Cisco CCNA 200-301 – NAT – Network Address Translation Part 2

  1. NAT Translations – Inside Local, Inside Global, Outside Local, Outside Global

In this lecture you’ll learn how to understand the output of the show ip nat translations command. Strap yourself in for this one, it’s going to get a little bit hairy. If you’ve already watched a few lectures in a row, now is probably a good time to grab yourself a coffee before we get started. You can see here we’ve got inside global, inside local, outside local and outside global. This is one of the most confusing and complicated things you’re going to have to learn for the CCNA.

So you probably will find this a bit confusing if it’s the first time you’ve seen it, and actually probably the second time too. To be honest, I’ve been working with this stuff for years and it still sometimes makes my head feel like it’s going to explode when I’m figuring out what the inside global, inside local, outside local and outside global addresses are. So let me give you a definition, and my definition is a little bit different for some of these than you’ll see in the official material.

And the reason is I’m trying to make it easier to understand here. The official material makes it super complicated, so hopefully this will make it a bit easier. So, the definitions. Inside local address: that’s the IP address actually configured on the inside host’s operating system. If we go back to the output from the show ip nat translations command again, you see the inside local is 10.0.1.10.

And if I go back to the network diagram, that is the IP address of Int S1, 10.0.1.10. That’s what’s actually configured in the Windows operating system. Moving on to the next definition, the inside global address. That is the NATted address of the inside host as it will be reached by the outside network. So if somebody in the outside network is sending traffic in, what address are they going to be using as their destination address?

In our example, the inside global address is 203.0.113.3. So the inside local is the private address on the inside, and the inside global is the public address that is used to reach the inside host. Next one, the outside local address: that is the IP address of the outside host as it appears to the inside network. So if I was a user and I went onto that server Int S1 and sent some traffic to that host on the outside, what IP address would I use?

Well, in our example I would be using 203.0.113.20. The last one is the outside global address. This is the IP address assigned to the host on the outside network by the host’s owner. In our example, it’s the same again, 203.0.113.20. Now you may be thinking, well, okay, that outside host is probably using a private IP address as well, so its real address isn’t actually going to be that. But the thing is, from R1’s point of view, it doesn’t know anything about that.

Router R1 in our example knows one address to reach the outside host, 203.0.113.20, and it does not translate that address. So for one-way NAT, the outside local and outside global addresses will be reported as being the same. Looking back at the output from our show ip nat translations command again: the inside local is the private address on the inside, 10.0.1.10. The inside global is the NATted address, 203.0.113.3.

And the outside local and outside global are both 203.0.113.20, because R1 is not translating that address, so it shows up as the same in both columns. Now you’re probably wondering when the outside local and the outside global address would ever be different. Here’s an example of where that would happen: it’s where we’re doing two-way NAT. Now for the CCNA exam, I’ll tell you before we get into this that you don’t really need to know two-way NAT.

I’m just telling you this because if I didn’t, you would be wondering about those outside addresses. So you don’t need to know how to configure this for the exam, but you do need to know those four definitions, and this is going to help you really understand them. Where two-way NAT is most commonly used is a merger between two companies. Here we’ve got company A and company B, and they’re both using the private IP address range 10.10.10.0/24. Long term, what we would do here is IP readdressing, because within the same company you never want to have duplicate IP addresses on the inside.

But in our scenario we’ve only just done the acquisition, we haven’t had time to do the IP readdressing yet, and we need immediate connectivity between the hosts. To be able to do that, we’re going to have to do two-way NAT. Now, the static NAT in the previous example, the way it is most commonly used, and it’s super commonly used, is one-way NAT. When we’re sending traffic from the inside to the outside, we need to NAT the private IP address to the public IP address. That’s the source address that we’re changing, but the destination address does not need to change. When we do two-way NAT, we change both.

We NAT both the source and the destination address, and where it’s needed is exactly this scenario, where we’ve had a merger between two companies, they need connectivity to each other, and they’re using the same IP addresses. If they weren’t using the same IP addresses, we wouldn’t need to do this. So in our example, 10.10.10.0/24 is on the left and on the right as well. We’re going to do NAT here: for company A on the left, the 10.10.10.0 network, we’re going to NAT it to 10.10.20.0, so it looks like 10.10.20.0 to the hosts on the right. For company B on the right, we’re going to NAT their addresses to 10.10.30.0, so it looks like 10.10.30.0 to the hosts on the left.

So when we send traffic from host A1 to host B1, R1 will translate the source address from 10.10.10.10 to 10.10.20.10. This is similar to our standard NAT, but we also need to translate the destination address, from 10.10.30.10 to 10.10.10.10. We need to translate the destination address as well because if host A1 tried to send traffic to host B1’s real IP address, 10.10.10.10, well, that’s itself, so it would never actually get there.

So we need to translate both the source and the destination for connectivity to work. That is two-way NAT. Now, in the real world, hopefully this is quite obvious, it’s very rare that you would ever need to do this. It’s really just that one scenario I gave you: an acquisition between two companies, you haven’t had time to do readdressing yet, and you need to have immediate connectivity.

So it’s a very rare situation when we do this. The inside local source IP of A1 on the left is going to be 10.10.10.10. The inside global source IP will be 10.10.20.10. That’s the address we’re NATting it to and that it will be presented as to B1, because we can’t send traffic to B1 that shows up as coming from 10.10.10.10, because that would be a conflict. So we’re changing A1’s source address to 10.10.20.10 when it communicates with B1. The outside local destination IP is 10.10.30.10.

That is the IP address that host A1 actually sends traffic to, and as far as A1 is concerned, that is the destination address. But we also need to translate the destination address, from 10.10.30.10 to 10.10.10.10, which is B1’s actual IP address, the outside global. Okay, so that’s how to understand the output of the show ip nat translations command. You’ll actually see me using the command in the next lecture, where we’re going to do a lab demo of how to configure static NAT.
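To make the four address roles concrete, here is an added example (my own code, not from the lecture or the course material) that models how the router rewrites a packet in each direction for the one-way static NAT entry and for the two-way merger entry above. The addresses are the ones used in the lecture; the Packet and NatEntry types, the function names and the simplified matching logic are my own assumptions.

```python
# Added example, not from the lecture: a small model of how a router rewrites
# addresses for one-way (static) NAT and for two-way NAT, labelled with the
# four address roles. The addresses are the ones used in the lecture; the
# Packet and NatEntry types and the function names are my own.
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class NatEntry:
    inside_local: str     # address configured on the inside host's OS
    inside_global: str    # NATted address the outside uses to reach the inside host
    outside_local: str    # outside host's address as the inside network sees it
    outside_global: str   # outside host's address as the router knows it

    @property
    def two_way(self) -> bool:
        # One-way NAT never rewrites the outside host, so both outside fields match.
        return self.outside_local != self.outside_global


def translate_outbound(pkt: Packet, entries: Iterable[NatEntry]) -> Packet:
    """Inside -> outside. Source becomes the inside global; destination becomes
    the outside global (a no-op for one-way NAT). No matching entry means the
    packet is forwarded untranslated, as a router would."""
    for e in entries:
        if pkt.src == e.inside_local and pkt.dst == e.outside_local:
            return Packet(src=e.inside_global, dst=e.outside_global)
    return pkt


def translate_inbound(pkt: Packet, entries: Iterable[NatEntry]) -> Packet:
    """Outside -> inside. Destination becomes the inside local; source becomes
    the outside local, which is the address the inside host expects to hear from."""
    for e in entries:
        if pkt.dst == e.inside_global and pkt.src == e.outside_global:
            return Packet(src=e.outside_local, dst=e.inside_local)
    return pkt


# One-way static NAT from the lecture: Int S1 reached as 203.0.113.3,
# outside host 203.0.113.20 untouched.
STATIC = NatEntry("10.0.1.10", "203.0.113.3", "203.0.113.20", "203.0.113.20")

# Two-way NAT for the merger: A1 appears as 10.10.20.10 to company B, and B1
# (really 10.10.10.10) appears as 10.10.30.10 to company A.
TWO_WAY = NatEntry("10.10.10.10", "10.10.20.10", "10.10.30.10", "10.10.10.10")


def round_trip(entry: NatEntry, src: str, dst: str) -> tuple:
    """Send a packet out through the entry and bring the reply back in.
    Returns (packet on the wire outside, reply as the inside host sees it)."""
    outside = translate_outbound(Packet(src, dst), [entry])
    reply_on_wire = Packet(src=outside.dst, dst=outside.src)  # outside host answers
    return outside, translate_inbound(reply_on_wire, [entry])


if __name__ == "__main__":
    for e in (STATIC, TWO_WAY):
        out, back = round_trip(e, e.inside_local, e.outside_local)
        print(f"two-way={e.two_way}  outbound {out}  reply seen inside {back}")
```

Run it and compare the two lines: for the static entry only the inside host’s address changes, so the outside local and outside global columns would print the same value, exactly as the show command reports; for the merger entry both addresses change on the way out and A1 sees the reply arrive from 10.10.30.10, never from B1’s real 10.10.10.10.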

  2. Static NAT Lab Demo

In this lecture you’ll see how to configure a one-to-one static NAT rule with a lab demo. You can see our lab scenario here. I’ve got Int S1, that’s my internal S1 server inside my company on the left. It’s using private IP address 10.0.1.10 on the inside, and I need to NAT that to a public IP address so that it can accept incoming connections. The public IP address that I’m going to use for it on the outside of R1 is 203.0.113.3, and we’re going to need to test this as well.

That’s why I also have the External S1 server, which I’m going to use to connect into Int S1. So let’s configure this. I’ll jump onto my command line on R1, where I’m going to configure the NAT translation rule. I’ll go to global configuration. Interface FastEthernet 0/0, that is my ip nat outside interface, and interface FastEthernet 1/0 is my ip nat inside interface. So whenever there is traffic going between those interfaces that matches a NAT rule, the translation will be applied. I need to configure my translation as well. My command for that is ip nat, then it’s inside source.

And I’m doing a static translation, so it’s ip nat inside source static, then 10.0.1.10, the private address on the inside, then 203.0.113.3, the public address on the outside. That’s the whole configuration done. Now whenever that host sends traffic out, it will be translated to the public IP address, and whenever traffic comes in to the public IP address, it will be translated to the private IP address. So let’s check that it is working. The first thing I’ll do is ping from the host on the inside out to the public server on the outside. Let’s set up a debug so we can see what’s happening.

On External S1 on the outside I’m going to do debug ip icmp. The difference between a show command and a debug command: whenever you enter a show command, it gives you a single point-in-time output. It shows you what the state was when you hit Enter on that show command. When you do a debug, it gets updated in real time, so whenever anything changes, it will show you the output on your command line as and when it’s changing. You’ll see what I mean in a second. So I’ve turned on ICMP debugging on External S1.

When ping packets come into it, we should get some information there. Let’s go onto Int S1, the host on the inside that we’re doing the NAT rule for, and see what actually happens. I’m going to ping 203.0.113.20, which is External S1 on the outside. I’ll hit Enter and then go onto External S1, and you can see the debugs coming in. Actually, to show you the debug better, let’s do an extended ping. It’s ping, then the target IP address is 203.0.113.20.

And let’s go for a repeat count of 50, so you can see the debug happening. I’ll just hit Enter for everything else and jump over there, and you can see that the output is updating every time a ping packet comes in. Okay, so let’s look at the output. I can see that the echo reply was sent back from the external server to the internal server. The source address used was the external server’s IP address, 203.0.113.20.

And the destination address is 203.0.113.3. So I can see that my NAT rule is working. The actual IP address on the host, if I have a look at that with show ip interface brief (this is actually a router I’m using here to emulate the server), is 10.0.1.10. That’s the IP address configured on that host’s operating system. But when it sends traffic out, that 10.0.1.10 address is being translated to 203.0.113.3 by the NAT rule on the router. Okay, so it’s working fine for outbound traffic. Let’s check that the inbound traffic is working as well.

From the server on the outside, I will check that I can get to my web server on the inside. I will telnet to its public IP address, 203.0.113.3, on port 80, because for this example it’s a web server on the inside. So I enter 80 for the port number, and I can see that the port is open, so it was able to connect. I’ve already configured the host on the inside to be a web server. Okay, so that is working in both directions, it’s all good. Let’s check the translation table on R1.

I’ll do a show ip nat translations, and I can see that the ICMP entry has timed out already. You’ll see this in the real world as well: connections time out pretty quickly from the NAT translation table. So let’s do the ping again. I’ll ping that outside host again from the inside, and now if I do a show ip nat translations on R1, I see that the output has changed. That was the old one, where the ping had already timed out from the table.

The new entry is here, where I can see the ICMP entry. So that was the ping. It went from the real IP address on the host, that’s the inside local, which was 10.0.1.10, and that source address was NATted to 203.0.113.3. That’s how it looked to the host on the outside. The host on the outside is 203.0.113.20, and R1 is not doing any kind of translation for that outside host, so 203.0.113.20 shows up as both the outside local address and the outside global address. Because I’m doing one-way NAT here, not two-way NAT.

Also, we had that inbound HTTP connection from the outside server going to the inside server, and that was going to port 80. There again, I can see that the inside local, the private address, is 10.0.1.10 and it was connecting on port 80. The public IP address it was NATted to was 203.0.113.3, port 80. The host on the outside that connected in is 203.0.113.20, and it was using source port 16282. Okay, so that’s it. That’s how we configure a static NAT entry and how we verify it with the show ip nat translations command. See you in the next lecture, where we’ll do dynamic NAT.
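When you are checking a router rather than watching it live, it helps to be able to read the show ip nat translations table programmatically, for instance to list which inside hosts a static rule leaves reachable from the outside even when no session is active. Here is an added example (my own code, not from the lecture) that parses the table text and labels each row with the four roles. SAMPLE is constructed to match the values described in this lab, it is not captured router output; the Translation type and the function names are my own.

```python
# Added example, not from the lecture: a parser for the text of
# "show ip nat translations" that labels each row with the four address roles
# and flags which inside hosts a static entry exposes to the outside. SAMPLE is
# constructed to match the values described in this lab (it is not captured
# router output); the Translation type and function names are my own.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 203.0.113.3:5     10.0.1.10:5        203.0.113.20:5     203.0.113.20:5
tcp 203.0.113.3:80     10.0.1.10:80       203.0.113.20:16282 203.0.113.20:16282
--- 203.0.113.3        10.0.1.10          ---                ---
"""

Endpoint = Tuple[str, Optional[int]]  # (address, port or ICMP id); None if no port


@dataclass(frozen=True)
class Translation:
    proto: Optional[str]                # 'tcp', 'udp', 'icmp'; None for a static mapping row
    inside_global: Endpoint
    inside_local: Endpoint
    outside_local: Optional[Endpoint]   # None on the static row ("---")
    outside_global: Optional[Endpoint]

    @property
    def is_static(self) -> bool:
        # IOS prints the configured one-to-one mapping as a protocol-less row.
        return self.proto is None

    @property
    def two_way(self) -> bool:
        # The outside host was rewritten only if the two outside columns differ.
        return (self.outside_local is not None
                and self.outside_local != self.outside_global)


def _endpoint(token: str) -> Optional[Endpoint]:
    if token == "---":
        return None
    m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?", token)
    if not m:
        raise ValueError(f"unexpected field: {token!r}")
    return m.group(1), (int(m.group(2)) if m.group(2) else None)


def parse_translations(text: str) -> List[Translation]:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":   # skip header and blank lines
            continue
        proto, ig, il, ol, og = parts
        rows.append(Translation(
            proto=None if proto == "---" else proto.lower(),
            inside_global=_endpoint(ig), inside_local=_endpoint(il),
            outside_local=_endpoint(ol), outside_global=_endpoint(og)))
    return rows


def statically_exposed(rows: List[Translation]) -> List[Tuple[str, str]]:
    """(inside local, inside global) pairs reachable from outside at any time,
    i.e. what the static rule opens up, whether or not a session is active."""
    return sorted({(r.inside_local[0], r.inside_global[0]) for r in rows if r.is_static})


def active_sessions(rows: List[Translation]) -> List[str]:
    """Human-readable view of live sessions, in the wording of the four roles."""
    out = []
    for r in rows:
        if r.is_static:
            continue
        il, ig, ol = r.inside_local, r.inside_global, r.outside_local
        out.append(f"{r.proto}: inside local {il[0]}:{il[1]} seen outside as "
                   f"{ig[0]}:{ig[1]} talking to {ol[0]}:{ol[1]}"
                   + (" (two-way)" if r.two_way else ""))
    return out


if __name__ == "__main__":
    rows = parse_translations(SAMPLE)
    print("static exposures:", statically_exposed(rows))
    print("\n".join(active_sessions(rows)))
```

The protocol-less row is the one to watch from a security point of view: the ICMP and TCP rows disappear when their sessions time out, but the static mapping stays, which is exactly why a static entry should only ever point at a host that is meant to accept connections from the outside.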

  3. Dynamic NAT

In this lecture you’ll learn about dynamic NAT. Dynamic NAT uses a pool of what are usually public IP addresses, which are given out on an as-needed, first come, first served basis. Dynamic NAT is usually used for internal hosts which need to connect out to the Internet but do not accept incoming connections. Looking at our lab again: in the last lecture we configured a static NAT rule to give Int S1, our internal server up in the top left, a fixed, permanent public IP address so it could be reached by hosts sending incoming connections from the Internet.

In this one, we’re going to be doing it for our normal desktop PCs that you see down in the bottom left. They’re on the 10.0.2.0 network. They’re just standard desktop PCs, so they never need to accept incoming connections from the Internet. Whenever they’re communicating with the Internet, the traffic is always initiated by them in the outbound direction.

They need to accept return traffic coming back in from the outside, but traffic is never initiated from the outside. So they don’t need to have a permanent fixed public IP address; they can just get the next available public IP address as and when they need it. In our scenario, we’ve bought the range of public IP addresses 203.0.113.0/28 from the service provider.

It’s the same scenario again that we used for static NAT. 203.0.113.2 is on the outside interface on R1, 203.0.113.1 is being used by the service provider router on the other side of that link, and we’re already using 203.0.113.3 for the static NAT rule that we configured in the last lecture. So that leaves us 203.0.113.4 to 203.0.113.14. The hosts in the 10.0.2.0/24 network do not need to accept incoming connections, like I just explained, but they do need to have outbound connectivity to the Internet.

So they do need to have a public IP address when they do that. We’re going to use those remaining addresses, 203.0.113.4 to 203.0.113.14, for this, and we’re going to put them into a pool that is going to be allocated first come, first served. Whenever a host on the inside sends traffic out to the outside, the first host to send traffic out will be translated to the first address in the pool, that’s 203.0.113.4. The second host will get the next address, 203.0.113.5, et cetera, all the way up to 203.0.113.14 at the end of the pool.

Now, with the standard dynamic NAT that we’re discussing in this lecture, you need a public IP address for every inside host that needs to communicate with the outside. For example, if you had 30 hosts on the inside, you would need 30 public IP addresses. If you had 200 hosts, you would need 200 public IP addresses. When all the addresses in the pool have been used, with just standard dynamic NAT, new outbound connections from other inside hosts will fail because there are no public IP addresses left to translate them to. So a host that tried to send traffic out when there were no addresses available, when they were all used up,

would have to wait for an existing connection to be torn down and the translation to be released back into the pool before it was able to send traffic out. So the standard dynamic NAT that we’re discussing here is not typically used in the real world. What is used is PAT, Port Address Translation, and I’ll cover that next. But you need to understand standard dynamic NAT first, so that’s what we’re doing here. For our configuration, we need to specify our interfaces again.

We’ve got interface FastEthernet 0/0, where we say ip nat outside. We’d actually already done that in the previous lab for static NAT, so we don’t need to do it again, the config was already there. But our inside hosts are on a different interface than our inside server was. Remember, our inside server was on FastEthernet 1/0; our desktop hosts are on FastEthernet 2/0. So we need to say interface FastEthernet 2/0, then ip nat inside. For our scenario, we’re going to end up having two ip nat inside interfaces: FastEthernet 1/0, which faces the server with the static NAT entry, and FastEthernet 2/0, which faces our desktop PCs and is going to be used for the dynamic entries. That’s fine. On any of your interfaces you can specify outside or inside, and you can have several interfaces marked as outside and several marked as inside.

So we configure our interfaces. Next up, we need to configure a pool of global addresses that will be available for our hosts. For that, the command at global config is ip nat pool, then give it a name. Here I’ve called it Flackbox. Then the range of addresses, going from 203.0.113.4 to 203.0.113.14, and then netmask for the subnet mask.

Well, the subnet mask on our outside interface is 255.255.255.240, so that’s what we use here. Next we create an access list which references the internal IP addresses that we want to translate. We need to identify the hosts on the inside, and it’s going to be by their source address, so we can just use a standard ACL here. If you wanted to get more granular, you could also use an extended access control list with source and destination addresses. That’s a valid configuration as well.

But for our configuration here, we’ll keep things simple and just do a standard ACL. Our command is access-list 1 permit 10.0.2.0, and the wildcard is 0.0.0.255. So we’ve specified the pool of addresses, and we’ve specified the hosts that are going to get translated to those addresses. The last thing we need to do is tie them together. The command to do that is ip nat inside source; it’s list this time rather than static, and list 1 means use access list 1. Then the pool we’re going to translate them to is pool Flackbox. That’s it, that’s the complete config to do dynamic NAT when we’re not using PAT yet. If we want to verify it, it’s the same command as before: show ip nat translations.

In the example output here, you can see that we’ve got an entry where the inside local, our inside desktop PC, is 10.0.2.10, and it’s been translated to 203.0.113.4, which was the first available address in the pool. It’s sending traffic out to 203.0.113.20. If another host then sent traffic, it would be translated to 203.0.113.5, and we would see an entry for that in the translation table as well. Remember, you need to be quick with this command because entries time out quite quickly. This is a good time to tell you about another couple of show commands for NAT, and the clear command. clear ip nat translation can be used to remove translations from the translation table, and that can be useful when troubleshooting.

If you’re seeing output that you weren’t expecting, you can clear the translations and then send the traffic out again, just to double-check what’s actually happening. It’s also often required if you want to edit your NAT configuration. The router will not allow changes while there are active translations, so if you want to edit it, make sure that all the translations are cleared first, or you’re going to get an error message when you try to change the configuration. To remove all dynamic translations, it’s clear ip nat translation and then a star.

You can remove just a single specific translation if you want, or you can remove all of them by using that asterisk wildcard. The other command I wanted to show you was show ip nat statistics. We don’t use it as often as show ip nat translations, but this tells us how many addresses have actually been translated. Okay, so that was dynamic NAT. In the next lecture, I’ll show you how to configure it with a lab demo.
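To tie the three pieces of the dynamic NAT configuration together (the pool, the access list with its wildcard mask, and the ip nat inside source list binding) and to show the pool-exhaustion and clear behaviour described above, here is an added example, my own code rather than anything from the lecture. It uses the lecture’s addresses (pool 203.0.113.4 to 203.0.113.14, ACL permit 10.0.2.0 0.0.0.255); the DynamicNat class, its method names and the simplified first-come-first-served bookkeeping are my own assumptions about how to model what the router does, not Cisco’s implementation.

```python
# Added example, not from the lecture: a model of standard dynamic NAT that
# mirrors the three pieces of the configuration (pool, ACL with a wildcard
# mask, and the "ip nat inside source list ... pool ..." binding), including
# what happens when the pool runs out and when translations are cleared. The
# addresses are the lecture's; the class and method names are my own.
import ipaddress
from typing import Dict, List, Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask test: a 0 bit in the wildcard must match, a 1 bit
    is 'don't care'. 10.0.2.0 0.0.0.255 therefore matches 10.0.2.0-10.0.2.255."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


class DynamicNat:
    def __init__(self, acl_network: str, acl_wildcard: str,
                 pool_start: str, pool_end: str) -> None:
        self.acl = (acl_network, acl_wildcard)                  # access-list 1 permit ...
        first, last = (int(ipaddress.IPv4Address(x)) for x in (pool_start, pool_end))
        self.free: List[str] = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        self.table: Dict[str, str] = {}                         # inside local -> inside global
        self.misses = 0                                          # outbound packets with no free address

    def translate_outbound(self, inside_local: str) -> Optional[str]:
        """Returns the source address the packet leaves with, or None if it is dropped."""
        if not wildcard_match(inside_local, *self.acl):
            return inside_local              # ACL does not permit it: forwarded untranslated
        if inside_local in self.table:
            return self.table[inside_local]  # existing translation is reused
        if not self.free:
            self.misses += 1                 # pool exhausted: this host has to wait
            return None
        inside_global = self.free.pop(0)     # first come, first served
        self.table[inside_local] = inside_global
        return inside_global

    def clear(self, inside_local: Optional[str] = None) -> int:
        """Models 'clear ip nat translation *' (no argument) or clearing one entry;
        an entry that times out is released the same way. Returns entries removed."""
        victims = list(self.table) if inside_local is None else [inside_local]
        removed = 0
        for host in victims:
            global_addr = self.table.pop(host, None)
            if global_addr is not None:
                self.free.append(global_addr)  # address goes back into the pool
                removed += 1
        return removed

    def statistics(self) -> Dict[str, int]:
        """Roughly the pool figures 'show ip nat statistics' reports."""
        return {"active": len(self.table), "free": len(self.free), "misses": self.misses}


if __name__ == "__main__":
    nat = DynamicNat("10.0.2.0", "0.0.0.255", "203.0.113.4", "203.0.113.14")
    for host in range(10, 22):               # 12 desktops, but only 11 pool addresses
        print(f"10.0.2.{host} -> {nat.translate_outbound(f'10.0.2.{host}')}")
    print(nat.statistics())
```

Running it walks through the lecture’s scenario: the first desktop gets 203.0.113.4, the second 203.0.113.5 and so on, the twelfth gets nothing because the eleven-address pool is empty (and the miss counter goes up, which is the figure you would look for in show ip nat statistics when users report that only some machines can reach the Internet), and a host outside the ACL, such as the 10.0.1.10 server, is passed through untouched by this rule. Clearing an entry returns its address to the pool, so the waiting host gets it on its next attempt.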
