1
00:00:01,000 --> 00:00:07,330
So let's look at a demonstration of static NAT, in this example, I have three routers, router 1, router

2
00:00:07,330 --> 00:00:11,560
2 and router 3, router 1 is connected to router

3
00:00:11,560 --> 00:00:15,710
2 using network 10.1.1.0/24.

4
00:00:16,300 --> 00:00:18,670
This will represent the outside network.

5
00:00:19,240 --> 00:00:26,170
Router 2 in turn is connected to Router 3 using 8.0.0.0/24.

6
00:00:26,650 --> 00:00:28,870
This will represent the outside network.

7
00:00:29,740 --> 00:00:33,370
Network 8 is owned by Level 3 Communications.

8
00:00:33,850 --> 00:00:39,430
This is one of a range of /8 public IP addresses.

9
00:00:39,970 --> 00:00:45,750
Others include 12 for AT&T, 17 for Apple and 19 for Ford.

10
00:00:46,570 --> 00:00:52,120
So for our demonstration, we'll pretend that this is the Internet or outside network.

11
00:00:52,660 --> 00:00:57,940
All I've done on these routers is configure IP addresses and a static route on router 1.

12
00:00:58,180 --> 00:01:06,610
So on Router 1 show run interface F0/0, you can see the IP address and show IP route

13
00:01:06,910 --> 00:01:12,970
shows me that that network is directly connected to FastEthernet 0/0 and Router

14
00:01:12,970 --> 00:01:16,870
1 has a static default route to Router 2.

15
00:01:18,150 --> 00:01:20,760
Router 3, however, does not have routing.

16
00:01:22,020 --> 00:01:26,880
I've configured an IP address on the FastEthernet interface

17
00:01:29,750 --> 00:01:34,670
but show IP route shows us that there is no default route.

18
00:01:36,110 --> 00:01:43,430
There are no IP protocols running on this router, it only has this IP address configured on FastEthernet

19
00:01:43,480 --> 00:01:47,960
0/0, router 2 in turn has

20
00:01:49,630 --> 00:01:59,830
10.1.1.2 configured on FastEthernet 0/0 and 8.1.1.1 configured on FastEthernet 0/1.

21
00:02:03,140 --> 00:02:04,730
It also has no static routes

22
00:02:06,300 --> 00:02:12,600
and no routing protocols enabled, all it has is an IP address on this interface and an IP address on

23
00:02:12,600 --> 00:02:18,030
this interface. At the moment, Router 3 is not able to ping Router

24
00:02:18,030 --> 00:02:21,570
1, notice the pings are timing out.

25
00:02:24,050 --> 00:02:26,330
If we use the command debug IP packet

26
00:02:27,930 --> 00:02:34,740
and ping that address again, we can see that the traffic is unroutable, router 3 doesn't know

27
00:02:34,740 --> 00:02:36,870
how to get to 10.1.1.1.

28
00:02:37,920 --> 00:02:46,410
I'll turn the debug off, it can, however, get to 8 triple one, in other words Router 2, so Router

29
00:02:46,410 --> 00:02:51,230
3 can ping router 2 but is not able to ping Router 1. So on Router 1,

30
00:02:51,240 --> 00:02:56,310
I'll do a debug IP ICMP so we can see when traffic does arrive on that.

31
00:02:57,300 --> 00:03:00,750
So once we do our ping tests, we'll be able to see the output on Router

32
00:03:00,750 --> 00:03:07,140
1. Show IP NAT translations shows me that on Router 2, no NAT has been enabled.

33
00:03:07,800 --> 00:03:09,480
There are no translations at the moment.

34
00:03:10,170 --> 00:03:15,540
So conf t, interface F 0/1, IP NAT outside.

35
00:03:18,920 --> 00:03:26,120
This is going to be the outside network on Router 2, you need to tell the router which interfaces are

36
00:03:26,120 --> 00:03:28,700
inside and which interfaces are outside.

37
00:03:29,360 --> 00:03:33,920
In this example, I'm using GNS3, so it's taking a while to bring up NAT

38
00:03:34,920 --> 00:03:35,690
but there we go.

39
00:03:37,070 --> 00:03:46,910
On the inside interface, we need to configure IP NAT inside, and now that we're configuring static NAT,

40
00:03:46,970 --> 00:03:48,590
we use the command IP NAT.

41
00:03:49,810 --> 00:03:56,020
We have a few options: we can do NAT of inside hosts or NAT of outside hosts.

42
00:03:56,530 --> 00:04:01,500
In our example, we want to NAT this IP address, which is an insider, inside host

43
00:04:01,510 --> 00:04:08,130
so I'm going to specify inside. We're going to NAT the source IP address of packets, not the destination.

44
00:04:08,440 --> 00:04:14,770
So when traffic gets sent from R1 to R3, the source IP address is going to be natted

45
00:04:14,770 --> 00:04:16,990
and not the destination IP address.

46
00:04:18,440 --> 00:04:26,090
We could use a list, a route map or static. In our example, we want to use static, we want to specify

47
00:04:26,090 --> 00:04:28,790
a static local to global mapping.

48
00:04:29,300 --> 00:04:35,230
So on Cisco devices, the first IP address that you're going to configure is the actual IP address of

49
00:04:35,240 --> 00:04:36,000
a device.

50
00:04:36,380 --> 00:04:41,390
So in my example, this is the actual IP address of this host, so I'm specifying that.

51
00:04:42,110 --> 00:04:43,550
So I need to specify source.

52
00:04:47,310 --> 00:04:55,050
I then have a few options, I can specify the IP address and protocols. In my example, I want to NAT

53
00:04:55,050 --> 00:05:00,210
IP address 10.1.1.1, which is the actual IP address of this device.

54
00:05:00,930 --> 00:05:03,720
All IP traffic is going to be natted.

55
00:05:04,380 --> 00:05:12,030
You can specify that only TCP or UDP traffic is natted, but in our example we are specifying

56
00:05:12,030 --> 00:05:14,370
that all IP traffic is natted.

57
00:05:14,970 --> 00:05:21,090
More complex examples are not necessary for the CCNA, but I will demonstrate them just to make sure

58
00:05:21,090 --> 00:05:22,610
that you understand those options.

59
00:05:23,010 --> 00:05:26,610
Here we are simply doing a one to one mapping of an IP address.

60
00:05:27,970 --> 00:05:34,060
We then need to specify the global IP address or an interface, so in my example, I'm just going to

61
00:05:34,060 --> 00:05:39,070
pick an IP address in this range 8.1.1.

62
00:05:39,700 --> 00:05:42,950
So I'm simply going to choose 8.1.1.5.

63
00:05:43,480 --> 00:05:46,390
That address is not physically configured anyway.

64
00:05:48,410 --> 00:05:54,620
We can specify various options, but I'm simply going to use carriage return to create the NAT entry.

65
00:05:55,400 --> 00:06:02,570
So now when I type show IP NAT translations, we can see that the inside local address.

66
00:06:02,870 --> 00:06:06,530
So the physical PC on the inside network, or on

67
00:06:06,530 --> 00:06:12,170
the local area network, has this IP address, inside local IP address on the LAN.

68
00:06:13,240 --> 00:06:17,800
So logically, we are saying that this is our LAN or local area network.

69
00:06:19,580 --> 00:06:26,750
And this is the Internet in our example, so global Internet.

70
00:06:28,080 --> 00:06:33,970
So this host's IP address on the global Internet will appear as follows.

71
00:06:34,380 --> 00:06:35,910
So on Router 3,

72
00:06:37,080 --> 00:06:38,790
can we ping 10.1.1.1?

73
00:06:39,600 --> 00:06:47,420
No we can't, we can't ping that address at the moment because this device has no route to get to this

74
00:06:47,430 --> 00:06:48,060
IP address.

75
00:06:48,480 --> 00:06:51,900
However, can it ping 8.1.1.5?

76
00:06:53,960 --> 00:07:01,070
Took it a while, but notice the ping started succeeding and on Router 1, we see the echo reply from

77
00:07:01,070 --> 00:07:05,840
a source of 10.1.1.1 to a destination of 8.1.1.2.

78
00:07:06,440 --> 00:07:08,980
Router 1 is replying using this address.

79
00:07:09,860 --> 00:07:12,590
But what does Router 3 actually think it's pinging?

80
00:07:13,430 --> 00:07:15,680
So let's do a debug IP ICMP on the site

81
00:07:17,110 --> 00:07:19,270
and ping 8.1.1.5.

82
00:07:20,860 --> 00:07:25,090
Notice it's receiving traffic from 8.1.1.5

83
00:07:26,170 --> 00:07:32,170
but router 1 is actually sending it from 10.1.1.1. So from router 3's point of view, the

84
00:07:32,170 --> 00:07:35,360
destination IP address is 8.1.1.5.

85
00:07:35,830 --> 00:07:43,060
That gets translated to 10.1.1.1, hits this router and it replies with a source IP address of 10.

86
00:07:43,060 --> 00:07:43,690
1.1.1.

87
00:07:44,660 --> 00:07:51,290
When it hits router 2, it's translated to 8.1.1.5 and forwarded to router 3.