You know what I've discovered over the years is that users occasionally access the internet. In fact, they do it all the time. And, also, we might have servers in our DMZs or at our cloud locations that customers on the internet are accessing, as well. So as we consider this network topology, there is a huge problem, and that problem is private addresses. Inside of IPv4 addressing, there are certain ranges of addresses that can be used by anybody. So company A can use them, company B can use them, company C can use them, but they're all private, meaning they aren't routed and won't be forwarded over the public internet. And here are some examples of the private address space-- anything that begins with a 10, or anything that begins with 172 dot and then 16 through 31 dot anything, and then any IP address that begins with 192.168. anything. Those are all IP addresses at layer 3 that the internet will not forward, because they're part of the private address scheme.
And that's going to cause some problems in our network if we've got some VLANs, which are layer 2 broadcast domains, and associated with each of those respective VLANs, we're using IP network addresses-- which we are-- in that private address space. So, here, we have a layer 2 VLAN 100, and associated with that, all the devices on that VLAN 100 are using the network address base of 10.1.0, those first three numbers being the network. And then we have the individual computers with the final number in this topology. So computer 1 would be at 10.1.0.11 inside of VLAN 100. And computer 2, perhaps its last number is 22, and its IP address is 10.2.0.22. And so the big problem, though, is that, when computer 1 or computer 2 wants to forward packets to servers on the internet-- we'll draw a little happy server out here, because he's up and alive on the internet-- and let's imagine his address on the internet is 67.83.0.2. So that's the publicly reachable IP address of this server on the internet. And computer 1 and computer 2 want to send packets back and forth between themselves and that server.
And the problem is that they're using private IP addresses, which the internet will not route. So to solve that, we're going to go ahead and do a little game called lying. We are going to lie. We are going to lie about the real IP addresses that these devices are using. And that lying game, regarding lying about the IP addresses, is called network address translation, or its cousin, port address translation. Both of them have the end result of taking a packet that's going from a private IP address out to the internet and lying about that IP address to make it appear as a globally routable address, an address that can really work on the internet. It's always good to start off with a plan as far as accomplishing network address translation. To do so, let's go ahead and use this router right here. And that will be our NAT device, our NAT router. Let's also imagine that, working with our ISP, we've been assigned the routable internet address of 23.1.1.1. So that's a starting point, having a routable address that we can use on the internet.
And if we only have one IP address, we might have hundreds or thousands of customers that need to be translated into that one address. That is what's referred to as port address translation. And let's talk for a moment about why it might be called port address translation. If we have 1,000 computers, and they're all sending packets out to the internet, and they all appear like they're coming from one single IP address, when those replies all come back, it would be handy if the router could keep track of all those individual sessions so it could untranslate the replies and send them back to the actual computers. So to do so, the router, as it tracks all those sessions going through it for translation, is going to be looking not only at layer 3 information, but also layer 4 information, including port numbers.
And by using a combination of both layer 3 information, for example, computer 1's source IP address, as well as the ports involved at layer 4, if we're using TCP or UDP, all that information goes into the translation table so that, when the reply comes back, the router can keep track of which PC should receive that reply that's coming back from the server. And because it's doing port address translation, a client, when it makes a request, may use port 1234, and the router could go ahead and use something completely different, like 4359. And as that request goes out using a source port of 4359, the server is going to reply back to that port, at which point this router is going to untranslate that and put back 1234 and send that packet back to that port. So, in that sense, it literally is-- for UDP and TCP traffic-- it is also doing port address translation, as well as the IP address translation. So we can use the technique of port address translation to translate lots and lots of hosts on the inside to a single IP address on the outside. I hope this has been informative for you, and I'd like to thank you for viewing.
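As an added illustration of the translation table the narration describes (this is not code from the video; the addresses and ports are the video's example values, while the table layout, the `Packet` type and the `PatRouter` class are my own assumptions), here is a small Python model of a PAT router that translates outbound packets from the 10.1.0.x hosts to 23.1.1.1 and untranslates replies by their layer 4 port:

```python
# Added illustration, not code from the video: a minimal port address
# translation (PAT) table for the narration's topology. The addresses and
# ports are the video's example values; the table layout is my own.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PUBLIC_IP = "23.1.1.1"  # the one routable address the ISP assigned
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def is_private(ip: str) -> bool:
    """True for the private ranges the video lists (10/8, 172.16/12, 192.168/16)."""
    return any(ip_address(ip) in net for net in PRIVATE_NETS)

class PatRouter:
    def __init__(self, public_ip: str, first_port: int = 4359):
        self.public_ip = public_ip
        self.next_port = first_port        # next unused outside port
        self.table = {}                    # (inside ip, inside port) -> outside port
        self.reverse = {}                  # outside port -> (inside ip, inside port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the private network so it appears to come
        from the public address; each inside (ip, port) gets its own outside port,
        so two hosts both using source port 1234 stay distinguishable."""
        if not is_private(pkt.src_ip):
            return pkt
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Untranslate a reply from the internet using the layer 4 port.
        Returns None when no session matches, i.e. an unsolicited packet,
        which a PAT router has no inside host to deliver to and so drops."""
        key = self.reverse.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or key is None:
            return None
        inside_ip, inside_port = key
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)
```

The `inbound` path is also where the defensive side of PAT lives: a packet from the internet that matches no table entry has no inside destination and is discarded rather than forwarded.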