1
00:00:00,180 --> 00:00:06,720
Now, if there were multiple hosts on the inside network, let's say we've got PC one and PC two.

2
00:00:06,840 --> 00:00:09,930
PC one has an IP address of 10.1.1.1.

3
00:00:10,020 --> 00:00:13,350
PC two has an IP address of 10.1.1.2.

4
00:00:13,680 --> 00:00:21,000
In this example, if we were using 1-to-1 NAT rather than port address translation, or PAT, we would

5
00:00:21,000 --> 00:00:24,510
need to create a NAT entry for each host.

6
00:00:24,510 --> 00:00:32,009
So host one, as an example, would be NATted to 1.1.1.2, and host two, or PC two, would be NATted

7
00:00:32,009 --> 00:00:33,960
to 1.1.1.3.

8
00:00:34,380 --> 00:00:44,670
The NAT entries would look as follows: 10.1.1.1 is NATted to 1.1.1.2, 10.1.1.2 is NATted to 1.1.1.3 as the

9
00:00:44,670 --> 00:00:49,590
inside global address. Outside local and outside global in this example would be the same.

10
00:00:49,590 --> 00:00:53,670
So the inside local address would be the actual IP address of the host.

11
00:00:53,910 --> 00:01:00,240
The inside global address would be the NATted global address as seen on the internet.

12
00:01:00,420 --> 00:01:05,580
The outside local and outside global addresses in this example would remain the same because we're

13
00:01:05,580 --> 00:01:08,430
not NATting the destination IP address.

14
00:01:08,640 --> 00:01:12,270
Only the source IP address will be NATted in this example.

15
00:01:12,810 --> 00:01:19,410
The problem with pure network address translation, as shown in this example, is that you would need

16
00:01:19,410 --> 00:01:27,060
a public IP address for every internal host that uses a private RFC 1918 address.

17
00:01:27,450 --> 00:01:33,570
That kind of defeats the whole purpose of network address translation, where we want to conserve IP addresses.

18
00:01:33,810 --> 00:01:41,580
In the real world, we tend to use PAT, or port address translation, which Cisco also call NAT overloading.

19
00:01:41,760 --> 00:01:49,860
PAT allows multiple inside host addresses, such as 10.1.1.1 and 10.1.1.2, to be NATted to the same public

20
00:01:49,860 --> 00:01:50,790
IP address.

21
00:01:51,180 --> 00:01:57,960
So in this example, both PCs are NATted to the same inside global address.

22
00:01:57,990 --> 00:01:59,970
It's not a 1-to-1 mapping.

23
00:02:00,150 --> 00:02:06,390
In this example, two private IP addresses are NATted to a single public IP address.

24
00:02:06,660 --> 00:02:13,080
In addition, in this example, 1.1.1.1 is the router's configured IP address.

25
00:02:13,320 --> 00:02:20,550
That raises another issue: how does the router differentiate traffic that's destined to itself versus

26
00:02:20,550 --> 00:02:26,400
traffic destined to PC one versus traffic destined to PC two?

27
00:02:26,400 --> 00:02:32,820
So when PC one sends traffic onto the Internet to the server and the traffic is returned, how does

28
00:02:32,820 --> 00:02:40,320
the router know that that traffic belongs to PC one rather than PC two if the traffic is going to the

29
00:02:40,320 --> 00:02:41,610
same IP address?

30
00:02:41,910 --> 00:02:47,610
So in other words, how does the router differentiate between different sessions or different flows

31
00:02:47,610 --> 00:02:52,350
if multiple hosts on the inside are talking to the same server on the Internet?

32
00:02:52,530 --> 00:02:55,920
Well, that's where port address translation comes in.

33
00:02:56,490 --> 00:03:00,060
In this example, multiple hosts are sharing the same IP address.

34
00:03:00,060 --> 00:03:08,700
So the way to make the entries unique is to combine an IP address with a port number to differentiate

35
00:03:08,700 --> 00:03:14,190
between the different sessions or different host devices.

36
00:03:14,580 --> 00:03:21,000
And that's where the port address translation term comes in, because multiple hosts are sharing the

37
00:03:21,000 --> 00:03:22,290
same IP address.

38
00:03:22,410 --> 00:03:30,810
The way to get a unique entry in the inside global table is to combine a port and an IP address.

39
00:03:31,050 --> 00:03:38,850
So the combination of port and IP address provides a unique value which allows the router to differentiate

40
00:03:38,850 --> 00:03:39,960
between entries.

41
00:03:40,290 --> 00:03:47,970
So in this example, both PC one and PC two are sharing 1.1.1.1 as the inside global address.

42
00:03:48,240 --> 00:03:54,720
However, when host one initiates a session to the server, it's going to choose a random or ephemeral

43
00:03:54,720 --> 00:03:59,910
port number to uniquely identify the session on the local PC.

44
00:04:00,240 --> 00:04:07,740
When the traffic hits the router, the router will use that chosen source port number to represent the

45
00:04:07,740 --> 00:04:09,360
NAT entry in the table.

46
00:04:09,540 --> 00:04:18,300
So the PC chose 1024, and that's the entry used in the inside global NAT table entry.

47
00:04:18,630 --> 00:04:25,230
If PC two initiated a session to the server and, let's say for argument's sake, it chose 1025 as the

48
00:04:25,230 --> 00:04:26,340
source port number,

49
00:04:26,490 --> 00:04:31,230
that's the entry used on the router to uniquely identify the session.

50
00:04:31,470 --> 00:04:37,500
So when traffic is sent from these PCs to the server and it's returned back to the router from the server,

51
00:04:37,530 --> 00:04:44,580
the server is able to differentiate between traffic that's destined to 10.1.1.1 versus traffic that's

52
00:04:44,580 --> 00:04:51,390
destined to 10.1.1.2 because of the unique IP address and port number combination.

53
00:04:51,570 --> 00:04:57,930
So what happens if both PCs, for whatever reason, randomly choose the same source port number?

54
00:04:57,960 --> 00:04:59,550
So let's assume both

55
00:04:59,630 --> 00:05:02,330
PC one and PC two chose 1024.

56
00:05:02,480 --> 00:05:09,770
Well, all the router does is it just changes the entry in the inside global table to keep the entry

57
00:05:09,770 --> 00:05:10,550
unique.

58
00:05:10,550 --> 00:05:19,190
So 10.1.1.2 chose 1024 as the port number, and the router simply changes that to another port number to

59
00:05:19,190 --> 00:05:21,320
keep the values unique in the table.

60
00:05:21,560 --> 00:05:28,970
So when the server sends traffic to the router destined to 1.1.1.1 port number 1025,

61
00:05:29,000 --> 00:05:35,450
the router simply changes the address to 10.1.1.2 port number 1024.

62
00:05:35,990 --> 00:05:41,530
So if you were sniffing the traffic on this local area network connection, you would see traffic with

63
00:05:41,540 --> 00:05:50,660
a source address of 10.1.1.1 port 1024 going to the server with address 2.2.2.2 port 80. You would also

64
00:05:50,660 --> 00:06:00,380
see traffic from PC two with IP address 10.1.1.2 port number 1024 going to the same server, 2.2.2.2

65
00:06:00,380 --> 00:06:01,280
port 80.

66
00:06:01,340 --> 00:06:05,630
However, when the traffic hits the router, the router is going to change those values.

67
00:06:06,110 --> 00:06:11,870
When the traffic is NATted by the router before sending the traffic onto the internet, the router will

68
00:06:11,870 --> 00:06:13,880
change the source addresses.

69
00:06:14,120 --> 00:06:20,240
So if you were sniffing the traffic on the internet interface, you would see traffic from PC one,

70
00:06:20,240 --> 00:06:28,940
now having a source IP address of 1.1.1.1 port 1024. The destination address remains the same.

71
00:06:29,270 --> 00:06:34,190
We are not changing the outside global and outside local addresses.

72
00:06:34,370 --> 00:06:43,970
You would also see traffic from PC two. The source address would now be 1.1.1.1 port 1025 on this interface,

73
00:06:43,970 --> 00:06:46,700
with the destination set to the server.

74
00:06:46,940 --> 00:06:54,050
So the router has NATted both the IP address and, in this case, it's also changed the port number to keep

75
00:06:54,050 --> 00:06:55,340
the values unique.

76
00:06:55,880 --> 00:07:02,480
The server in this example believes that it's got two sessions from the same host, 1.1.1.1, whereas

77
00:07:02,480 --> 00:07:09,620
in actual fact, they are two separate PCs, but the server is unaware of that as it only sees the NATted

78
00:07:09,620 --> 00:07:10,580
IP address.

79
00:07:10,880 --> 00:07:16,940
When the server returns traffic to the router, it's going to return traffic to 1.1.1.1 port

80
00:07:16,940 --> 00:07:26,420
1024. Source address would now be 2.2.2.2 port 80, as well as destination address of 1.1.1.1 port

81
00:07:26,420 --> 00:07:27,470
1025.

82
00:07:27,500 --> 00:07:31,220
Source address of 2.2.2.2 port 80.

83
00:07:31,400 --> 00:07:36,890
The server once again believes that it's talking to the same host but different sessions.

84
00:07:36,890 --> 00:07:39,800
So same IP address but different port numbers.

85
00:07:41,140 --> 00:07:46,450
The router NATs that ingress traffic based on the inside global table.

86
00:07:47,090 --> 00:07:58,130
So traffic destined to 1.1.1.1 port 1024 is changed to 10.1.1.1 port 1024 and forwarded onto the local

87
00:07:58,130 --> 00:08:09,710
segment. Traffic destined to 1.1.1.1 port 1025 is translated to 10.1.1.2 port 1024 and forwarded onto

88
00:08:09,710 --> 00:08:10,850
the local segment.

89
00:08:10,850 --> 00:08:16,940
The PCs, as well as the server, are unaware that their traffic has been NATted.

90
00:08:17,330 --> 00:08:23,300
They are essentially oblivious to the changes that have been made by the router to the IP addresses

91
00:08:23,300 --> 00:08:24,410
and port numbers.

92
00:08:24,950 --> 00:08:31,880
Traffic is routed correctly, PCs are unaware of what's going on, and that's essentially how NAT overloading

93
00:08:31,880 --> 00:08:35,179
or port address translation, or PAT, works.
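The inside global table walked through in the lecture, replayed as an added Python simulation that is not part of the transcript or any vendor's code. The 10.1.1.x, 1.1.1.1 and 2.2.2.2 addresses are the lecture's constructed ones; the collision rule (step to the next free port) and the dropping of inbound packets with no table entry are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One packet's addressing: source and destination IP/port."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatTable:
    """Inside global table: (inside local IP, port) <-> inside global port."""

    def __init__(self, global_ip: str) -> None:
        self.global_ip = global_ip                      # router's public address
        self.outbound: Dict[Tuple[str, int], int] = {}  # local (ip, port) -> global port
        self.inbound: Dict[int, Tuple[str, int]] = {}   # global port -> local (ip, port)

    def translate_outbound(self, pkt: Flow) -> Flow:
        """Egress: rewrite the source to the global IP, keeping the host's own
        source port when free and moving to the next port on a collision."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            port = pkt.src_port
            while port in self.inbound:   # e.g. both PCs chose 1024
                port += 1                 # assumption: real routers draw from a pool
            self.outbound[key] = port
            self.inbound[port] = key
        return Flow(self.global_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Flow) -> Optional[Flow]:
        """Ingress: map the global port back to the inside host, or None
        (drop) when no inside session created the entry."""
        if pkt.dst_ip != self.global_ip or pkt.dst_port not in self.inbound:
            return None
        local_ip, local_port = self.inbound[pkt.dst_port]
        return Flow(pkt.src_ip, pkt.src_port, local_ip, local_port)


def demo() -> Tuple[Flow, Flow, Optional[Flow], Optional[Flow]]:
    """Replay the lecture's scenario: both PCs pick source port 1024."""
    pat = PatTable("1.1.1.1")
    out1 = pat.translate_outbound(Flow("10.1.1.1", 1024, "2.2.2.2", 80))
    out2 = pat.translate_outbound(Flow("10.1.1.2", 1024, "2.2.2.2", 80))
    back1 = pat.translate_inbound(Flow("2.2.2.2", 80, "1.1.1.1", out1.src_port))
    back2 = pat.translate_inbound(Flow("2.2.2.2", 80, "1.1.1.1", out2.src_port))
    return out1, out2, back1, back2
```

Calling demo() returns PC two's egress flow rewritten to 1.1.1.1:1025 and both return flows mapped back to the original 10.1.1.x:1024 endpoints; an inbound packet for a port with no entry returns None, which is why a plain PAT router does not pass unsolicited traffic to inside hosts.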