servers on the internal network.

10
00:01:03,500 --> 00:01:07,760
Now all I've done here is configure IP addresses on the devices.

11
00:01:07,760 --> 00:01:15,170
I've also configured a default gateway on the servers to point to the router but the client router has

12
00:01:15,170 --> 00:01:24,410
no routing enabled so here is router 3 acting as a client show IP ROFFT shows us that they are no rants

13
00:01:24,420 --> 00:01:28,850
in the writing table except connected and local routes.

14
00:01:28,860 --> 00:01:30,990
No gateway of last resort is set.

15
00:01:31,150 --> 00:01:41,390
There's no default draft no routing protocols such as OSPF BGP or Jappy are enabled on the router.

16
00:01:41,730 --> 00:01:52,760
So if we run a debug IP packet and then try and ping one of the internal servers this is Rodda one acting

17
00:01:53,000 --> 00:01:54,900
as our first server.

18
00:01:55,130 --> 00:02:03,560
What we're told is that the packet is unreadable the rodded doesn't know how to get to the destination

19
00:02:03,560 --> 00:02:08,450
network.

20
00:02:08,460 --> 00:02:15,970
The same is true for any of the other server IP addresses.

21
00:02:16,130 --> 00:02:22,900
The PC doesn't know how to get there because there is no routing enabled and it has no route to serve

22
00:02:22,910 --> 00:02:34,890
a 1 7 2 0 7 3 router 1 acting as server 1 is configured with a default route pointing to Ratatouille

23
00:02:35,580 --> 00:02:39,680
which is acting as the next router.

24
00:02:39,780 --> 00:02:48,800
It could as an example try and ping WATERSTREET acting as the PC and you'll notice that the traffic

25
00:02:48,800 --> 00:02:49,440
hits the road.

26
00:02:49,460 --> 00:02:53,340
But it doesn't know how to return the traffic back to the server.

27
00:02:53,630 --> 00:02:56,470
So there's a zero percent success rate.

28
00:02:56,540 --> 00:03:04,620
In other words this server sends the traffic to its default gateway which is this router Roths the traffic

29
00:03:04,620 --> 00:03:10,150
onto the segment it hits the PC that the pc doesn't know how to get back again.

30
00:03:10,560 --> 00:03:18,410
Now typically RF see 19:18 addresses are not readable on the Internet because Internet routers will

31
00:03:18,410 --> 00:03:21,680
block traffic sent from those IP addresses.

32
00:03:21,680 --> 00:03:28,870
So what we need to do is configure Nat on the router to allow this PC to access the servers and to allow

33
00:03:28,870 --> 00:03:34,830
the traffic to be noted when going on to the outside or the Internet.

34
00:03:34,850 --> 00:03:38,480
So let's configure router 2 with nat.

35
00:03:38,620 --> 00:03:47,720
OK so this is routed to which is our next router show IP interface brief shows us the IP address is

36
00:03:47,720 --> 00:03:55,490
configured on those Raanta gigabit Zurr one is configured with an IP address and that 8 8 8 range that

37
00:03:55,490 --> 00:03:58,390
is a public IP address used by level 3.

38
00:03:58,700 --> 00:04:05,970
So here we are pretending that that interface is the outside or the Internet facing interface on the

39
00:04:06,050 --> 00:04:07,030
router.

40
00:04:07,250 --> 00:04:14,970
Gigabit is 0 0 0 2 and 0 3 are using RAFC 19:18 addresses.

41
00:04:14,990 --> 00:04:20,240
In other words private IP addresses not ratable on the Internet.

42
00:04:20,330 --> 00:04:29,840
So what I'll do is configure gigabit 01 as a net outside interface.

43
00:04:29,900 --> 00:04:32,830
In this example I'm using an Iowas Virata.

44
00:04:33,080 --> 00:04:37,970
So we saw a CPQ hug message but the road has come back now.

45
00:04:39,740 --> 00:04:50,820
So I'm using a 15 6 2 version of IRA's V interface gigabit 0 0 0 IP not inside interface gigabit.

46
00:04:50,910 --> 00:04:56,190
0 2 IP not inside interface gigabit.

47
00:04:56,210 --> 00:04:59,410
0 3 moppy not inside.

48
00:04:59,600 --> 00:05:03,140
We have to tell the router which interfaces on the inside.

49
00:05:03,140 --> 00:05:11,170
In other words internal networks and which interfaces are on the outside or internet facing.

50
00:05:11,180 --> 00:05:21,060
So what we've done thus far is configure gigabit 00 as an inside interface.

51
00:05:21,240 --> 00:05:23,820
Gigabit 0 1 is outside

52
00:05:26,850 --> 00:05:34,460
and gigabit 0 2 and 0 3 are inside net interfaces.

53
00:05:34,570 --> 00:05:41,640
Now we can use the command IP that what are we going to not in this example if we going to net inside

54
00:05:42,030 --> 00:05:43,230
addresses.

55
00:05:43,230 --> 00:05:49,240
In other words we are getting addresses for hosts on the inside of our network.

56
00:05:49,290 --> 00:05:56,460
Think of the term inside as belonging to an insider someone who's inside your organization.

57
00:05:56,460 --> 00:06:01,800
I'm an outsider so I'm on the outside of your organization.

58
00:06:01,800 --> 00:06:07,830
You work for a company perhaps you are an insider in that company.

59
00:06:07,980 --> 00:06:11,760
On the other hand I'm an outsider to your company.

60
00:06:11,760 --> 00:06:18,540
So an insight host is an insider and they have addresses on the local area network.

61
00:06:18,720 --> 00:06:26,910
So I'll talk about some terms in a moment but a local inside address is an address of the host found

62
00:06:26,910 --> 00:06:28,790
on the local LAN.

63
00:06:28,800 --> 00:06:37,080
In other words an inside local address is a inciters IP address when found on the local LAN and inside

64
00:06:37,080 --> 00:06:40,110
a global address is an IP address that belongs to the inside.

65
00:06:40,110 --> 00:06:44,180
Host found on the global Internet.

66
00:06:44,380 --> 00:06:48,090
In this example we want to know an inside host address.

67
00:06:48,100 --> 00:06:52,570
In other words an address that belongs to a host on the inside of our network.

68
00:06:52,570 --> 00:07:00,070
In other words internal to our network Baganda not to the source IP address of that internal host.

69
00:07:00,070 --> 00:07:06,880
And in this example we want to use a static net entry because we want devices from the Internet to be

70
00:07:06,880 --> 00:07:10,170
able to initiate sessions to the host.

71
00:07:10,270 --> 00:07:14,410
So we asked for the inside local IP address.

72
00:07:14,500 --> 00:07:17,820
This is the real IP address of the host.

73
00:07:18,010 --> 00:07:25,780
The host is on the inside of our network and its connected to the local area network.

74
00:07:25,780 --> 00:07:35,770
So the inside local IP address is the physical IP address of that device on the local area network.

75
00:07:35,770 --> 00:07:44,230
Now what are we going to net the address to in this example I'm going to net it 2 8 8 8 8 8 1 that IP

76
00:07:44,230 --> 00:07:47,400
address does not exist in the network.

77
00:07:48,510 --> 00:07:55,560
So going on to rodders 3 which is acting as our P.S. In this typology at the moment it's not able to

78
00:07:55,700 --> 00:08:02,300
pin 8 8 8 8 8 1 because that address doesn't exist.

79
00:08:02,300 --> 00:08:07,660
Notice we're getting encapsulation failed show up.

80
00:08:07,790 --> 00:08:11,790
We're getting an incomplete arp entry for that host.

81
00:08:11,950 --> 00:08:19,400
The PC is not able to discover 8 8 8 1 and that's because it doesn't exist.

82
00:08:19,400 --> 00:08:24,550
We get to create a virtual IP address for that host.

83
00:08:24,550 --> 00:08:29,310
Now I'm going to use extendable to complete the NAT translation.

84
00:08:29,470 --> 00:08:35,770
So going back on to rodders free are we able to ping that address.

85
00:08:35,770 --> 00:08:37,520
Yes we are.

86
00:08:37,830 --> 00:08:41,260
We just don't stop the debug previously

87
00:08:43,780 --> 00:08:45,890
we couldn't ping this address.

88
00:08:46,030 --> 00:08:55,710
We had encapsulation failed the OP was incomplete but after we created the data entry we could ping

89
00:08:56,080 --> 00:08:58,300
8 8 8 8 1.

90
00:08:58,380 --> 00:09:01,970
So let's do that again.

91
00:09:02,090 --> 00:09:05,870
And what I'll do is run a debug on the server.

92
00:09:05,920 --> 00:09:07,390
So this is server 1

93
00:09:09,960 --> 00:09:19,900
debug IP ICMP will do a single ping from rotor 3 which is acting as our PC.

94
00:09:20,120 --> 00:09:28,800
And what you can see here is a source of 10 dot wondered wondered one sent a reply to 8 8 8 8 1 but

95
00:09:31,810 --> 00:09:40,660
the Internet device doesn't know that it's talking to 10 10 attended one because the address is being

96
00:09:40,660 --> 00:09:51,810
Nottage the Internet PC thinks it's talking to 8 2 8 8 8 1 and that's because show IP translation shows

97
00:09:51,810 --> 00:10:01,890
us on router to the NAT router that 8 8 8 8 8 1 is being translated to 10.

98
00:10:02,010 --> 00:10:02,520
Wondered.

99
00:10:02,520 --> 00:10:03,940
Wondered one.

100
00:10:04,110 --> 00:10:05,880
This is the inside a local address.

101
00:10:05,880 --> 00:10:17,000
This is the actual physical address of the PC as we can see here is the address.

102
00:10:17,030 --> 00:10:19,720
This is the inside a global address.

103
00:10:19,720 --> 00:10:24,290
In other words this is the nattered address of that PC.

104
00:10:24,310 --> 00:10:30,460
This is the address of that PC when traffic is sent on to the Internet.

105
00:10:30,460 --> 00:10:33,010
I hope you found the video useful.

106
00:10:33,370 --> 00:10:38,010
If you enjoyed it please like it and please subscribe to my YouTube channel.

107
00:10:38,020 --> 00:10:39,460
I wish you all the very best.