Configuring NAT on a Cisco router.
What NAT is, how network address translation is set up, and the technical nuances
The rapid growth of the Internet soon after its appearance brought the problem of address exhaustion. Today this is partially solved by the introduction of the new IPv6 protocol, which provides many times more addresses for network nodes. But a protocol upgrade alone is not enough. NAT technology was invented, which allows nodes in a private network to connect to the Internet using only one external IP address. Thus, scaling private local networks and connecting them to the Internet became much easier. Now let us look at NAT in detail.
Suppose, for example, that we have a local network of three workstations and decide to connect it to the Internet. The provider assigned us one external IP address, which we must enter in the settings of our router. As a result we get the following picture.
Our three computers are joined into a local network with addresses from the “192.168.” range.
If you are already familiar with the basics of local networks, you know that in the network card settings the “default gateway” field on our computers should be set to 192.168.1.1. In this way, all requests that do not belong to our local network are sent to our router; simply put, all Internet requests are redirected to it.
As we have already noted, we have only one external IP address. This is where it gets interesting: how will three computers with different IP addresses be able to reach the Internet if there is only one external address?
As you can see, inside the network all nodes have addresses in one subnet, which lets them exchange data directly. When a request is sent to the Internet, it is passed to the router’s internal interface. Then, using NAT, the packets are slightly changed: the external IP address is written in as their source address. After that the packets go out to the network.
By now you understand the principle of network address translation: all internal addresses of the network are translated to a single external address, which lets several computers reach the Internet at the same time with only one external address.
A couple of points to note here. First, there does not have to be only one external address; there may be several.
Second, NAT imposes some restrictions related to per-IP limits. This shows up when you try to access a resource that allows only one host to connect from a given IP: if someone on your network is already connected to it, you will not be able to establish a connection.
Cisco NAT. Configuring network address translation
NAT (Network Address Translation) is a technology that allows IP addresses and ports in network packets to be converted (changed).
NAT is most often used for access from an enterprise (or home) network to the Internet, or conversely for access from the Internet to some resource inside the network.
An enterprise network is usually built on private IP addresses. According to RFC 1918, three blocks are allocated for private addresses:
10.0.0.0 - 10.255.255.255 (10.0.0.0/255.0.0.0, /8)
172.16.0.0 - 172.31.255.255 (172.16.0.0/255.240.0.0, /12)
192.168.0.0 - 192.168.255.255 (192.168.0.0/255.255.0.0, /16)
These addresses are not routed on the Internet, and providers should discard packets with such IP addresses as sender or recipient.
NAT is used to convert private addresses into global addresses (routable on the Internet).
Besides providing access to the external network (Internet), NAT has several other positive aspects. For example, address translation hides the internal structure of the network and limits access to it, which increases security. And it saves global IP addresses, since many hosts can go out to the Internet under one global address.
Configuring NAT on Cisco routers running IOS includes the following steps:
Define the internal (inside) and external (outside) interfaces.
Determine for whom (which IP addresses) translation should be performed.
Choose which type of translation to use.
Suppose, for example, that we have a router R1 with two interfaces.
FastEthernet0/0 is connected to the local network 192.168.56.0/24 and has the IP address 192.168.56.254/24.
FastEthernet0/1 is connected to the external network (provider) and has the IP address 10.0.0.253/30 (in this example the external network also uses a private address, since this is only an example; in a real situation you would most likely use a global address).
The internal interface is usually the one to which the local network is connected; the external one is the one to which an external network is connected, for example the Internet provider.
Thus, FastEthernet0/0 is the inside interface and FastEthernet0/1 the outside one.
R1(config)#interface FastEthernet 0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#
R1(config)#interface FastEthernet 0/1
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#
We will set up translation for the entire local network 192.168.56.0/24:
R1(config)#access-list 1 permit 192.168.56.0 0.0.0.255
R1(config)#
There are three types of translation: static NAT, dynamic NAT and overloading.
Static NAT converts IP addresses one-to-one, that is, one address from the internal network is mapped to one address from the external network.
Suppose the provider routes the network 10.11.11.0/24 to us, thus providing not one but 255 IP addresses, and we want our internal server 192.168.56.10 to be reachable from the external network at the address 10.11.11.10. Then the following command should be entered:
R1(config)#ip nat inside source static 192.168.56.10 10.11.11.10
R1(config)#
Thus, the internal source address 192.168.56.10 is replaced with the external address 10.11.11.10 when a packet passes from the internal network to the external one. When a packet travels in the opposite direction, the external destination IP 10.11.11.10 is replaced with the internal 192.168.56.10. All services running on the internal server 192.168.56.10 are available from the external network at the address 10.11.11.10.
If there is no need to open all ports (services), you can limit yourself to particular ones, for example:
R1(config)#ip nat inside source static tcp 192.168.56.10 22 10.11.11.10 2222
R1(config)#
In this case, a connection from the external network to the address 10.11.11.10 on TCP port 2222 will be connected to TCP port 22 of the internal server 192.168.56.10.
Dynamic NAT converts an internal address (or addresses) into one of a group of external addresses. Before using dynamic translation, you need to define a NAT pool of external addresses:
R1(config)#ip nat pool GLOBALPOOL 10.11.11.20 10.11.11.100 netmask 255.255.255.0
R1(config)#ip nat inside source list 1 pool GLOBALPOOL
R1(config)#
In this case, addresses from the network 192.168.56.0/24, when accessing the external network, are translated into addresses from the pool GLOBALPOOL until it runs out. If there are no free addresses in the pool, the translation is not performed. That is, in our example only 80 addresses from the network 192.168.56.0/24 can be out on the external network at the same time; the rest will have to wait until some translation expires.
Overloading allows several internal addresses to be converted into one external one. Ports are used for such translation, so this kind of NAT is sometimes called PAT (Port Address Translation). Using PAT, you can translate internal addresses to an external address defined through a pool or to the address of the external interface.
R1(config)#ip nat pool GLOBALPOOL 10.11.11.3 10.11.11.3 netmask 255.255.255.0
R1(config)#ip nat inside source list 1 pool GLOBALPOOL overload
R1(config)#
Here all internal addresses from the network 192.168.56.0/24 (described in access-list 1 above) are translated into the external address 10.11.11.3.
R1(config)#ip nat inside source list 1 interface FastEthernet 0/1 overload
R1(config)#
All internal addresses 192.168.56.0/24 are translated to the address of the FastEthernet0/1 interface (recall that in our example it is 10.0.0.253/30).
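The following is an added example, not code from the original article: a small Python model of the three translation types above (static, dynamic pool, overload/PAT) on router R1, using the column names of the translation table. The ACL 192.168.56.0/24, the outside address 10.0.0.253 and the static mapping are the page's; the packets fed in are constructed sample traffic.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Entry:
    """One row of the translation table, named as in 'show ip nat translations'."""
    pro: str               # tcp / udp / icmp
    inside_global: str     # addr:port seen on the outside network
    inside_local: str      # addr:port of the real inside host
    outside_local: str     # destination as the inside host sees it
    outside_global: str    # real destination (unchanged for inside-source NAT)


class NatRouter:
    """Model of 'ip nat inside source ...' on a router with one outside link."""

    def __init__(self, inside_list: str, outside_if_addr: str):
        self.acl = IPv4Network(inside_list)   # access-list 1 permit <net> <wildcard>
        self.outside_if = outside_if_addr     # address of the 'ip nat outside' interface
        self.static = {}                      # inside local -> inside global (static NAT)
        self.pool = []                        # addresses from 'ip nat pool'
        self.overload = False                 # 'overload' keyword present (PAT)
        self.dynamic = {}                     # inside local -> pooled address (dynamic NAT)
        self.pat_owner = {}                   # (pro, gaddr, port) -> inside local (PAT)
        self.table = []                       # rows 'show ip nat translations' would list

    # configuration commands
    def ip_nat_inside_source_static(self, local: str, glob: str) -> None:
        self.static[local] = glob

    def ip_nat_pool(self, first: str, last: str, overload: bool = False) -> None:
        a, b = int(IPv4Address(first)), int(IPv4Address(last))
        self.pool = [str(IPv4Address(i)) for i in range(a, b + 1)]
        self.overload = overload

    def ip_nat_inside_source_list_interface_overload(self) -> None:
        self.pool, self.overload = [self.outside_if], True

    # forwarding one inside -> outside packet
    def translate(self, pro, src, sport, dst, dport):
        """Return the Entry made for the packet, or None when no translation is
        done: source not permitted by the ACL (packet goes out unchanged), or
        dynamic pool exhausted (IOS drops the packet until an entry times out)."""
        if src in self.static:                       # static NAT wins, one-to-one
            gaddr, gport = self.static[src], sport
        elif IPv4Address(src) not in self.acl:       # access-list 1 does not match
            return None
        elif self.overload:                          # PAT: everyone shares one address
            gaddr = self.pool[0]
            gport = self._pat_port(pro, gaddr, sport, src)
        else:                                        # dynamic NAT: one pool address per host
            gaddr = self.dynamic.get(src)
            if gaddr is None:
                free = [a for a in self.pool if a not in self.dynamic.values()]
                if not free:
                    return None                      # pool exhausted
                gaddr = self.dynamic[src] = free[0]
            gport = sport
        entry = Entry(pro, f"{gaddr}:{gport}", f"{src}:{sport}",
                      f"{dst}:{dport}", f"{dst}:{dport}")
        self.table.append(entry)
        return entry

    def _pat_port(self, pro, gaddr, wanted, src):
        """PAT keeps the original source port while it is free on the shared
        address; a second host wanting the same port gets a different one."""
        if self.pat_owner.get((pro, gaddr, wanted), src) == src:
            self.pat_owner[(pro, gaddr, wanted)] = src
            return wanted
        port = 1024
        while (pro, gaddr, port) in self.pat_owner:
            port += 1
        self.pat_owner[(pro, gaddr, port)] = src
        return port

    def inside_host_for(self, pro, gaddr, gport):
        """Reverse lookup done for return traffic: inside global -> inside local."""
        for e in self.table:
            if e.pro == pro and e.inside_global == f"{gaddr}:{gport}":
                return e.inside_local
        return None


if __name__ == "__main__":
    # R1 from the text: ACL 1 = 192.168.56.0/24, FastEthernet0/1 = 10.0.0.253, PAT on it
    r1 = NatRouter("192.168.56.0/24", "10.0.0.253")
    r1.ip_nat_inside_source_list_interface_overload()
    # constructed sample traffic: two hosts that happen to pick the same source port
    for host in ("192.168.56.10", "192.168.56.11"):
        print(r1.translate("udp", host, 60672, "8.8.8.8", 53))
```

Feeding a fourth host into a three-address dynamic pool returns None, which is the "wait until a translation expires" behaviour described above.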
You can see the existing translations with the show ip nat translations command. Debugging is started with the debug ip nat command.
R1#show ip nat translations
Pro Inside global      Inside local        Outside local      Outside global
udp 10.0.0.253:60672   192.168.56.10:60672 8.8.8.8:53         8.8.8.8:53
tcp 10.0.0.253:59235   192.168.56.10:59235 74.125.143.94:80   74.125.143.94:80
R1#
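An added example (not from the article): a Python parser for show ip nat translations output with two checks an operator would run over it. The udp and tcp rows are the ones shown above; the "---" row is a constructed sample of how an ip nat inside source static entry appears in that output.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the two session rows from the text plus one static row.
SAMPLE_OUTPUT = """\
R1#show ip nat translations
Pro Inside global      Inside local        Outside local      Outside global
udp 10.0.0.253:60672   192.168.56.10:60672 8.8.8.8:53         8.8.8.8:53
tcp 10.0.0.253:59235   192.168.56.10:59235 74.125.143.94:80   74.125.143.94:80
--- 10.11.11.10        192.168.56.10       ---                ---
R1#
"""


@dataclass(frozen=True)
class Endpoint:
    addr: Optional[str]          # None for the '---' placeholder
    port: Optional[int]          # None when the entry carries no port


@dataclass(frozen=True)
class Translation:
    pro: str                     # 'tcp', 'udp', 'icmp', or '---' for a static entry
    inside_global: Endpoint
    inside_local: Endpoint
    outside_local: Endpoint
    outside_global: Endpoint

    @property
    def is_static(self) -> bool:
        return self.pro == "---"


def parse_endpoint(token: str) -> Endpoint:
    """'10.0.0.253:60672' -> (addr, port); '10.11.11.10' -> (addr, None); '---' -> (None, None)."""
    if token == "---":
        return Endpoint(None, None)
    if ":" in token:
        addr, port = token.rsplit(":", 1)
        return Endpoint(addr, int(port))
    return Endpoint(token, None)


def parse_translations(text: str) -> list[Translation]:
    """Parse the table rows; the prompt lines and the header are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue                       # prompt, header or blank line
        rows.append(Translation(parts[0].lower(), *map(parse_endpoint, parts[1:])))
    return rows


def sessions_per_inside_host(rows: list[Translation]) -> Counter:
    """Number of dynamic (PAT / dynamic NAT) entries held by each inside host.
    One host with hundreds of entries usually means scanning or malware, and a
    table that is filling up for everyone else."""
    return Counter(r.inside_local.addr for r in rows if not r.is_static)


def unexpected_inside_globals(rows: list[Translation], allowed: set) -> list[Translation]:
    """Dynamic entries whose inside global address is not one the NAT should
    be using (under interface overload: the outside interface address only)."""
    return [r for r in rows if not r.is_static and r.inside_global.addr not in allowed]


def static_mappings(rows: list[Translation]) -> dict:
    """inside local -> inside global for the configured static translations."""
    return {r.inside_local.addr: r.inside_global.addr for r in rows if r.is_static}


if __name__ == "__main__":
    rows = parse_translations(SAMPLE_OUTPUT)
    print(sessions_per_inside_host(rows))
    print(static_mappings(rows))
    print(unexpected_inside_globals(rows, {"10.0.0.253"}))
```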
9 comments: Cisco NAT. Configuring network address translation
Thanks, accessible and informative material. It helped a lot.
Please tell me, if internal subinterfaces are used on the router (for example Fa0/0.10 for VLAN 10), do they also need to be assigned ip nat inside? And if so, is it necessary in this case to assign ip nat inside on Fa0/0 itself, and should Fa0/0 itself be turned on or off (with Fa0/0.10 on)?
Yes, ip nat inside must be assigned on the subinterface (Fa0/0.10), where the IP address is (if address translation is needed when leaving this VLAN 10 network). On the main interface (Fa0/0) in this case nothing needs to be configured, unless VLAN 1 or the native VLAN is used. With Fa0/0.10, the main Fa0/0 interface must also be up.
Is it possible to register two routes on one port?
Hello, help me find a config error:
Current configuration : 844 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
ip cef
!
ip name-server 95.167.167.96
!
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 190 255.255.255.252
 ip nat outside
 duplex auto
 speed auto
!
ip classless
ip dns server
!
ip http server
ip nat pool FSB 190 190 netmask 255.255.255.252
ip nat inside source list 100 interface GigabitEthernet0/1 overload
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 200 1000
!
end
The situation is as follows: there is a local network of 6 computers in 2 different locations that I plan to connect via Cisco 2960 switches; everyone has equal rights. From there the cable goes to the Cisco 2851 router, on which NAT needs to be configured; at the other end there is 1 static IP address from Rostelecom.
As I understand it, an ACL needs to be configured, in which I specify full access for all network subscribers, then I specify that 0/0 is internal and 0/1 is external, and at this point nothing works for me: the router pings the Rostelecom gateway, but there is no network on the computer, although everything is fine in the other direction.
Checking NAT operation
Use the sh ip nat translations command to see the active address translation rules. The output should look something like this:
R-Deltaconfig-1#sh ip nat translations
Pro  Inside global        Inside local         Outside local        Outside global
---  ---                  ---                  1.1.1.1              10.0.0.5
---  ---                  ---                  1.1.1.2              10.0.0.6
icmp 192.168.10.10:19662  192.168.10.10:19662  1.1.1.1:19662        10.0.0.5:19662
The scenario described above does not prevent using “ordinary” NAT in parallel. If you need to mask the real address of a workstation from some external party, create the standard rules, for example for dynamic translation. Suppose the real address of the workstation 192.168.10.5 (source address) must be disguised as the fictitious address 2.2.2.2.
Add the settings for dynamic translation of the source address:
ip access-list extended ACL_NAT
 permit ip host 192.168.10.5 any
ip nat pool NAT 2.2.2.2 2.2.2.2 netmask 255.255.255.0
ip nat inside source list ACL_NAT pool NAT
As a result, a packet from 192.168.10.5 to the address 1.1.1.1 will, after passing through the router, turn into a packet from address 2.2.2.2 to address 10.0.0.5.
Important! If you run into problems, do not forget to check routing on each device in your network. Devices must “know” not only about the real addresses but also about the fictitious ones.
Cisco ASA (software version 8.3 and later)
PAT:
object-group network NET_LAN
 network-object 192.168.10.0 255.255.255.0
nat (inside,outside) source dynamic NET_LAN interface
Static NAT:
object network NAT_OUTSIDE_1.1.1.1
 host 10.0.0.20
 nat (dmz,outside) static interface
Important! A more detailed description of static NAT settings, also referred to as “port forwarding”, is given in the Cisco ASA article “Port forwarding, or static NAT”.
Cisco IOS router
PAT:
interface Ethernet X
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
interface Ethernet Y
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
ip nat pool POOL_PAT 1.1.1.1 1.1.1.1 netmask 255.255.255.252
! No typo here: the same address is given twice, so the pool is the outside interface address.
ip access-list standard ACL_PAT
 permit 192.168.10.0 0.0.0.255
ip nat inside source list ACL_PAT pool POOL_PAT overload
Static NAT:
interface Ethernet Z
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
interface Ethernet Y
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
ip nat inside source static 10.0.0.20 interface Ethernet Y
Important! The article deliberately shows the simplest examples of translation settings. More complex examples are described in the articles on basic configuration of Cisco routers and Cisco ASA.
Important! In these examples your own source address is changed. If, while working on a Cisco router, you need to translate the destination address, that is, let traffic sent to a fictitious address reach a certain real one, read the article on ip nat outside.
Laboratory work: Cisco Packet Tracer. NAT settings (1.11.2018)
Hi all! Today we will talk about configuring NAT, the network address translation technology that lets nodes of a private network reach nodes of the external network in a way that is transparent to users. If you are currently studying computer networks, this work will help you see the translation of network addresses and ports while studying the topic “Protocol IP: forwarding and addressing of data on the Internet”. The theory on this subject can be found in the textbooks [1, pp. 392-396], [2, pp. 847-852].
Address table
Tasks
- Creating the computer network in the logical topology workspace
- Configuring IP addresses on the computers and the local server
- Creating local network segments with VLANs on the switch and subinterfaces on the router
- Connecting the local network to the provider
- Configuring overloaded NAT
- Configuring an access list
- Configuring static NAT
Creating the computer network in the logical topology workspace
Launching Packet Tracer
a. Launch Packet Tracer on your PC or laptop.
Double-click the Packet Tracer icon on the desktop, or go to the directory containing the Packet Tracer executable and run it. Packet Tracer should open with an empty logical topology workspace by default, as shown in the figure. Here I am using the current version of the program, 7.2.1, although you can use an older one.
Building the topology
a. Add network devices to the workspace.
Using the device selection window, add network devices to the workspace as shown in the topology diagram.
To place a device in the workspace, first select the device type in the “Device type selection” window. Then click the desired device model in the “Device selection” window. Finally, click the location in the workspace where you want the device. If you want to cancel your choice, click the “Cancel” icon for this device. Alternatively, you can click and drag the device from the “Device selection” window to the workspace.
c. Highlight the areas of the computer network with different fill colours.
To highlight sections of the computer network in different colours, click the rectangle icon on the toolbar and set the switch and checkbox in the dialog box that appears as shown in the figure. Select the desired border colour and fill colour. In the Packet Tracer Logical workspace, holding the left mouse button, draw around the corresponding network segment.
d. Add physical wiring between the devices in the workspace.
Using the device selection window, add physical wiring between the devices in the workspace as shown in the topology diagram.
To connect a PC to the switch you need a copper straight-through cable. Select a copper straight-through cable in the “Device selection” window and attach it to the FastEthernet0 interface of PC0 and FastEthernet0/3 of the switch. Attach the PC1 computer to the switch’s FastEthernet0/4 and PC2 to FastEthernet0/5. Attach the server (Server0) to the switch’s FastEthernet0/2.
To connect the Router0 router to the Router1 router, use a copper crossover cable. Select a copper crossover cable in the “Device selection” window and attach it to the FastEthernet0/0 interface of Router0, with the other end attached to FastEthernet0/0 of Router1.
To connect the server (Server1) to the Router1 router, a copper straight-through cable is needed. Select a copper straight-through cable in the “Device selection” window and attach it to the router’s FastEthernet0/1 interface and the FastEthernet0 interface of the server named Server1. Check the connections against the drawing.
The rest of the laboratory work is fully presented in the video.
The completed laboratory work on NAT configuration is below. Cisco Packet Tracer version 7.2 was used to create the model.
Dynamic NAT translation settings
Dynamic NAT translation translates source addresses located behind a higher-security interface to an address (or addresses) located on a less secure interface.
Starting with Cisco ASA version 8.3 (March 8, 2010) the NAT configuration was completely reworked. This article is devoted to exactly these new settings.
In general, the ASA supports Network Object NAT and Twice NAT. Cisco recommends using Network Object NAT, and that is what we will do.
Network Object NAT implies that we work with objects.
- Create network objects to define the real IP addresses as well as the mapped IP addresses. A network object can contain a single address, a subnet or a range of IPs.
In this example, PAT is implemented using the address on the outside interface, and the nat command is used in the form nat (real_if,mapped_if) dynamic [mapped-ip | mapped-obj], applied inside the network object that holds the subnet, that is, the internal subnet or LAN to be translated.
Thus, in this example the internal network 192.168.0.0 255.255.0.0 is hidden behind the mapped IP address on the outside interface. In this case we say that we have set up dynamic NAT translation between the inside and outside interfaces.
Configuring static port address translation (port redirection)
Network Address Translation (NAT) is one of the two most important elements needed to configure the ASA: NAT is what performs the actual translation. The second element is the access control list (ACL), which is needed to permit traffic. If no ACL is applied on an interface, then by default only outbound traffic is allowed, that is, traffic in the direction inside to outside. Inbound traffic, outside to inside, is denied by default.
- For outbound traffic (higher to lower security level), the ACL uses the real IP addresses of hosts and networks.
- For inbound traffic (lower to higher security level), you must also use the real IP addresses when NAT is enabled.
- The ACL is always checked before translation.
In the following example we will allow ICMP traffic, which is useful for checks.
NAT configuration practice on Cisco equipment.
What does reality require of us?
1. The management network has no Internet access at all.
2. Hosts from the PTO network have access only to specialized sites, for example linkmeup.ru.
3. The lovely ladies in accounting need a window to the world of client-bank systems.
4. FEO is not allowed anywhere, with the exception of the financial director.
5. On the OTHER network there are our computer and the admin’s computer; we give them full Internet access. Everyone else can be opened up on written request.
6. Don’t forget the branches in St. Petersburg and Kemerovo. For simplicity, let’s configure full access for the ENIK machines from those subnets.
7. Servers are a separate story. For them we will configure port forwarding. All we need: a) the web server must be reachable on port 80; b) the mail server on ports 25 and 110; c) the file server reachable from the world by FTP.
8. The admin’s computer and ours must be reachable from the Internet via RDP. Actually, this is the wrong way: for remote connection you should use a VPN and then RDP inside the local network, but that is a topic for a completely separate article.
The Internet connection will be organized through the existing link that the provider supplies. It goes into the provider’s network. Recall that everything in this cloud is an abstract network that may actually consist of dozens of routers and hundreds of switches. But we need something controlled and predictable, so we put one more router here. On one side it is connected to the switch, on the other to the servers on the Internet.
We will need the following servers: 1. two client-bank servers for the accountants (sperbank.ru, mmm-bank.ru); 2. linkmeup.ru for the PTO people; 3. Yandex (yandex.ru).
For this connection we will bring up one more VLAN on MSK-ARBAT-GW1. Its number, of course, is agreed with the provider. Let it be VLAN 6. The provider gives us the subnet 198.51.100.0/28. The first two addresses are used for the link (198.51.100.1 and 198.51.100.2), and we use the remaining ones as a pool for NAT. However, nothing prevents us from also using the address 198.51.100.2 for the pool. So we will do that: pool 198.51.100.2-198.51.100.14.
For simplicity, suppose our public servers are in one subnet: 192.0.2.0/24. How to set up links and addresses you already know.
Since we have only one router in the provider’s network and all networks are connected directly to it, there is no need to configure routing. But our MSK-ARBAT-GW1 must know where to send packets to the Internet, so we need a default route:
Now, first of all, let’s configure the address translation:
Now let’s go through the practical tasks listed at the beginning of the article. 1. The management network. Logically, it has no Internet access, so we skip it. Done.
2. Hosts from the PTO network have limited Internet access, only to the required specialized sites. We specify the IP it resolves to.
3. Accounting. Here we simply allow the hosts access to the servers.
4. FEO. Here we are interested in only one host, the financial director; let’s call him that.
5. OTHER, the computers of the engineer and the administrator. Full access.
6. Hosts in branches. In our practical task these are the computers in the St. Petersburg and Kemerovo networks. For simplicity, we will assume that all the addresses of our ENIK machines there have the form 172.16.X.222.
At the moment the final ACL looks like this:
Oh yes, do not forget to configure the interfaces. Let’s say ip nat outside on the external WAN interface, and ip nat inside on the LAN side:
Now the router knows which algorithm to apply to incoming packets.
To access the servers by domain name (and not just IP), a DNS server would have to be set up in our cosy network. In the sandbox the setup will look like this: let’s configure the DNS address on the hosts from which the check will be carried out. Note! Yes, we touched the DNS server only lightly, but we will definitely return to it, because this topic is important!
Meanwhile, we check access from the admin PC: only the one site is available to the PTO people, and then only over the web, on port 80.
Only the director goes out to the Internet from the FEO network (IP 4.123):
Accounting computers have access only to the client-bank servers. But the permission is given on the IP in general, so, for example, ping also works.
7. Servers. The most obvious thing here is to configure port forwarding so they can be reached from outside. a) Web server.
We will check from the test PC 192.0.2.7. Only nothing will work at first, because on MSK-ARBAT-GW1 we have not configured the corresponding interface:
We check availability. b) File server. In fact, FTP? Like this:
Remember how we opened ports 20 and 21 in the servers-out ACL? It was for this moment. c) Mail server.
1) First set up the mail server. Specify the domain and create two users. Next, add the domain to DNS. This step is optional, you can contact the server by IP, but why not? We set up a computer on our network; from the external one we prepare a letter; on the local host we click Receive:
8. Access via RDP to the admin’s computer and ours. Like this:
Practical work 9-3-1. Static NAT address translation
In Fig. 9.17 there is an external address 20.20.20.20 (external Fa0/1) and an internal network 10.10.10.0 (internal Fa0/0). You need to configure NAT. It is assumed that the addresses have already been configured and the network is up (working).
Add an access list on R0; we allow everything (any)
We allow all traffic, that is, any IP address (Fig. 9.18).
Create the translation rule
Now we configure translation on the interfaces (inside on the internal one, outside on the external one), that is, for R0 we specify the internal and external ports (Fig. 9.19).
We leave global configuration mode and write the router settings to memory (Fig. 9.20).
Check the network operation (viewing the state of the NAT table)
From PC0 we ping the provider and make sure that PC1 and the server can communicate (Fig. 9.21).
To view the state of the NAT table while the ping is running, use the Router#sh ip nat translations command (I launched the ping from the machine 10.10.10.1, i.e. from PC1, to the address 20.20.20.21, i.e. to S0), Fig. 9.22.
We confirm successful routing in simulation mode (Fig. 9.23).
Task 9.3
If you add PC1 to the diagram (Fig. 9.24), will static NAT work between it and S0?
Practical work 9-3-2. Configuring static NAT
Static NAT maps one NAT inside address (internal = private local IP address) to one NAT outside address (global = public external IP address), Fig. 9.25. Here ISP (Internet Service Provider) is the supplier of Internet services (the Internet provider).
Configuration algorithm for R1
Below is the sequence of commands for configuring router R1, step by step.
Configuring the internal interface with respect to NAT
Configuring the external interface with respect to NAT
Configuring the IP address mapping.
R1(config)#ip nat inside source static 10.10.10.2 200.10.21.5
As a result of this command, the IP address 200.10.21.5 will always correspond to the internal IP address 10.10.10.2, i.e. if we contact the address 200.10.21.5, PC1 will answer.
Commands for checking NAT operation
Check the static NAT mechanism: the show ip nat translations command displays the active translations, and the show ip nat statistics command displays NAT translation statistics (Fig. 9.29).
From the illustration we see that the global IP address 200.10.21.5 corresponds to the local IP address 10.10.10.2, as well as which interface is external and which is internal.
The network diagram of this example is provided as the file TASK-9-4.PKT.
Cisco 200-125 CCNA v3.0 training. Day 29. PAT and NAT
Today we will study PAT (Port Address Translation), a technology for translating IP addresses using ports, and NAT (Network Address Translation), a technology for transforming transit packets. PAT is a special case of NAT. We will consider three topics:
- private, or internal (intra-network, local) IP addresses and public, or external IP addresses;
- NAT and PAT;
- NAT/PAT configuration.
Let’s start with internal, private IP addresses. We know that they are divided into three classes: A, B and C.
Private class A addresses occupy the “tens” range from 10.0.0.0 to 10.255.255.255, and public ones the ranges from 1.0.0.0 to 9.255.255.255 and from 11.0.0.0 to 126.255.255.255.
Private class B addresses occupy the range from 172.16.0.0 to 172.31.255.255, and public ones from 128.0.0.0 to 172.15.255.255 and from 172.32.0.0 to 191.255.255.255.
Private class C addresses occupy the range from 192.168.0.0 to 192.168.255.255, and public ones from 192.0.0.0 to 192.167.255.255 and from 192.169.0.0 to 223.255.255.255.
Class A addresses are /8 addresses, class B /12 and class C /16. Thus, the public and private IP addresses of the different classes occupy different ranges.
We have repeatedly discussed the difference between private and public IP addresses. In general terms, if we have a router and a group of internal IP addresses, when they try to reach the Internet the router converts them into external IP addresses. Internal addresses are used exclusively in local networks, not on the Internet.
If I look at the network parameters of my computer from the command line, I will see my internal LAN IP address 192.168.1.103 there.
To find out your public IP address, you can use an Internet service such as “What is my IP?”. As you can see, the external address of the computer, 78.100.196.163, differs from its internal address.
In all cases my computer is visible on the Internet precisely at the external IP address. So, the internal address of my computer is 192.168.1.103 and the external one is 78.100.196.163. The internal address is used only for local communication; you cannot reach the Internet with it, for that you need a public IP address. You can recall why the division into private and public addresses was made by re-watching the day 3 video lesson.
Let’s consider what NAT is. There are three types of NAT: static, dynamic and “overloaded” NAT, or PAT.
Cisco uses four terms to describe NAT. As I said, NAT is a mechanism for converting internal addresses into external ones. If a device connected to the Internet receives a packet from another device on the local network, it will simply drop the packet, since the internal address format does not correspond to the address format used on the global Internet. Therefore, a device must receive a public IP address to reach the Internet. So, the first term is Inside Local, meaning the IP address of the host in the internal, local network. Simply put, this is the original source address, of the form 192.168.1.10. The second term, Inside Global, is the IP address of the local host under which it is visible in the external network. In our case this is the IP address of the router’s external port, 200.124.22.10.
We can say that Inside Local is a private IP address and Inside Global is a public IP address. Remember that the term Inside is used in relation to the source of the traffic, and Outside in relation to the destination of the traffic. Outside Local is the IP address of a host in the external network under which it is visible to the internal network. Simply put, this is the recipient’s address as seen from the internal network. An example of such an address is the IP address 200.124.22.100 of a device located on the Internet.
Outside Global is the IP address of the host as visible in the external network. In most cases the Outside Local and Outside Global addresses look the same, because even after translation we see the same destination IP for the source as before translation.
Let’s consider what static NAT is. Static NAT means an unambiguous one-to-one transformation of internal IP addresses into external ones. When devices send traffic to the Internet, their Inside Local addresses are converted into Inside Global addresses.
There are 3 devices in our local network, and when they go out to the Internet each of them receives its own Inside Global address. These addresses are statically assigned to the traffic sources. The “one to one” principle means that if 100 devices are located in the local network, they receive 100 external addresses.
NAT appeared in order to save the Internet, in which public IP addresses were running out. Thanks to NAT, many companies and many networks can have one common external IP address, into which the local devices are translated when they go out to the Internet. You may say that in this case there is no saving of addresses, since a hundred local computers are assigned a hundred external addresses, and you would be completely right. However, static NAT still has a number of advantages.
For example, we have a server with the internal IP address 192.168.1.100. If some device on the Internet wants to contact it, it cannot do so using the internal destination address; for this it needs to use the server’s external address 200.124.22.3. If static NAT is configured on the router, all traffic addressed to 200.124.22.3 is automatically redirected to 192.168.1.100. Thus external access to devices in the local network is provided, in this case to the company’s web server, which may be necessary in some cases.