1
00:00:09,590 --> 00:00:15,650
In this lab, you need to configure both static and dynamic NAT.

2
00:00:23,320 --> 00:00:29,410
So we've been told to configure both static and dynamic NAT to get this network working.

3
00:00:29,980 --> 00:00:32,350
I'm going to connect to the Cisco router.

4
00:00:33,780 --> 00:00:35,340
And open up a console.

5
00:00:36,990 --> 00:00:43,290
The first thing I'll do is configure the router with a hostname and then I'll go to the internet facing

6
00:00:43,290 --> 00:00:54,690
interface and no shut the interface and configure the router with an IP address of 8.8.8.100 slash

7
00:00:54,690 --> 00:00:55,740
24 mask.

8
00:00:56,630 --> 00:00:59,870
Go on to the inside interface and no shut it.

9
00:01:00,620 --> 00:01:07,400
Configure an IP address of 10.1.1.254 slash 24 mask.

10
00:01:10,340 --> 00:01:13,070
So show ip interface brief.

11
00:01:14,030 --> 00:01:16,940
The router has been configured with IP addresses.

12
00:01:17,210 --> 00:01:24,350
The next step is to configure static NAT for the HTTP and FTP server.

13
00:01:24,920 --> 00:01:30,710
The HTTP server has an IP address of 10.1.1.100.

14
00:01:32,260 --> 00:01:37,330
The FTP server has an IP address of 10.1.1.101.

15
00:01:40,010 --> 00:01:47,600
So firstly, we need to configure the HTTP server using only the required port.

16
00:01:49,490 --> 00:01:54,830
So ip nat inside source static.

17
00:01:55,590 --> 00:02:02,460
I need to specify the transport, which is TCP, the IP address of 10.1.1.100,

18
00:02:02,730 --> 00:02:07,950
the physical IP address, and the port number, which is port 80.

19
00:02:08,310 --> 00:02:15,690
And then we need to specify the external or public facing IP address and port number and then press

20
00:02:15,690 --> 00:02:16,320
enter.

21
00:02:16,800 --> 00:02:21,360
Now in a previous lab I configured HTTPS as well as HTTP.

22
00:02:21,390 --> 00:02:28,560
Here I'll only configure HTTP because that's all we've been requested to do in the exam.
23
00:02:28,680 --> 00:02:34,770
Read carefully so that you configure the network per the exam instructions.

24
00:02:34,980 --> 00:02:38,850
So ip nat inside source static.

25
00:02:39,390 --> 00:02:47,010
In this example, we want to configure the FTP server, but we've been told to use full static NAT.

26
00:02:47,820 --> 00:02:50,430
So I'm not going to configure a port number.

27
00:02:50,580 --> 00:02:57,330
I'm simply going to configure the entire range of port numbers on the FTP server.

28
00:02:58,950 --> 00:03:02,060
So show ip nat translations.

29
00:03:02,070 --> 00:03:04,650
Those are the translations that we've configured.

30
00:03:05,280 --> 00:03:12,260
Show run interface gigabit 0/0/0. Packet Tracer unfortunately doesn't support that command.

31
00:03:12,270 --> 00:03:13,620
So show run.

32
00:03:13,920 --> 00:03:16,170
There's our inside interface.

33
00:03:16,170 --> 00:03:20,250
We still need to configure ip nat inside on that interface.

34
00:03:20,340 --> 00:03:22,380
There's the outside interface.

35
00:03:22,770 --> 00:03:32,280
So interface gigabit 0/0/1, ip nat outside; interface gigabit 0/0/0, ip nat inside.

36
00:03:33,660 --> 00:03:45,210
So we've configured the inside NAT interface, the outside NAT interface and we've configured two static

37
00:03:45,210 --> 00:03:46,800
NAT translations.

38
00:03:47,590 --> 00:03:50,890
We then need to configure dynamic NAT.

39
00:03:53,380 --> 00:04:00,100
So ip nat inside source list.

40
00:04:00,100 --> 00:04:07,540
In this example, I'll choose access list 1 to keep it simple. The interface that we're going to overload

41
00:04:07,900 --> 00:04:10,900
is gigabit 0/0/1.

42
00:04:11,020 --> 00:04:13,240
Don't forget to do overloading.

43
00:04:13,420 --> 00:04:17,170
We've got two PCs on the inside that need to be NATted.

44
00:04:18,660 --> 00:04:22,780
Create the access list: access-list 1 permit

45
00:04:22,800 --> 00:04:24,570
any in this example.
46
00:04:25,170 --> 00:04:28,230
So show ip nat translations.

47
00:04:28,230 --> 00:04:31,110
We've got our two static NAT translations.

48
00:04:31,110 --> 00:04:37,590
We won't see the dynamic NAT translations until the PCs send traffic.

49
00:04:38,280 --> 00:04:39,660
So on inside

50
00:04:39,660 --> 00:04:44,850
PC 1, can we open up a browser to cisco.com?

51
00:04:47,630 --> 00:04:49,970
Let's look at the NAT translations.

52
00:04:50,670 --> 00:04:53,600
There's been a DNS response.

53
00:04:54,170 --> 00:04:57,080
It took it a while, but notice there's cisco.com.

54
00:04:57,380 --> 00:04:59,690
Look at the NAT translations again.

55
00:05:00,590 --> 00:05:05,060
What you can see now is there are the DNS NAT translations.

56
00:05:05,720 --> 00:05:11,630
The PC had to connect to the DNS server, and here's the connection to the HTTP server.

57
00:05:12,170 --> 00:05:20,480
So this host on the inside network has been translated to this IP address and it connected to the server

58
00:05:20,660 --> 00:05:22,250
on port 80.

59
00:05:24,190 --> 00:05:28,810
We can do some proof of that by using nslookup cisco.com.

60
00:05:29,290 --> 00:05:32,020
Notice that's the IP address of Cisco.

61
00:05:32,050 --> 00:05:36,110
We should be able to ping cisco.com as well.

62
00:05:36,130 --> 00:05:38,050
Notice that resolves.

63
00:05:38,290 --> 00:05:44,740
And if we look at our NAT translations, you can see the ICMP messages here.

64
00:05:45,670 --> 00:05:49,210
There are the DNS resolutions. Notice

65
00:05:49,300 --> 00:05:51,370
the protocol used is UDP.

66
00:05:51,880 --> 00:05:55,780
Here are the TCP connections to the web server.

67
00:05:56,710 --> 00:06:00,160
Let's check a connection to facebook.com.

68
00:06:00,190 --> 00:06:05,290
So facebook.com, we can connect to facebook.com.

69
00:06:05,320 --> 00:06:07,450
Show ip nat translations.

70
00:06:08,140 --> 00:06:13,000
This is Facebook, so we can see the NAT connection to Facebook.
71
00:06:13,570 --> 00:06:17,680
We can also verify that by doing nslookup

72
00:06:20,470 --> 00:06:22,270
facebook.com.

73
00:06:22,270 --> 00:06:25,480
And there's the IP address of Facebook.

74
00:06:26,080 --> 00:06:28,390
So that looks like it's working well.

75
00:06:28,780 --> 00:06:33,520
But to confirm, let's do something similar on the second PC.

76
00:06:34,510 --> 00:06:39,790
This PC has an IP address of 10.1.1.103.

77
00:06:40,780 --> 00:06:50,200
At the moment, in our NAT translations, we don't see .103 in the inside local address list.

78
00:06:52,060 --> 00:06:55,780
But if we open up a web browser to cisco.com.

79
00:06:56,740 --> 00:06:59,170
The PC can connect to cisco.com.

80
00:06:59,470 --> 00:07:05,320
And if you look at the NAT translations, notice there is a connection to cisco.com.

81
00:07:06,780 --> 00:07:09,120
There's the DNS translation.

82
00:07:10,700 --> 00:07:12,440
facebook.com.

83
00:07:12,890 --> 00:07:16,630
We can connect to Facebook. Show ip nat translations.

84
00:07:16,640 --> 00:07:20,000
Here's the translation to Facebook.

85
00:07:21,320 --> 00:07:29,330
Once again, our DNS translation, inside PC 2's connection to Facebook and to Cisco.

86
00:07:29,810 --> 00:07:34,220
Here are the connections from PC 1 to various servers on the Internet.

87
00:07:34,490 --> 00:07:39,500
So these two internal hosts can connect to servers on the Internet.

88
00:07:39,710 --> 00:07:45,080
Can this outside PC connect to our internal servers?

89
00:07:46,150 --> 00:07:47,590
I'll open up a web browser.

90
00:07:48,490 --> 00:07:50,770
We'll connect to myhttp.com.

91
00:07:52,210 --> 00:07:58,690
I can connect to the server and browse the website.

92
00:08:00,640 --> 00:08:03,880
So now show ip nat translations.

93
00:08:05,290 --> 00:08:10,780
Notice we see NAT translations going to 8.8.8.200

94
00:08:11,590 --> 00:08:18,730
being NATted to 10.1.1.100, and the source is 8.8.8.20.
95
00:08:19,090 --> 00:08:28,300
So this PC with this IP address, 8.8.8.20, is able to connect to the internal web server.

96
00:08:30,410 --> 00:08:31,940
Let's open up an FTP.

97
00:08:31,970 --> 00:08:37,010
So ftp myftp.com, that connects successfully.

98
00:08:37,520 --> 00:08:40,640
And if we look at the NAT translations.

99
00:08:42,590 --> 00:08:46,220
Notice this entry, 21, that's FTP.

100
00:08:46,580 --> 00:08:50,150
So the client is connecting to the FTP server.

101
00:08:50,540 --> 00:08:59,030
If I type dir, we get a list of files on the FTP server, and if we look at the translations again,

102
00:08:59,540 --> 00:09:02,000
notice we now see this entry.

103
00:09:02,630 --> 00:09:09,140
Previously we didn't have an entry from server 10.1.1.101, we only had 21.

104
00:09:09,710 --> 00:09:16,730
But here we have an additional entry for the passive FTP connection.

105
00:09:17,510 --> 00:09:19,600
So that works.

106
00:09:19,610 --> 00:09:22,700
I think we've successfully configured this network.

107
00:09:23,030 --> 00:09:26,060
Last step is to save the configuration.

108
00:09:26,880 --> 00:09:31,320
We were able to get the internal hosts to connect to Internet servers.

109
00:09:31,710 --> 00:09:36,210
We were able to get the outside host to connect to internal servers.

110
00:09:37,120 --> 00:09:42,580
We've used a combination of both static and dynamic

111
00:09:42,580 --> 00:09:50,920
NAT. So this is the configuration, this interface is the inside NAT interface, this interface is the

112
00:09:51,040 --> 00:09:52,780
outside NAT interface.

113
00:09:53,440 --> 00:10:00,610
This configuration is for static NAT to allow outside hosts to connect to these two servers.

114
00:10:00,910 --> 00:10:08,770
This is the dynamic NAT configuration pointing to an access list so any internal hosts can connect to

115
00:10:08,770 --> 00:10:09,520
the internet.
116
00:10:09,970 --> 00:10:18,250
But notice for traffic to the servers they use the static NAT translations. Static NAT takes precedence

117
00:10:18,550 --> 00:10:21,610
over dynamic NAT translations.

118
00:10:22,030 --> 00:10:23,260
So how did you do?

119
00:10:23,620 --> 00:10:25,960
Were you able to complete the lab?