Cisco CCIE Security 350-701 - ASA: Network Address Translation (NAT) Part 1

  1. Private IP – Public IP

In this video we’ll see the difference between private and public IP addresses. Public IP addresses are used on the internet: any traffic going on the internet must carry a registered public IP, and that public IP is globally unique. The internet is a network where everyone is connected, so a packet travelling on it must have a unique address; if another user were using the same IP there would be a conflict. To avoid that, traffic going on the internet must use a registered public IP. These are the only addresses recognized on the internet. Private IPs are used within an organization, on its LAN or WAN, and anything sent with a private IP is not recognized on the internet.

Why? Because service providers have a default filter that denies any traffic arriving from the internet with a source address in the private IP ranges. The public IP is given by the service provider: when you register with a service provider it assigns you a public IP, and when you send traffic it is translated to that public IP. Within the network we may be using private IP addresses, so we need to translate them to a public IP, and that is the concept NAT covers in the later sections. Private IP addresses, on the other hand, are generally assigned by the administrator, because within the organization, whether on the LAN or the WAN, the administrator or the company decides the IP addressing scheme to be used.

So, as I said, public IPs are globally unique addresses registered to specific customers. Say I work for an organization ABC and all the traffic going out to the internet from my organization uses this public IP: it is globally unique and registered to my company, ABC. As long as I renew every year with the same service provider, I keep this public IP; it is registered to my company and no other user or organization on the internet will use the same address. Private IP addresses, by contrast, are not globally unique, but they are unique within the organization.

Which means if I use the 192.168.1.0 network in my company at some branch, I don’t repeat the same IP within my organization, but some other organization XYZ may well be using the same address, because it is internal addressing used by individual organizations. There is no issue when both use the same subnet, because when they go outside they use their own public IPs: say ABC uses 51.1 and XYZ uses some other public IP as they go to the internet. You don’t need to pay anything to use private IP addresses within the organization, and they are unregistered, which means, as I said, if ABC is using the 192.168.1.0 network, some other organization might be using the same subnet.

If these two companies merge, then there will be a problem. In that case we can still do NAT, which is also commonly used for overlapping subnets. We’ll talk more about NAT as we go ahead in later topics; before we go to NAT, we need to understand this addressing scheme. The next thing is how to identify private and public IP addresses. Class A runs from 0 to 127; of course we don’t use 0 and 127, so the usable range is 1 to 126. In class A, anything starting with 10 is a private IP, and the rest of the networks are public. In class B, anything starting with 172.16 through 172.31, that is 172.16, 172.17, 172.18, 172.19 and so on up to 172.31, is private and the rest of the addresses are public. In class C, anything starting with 192.168 is a private IP address.

  2. What is NAT?

Next, NAT stands for Network Address Translation. It is a matter of translating your private IP addresses: within our organization we use private IP addresses, and we need to translate them to registered public IP addresses as they go to the service provider and on to the internet. This process of translating private IPs to public IPs as traffic goes to the internet is called NAT. In the previous section we discussed private IP addresses: you cannot send traffic to the internet with a private source IP, because packets with a private source are not routed on the internet; the service provider has a default filter that denies all traffic sourced from the private IP ranges. That is the reason a packet must be translated into a public IP, or use a public IP, and using public IPs on every host within the network is not a scalable solution.

That is why we use private IPs internally and translate them as they go to the internet. Typically NAT is configured either on the routers, or on the ASA or any other firewall, the common devices connected to the internet on the outside network. In some small networks we can also do NAT on Microsoft or Linux servers with two NIC cards configured with NAT options, but mostly NAT is configured on routers or on firewalls. The common scenario, as I discussed, is the main reason for doing NAT: we use private IPs within the organization, and when they go to the internet you need to send them with a registered public IP.

  3. NAT Types

Next we’ll see the different types of NAT. We have static NAT, dynamic NAT and port address translation, called PAT. Among the advanced NAT options we will see later on are static PAT, policy dynamic NAT and policy dynamic PAT. Some of these topics do not come in the CCNA Security classes, probably at the NP level; I’ll be covering some advanced NAT topics. Starting with static NAT: static NAT is a one-to-one mapping which is done manually on the router or the firewall, where each private IP address is mapped to one registered public IP. For example, I have a user .1 and I translate it to the public IP 51.1, and user .2 is translated to some other IP.

Once you map this public IP to .1, I cannot use the same public IP for another IP; .3 cannot be mapped to this address because it is already mapped to .1. Static mapping is commonly used when you are hosting some kind of service. Say this is my web server hosted in my LAN, or maybe on the DMZ, and I am publishing it outside. I want users sitting on the internet to be able to access the server, but you cannot host it on a private IP, so I want it translated to a public IP. When a user on the internet wants to access it, they type 51.1 to reach the server, or a name if you are using DNS.

So static NAT is used for mapping your internal servers when they are hosted on the internet, but it is not practical for general internet access: if you have thousands of users who want to access the internet, I cannot use static NAT, because I would need a thousand registered public IPs, one for each user. Static NAT is commonly used for translating your internal servers. Then we have dynamic NAT. Dynamic NAT is similar to static NAT in that it is also a one-to-one mapping, but the difference is that the mapping is done dynamically. We define the private IP range, the subnet we are going to use in my LAN, we define the range of public IP addresses as a pool, we write an ACL, and then we map the private IP range to the public IP pool.

It will randomly select one public IP from this pool when traffic comes from a source in the range: .1 may be given some random public IP, .2 some other public IP, .3 another. So you don’t need to translate each IP manually; it is done automatically. But technically it is still one-to-one: while this private IP is using this public IP, the same public IP cannot be used for another private IP. So again it is not applicable for internet access, because with thousands of users you cannot go with thousands of public IPs; you need to pay the service provider for each.

For the internet we use PAT, also called dynamic NAT overload or, simply, port address translation. Here you have thousands of users sitting in the LAN, or a service provider connecting multiple customers, or any such scenario, and they all get translated to one single public IP. Thousands of private users can go to the internet with one registered public IP. How are they differentiated, when .1, .2 and .3 are all using the same public IP? Each connection is differentiated by port number: it uses a different, randomly selected port number per connection.

It uses unreserved port numbers, from 1024 to 65535, randomly selecting a unique port number for each connection. This allows hundreds or thousands of users, whatever the range, to go to the internet with one registered public IP while still being differentiated by port. For that reason we technically call it port address translation, or in general dynamic NAT overload.

  4. Dynamic NAT – on ASA

In this video we’ll see dynamic NAT configuration on the ASA. In the previous section we discussed that dynamic NAT is a method of translating a complete subnet. In my case I want to translate the 10.1.1.0 subnet on the router 1 LAN; it is actually a loopback which I have configured. I want this subnet translated to a public IP range, in my example 51.1 through 51.100, so that these private addresses are translated to this public range. The configuration is very simple: on the ASA firewall we need to create object networks, in my case one object network which defines the public pool and another which defines the private IP address.

Here the first object network is the public range, so we define that one, not the private one. We need to define the range of IP addresses: we can define a single IP with host, a subnet with the subnet keyword and a mask if you want a specific network, or a range of addresses with range. We can use any of these options depending on the case: subnet if you are using a subnet, otherwise host or range. Next I need to create another object network, and that object network defines my private IP. Inside that object network we say nat and then tell it what my inside interface is, where the private IP is coming from. We are translating from private to public, so I want to translate from my inside interface to the outside interface into a public IP.

We define the interfaces by whatever names you have used: if you named them LAN and WAN, we say LAN and WAN, or LAN to Internet, or whatever naming you have done on the interface. Then we say dynamic and refer to the public pool. This command says that whatever addresses are defined in this object network should be translated from inside towards the outside interface by using the pool defined in the object network public_pool. That is the overall configuration. The basic prerequisite to implement and verify this lab is the basic IP addressing on all the devices as per the diagram.

Then make sure you have reachability from this IP, which we are going to use as my internal private IP address, because I’m going to initiate some telnet or ICMP traffic, so basic reachability is important. For reachability I have routing configured here; let me show you. On both routers I have a default route pointing towards the ASA; on router 2 as well, if I say show ip route static. On the ASA I have the basic IP configuration done on the interfaces, mostly from my default lab setup; if you go through my previous labs you can see it with show run interface g0/1 and g0/2.

These are configured only with the names inside and outside. Then, to verify the routing with show route static: I have static routes configured on the ASA firewall to provide reachability, because when we initiate traffic from the source to the destination, the ASA must know both networks. I have configured static and default routes on the routers; you can also use OSPF or EIGRP routing to simplify. This is the basic prerequisite setup. Configuration wise, just to test, I have reachability to the IP, so I’m going to ping from router 1, from the source address 10.1.1.1, a loopback I created on router 1, and I do have reachability.

Of course we cannot reach from outside to inside, because lower to higher is not allowed; but we do have reachability from inside to outside. I have also enabled inspect icmp, because for testing we want ICMP traffic inspected, which it is not by default. To confirm, show run policy-map: you can see I have configured class inspection_default with inspect icmp for testing. I’ll be generating telnet or ICMP traffic to test. Let me go to the ASA and do the configuration according to my setup. We say object network and any name you like; in my case I use the name public_pool, which represents my public IPs in the range 51.1 to 51.100.

Then we get to the private IP object network, private_address. First we define the subnet. The subnet is 10.1.1.0, just a correction: in my router it is not the 1.1 network, it is actually the 10.1.1.0 network, and I have updated my workbook accordingly; in previous versions I used the old addressing, so wherever you see the 1.x network, replace it with 10.1.1.x, which I am using in my lab setup. Then we give the subnet mask, 255.255.255.0. Then we define the nat statement with the inside and outside interfaces and say dynamic; we could also use static.

If you’re using static NAT, you replace this with static. Here we set dynamic, and then we translate not with interface, which is used for PAT, but with the mapped IP range, the object group or object network name. In my case I used the object network public_pool, public underscore pool I think; let me confirm the name is the same. Better to copy and paste, because in these labs if you mistype a name you won’t see the expected output. To verify the NAT configuration we can say show run nat to see the NAT statements, and show run object network to see the object networks.

These are the two object networks I created, and NAT is implemented. For testing we need to generate some traffic, so first I’ll try telnet from the source; the source interface has to be loopback 0, and telnet works. If I go to the ASA and say show xlate, which is equivalent to show ip nat translations on a router, it shows the translation from this private IP to this public IP, done dynamically. On the router, if I say show users or who, it shows the connection as coming from 51.1.49: the actual telnet connection comes from loopback 0 of router 1, and as it goes through it appears as 51.1.49.

If I exit the connection and try it from loopback 2, another loopback I created, and say show users, you can see it is using 51.1.45, and show xlate shows the second translation, for the second loopback I created. You can create additional loopbacks; these simulate PCs, since practically adding that many PCs is not possible. We can generate telnet or ICMP traffic; let me try ICMP as well: I close this connection and ping, and of course I can ping from 10.1.1.1, and you can see there is already a translation entry here.

For testing you can add other interfaces. If you want to remove these entries you can say clear xlate, and then show xlate shows zero entries. If I initiate the traffic again I should see the xlate entries once more, and this time the same source is translated to 51.1.7. You can see there is a default timeout, the idle timeout applied when no traffic is coming, and the i flag indicates that this is a dynamic entry, dynamic NAT. This is how you can verify. Configuration wise there is not a big difference between dynamic NAT and static NAT.

  5. Dynamic PAT – ASA

Next we’ll see the dynamic PAT configuration. In my case I want the 10.1.1.0 subnet, say a /24, translated to one single public IP address; in my case I’m using 51.1. Configuration wise there is not much difference. As I said, the prerequisite is that we have reachability from here to here based on the previous configurations: if you go back to the previous video where I covered dynamic NAT, the prerequisite remains the same. The only thing is I need to remove that configuration before I go on with the PAT configuration. I want to continue from the previous lab so that while you’re practicing it is easy to go on.

Let’s go to the ASA. On my ASA, if you verify with show run object network, you can see what I configured in the previous lab. The first step is to remove the public pool object; I don’t need to remove the private one because it stays the same. We say clear configure object network and specify the name; if you don’t specify the name it removes all the object networks. I say the public_pool object network... I think that removed everything; let me check with show run object network: there are none left. No problem, I’m going to recreate it. Configuration wise there is not much difference: I create the object network which defines my private IP, and then we say nat from my inside interface going to the outside interface.

Then we say dynamic and give the public IP we want to use, because in my case it should be translated to one single public IP address, so there is no need to create another object network for the public IP. I say object network private_address, then subnet 10.1.1.0/24 to define the private subnet, then nat (inside,outside) dynamic, and then the public IP I’m going to use, 51.1. That’s it. Then show run object network shows the object network, and show run nat shows the NAT configuration inside the object network. Testing wise it’s the same thing.

We generate traffic from R1 to R2, and show xlate should show it. Let me first clear xlate, because the output may be left over from the previous lab. I’ll initiate a telnet from loopback 0, which is 10.1.1.1; show users shows the same public IP I configured. Let me close this connection and try telnet from a different IP, 10.1.1.2, which is loopback 2; show users shows the same IP. On the ASA, show xlate should show both entries: you can see 51.1 for 10.1.1.1 and 10.1.1.2, the loopbacks I created for testing (loopback 0, loopback 1 and loopback 2), all translated to the same public IP address but using different port numbers.
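As an added example (not part of the course and not Cisco code), the following Python model ties the sections above together: the private-address check from the private/public section, the one-to-one dynamic NAT pool from the dynamic NAT lab, and the single-address PAT from the PAT lab, producing a table in the spirit of what show xlate displays. The 51.1.1.x public pool, the 10.1.1.0/24 subnet and the NatTable class are assumptions standing in for the lab’s addressing and for the firewall.

```python
# Added example (not Cisco or course code): a toy model of ASA dynamic NAT
# versus dynamic PAT. The 51.1.1.x public pool and 10.1.1.0/24 are placeholders.
import ipaddress
import random

# The three private blocks listed in the private/public section.
PRIVATE_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True only inside those blocks: 172.31.255.255 is private, 172.32.0.1 is not."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


class NatTable:
    """Translation table for one NAT rule, in the spirit of 'show xlate'."""

    def __init__(self, mapped_pool, pat=False, seed=1):
        self.pool = [str(ip) for ip in mapped_pool]  # mapped (public) addresses
        self.pat = pat                  # True: one address, differ by port
        self.rng = random.Random(seed)  # deterministic "random" selection
        self.xlate = {}        # (real_ip, real_port) -> (mapped_ip, mapped_port)
        self.ip_map = {}       # real_ip -> mapped_ip (dynamic NAT only)
        self.used_ports = set()  # mapped ports in use (PAT only)

    def translate(self, real_ip: str, real_port: int):
        """Outbound packet: return (mapped_ip, mapped_port), allocating if new."""
        key = (real_ip, real_port)
        if key in self.xlate:  # an existing connection keeps its entry
            return self.xlate[key]
        if self.pat:
            # PAT: all hosts share pool[0]; a random unreserved port 1024-65535 tells them apart
            free = [p for p in range(1024, 65536) if p not in self.used_ports]
            if not free:
                raise RuntimeError("PAT: no free port left on mapped address")
            port = self.rng.choice(free)
            self.used_ports.add(port)
            self.xlate[key] = (self.pool[0], port)
        else:
            # Dynamic NAT: one-to-one; a real IP keeps its mapped IP, source port unchanged
            if real_ip not in self.ip_map:
                free = [ip for ip in self.pool if ip not in self.ip_map.values()]
                if not free:
                    raise RuntimeError("dynamic NAT: mapped pool exhausted")
                self.ip_map[real_ip] = self.rng.choice(free)
            self.xlate[key] = (self.ip_map[real_ip], real_port)
        return self.xlate[key]

    def untranslate(self, mapped_ip: str, mapped_port: int):
        """Return traffic: the inside (real_ip, real_port) behind a mapped pair."""
        for real, mapped in self.xlate.items():
            if mapped == (mapped_ip, mapped_port):
                return real
        return None

    def show_xlate(self):
        """One line per entry; flag 'i' marks a dynamic translation."""
        return [f"TCP {r[0]}:{r[1]} -> {m[0]}:{m[1]} flags i"
                for r, m in self.xlate.items()]


if __name__ == "__main__":
    # Lab 1: dynamic NAT, pool 51.1.1.1-51.1.1.100 (placeholder for the range).
    dyn = NatTable([ipaddress.ip_address("51.1.1.0") + i for i in range(1, 101)])
    # Lab 2: dynamic PAT, the whole /24 behind the single address 51.1.1.1.
    pat = NatTable(["51.1.1.1"], pat=True)
    for host in ("10.1.1.1", "10.1.1.2"):  # loopbacks standing in for PCs
        dyn.translate(host, 23)
        pat.translate(host, 23)
    print("\n".join(dyn.show_xlate() + pat.show_xlate()))
```

With a two-address pool, a third inside host raises the pool-exhausted error, which is the one-to-one limitation the NAT types section describes; the PAT table never runs out of addresses, only of ports.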
