In a separate Nugget, we focused on port address translation. And in this Nugget, I'd like to pick up on the same topology and discuss network address translation with a one-to-one mapping between a host on the inside or DMZ of our network and the global routable internet.

So we can use the technique of port address translation to translate lots and lots of hosts on the inside to a single IP address on the outside. But what if we have a server, like one of these guys right here, that a user on the internet, like Bob, needs to access? To facilitate that, it's very likely we're going to have a static hard-coded network address translation. And that implies a one-to-one relationship. So if we have a server on the inside that has an internal address on this DMZ of 10.7.0.77 -- that's its real IP address. What we can do is, we could hard code that to a routable address on the internet. So if our internet service provider gave us 23.1.1.50, we could statically configure a translation on this router, this NAT router, between this inside address and this globally-reachable address. And that way, if Bob on the internet makes a request to this global address, the router says, oh, I know exactly where that goes. The router translates that address over to 10.7.0.77, and forwards the packet to that server.

So NAT is usually a one-to-one correlation between one inside address and one outside address, where port address translation is usually a many-to-one scenario, in the case of hundreds or thousands of computers all being overloaded to a single, global routable address, and the router using additional layer 4 information and ports to keep track of all those translations.

So another question might come up, well, what would this translation table look like on a router doing network address translation or port address translation? And here's an example of just that. This is from a Cisco router. In this column, the Pro doesn't mean it's not an amateur. It means protocol. So these are the various protocols that currently have translations in place. The one here at the bottom implies a static translation for NAT. This simply maps the internal resource of 10.7.0.77 to the global routable address of 23.1.1.50. The inside local implies what the clients are really using. So based on this translation, a client on the inside at 10.1.0.11, very likely PC1, used the source port of 23904. And then when the router translated that and forwarded the packet out to the outside, it used the IP address of 23.1.1.1. And it chose to use the port 4501. So from the internet's perspective, it looks like it's a client coming from the source IP address of 23.1.1.1, with a source port of 4501 -- although the reality on the inside is this. So when a reply comes back from that server on the internet, the router would then untranslate that -- both the layer 4 and the layer 3 information -- so that when the client received that response, it's what the client is expecting to receive back from the server.

And we also have an entry from a client at 10.2.0.22. That could very well be Computer 2, with a source port of 51553, which got translated out to the global address of 23.1.1.1, appearing to the internet to use a source port of 4097. And because the layer 3 information from both of these hosts is being mapped to the same exact global address, the same routable address of 23.1.1.1, this is an example of using PAT -- Port Address Translation. And if we take a look at the static translation being used between 10.7.0.77 and 23.1.1.50, that bottom entry would be an example of NAT, as far as the configuration on the router, with a one-to-one relationship between the inside real address and the mapped address. And then we can also see with this line right here that that translation currently is in use on this router. The router didn't need to translate anything at layer 4. So the TCP source port that the client chose to use is still being used as that packet is forwarded out to the outside with its new source address of 23.1.1.50.

In this Nugget, we've taken a big-picture look at the concepts of NAT and PAT. I hope this has been informative for you. And I'd like to thank you for viewing.