Now that we've finished doing subnetting, the next thing we want to take a look at is the Private Address Space and Network Address Translation. One of the issues with trying to route from one network to another, once we have our subnets all created, is that sometimes I may have to go out to some place like the Internet from an internal network. Internal network address spaces are not routable on the Internet, so I need to have some kind of mechanism in place, in this case what's called network address translation, that will map a private address on the inside of your network, say, your company or at home, to a public address that's exposed to the Internet. That public address actually becomes the new source as far as webservers on the Internet are concerned, and that's who the webserver will send its transmission to. So a little bit here on the Private Address Space and NAT. It's kind of different between a large corporate network and what you might find at home. In both home networks and corporate networks, private addresses provide some enhanced security for the internal network. They allow for the separation and obfuscation between internal and external Internet networks. Again, the idea is that when a private address, and we'll see the ranges here in just a moment, hits an Internet router, the router would just drop it, because an Internet router is not going to route the address ranges that we're going to look at here. And these are them right here. We have the 10 network range, 10.x.y.z; the whole 10 network range is not routable on the Internet. 172.16.0.0 through 172.31.255.254, again not routable on the Internet. And the 192.168 range; again, these are typically used at home, sometimes in your place of work as well. So what is NAT and why use it? It enables private IP networks that use unregistered IP addresses to connect to the Internet.
NAT translates private, not globally unique addresses in the internal network into public addresses before packets are forwarded to another network, such as the Internet. So NAT can be configured to advertise one or more addresses per network to the outside world. This provides some minimal level of security by hiding or obscuring the internal network behind those addresses. As the number of IPv4 addresses is 2^32, or approximately 4 billion plus combinations, and those addresses have been rapidly depleted over the years, NAT provides some address conservation by reducing the number of public addresses that are needed. So in the past, a company might have quite a few public addresses, and now because of NAT it requires fewer addresses. So this insufficient capacity in the original design of IPv4 really is what has led us up to the use of NAT as a means of reducing dependence on public addresses. Let's take a look, first of all, at Source NAT. We have two different kinds of NAT, Source NAT and Destination NAT. So we'll look at Source NAT first. In Source NAT, a computer on a private network, for example 10.5.5.10, wants to go to the Internet. It has a private address, so its traffic cannot be routed on the Internet. The device running NAT removes the private address from the source portion of the packet and re-appends its own public address as the source. It then sends it to the destination server, such as a webserver. After fulfilling the request, the webserver sends the response to the public address of the NAT device. The NAT device looks up that public address, and possibly an associated port, in a table to see what the original source address was, rebuilds the packet with that address and forwards the packet to the original computer, in this case 10.5.5.10. Now let's look at the following Source NAT example.
Here an internal host with the IP address of 192.168.2.200 on the private network needs to communicate with a server residing at 131.105.2.20 on the Internet. The firewall receives the host traffic on the trust interface, or what we would say the internal or the inside interface, the trusted network, and forwards it to what we call the untrust interface or the outside network, the external interface, in this case the interface facing the Internet. And it's going to replace the original private source IP address of the packet with the public IP address of the untrusted or Internet-facing interface of the firewall on the outside. So it looks something like this. If you look in the table before, you see the source address as 192.168.2.200, and then as it goes through, the address changes to 105.51.100.38. That is now the new source of the transmission to the webserver, say, on the Internet. And so again the webserver then is going to respond to the 105.51.100.38 address as the source of the transmission. Now let's take a look at Destination NAT. In Destination NAT, the process is basically just reversed. Here a server on the Internet wants to initiate a connection with a computer on a private network. The server sends the packet to the NAT device's public address, and possibly an associated port, which is mapped to an internal IP and/or port. The process continues just as it did with Source NAT, but in the reverse direction. Next we will look at a Destination NAT example. Here a user on the Internet with the IP address of 131.105.2.20 queries the DNS server for the IP address of the webserver, www.company.com. The DNS server returns an address of 105.51.100.38, the external address of the firewall interface in the zone facing the Internet, here the outside zone, or what we might call the untrusted zone. For the packet to reach the webserver, the destination IP address must be translated to the private IP address, 192.168.3.300.
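To make the two directions concrete, here is an added Python simulation (not from the tutorial or any firewall vendor) of the Source NAT and Destination NAT tables described above, using the tutorial's addresses 192.168.2.200, 131.105.2.20 and 105.51.100.38. The port numbers are constructed, and the binding is keyed on the private (address, port) pair only, which is a simplification of the per-connection state a real firewall keeps.

```python
from dataclasses import dataclass, replace
import ipaddress

# The tutorial's private ranges (RFC 1918): none of these is routable on the Internet.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr: str) -> bool:
    """True when addr falls inside one of the private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatFirewall:
    """Firewall with a trust (inside) interface and an untrust (Internet-facing) interface."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port  # next free public port for dynamic Source NAT (constructed)
        self.inside_of = {}   # (public_ip, public_port) -> (private_ip, private_port)
        self.outside_of = {}  # the reverse of the same bindings
    def _bind(self, outside, inside):
        self.inside_of[outside] = inside
        self.outside_of[inside] = outside
    def add_static_dnat(self, public_port, private_ip, private_port):
        """Destination NAT: publish an internal server behind the firewall's public address."""
        self._bind((self.public_ip, public_port), (private_ip, private_port))
    def outbound(self, pkt: Packet) -> Packet:
        """Trust -> untrust: Source NAT swaps the private source for the public address."""
        if not is_private(pkt.src):
            raise ValueError(f"{pkt.src} is not a private address; nothing to translate")
        inside = (pkt.src, pkt.sport)
        if inside not in self.outside_of:  # first packet of a flow: allocate a public port
            self._bind((self.public_ip, self.next_port), inside)
            self.next_port += 1
        pub_ip, pub_port = self.outside_of[inside]
        return replace(pkt, src=pub_ip, sport=pub_port)
    def inbound(self, pkt: Packet):
        """Untrust -> trust: look up (public ip, port) and restore the private destination."""
        inside = self.inside_of.get((pkt.dst, pkt.dport))
        if inside is None:
            return None  # no binding: drop; this is what hides the inside network
        return replace(pkt, dst=inside[0], dport=inside[1])
```

Unsolicited packets from the Internet to a public port with no binding return None, which is the "obscuring" effect the tutorial mentions; only a static Destination NAT entry opens a path inward.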
When the packet arrives on the external, outside-facing interface with the public address of 105.51.100.38, NAT, running on the firewall, looks up the private IP address that is mapped to it in a table and forwards the packet to that address, in this case 192.168.3.300. So you can see from the illustration here: from the Internet, the server on the outside has initiated a connection to 105.51.100.38, and again, that's going to be forwarded internally to the appropriate destination address, in this case 192.168.3.300. The last section we want to take a look at here is what we call the Reserved Address Space. The Reserved Address Space is a set of addresses that are not used for a number of reasons. So here we have what's called the IETF, or the Internet Engineering Task Force, and the IANA, the Internet Assigned Numbers Authority. They have set aside certain ranges for special purposes. Here we see our Reserved Address Blocks. You can see your Class A, Class B, and Class C private network ranges. Off to the right-hand side, you can see the RFCs and their numbers there as a reference, which is what was used to establish this as a standard. We see some other things in here such as Loopback and Link-local. Toward the bottom you can see the multicast range, the 224 range, the reserved or experimental range, 240, and also the broadcast range there at the bottom. Well, this concludes our presentation today, our tutorial for layer 3 addressing. I hope you enjoyed it. And thanks a lot, have a great day.