
Cisco CCNA certification proves your professional worth. It tells prospective employers that you can handle the day-to-day work of running a mid- to large-sized Cisco network.

The two-exam CCNA process covers lots of innovative features, which better reflect the skills and knowledge you'll need on the job. Passing both exams is your first step towards higher-level Cisco certification, and trainer Jeremy Cioara has mapped these CCNA training videos to the 640-816 test. This CCNA training is not to be missed.

Here's how one user described Jeremy's training: "By the way, Jeremy Cioara has to be by far one of the BEST Cisco trainers I have ever had the privilege to learn from overall. He not only keeps your attention but his energy is contagious and he provides the information at a level where you grasp it rather easily."

The last day to take the 640-816 exam is Sept. 30, 2013. After that date, the only ICND2 exam available will be 200-101. CBT Nuggets has a training course for the 200-101 exam here.

1. Review: Rebuilding the Small Office Network, Part 1 (33 min)
2. Review: Rebuilding the Small Office Network, Part 2 (28 min)
3. Review: Rebuilding the Small Office Network, Part 3 (23 min)
4. Switch VLANs: Understanding VLANs (16 min)
5. Switch VLANs: Understanding Trunks and VTP (39 min)
6. Switch VLANs: Configuring VLANs and VTP, Part 1 (35 min)
7. Switch VLANs: Configuring VLANs and VTP, Part 2 (39 min)
8. Switch STP: Understanding the Spanning-Tree Protocol (28 min)
9. Switch STP: Configuring Basic STP (21 min)
10. Switch STP: Enhancements to STP (29 min)
11. General Switching: Troubleshooting and Security Best Practices (29 min)
12. Subnetting: Understanding VLSM (18 min)
13. Routing Protocols: Distance Vector vs. Link State (26 min)
14. Routing Protocols: OSPF Concepts (30 min)
15. Routing Protocols: OSPF Configuration and Troubleshooting (39 min)
16. Routing Protocols: EIGRP Concepts and Configuration (32 min)
17. Access-Lists: The Rules of the ACL (27 min)
18. Access-Lists: Configuring ACLs (34 min)
19. Access-Lists: Configuring ACLs, Part 2 (48 min)
20. NAT: Understanding the Three Styles of NAT (20 min)
21. NAT: Command-line NAT Configuration (35 min)
22. WAN Connections: Concepts of VPN Technology (33 min)
23. WAN Connections: Implementing PPP Authentication (34 min)
24. WAN Connections: Understanding Frame Relay (28 min)
25. WAN Connections: Configuring Frame Relay (30 min)
26. IPv6: Understanding Basic Concepts and Addressing (34 min)
27. IPv6: Configuring, Routing, and Interoperating (23 min)
28. Certification: Some Last Words for Test Takers (13 min)
29. Advanced TCP/IP: Working with Binary (25 min)
30. Advanced TCP/IP: IP Subnetting, Part 1 (55 min)
31. Advanced TCP/IP: IP Subnetting, Part 2 (22 min)
32. Advanced TCP/IP: IP Subnetting, Part 3 (19 min)

00:00:00

Now that we understand the concepts, we turn our attention to the NAT command-line configuration. In ICND1, we configured NAT through the SDM, the GUI, and that was as simple as next, next, finish, and we were essentially done. Now we're gonna do it from the command line, where we have complete control over exactly how NAT is going to operate. Of course, with

00:00:23

control comes complexity, so we'll start off with the most common form of NAT, which is configuring NAT overload. Once we're done with that, we should have clients in our network that are able to access the Internet. From there we'll be able to configure static NAT,

00:00:38

which will be used to host some internal servers on our network from the outside world. Last but not least, we have configuring dynamic NAT with overload. This is something you would do in a larger network to allow multiple internal clients to translate out to the Internet to a pool of addresses that can be overloaded themselves. Meaning, once you tap all the port numbers

00:01:02

that are available on one IP address, it can move over to a second one. As we do our configuration, most of our focus will be on router one, because that's where all the action's happening, and this is the router that's doing NAT. Now I want to go in and just test a

00:01:17

few things and do some proofs to make sure that our Internet routing is working okay, and our normal routing is working okay. I'm gonna go to router one, and what I'm going to do, on router one, is ping the ISP, to make sure I'm getting there and make sure I'm getting out to the Internet. So on router one I'll just

00:01:34

do a show ip interface brief. There's my public IP address. I'm gonna ping 171.97, which is my ISP, and sure enough, it's working. Now I'm getting some pretty slow response times because I have a massive file upload going on in the background, so we're not really concerned about performance right now; I just want to make sure I'm connected. Now let me ping my favorite IP address

00:01:58

in all the world. 4.2.2.2, that is a public DNS server out on the Internet, and I can verify my routing table, I have a default route, it is going to my ISP. Obviously that default route is working right now, because I'm able to get to that DNS server. By the way, here's a tip of the day for you. If you ever want your

00:02:17

router to use a name server, you can type in ip name-server 4.2.2.2, and then I'll type in ip domain-lookup, which turns on name lookup, and then you can actually ping things like google.com. See that? It says translating, it went to the DNS server and there's Google's IP address. If you don't give it a DNS server, it won't be

00:02:38

able to resolve those names to IP addresses, so you'll always have to ping by IP address. So that's pretty cool. All right, so we know we're connected to the Internet, we know that our router one can even get to Google, for crying out loud. So let's now

00:02:53

do some other tests. I want to make sure that router one can get to router two, and specifically, I'm going to be working on this host down here. I have a connection to him in the Cisco lab, so he is going to be our Internet host. So let's make sure

00:03:08

that we can ping that host. I'm gonna go to 192.168.10.50, and what that's gonna do is come into router one on fast ethernet zero, flip back around on a router-on-a-stick out fast ethernet 0.10 into the switch and hit this host. So let's even go one step further, I'll do a traceroute

00:03:27

one and seven, or 192.168.10.50, that was the IP address, right? 192.168.10.50. All right. Good, and sure enough, there we go. It went through router two and then hit that host, 10.50. So I am able to ping that host. Now I happen to have a remote desktop connection to that host right here.

00:03:48

Let me bring it into the picture. Actually, I may just kinda shrink things down, get my QuickTime player out of there, and I'm going to do an ipconfig, and there, yup, this is the host 10.50. I'm gonna make sure that I can ping 192.169.10.1. It's good, and let's even do a traceroute to 192.168.1.1, which is my Internet router, router one, and just verify. Ah, gotta love it.

00:04:16

I'm gonna do traceroute -d. Windows always tries to look up names, which makes it hang there forever. What I mean by names is, it's trying to figure out what domain name 1.1 really has, which is none, so it hangs there for a long time. -d ignores that, and you can see it went through router two, 10.1, and then reached router one. So I am getting to router one, so

00:04:42

let's go ahead and do a trace. Let's see if this host can get to our same DNS server, hang on, -d. All right. It went through 10.1, went to 1.1, and I'm dying. Asterisk, asterisk, asterisk, it's just gonna keep on asterisking, meaning, as soon as it got to 1.1, it died. Now if I were to actually pull out a packet sniffer right now, I would see these packets coming from this host; they'd be coming up through router two, going out, back up through router one, and they'd actually be getting sent out to the ISP, but remember, it's going out without NAT right now. The ISP is getting a private address, and it's

00:05:30

saying you are denied; you are not allowed to come into the Internet, because all ISPs block private addresses. So what I have to do is NAT my private address to a public address, so that it is able to go through and look as though it's coming from 171.98. Now that goes back to all the NAT concepts we talked about in the previous video.

00:05:54

So we can see our request is getting nowhere, so I'm just gonna cancel that guy and shoot back up over here. Let's go to router one and implement NAT. You can see my steps to configure NAT overload. That will be the first one that we implement. A flyby review: NAT overload is the one that allows many

00:06:14

internal hosts to share the same public IP address by using port numbers to distinguish between all of them, and we'll see that happen before our very eyes, with our client in VLAN 10 down here. So here are our steps. Number one, label the interfaces. We need to identify which interfaces represent

00:06:32

the inside network and which one represents the outside. Second, we need to tell router one what the valid internal IP addresses to be translated are. We do that by using an access list, and this is why this video comes after we talked about access lists; I'll show you that in a moment. Finally, we turn on NAT overload.

00:06:52

So here's what I'm gonna do. I'm gonna go step by step. Number one, label the interfaces. On router one, this is actually the easiest step. I'm gonna look at my interfaces. I see Ethernet 0/0 and 0/1. 0/0 connects to the inside of my network, so I need to go under that interface, and type in the command, ip nat inside. That

00:07:13

tells the router, that is my inside interface. I'll go under interface ethernet 0/1, which connects to the outside of the network, and you probably are thinking what I'm thinking: ip nat outside. That connects to the outside of the network. That's it. That's

00:07:29

step one, we've labeled the interfaces. Second step, identify internal IP addresses to be translated. Meaning, I need to tell my router one which IP addresses should be translated, and even what IP address shouldn't be translated. Maybe I don't want Internet access for these

00:07:46

guys. Well, I could prevent them with an access list from getting out there, or I could just deny them from getting NATed out to the Internet. I do this by using an access list, and I'm going to use a named access list. It is much easier for me to identify. I'm gonna type in ip access-list,

00:08:09

and it says, what kind of access list? Well, I would like a standard. Remember, a standard access list only allows you to permit or deny based on source addresses. Now, we've been thinking about access lists up till now as permitting or denying access, like you are denied from going through this router completely, but in this case, we're gonna set up this access list to permit or deny people to be NATed. So, here's what we'll do. We'll

00:08:36

go ahead and say, access-list standard, and we'll name it. You can see "word", what name would you like? The word will be NAT_ADDRESSES. I always type my names in all capitals so I can identify them in the running config pretty easily. Now underneath here I'm gonna do my permit and deny

00:08:55

statements. I'm gonna say, permit, you know what, just for this example, I'm gonna permit everybody to be NATed. You know what? Except, just for the fun of it, just like I had my arrow pointed over here, I'm going to deny these people from being NATed.

00:09:14

So, I'm gonna put my deny first. I'm gonna say, instead of permit, deny 192.168.3.0 0.0.0.255, that's my wildcard mask, so the first thing I'm doing is denying these guys from being included in the NAT addresses, or addresses to be NATed. Now, I'm gonna go in and do a permit after

00:09:38

that, 192.168.0.0 0.0.255.255 is my wildcard mask, which says, match everything that starts with 192.168, and I don't care what comes after that. Now because this is an ordered access list, I'll do a show access-list. It's going to deny these people first, if they come in, but if you are not them, this essentially says, if you are not 192.168.3.0, but you are anything that starts with 192.168, then you are permitted. That's my second step. I have now created an access list, which

00:10:15

identifies internal IP addresses to be translated. Now the last step, enabling NAT overload. I can enable NAT overload by using the NAT command, and this is the biggest command that we have with NAT, and trust me, it, it will look confusing at first but I'll explain it in English. I'm gonna say, in global config

00:10:38

ip nat, essentially I want a NAT. The router's gonna ask me, well, how do you want a NAT? I wanna NAT from the inside of my network outside, and I'm gonna say, based on the source address translation, the source addresses that I'm going to translate are gonna be in an access list. You can see "access list, describing local addresses" right here, in access list, and it says, well, what's the name of the access list? That name is NAT_ADDRESSES. Oops. Gonna paste the whole thing, there we go,

00:11:09

NAT_ADDRESSES. That's the list that identifies, and it says, well okay, do you wanna send that to a pool of global or public IP addresses, or do you just want to specify what interface those are going to be going out, and use the interface IP address. Well, in this example,

00:11:25

for simplicity, I'm gonna use the interface. I'm gonna say, go ahead and send them out interface, and let's look back at our diagram, ethernet 0/1 is our public interface. So I'll say, interface ethernet 0/1, and I'm going to follow that up by saying, please overload. Meaning, please allow multiple internal hosts to share

00:11:46

this one IP address. So let me hit the up arrow on that command, go back to the beginning. I'm gonna read it to you in plain English. ip nat says, I would like to NAT, and the router says, well how would you like to NAT? I would like to NAT from the inside of my network to the outside, and the source addresses that I would like to NAT are identified in the access list NAT_ADDRESSES.

00:12:08

Anything that's permitted by that access list is going to be permitted to be NATed, and I would like to NAT them out interface ethernet 0/1, and please overload that address. If you, you can see, it's cut off here at the end, please overload that address, because if I don't include overload, only one host will be able to get out, and then it will say, okay, you've used up the address on interface ethernet 0/1, nobody else can use it, so use overload. Now I know, it's a very long line of syntax, but unfortunately that's the command you have to type in, and we'll keep seeing that as we look at the different forms of NAT. So at this point, our

00:12:45

host should be able to get out. Ready to test it? I'm gonna hit that up arrow, let's do a traceroute, goes the router, goes the public IP address. Oh, ho, ho, ho. Look at that! Look at that! It's getting out. We have a, we have it going to router two, it goes to router one, it then goes to the next hop IP address, 68.110.171, I, I think I killed it. There we go, it's, it's still going. It's, it's trying to get to 4.2.2.2. It's ho, it's going around the whole Internet right now, trying to get to our DNS server, and finally it gets there. The ultimate

00:13:23

test, of course, is to open up a web browser on our client. Oh, look at that! Beauty! Shrink it down right here, and verify that our little client right here can go to the best site in all the Internet. It's the Cisco blog. No, cbtnuggets.com, and I know my Internet connection is bogged down right now, but there, in the flesh, is CBT Nuggets.

00:13:54

Now check this out. I'm going to take this another step and start verifying. Now on router one, we now have NAT translations going through, watch this. I do show ip nat translations. Oh my word, look at that. Look at this, look, okay, okay, okay, look at this. You have inside local, right? Inside local identifies

00:14:18

the address inside of your network, and if you were to diagram this, the inside local addresses represents these guys. I'll put IL, IL. Anything that is inside, and a local, it's a private IP address inside my, my network. Inside global, and I always say, inside means whose control is it under? It's under my control, global versus local, that's public or, global is public, versus private. Look at what's happening

00:14:45

here. My client, you see 10.50 is being translated to 68.110.171.98. That is the public IP address on router one. It's being translated to that, and notice, it's using that source port number to translate it through. Now notice it's going

00:15:07

from the inside private to the inside global, that's the public address, then outside local and outside global; these will always be the same if we're doing this kind of NAT translation. You can see that it's going to this IP address, that IP address, this IP address, all these different IP addresses on port 80. That's the destination for it, that's our web surfing port.

00:15:27

Initially, when I opened my web browser, it went to ah, to Firefox the, the little Firefox homepage, and, where did we go? We're right here, and it went to this page right here. Now this page is comprised of a, a graphic, a little Firefox guy here, a Google search field, we got some customization options down here, images, maps, blah, blah, blah, blah, blah.

00:15:48

So when you're seeing these translations, we went to one website but we were probably redirected and got information from many different websites. That's why we see all these translations, even though we only went to google.com and cbtnuggets.com. So all these are the different websites,

00:16:08

and as time passes, you'll see that they are timing out, they're slowly fading because the connections are being severed. You also notice I have an ICMP message, that's my ping that I did to 4.2.2.2. When I tested that, when I did my traceroute to get to that server, it was using ICMP, the ICMP protocol, to do that. Isn't that amazing?

00:16:30

I, I don't know, NAT always blows my mind, this NAT overload concept. I could, I could go in there and, it, I'm trying to think what else can I do? That's it. I, I can, that's NAT. It's, it's working, so all of these different clients on my network are able to get through except this one.

00:16:48

This is what I wanted to emphasize. 192.168.3.whatever will not be allowed to get through, and the reason why is because the access list denies them. To, to simulate that, I'm gonna go over to router three, let's do a show ip interface brief, my little alias here, and I'm gonna type in, on router three, well, first off I'll do ping 4.2.2.2. Sure enough, router three can get there, and you might be thinking, well I thought router three was denied. Well, it is, if it's coming from

00:17:18

an IP address on this LAN, but router three came from 192.168.2.2. Matter of fact, let's check it. Jump back to router one, show ip nat translations, and, right there, notice 192.168.2.2 was using ICMP to ping that DNS server. So that was allowed to get through. Let's try this. I'm gonna go back to router three and do a ping

00:17:45

4.2.2.2, but I'm gonna follow that up with a source interface of, oh what interface was that? Ethernet 0/0. That's the one that connects to the LAN, ethernet 0/0. Now you can see, we're dying because it's pinging from a source address, it's coming from a source of 3.1, and if I were to jump over to my router one, and do a show, let's do a show access-list.

00:18:13

You can see my NAT addresses, sequence 10, denied 192.168.3.0, and I've had five matches. Hmm. Five pings that came from router three. The permit, everything else that started with 0, 0, had twenty-three matches. Those are being permitted to be NATed. Now I want to make sure we catch something here before

00:18:34

I move on to the other forms of NAT. When I created that access list to identify the internal addresses to be translated, that's exactly what it's doing, permitting or denying them to be translated. Router three is coming out here, it's going tuk-a-tuk-a-tuk-a-tuk-a-tuk-a all the way through the network, when I pinged from this source of 3.1, and router one's getting it, and it says, you are denied from being NATed, not denied from being routed. So router one

00:19:04

is sending those packets out from router three. When I did this little, I did it again, my, my screen jumped. I don't know how I do that. Anyhow, let me see if I can fix this here. When I went into router three, and I did this ping right here from a source of 3.1, 3.1 was allowed through, it was just denied from NATing. So if I were to go to my ISP,

00:19:33

if I had some kind of packet sniffer at my ISP, I would see packets coming in from 192.168.3.1. It was not denied from routing, it was denied from being NATed, so I wanted to make sure I specify and emphasize that that's what that access list really does. All right, so that is NAT overload. Now

00:19:50

let's talk about static NAT. Static NAT is what allows me to create mappings to let internal hosts be accessible from the outside. What I mean by that is, right now we have a NAT barrier, which is a form of security on my network. Meaning, nobody can get

00:20:10

into my network without first being invited from an internal host. Meaning if this, this smiley guy down here didn't go out to the Internet and say, CNN, I would like your web page, CNN would never be able to come back in and say, here's a, here's a web page. So NAT, in essence, is an impenetrable form of security,

00:20:29

because the outside cannot access the inside. Now I wanna make sure I emphasize that NAT security is not the only kind of security that you can have. The, it needs to be combined with many things, it's not perfect security is what I'm trying to say. So, what I can do is, let's say that this smiley host down here is a web server, and I want to allow people to access that web server from the Internet.

00:20:55

Well, I need to create a static NAT mapping that maps this host to a public IP address in order for people to be able to access him. Now, first things first, you need to make sure that you get public IP addresses from your ISP. As of right now I have one, 68.110.171.98, assigned to that interface, but if I wanted to be able to have servers on the inside of my network, I would typically, or normally, I'll show you a way around this, but I would normally want to go to my ISP and say, ISP, I would like to get more IP addresses, and they will say, we will charge you this much a month, and you say, okay, and they will say, okay, you can have 68.110.171.99 and .100. You know, these different IP addresses that you can use for your internal network. So let's say, just

00:21:47

for ease of this example, and I'll show you some cool ways around this, let's say they gave us 99, right, and I want 99 to map to my internal web server. That's gonna require a static NAT mapping. The way that I do it is I move to global config mode on my NAT router, and I say, ip nat. That says, I want a NAT, I want a NAT from the inside

00:22:10

of my network. Now, I know you might be thinking, I thought that would be outside, I thought you were NATing from the outside to the inside. Well, you are in a way, and you could do it by typing ip nat outside, and then say, this address to this address, but really, when you start working with NAT, it's best just to use one direction. When I say, ip nat inside, that says I'm gonna NAT

00:22:32

from the inside of my network out, which is true, but anytime you do that, you're actually creating two-way NAT mappings. So it will NAT from the inside to the outside, but it will also NAT from the outside to the inside. So you might wonder, well, why would

00:22:46

I use NAT outside? Good question. I never do. As long as you, you learn one direction and get comfortable with that, you never have to use the other. You could also start with NAT outside, say, I, you know, I wanna use NAT outside, and use NAT outside for anything, and never use NAT inside. I just always like using inside, because it

00:23:05

makes more sense to me. So, I'm saying, I want a NAT from the inside, and it says, well, what, what do you want to translate? I wanna translate the source address, when somebody comes in, and I'm gonna make this a static NAT mapping, notice it says local to global.

00:23:19

Let me stop right there. If I would have said, ip nat outside, all it would do is say, well, you wanna map global to local, so you would just type the outside address first, and then the inside address second. Typing ip nat inside, will let you type the inside address, or local address first, and the outside address second. That's really the only difference

00:23:39

between the two. It's just what direction are you looking from, what, what direction do you prefer, but functionally, they're the same. So, this is going to be a static mapping, and I'm going to map the inside local IP address 192.168.10.50. That's my little guy down here, smiling guy.

00:24:03

He's my web server. I wanna NAT him to the outside IP address 68.110.171.99, that's the new IP address that my ISP gave me, or sold me, and allowed me to use on the Internet as long as I'm using them. At that point, I hit Enter. I've now created a static NAT mapping. Now this is where I want to explain

00:24:27

what I mean by two-way. Any time this inside host decides I would like to access the Internet, 10.50. He will go out, and go to router one and go out and be seen on the Internet as this address, 68.110.171.99. Likewise, anytime anyone on the Internet accesses that address 71.99, router one will get that and translate it back to the inside host. That's what I mean by two-way mapping,

00:24:59

it goes in, and it comes out. So, let me do a show ip nat translation, and you can see, all my translations have timed out. This is a static. It says, any time somebody accesses that, it will become that, and any time this one accesses the Internet, it will become that, and be sent out as that. Now you can see this doesn't have

00:25:20

any IP addresses, because as of right now, nobody is accessing that, nobody is, is accessing this IP address right here, and so when somebody does, if somebody does access my "website", their IP address will show up here, because they will be NATed to my inside address right here. That is known as simple static NAT mapping.

00:25:44

Now I mentioned I was going to show you a way to kind of overcome this, like, you know, we only, let's say you're with a company and they only have one IP address from an ISP, and either the ISP will not give you any more IP addresses, because some of them work that way, or the company does not want to buy any more IP addresses, because it can get kind of expensive.

00:26:04

What we can do, is we can use the IP address that we have on our public interface right here, the 68.110.171.98 and use it as somewhat of a static NAT mapping. Let me show you how this works. We're, right now, using this for NAT overload, and let me first go in; I'm going to remove this static NAT mapping, no, put a no at the beginning. So

00:26:31

that one's gone. Go back, verify, show ip nat translations, we've got nothing. All right, we've removed our static NAT mapping, and we only have one IP address, and I would like to use that IP address to still allow access to the web server. Well, as of right now that IP

00:26:46

address is being used for NAT overload, so as hosts surf the net they're going to be seen as that IP address. So I can't statically map that whole IP address to the web server. This is what we know as static port mappings. Watch this. You may have seen it when I was doing the command before. I'll type in ip nat inside

00:27:06

source static. This is the same thing as before, same command, but I'm gonna hit the question mark. Now when I did the last example, right here, I typed in the private IP address. Now I'm gonna do something a little bit different. I'm gonna type a protocol.

00:27:22

I'm gonna statically map TCP to the inside local, the private IP address, 192.168.10.50, and I'm gonna map port 80 to the outside global. It says what is the global IP address, 68.110.171., or wait a sec, I'm not gonna do that. I only have my interface, the IP address on my interface,

00:27:49

right? 68.110.171.98, so instead of mapping it to a different global IP address, I'm gonna map it to the IP address on the interface, and I'll say, interface ethernet, was it 0/0? 0/1. 0/1, question mark, port 80. You see what's happening here? What I'm doing is, any time my outside interface, 0/1, my Internet facing interface, gets a request on port 80. Now what's TCP port 80? Web services, right? That's http. It will translate that request to the inside IP address,

00:28:29

192.168.10.50 on its port 80. That's pretty hot, because now, when I go back here, I'll do show ip nat translations. I can see that this translation is happening oh, it looks like we had some other, our little host went out and accessed a time server, but we're not gonna talk about that. This is my static NAT mapping, I've got http, nobody's

00:28:55

using it as of right now, but the host can still, let's, let's ah, let's bring my ah, host back to the stage. Our host can still, let's go to ah, www.ciscoblog.com, only the coolest blog on the Internet, and, you know, we're accessing the Cisco blog, minimize that guy and, wait a sec, minimize this whole thing, come back here and do a show ip nat translations. We're still accessing the Internet, we're still overloading, but we're now borrowing one port from that public IP address and giving it to that host. Now this gives us a lot of flexibility, guys, look at this.

00:29:31

I just assigned port 80 on that IP address. If anybody from the Internet accesses that on port 80, it'll forward into my client, but I could totally split that address apart to access all kinds of things, like let's say this is an email server that I have inside of my company. That email service uses TCP port 25, known as SMTP, Simple Mail Transfer Protocol. I could assign

00:29:56

port 25 of that public IP address to a totally different internal host. I could split apart an IP address for however many services I really wanted to use. It's very powerful, because with simple static NAT, you dedicate a full public IP to a full private IP, and you may only use one or two ports off of that. Well, why not use each public IP address to the

00:30:19

max? That's what that port static NAT mapping is all about. So you can, you can split it up in many different ways. So we've talked about NAT overload, we talked about static NAT. There is one more concept I want to show you, and this is for larger companies.

00:30:36

It is dynamic NAT with overload. Now, as of right now, I'm gonna do a, a show run, and I'm gonna include lines that have ip nat in them, because I just want to filter it down, and there's, there's my ah, my command that I typed in to NAT the private IP addresses in that access list, to the interface and overload it. That's

00:30:58

NAT overload, but I'm gonna remove that, and do a copy, global config, put "no" in front and paste that in there. So: dynamic mappings are in use, do you want to kill them all? It means, there's some people using that right now, are you sure you want to do that? Yep, sorry, Internet has gone down. So we now have a clean slate, and I want to show you

00:31:20

how you can configure dynamic NAT, meaning multiple public IP addresses using NAT overload. What I can do is I can approach this a little different. Instead of using the public IP address on the interface, I can create an ip nat pool. You can see I can type ip nat pool, it says what would you like to name it? I'll say PUBLIC_ADDRESSES, do a space question mark, it says, what start IP address would you like to put in that pool, and I'll say, well let's say we purchased IP addresses from our ISP, 68.110.171.99 and .100, I'll put 68.110.171.99, and the end IP address will be 68.110.171.100. Those are our public IP addresses that we've gotten. Do a question mark, it says, what, you can either type in

00:32:14

the netmask, meaning the decimal subnet mask, or the prefix length. What it means by prefix length is the bit notation, /24, /32, that kind of thing. I'll just put, you know it's only looking for the number, so 24, which means, let's say, class C subnet mask, or, this is a preference, you can also use the netmask option and type in the decimal subnet mask, 255.255.255.0. Okay. So what I've done is I've created a NAT pool of two addresses. Now I can use that same command that I

00:32:47

used before, and I'll type it in again, ip nat inside source, to, to turn on NAT overload, right? I'm gonna do a source list, the access list was NAT_ADDRESSES. Right, that was the access list we created, I wanna NAT from that access list. Now before, we were going specifically out an interface,

00:33:09

using whatever public IP address we had on that interface. The advantage of that is it's very simple, and you only need one public IP address. The disadvantage, well there's not a real disadvantage, but the problem is, if you have a very large company, it will eventually run out of ports. Meaning, as you get hundreds and thousands

00:33:27

of hosts on the inside of your network, surfing the Internet, this will run out of ports that it can use on that public IP address, and it'll start killing NAT sessions and people will kind of lose their connection to the Internet from time to time. So what we can do is give a pool of two public addresses

00:33:43

that we created, so I can say, go ahead and use that pool, and when one of them is full, meaning there's enough people using that, switch over to the next one. So if I wanted to do that, I would just say, I wanna, I want to NAT, I'll read this in English, ip nat, I want to NAT from the inside of my network, that is identified as the source IP addresses in access list NAT_ADDRESSES. Now I wanna NAT

00:34:06

them to the pool of addresses that I just created, the name of the pool is PUBLIC_ADDRESSES, ip nat pool PUBLIC_ADDRESSES, and then, I would like to overload that pool. If you forget the overload keyword, what's gonna happen is it's going to allow two people, meaning the two public addresses that you have, to access the Internet, and then it'll say, sorry, we're out of public IP addresses.

00:34:31

That is known as dynamic NAT with overload. You're dynamically going from a group of addresses to a group of other addresses, a group of private to a group of public, and we're overloading it so when one of those public addresses gets full, it will fail over to the second one. That is NAT in all its flavors.

00:34:50

Still to this day, I think NAT is one of the most fun configurations that you can do on a Cisco router. I, I don't know why, I just, I just think it's, it's such a neat concept. So let's wrap things up. We saw configuring NAT overload, that was the first thing that we did, labelling our inside and outside interfaces, creating a private IP address access list, of what addresses we would like to translate, and then combining all that in the ip nat command to enable overload. We then configured

00:35:19

static NAT to allow outside access to our internal IP addresses, and then finally, we saw a dynamic NAT, which is going from private IP addresses to a pool of public IP addresses, and we combine that with overload, so that when one of them ran out of port numbers, the other one could take over. I hope

Jeremy Cioara
Nugget trainer since 2003