1
00:00:00,000 --> 00:00:01,160

2
00:00:01,160 --> 00:00:05,130
I remember hearing the saying that the packets don't lie.

3
00:00:05,130 --> 00:00:07,850
So let's leverage that reality and take a look at some packets

4
00:00:07,850 --> 00:00:10,520
both before and after they go through a router

5
00:00:10,520 --> 00:00:13,060
that's performing network address translation.

6
00:00:13,060 --> 00:00:15,554
And so let's use this topology once again.

7
00:00:15,554 --> 00:00:16,970
And for the internal device, let's

8
00:00:16,970 --> 00:00:19,850
go ahead and use PC1 or computer one that's

9
00:00:19,850 --> 00:00:23,510
at the IP address of 10.1.0.11.

10
00:00:23,510 --> 00:00:26,600
Let's also imagine that there's a server here on the internet,

11
00:00:26,600 --> 00:00:30,495
and its IP address on the internet is 67.83.0.2.

12
00:00:30,495 --> 00:00:31,920
Oh, wait a sec.

13
00:00:31,920 --> 00:00:33,650
Oh my gosh, hey.

14
00:00:33,650 --> 00:00:37,490
So I just got a text that my grandson was just born.

15
00:00:37,490 --> 00:00:38,330
His name is Connor.

16
00:00:38,330 --> 00:00:39,860
Six pounds, 13 ounces.

17
00:00:39,860 --> 00:00:41,120
All right, so.

18
00:00:41,120 --> 00:00:43,550
I'll reply to that text after this Nugget is done.

19
00:00:43,550 --> 00:00:45,340
So that new baby is from my son, Brody

20
00:00:45,340 --> 00:00:48,680
and who more importantly from his wife, Sabrina.

21
00:00:48,680 --> 00:00:50,270
So congratulations to you both.

22
00:00:50,270 --> 00:00:51,620
I'll get right back with you.

23
00:00:51,620 --> 00:00:53,600
So getting back to our topology with the network address

24
00:00:53,600 --> 00:00:55,590
translation, and network address translation

25
00:00:55,590 --> 00:00:57,210
doesn't have to be done by a router.

26
00:00:57,210 --> 00:00:59,296
It could be done by a firewall or a router.

27
00:00:59,296 --> 00:01:00,920
And in some environments, it's possible

28
00:01:00,920 --> 00:01:03,128
that we're having network address translation or port

29
00:01:03,128 --> 00:01:05,780
address translation in multiple points in the network

30
00:01:05,780 --> 00:01:07,460
between the client and the server

31
00:01:07,460 --> 00:01:08,780
that it's communicating with.

32
00:01:08,780 --> 00:01:10,730
So for our protocol analysis, let's imagine

33
00:01:10,730 --> 00:01:16,160
that this computer 10.1.0.11 is making a TCP synchronization

34
00:01:16,160 --> 00:01:19,520
request over to the server and that it's using

35
00:01:19,520 --> 00:01:24,380
the source port of 21,585.

36
00:01:24,380 --> 00:01:27,080
So its source IP address will be 10.1.0.11.

37
00:01:27,080 --> 00:01:29,960
And the TCP source port will be 21,585.

38
00:01:29,960 --> 00:01:31,790
Now if we're using PAT, the device

39
00:01:31,790 --> 00:01:33,920
performing the network address translation with PAT

40
00:01:33,920 --> 00:01:36,982
gets to choose what the new source port is going to be.

41
00:01:36,982 --> 00:01:39,440
So for discussion let's imagine that the translation device

42
00:01:39,440 --> 00:01:43,970
is going to use a new source port for the translation of TCP

43
00:01:43,970 --> 00:01:46,530
port 4,096.

44
00:01:46,530 --> 00:01:48,960
And regarding the IP address for translation,

45
00:01:48,960 --> 00:01:52,820
let's use the IPv4 address of 23.1.1.1.

46
00:01:52,820 --> 00:01:54,980
So before translation we have the source IP address

47
00:01:54,980 --> 00:01:56,620
and source TCP port.

48
00:01:56,620 --> 00:01:59,620
And after translation, we'd have the source IP address of this

49
00:01:59,620 --> 00:02:01,275
and the source TCP port of this.

50
00:02:01,275 --> 00:02:03,650
And if this client is sending a packet to the destination

51
00:02:03,650 --> 00:02:05,480
right here of the server, that destination

52
00:02:05,480 --> 00:02:07,938
is not going to change in the packet after the translation.

53
00:02:07,938 --> 00:02:11,060
The destination is still going to be 67.83.0.2.

54
00:02:11,060 --> 00:02:12,560
And let's imagine that the server is

55
00:02:12,560 --> 00:02:17,750
listening on TCP port 21,586.

56
00:02:17,750 --> 00:02:19,880
Some custom application is using that port.

57
00:02:19,880 --> 00:02:22,535
As that packet goes out, all the NAT/PAT device

58
00:02:22,535 --> 00:02:25,330
is going to be doing is swapping out the source information.

59
00:02:25,330 --> 00:02:27,080
And it's going to leave the destination IP

60
00:02:27,080 --> 00:02:29,400
address and the destination port intact.

61
00:02:29,400 --> 00:02:30,747
It's not going to change those.

62
00:02:30,747 --> 00:02:32,330
And then when the server responds back

63
00:02:32,330 --> 00:02:34,820
to the IP address and port, the translation device

64
00:02:34,820 --> 00:02:37,284
will then untranslate the port and the IP address

65
00:02:37,284 --> 00:02:39,200
and then forward that response from the server

66
00:02:39,200 --> 00:02:41,540
back to the client at the IP address

67
00:02:41,540 --> 00:02:44,090
and port that that client is expecting that response

68
00:02:44,090 --> 00:02:45,360
to come in on.

69
00:02:45,360 --> 00:02:48,050
So here we have a capture of the original packet

70
00:02:48,050 --> 00:02:50,690
somewhere on the network before it went through the translation

71
00:02:50,690 --> 00:02:51,930
device.

72
00:02:51,930 --> 00:02:53,630
So here we have the source IP address

73
00:02:53,630 --> 00:02:57,500
of 10.1.0.11, the destination address of the server,

74
00:02:57,500 --> 00:03:00,470
and then here we have the TCP source port and the TCP

75
00:03:00,470 --> 00:03:01,970
destination port.

76
00:03:01,970 --> 00:03:03,770
And then after translation, we can

77
00:03:03,770 --> 00:03:07,540
see that the source address is now 23.1.1.1.

78
00:03:07,540 --> 00:03:09,650
And the source port has also been translated

79
00:03:09,650 --> 00:03:12,290
to show a source port of 4,096.

80
00:03:12,290 --> 00:03:14,300
We can also see right here in the packet capture

81
00:03:14,300 --> 00:03:16,880
that the destination IP address and destination

82
00:03:16,880 --> 00:03:19,070
port after translation is the same

83
00:03:19,070 --> 00:03:20,904
as it was before translation.

84
00:03:20,904 --> 00:03:22,820
Because all we're doing on the initial packets

85
00:03:22,820 --> 00:03:24,486
to go out to the servers is we're simply

86
00:03:24,486 --> 00:03:27,000
translating the source IP address and source port.

87
00:03:27,000 --> 00:03:29,300
And if we were to look at the translation table

88
00:03:29,300 --> 00:03:32,600
on the router or firewall that's doing the translation for us,

89
00:03:32,600 --> 00:03:35,250
it would reflect that same information.

90
00:03:35,250 --> 00:03:38,060
So inside local, the real IP address that the PC is using

91
00:03:38,060 --> 00:03:41,900
is 10.1.0.11 with a source port of 21,585.

92
00:03:41,900 --> 00:03:44,437
That matches up with our protocol capture right here.

93
00:03:44,437 --> 00:03:46,520
And it's also showing us that when it gets mapped,

94
00:03:46,520 --> 00:03:50,000
it's going to have an outside routable address of 23.1.1.1

95
00:03:50,000 --> 00:03:51,770
which maps up with that guy right there

96
00:03:51,770 --> 00:03:54,530
and also a new source port of 4,096

97
00:03:54,530 --> 00:03:56,222
which is reflected right here as well.

98
00:03:56,222 --> 00:03:58,430
And regarding the server information, the destination

99
00:03:58,430 --> 00:04:00,200
port and the destination IP address

100
00:04:00,200 --> 00:04:02,570
did not get changed based on the translation we're

101
00:04:02,570 --> 00:04:04,490
doing on behalf of the client who's

102
00:04:04,490 --> 00:04:06,380
going out to the internet.

103
00:04:06,380 --> 00:04:07,950
In this Nugget, we've used Wireshark

104
00:04:07,950 --> 00:04:11,210
to take a look at the before and after picture with port address

105
00:04:11,210 --> 00:04:12,810
translation.

106
00:04:12,810 --> 00:04:15,620
And now my friend, it is time for me to get back to my son

107
00:04:15,620 --> 00:04:18,089
and wish him congratulations on the new baby.

108
00:04:18,089 --> 00:04:19,880
So thanks for joining me in this Nugget.

109
00:04:19,880 --> 00:04:22,160
I hope this has been informative for you.

110
00:04:22,160 --> 00:04:25,600
And I'd like to thank you for viewing.