00:04
So, folks, we are going to do a NAT lab
00:07
and what I'm going to do first is we're going to pretend that Router 2 here
00:15
is our enterprise router, our corporation router.
00:20
And we're gonna pretend that, um,
00:23
PC1 and PC2 are our private network. These are the people that work in our company. Unfortunately, we only have two companies, so apparently we are a very poor organization. But
00:47
has an IP address of 10.10.10.1, which falls within the private range.
00:53
And if we look at PC2,
01:02
we're gonna type ipconfig
01:12
has an address of 10.10.10.2,
01:15
which again is in the private range. Our default gateway of both PC1 and PC2 is 10.10.10.254,
01:23
which is the subinterface residing
01:33
on Router 2. So if you look at our show ip interface brief, it's that trunk between Router 2 and Switch 8.
01:44
interface on Router 2 is our default gateway,
01:52
which is connected here to Switch 8. And I just demonstrated that PC1 and PC2 can ping
01:59
this subinterface, which is the default gateway
02:01
to the outside world
02:05
Now Router 2, I believe it's still running OSPF. Let's check: do show ip ospf neighbor
02:13
and so is right before I'm gonna remove
02:22
So no router ospf 100.
02:24
So if I do execute the command do show ip
02:34
I should not be seeing this
02:37
I removed OSPF. show run, let's see if I got rid of it from my running config.
02:42
No, I didn't. So no router ospf 100
02:50
protocols and I don't see anything. OSPF is gone. And let's get rid of it from Router 4 also. Router 4, we're gonna pretend, is our Internet service provider router or our service provider router.
03:07
no router ospf 100
03:13
show ip protocols and I don't see anything.
03:17
The reason I'm doing this is because between your router and Router 4,
03:23
you're never going to run an IGP, or Interior Gateway Protocol.
03:29
The protocols we have covered, Routing Information Protocol, EIGRP, Enhanced Interior Gateway Routing Protocol, and OSPF, standing for Open Shortest Path First, are all considered interior gateway protocols
03:42
that organizations use interior
03:47
with your service provider, between Router 2 and Router 4, you will either do
03:53
static routing, or you will run another protocol called Border Gateway Protocol, or BGP, which is part of your CCNP exams.
04:02
So right now, just to make this real, I got rid of OSPF, or the interior gateway protocol, between Router 2, which is our enterprise router, and Router 4, which is going to simulate our ISP router.
04:16
So let's go configure NAT. Now remember,
04:23
remember, folks, that our
04:28
our private address range is 10.10.10.0/24. This is our private
04:36
and we're translating to 190.10.10
04:51
So let's put that aside for a second. Let's log into Router 2,
04:57
go to config mode by saying config terminal.
05:03
And first, let's create our pool.
05:06
Our public pool, our step one.
05:13
if I hit question mark, it asks me
05:15
for the word pool. So I say pool
05:19
and the question mark feature again. I used the help feature again by executing the question mark command.
05:26
And it is asking me for a pool name. So
05:29
the pool name is going to be, let's make it CCNA,
05:33
space question mark, and you see it is asking me for the first IP address, or the start IP address. So in the /24 network for 190.10.10.0, the first address would be 190.10.10.1,
05:48
space question mark again. And it's asking me for the last address or the end address,
05:55
which is going to be 190.10.10.254.
06:01
Space question mark. Now it's asking me for the netmask or the subnet mask.
06:06
So for the keyword netmask,
06:12
And now it's asking me to type in the actual mask,
06:16
which is 255.255.255.0.
06:23
Step two is to create
06:26
a standard access list
06:30
to permit the 10 network, which resides on PC1 and PC2, out
06:35
after being translated towards the ISP, which is Router 4.
06:41
So back to Router 2 and create our standard access list to permit the 10 network out.
06:51
and we will call this access list
06:59
then I'm going to say
07:00
Now, remember, guys, this NAT here is case sensitive. So if you create your access list with
07:08
an upper case, with uppercase letters, make sure you match it when you apply
07:12
your access list anywhere.
07:15
Okay, so now coming back to NAT, let me, coming back to the access list.
07:20
10.10.10.0, and the wildcard is going to be 0.0.0.255. Remember, to get the wildcard, you simply subtract
07:31
network mask, which was
07:38
from 255.255.255.255, which yields 0.0.0.255.
07:47
Now I'm simply gonna tie step one and step two together with the command ip nat
07:56
inside source. My inside source
08:01
list is tied to an access list called NAT,
08:11
and then pool the word pool,
08:18
So I'm gonna go with
08:20
pool. Interface option is not relevant for CCNA,
08:26
and then our pool name, if you remember, ip nat pool here, was CCNA.
08:35
If I execute the help feature again,
08:37
there's the keyword overload. We're gonna look at that in a moment, but for now, I'm going to ignore it.
08:45
Now I go apply my NAT.
08:54
is facing Router 4, which is my service provider, so f0/0 is actually facing the Internet.
09:03
f0/1 is facing my inside address, addresses, which are the 10 network.
09:09
So f0/0 is my outside interface; f0/1 is my inside interface.
09:16
Let's go into f0/0 first.
09:20
FastEthernet 0/0
09:24
and say ip nat. Since this is the outside interface,
09:31
I'm gonna tell it that you are going to be the outside facing interface
09:39
then for my inside interface.
09:43
I can't go, if I execute the do show ip interface brief command,
09:50
you see, I cannot go and apply it to the main interface FastEthernet 0/1 because we have router on a stick configured on this interface.
09:58
So I actually have a subinterface carrying the 10 network, or with the IP address in the 10 range.
10:07
So I'm gonna have to apply my NAT to this subinterface.
10:13
So to apply anything to an interface, you first go inside that interface: interface FastEthernet 0/1.10.
10:33
So let's do a show run
10:37
and check our work before we test this.
10:41
As is good practice,
10:45
NAT outside on my FastEthernet.
10:50
Wait. I was supposed to say ip nat inside on the f0/1,
10:56
dot 10 interface. So let's go back in there,
11:01
f0/1.10.
11:05
ip nat inside. It's actually my inside interface, guys,
11:09
because it's facing the 10 network
11:13
exit out. Get out again. Now let's check our work: show run.
11:20
And on the FastEthernet 0/0,
11:24
I do have the command ip nat
11:30
ip nat outside,
11:31
and on the FastEthernet 0/1.10 command, I have the ip nat inside command.
11:39
Let's get rid of this ip access-group you've seen it in. This is left over from our
11:50
And I don't want to interfere
11:56
so just copy and paste it with the keyword no in front.
12:01
Let's check our work again.
12:05
So, once again, FastEthernet 0/0, facing Router 4, our ISP router, I have ip nat outside, since it's the outside interface.
12:13
FastEthernet 0/1.10 has the keyword
12:18
has the, uh, command ip nat inside, since it's my inside interface.
12:24
Let's check our NAT commands. I have my ip nat pool CCNA describing my pool, first address being 1, last address being 254.
12:37
I've tied the pool and the access list together with the ip nat inside source list NAT,
12:43
which is my access list name, pool CCNA.
12:46
My pool name, as I see here, matches with the CCNA name,
12:50
and the keyword, I mean, the
12:54
list, the access list named NAT, matches my access list name, or my standard access list name,
13:01
permitting the 10 network out.
13:03
At this point, I should be good to go.
13:07
So let's test our NAT.
13:09
I'm going to attempt to ping
13:16
So once PC1 sends
13:20
an ICMP echo towards Router 4, the source address
13:24
in that echo packet will be 10.10.10.1, since PC1's
13:30
IP address is 10.10.10.1.
13:33
Once this packet reaches Router 2, Router 2 should replace that 10.10.10.1, which is a private address, with a public address,
13:45
that is, our public pool is in the 190 range. So it should replace it with 190.10.10.1,
13:52
since Router 4 resides in the public domain
13:58
or it is your service provider router.
14:07
151.1.45.4, if you remember. Right, let me just show you anyways,
14:15
Router 4's FastEthernet 0/0 interface.
14:20
The address is 151.1.45.4,
14:26
which would be this interface,
14:28
FastEthernet 0/0.
14:31
So let's go ahead and ping
14:33
151.1.45.0, I mean, 45.4.
14:41
The first request will time out for the
14:45
ARP request reply process.
14:48
And the second request is also timing out.
14:54
Let's try this again.
15:07
And our requests are timing out.
15:09
Now, why is that? Well,
15:13
guys, remember, I took away the routing protocol between Router 2 and Router 4.
15:18
I'm doing this to emphasize a point. All the NAT commands that we did on Router 2, ip nat inside, the ip nat outside, and the rest of these commands here,
15:28
this is what you will be. Don't worry about that ip classless command. I will explain what that is later. It has nothing to do with NAT. But these commands, the NAT commands that you did,
15:39
this is what is expected of you on the CCNA lab,
15:46
and ip nat inside command and the ip nat outside command. The routing part, the static routes that I'm going to create between Router 2 and Router 4, are not part of the NAT lab when you're going to solve it,
16:03
so you won't have to do that. It will already be done for you. You just have to take care of the NAT process
16:10
and ping across and see if it works. But since I've taken away routing between Router 2 and Router 4, I have to create static routes, as you would have to in the real world.
16:21
So we go to Router 2,
16:22
and we need to create a route to all destinations on the Internet
16:29
As you remember to create a route for all destinations on the Internet, you have to
16:41
or set the gateway of last resort,
16:44
so the command syntax would be ip route
16:47
0.0.0.0 0.0.0.0, which stands for any destination IP network with any destination IP mask,
16:56
and my next hop address is my ISP router, which is Router 4. So 151.1.45.4.
17:06
Let's check our routing table: do show ip route
17:11
Well, I can clear this up by adding the keyword
17:19
we do have a static route configured on Router 1 and gateway of last resort is set to throw all traffic going anywhere, destinations that don't exist in my local routing table, to 151.1.45.4.
17:37
Now, I need a route back from Router 4 to Router 2.
17:41
Now think about it, guys. Would I create a route back pointing to the 10 network?
17:48
The 10 network essentially is not visible to the outside world,
17:53
so I cannot create a route back
17:57
pointing to Router 2,
17:59
towards the 10 network.
18:00
I actually have to create a route
18:04
to what the outside world sees, which is the public network.
18:10
I will say ip route,
18:11
and our public network was 190
18:18
Mask was /24. I point this to
18:23
f0/0 of Router 2.
18:26
Check to see if my route exists: do show ip route
18:30
static, and yes, it does. It is pointed to Router 2,
18:37
Router 2's f0/0 address being
18:45
do show ip interface brief
18:49
being the 151.1.45.2 address.
18:56
Now let's go see if PC1 will ping,
19:02
so just the up arrow key to bring back the command,
19:06
and it works. Let's make sure PC2 can also ping so we can see more than just one translation,
19:18
and you see, it also works. Quickly go to Router 2, because in Packet Tracer sometimes these translations time out. show ip nat
19:34
let's look at this table.
19:37
You have the 10.10.10.1 address
19:40
being translated to the 190.10.10.1 address,
19:45
you have, and we sent five pings. 1, 2, 3, 4. I lied. We sent four pings,
19:53
and the 10.10.10.2 address being translated to the 190.10.10.2 address.
20:00
Now the keywords: inside local.
20:06
inside local basically means
20:10
your local address on the inside of your network as you, or the people sitting on the inside of your network, or your private network, will see you.
20:18
So people sitting on the private network will see PC1 as 10.10.10.1.
20:25
Now the inside global,
20:27
your inside address, the 10.10.10.1, as it will be seen globally by the outside world.
20:36
Your outside local address,
20:40
the address in the return packet, the source address in the return packets. So Router 4 will send the echo reply back to PC1. So the source address in
20:52
the return packet, which will be the address of the f0/0 interface on Router 4, as seen by you locally on the inside network. Of course you see 151.1.45.4 returned to you. And the outside global is
21:10
the outside address, again Router 4's address, as it is seen globally by the rest of the world, which, both these addresses are the same
21:18
because we, in this case, are not doing a reverse NAT,
21:22
which is part of your CCIE and CCNP.
21:27
Now I see my NAT address table. It timed out.
21:33
Let's do a ping again
21:34
so that we can see it again.
21:37
On real routers, guys, this doesn't time out so quick, but we're dealing with Packet Tracer here.
21:47
if I execute the command again, you see that .1 got translated. Now, this time .1 got translated to .2.
21:55
So because .1, I believe the router believed, was already taken. So it
22:02
translated 10.10.10.1 to 10.10.10.2.
22:06
It doesn't always work out perfectly with these translations. You just go with the next available address. Now, when I clear,
22:18
And then I believe there's a star at the end.
22:21
And that's the command.
22:22
If for any reason I want to clear out my translations. So if now I say show ip nat translations, I won't see anything.
22:33
Network Address Translation.