Fortinet NSE4_FGT-7.2 — FortiGate Firewall — Section 1: FortiGate Firewall V6.4 1 Part 35
48. Lecture-48: Network Address Translation Theory.
So, what is NAT, and how can we configure it on the FortiGate firewall? NAT means network address translation: translating a network address, and a network address is nothing but an IP address. Okay, class A, B, C.
So, when we translate one IP to another IP, we call this mechanism NAT. When we translate a private IP to a public IP, we call this technique network address translation. It can be from one private IP to another private IP, from one public IP to another public IP, or from private to public. Most of the time you will see this last type, private to public, and we call that network address translation. At home, whatever you have, maybe Wi-Fi or maybe a cable, you are connected to a modem, a router or a switch, whatever you call the device deployed for your home broadband. All of them use NAT to translate private IPs to public.
So, in this way we can save IPs, we can hide our private IP, and we can protect the inside devices thanks to NAT. Like in my case, I'm using cable, and I'm connected to my modem.
So, instead of public IPs I'm using 192.168.x.x, which is a private range. 192.168 is the class C private range, and 172.16 and so on is the class B private range. These are called private addresses. Most commonly you will see this set up in every home; you will see this type of IP.
So, I'm using this at home: my iPhone, the kids' iPad, my mobile phone, my wife's mobile phone, all of them have private IPs, but all of them go out to the world through one public IP, which is what the outside sees.
So, in most cases we are using NAT to convert private IPs to public IPs.
So, inside I have 192.168.x.x, but this is not my actual IP when I go outside to the Internet.
So, this is my IP. If I search "what is my IP address", it will show me my public IP. That is the easy way; such a site will show you your public IP. So this is my public IP, and inside I have 18 systems connected: phones and laptops, solar and water systems, desktops, and outside I'm using one IP to reach the whole world. Who is doing this for me? My modem. So nobody can hit me directly, because my inside IP is private; they can only hit my modem, so I'm protected thanks to NAT.
So, basically NAT saves IPs, translating one IP to another IP, in most cases private to public, and it protects your devices from being hit directly. We have limited IPv4 addresses: in IPv4 we can only use classes A, B and C; we cannot use class D, which is multicast, and we cannot use class E, which is for research purposes. Then in class A we cannot use one segment, the 10.x range, which is private. Then in class B we cannot use the 172 range, in class C we cannot use the 192.168 range, and we cannot use 169.254, which is APIPA. And the whole world is connected to the Internet.
So, how will they all get IPs? We don't have that many IPs, and billions of people are connected.
So, we are using this technique, network address translation, to save IPs. And it has so many advantages. Yes, it slows down the connection a little, because the translation takes some time, but that's okay.
So, when we are talking about network address translation, basically translating one IP to another IP, it means it's working on layer 3, because IP works only at layer 3. But there is another concept called port address translation, PAT. Normally you will see both words, NAT and PAT. They will say "I configured NAT" or "I configured port address translation", and these are different things. Here you have to modify both layer 3 and layer 4, meaning the port number will also change, and the port number works on layer 4.
So, you are jumping to two layers.
So, port address translation translates the port as well: the IP is already translated, but we change the port too.
So, then we call it port address translation. Then the two main categories of NAT are source NAT and destination NAT. If your source IP is changed, we call it source NAT; if NAT changes your destination IP, we call it destination NAT. Then, if we come to FortiGate, there are two methods to configure NAT, two techniques; I'm not talking about types of NAT but about methods to configure it. One is called firewall policy NAT, which you will find in every policy, we know this, and the other one is central NAT.
So, we can configure NAT on the FortiGate in two ways: inside the policy, and centrally, which we call central NAT. Last time, when we were doing the lab, we enabled central NAT in NGFW policy-based mode, you remember, and I told you that we would discuss the NAT option in every policy. Now we are going to discuss it. In every policy there was a NAT option. And then we will see the two types of NAT.
So, two ways to configure it: in the firewall policy, and in central NAT.
So, it's better to draw the basic concept. We have done NAT on Cisco for a while; forget about Cisco for now. On Cisco, Juniper and the others, the firewall approach is totally different; I don't know how many NAT methods they have, maybe more. They have a different approach: they configure source and destination NAT and don't bother with the firewall policy. Today we will discuss it in a different way, for the FortiGate firewall.
So, NAT is categorized in two main categories, source NAT and destination NAT. We know that if the source IP is changed, it's source NAT; if the destination port or destination IP is changed, it's destination NAT. Then source NAT can be configured inside the firewall policy, which is policy-based NAT, and it can be configured centrally, which is central NAT; when central NAT is enabled there will be no NAT option inside the policy. The same goes for destination NAT: it can be configured inside the firewall policy and centrally. Then source NAT can be configured through different methods: static, dynamic, and central. And destination NAT can be configured in three different ways: a static VIP, a VIP with services, and a VIP with port forwarding. And inside dynamic there are four methods to configure it. This is the confusing part. Dynamic NAT applies to source NAT, when we are changing the source IP.
So, dynamic source NAT can be done with overload, one-to-one, fixed port range, and port block allocation. And then central NAT is the third method to configure source NAT. And destination NAT also has three ways to configure it.
So, these are the things you need to configure, and we will do all of them one by one. We will do source NAT inside the policy, then we will do it centrally. So how many ways for source NAT: one, two, three, four, five, six? Basically three ways to configure it, but dynamic can be configured in four different methods. And then we will do destination NAT in three different ways. This is the whole story.
So, this is source NAT. Most of the time we configure it for our inside users going to the Internet, but it can be reversed as well. Maybe you have a server in the DMZ.
So, when people from outside are hitting a web server, a mail server or a database server, we need destination NAT. But when you are in the internal network and going outside, that is source NAT.
So, this is what we call source NAT, because the source will be changed and the public IP will be used; since the source changes, we call it source NAT. But if the user is coming from outside to access your system, the source is not changed, the destination will be changed: the public IP will be translated to the inside one, so this is destination NAT. Inside the policy, you saw that we use "Use Outgoing Interface Address" or "Use Dynamic IP Pool". Using the outgoing interface address means using the public IP of the outside interface.
So, that is basically what we call static NAT on the FortiGate. And if you choose the dynamic method, it will show you four different methods: overload, one-to-one, fixed port range, and port block allocation. This is inside the policy. But you can enable central NAT, either when you change from profile-based to policy-based mode, or you can enable it directly, which we did in NGFW policy-based mode.
So, when you enable central NAT, again we have so many methods to configure. Now, coming to source NAT: I told you that when your source IP or your source port is changed, we call it source NAT. Normally you have a private IP, just like in my case now, I'm using some private IP, this one, but when I want to access Facebook, my IP will be changed. I have .187, but when I access Facebook, Facebook will see my public IP, this IP, so the source is changed.
So, this is source NAT. And if my port is also changed, that's also source NAT; it can be anything, the IP or the port.
So, I'm accessing Google, and Google doesn't know about my IP .87, only this IP, the "what is my IP address" one, which I showed you.
So, Google will know this IP; this IP communicates with Google, Google responds to this IP, and this IP gives it to me.
So, this method, where we convert one IP to another, we call NAT, and when the source changes we call it source NAT. But if somebody from outside wants to access my inside system, say server one, they will hit this IP, and this IP will be changed to the destination, which will reach my server and give the response back to them; in that case we call it destination NAT. Okay, so this is source NAT, and normally you will see source NAT; we use destination NAT as well, but in most cases in your organization you will see this type.
Source NAT. Then source NAT can be overload, which means using one IP, and everybody will use that one IP, just like in our home, one IP, which I showed you, my IP.
So, inside I have a number of systems connected. They are all using only one IP to access the whole world.
So, this type of NAT we call overload: it will use one IP again and again. But on FortiGate, one IP can support up to this number of ports, 60416; one IP can translate this much, not more.
So, if you have so many people going outside and it reaches 60416 sessions, I'll say sessions so that you can understand better, because every session creates a new port, it will not work.
So, it will stop working if it reaches 60416, because one IP has only this many ports. In most cases they are using the outside interface IP.
So, these are my inside PCs: one, two, three, four, five, just like my home.
So, when we are going out, we are using this one IP; it does the communication and brings the reply back to give to them.
So, the source changes, we call it source NAT, and because we are using only one IP, we call it overload source NAT. It is only changing the port, not the IP: the same IP, but a different port to distinguish every packet from them. This is overload, the first dynamic source NAT method inside the policy. But suppose you have a big organization with so many people that 60416 is not enough.
So, what you can do is use dynamic source NAT instead of using one IP. In dynamic you have these methods: overload, one-to-one, fixed port range, and port block allocation.
So, the first one is overload. How many public IPs do you want in the range? The more IPs you give in the range, the more you multiply. Suppose before, when you used only the exit interface IP, only this much was supported, 60416. But this time you say no, I want to use two IPs, and what happens with that range? Two IPs means 60416 multiplied by two; if it is three IPs, by three.
So, you have more choices, more people can connect. This is what we call dynamic source NAT overload. Another one is dynamic source NAT one-to-one; we are still in source NAT. Maybe you say no, I have only two people, and two people want to go outside. So for them you can use one-to-one. One-to-one NAT: suppose you have two internal IPs, you need two public IPs. If you have three people and you have two IPs outside, it will not work; one system will not work. It is just like static mapping in Cisco, in my opinion.
So, this type of method we call one-to-one mapping. Then there is source NAT with fixed port range. You can fix the port numbers for a specific IP: this IP is allowed only up to this many ports, and if one IP exceeds those ports, we will not give it any more connections.
So, we can use fixed port range for that purpose. And the last method for source NAT is port block allocation: you allocate a whole block. Suppose you have a block size of 128 and you multiply it; this is used when they have a huge farm, something like that. Suppose the total block size you give them is 128.
So, this is the support: one IP can support up to 60416, and you multiply by the block size; you can see in port block allocation how many sessions they can support.
So, you multiply this one by that one, 128 by a single IP range, which I told you, and you get the number from here.
So, this is your maximum size. When we do the practical, I will show you how it works. Then we have a new concept, which is called central NAT. Instead of inside the policy, all these things that you can do inside the policy you can do centrally, from a centralized location, instead of going into the policy and doing it again and again in every policy.
So, if you have 100 policies, you have to repeat the concept 100 times.
So, there is a new way, which we call central SNAT. Central means central, and SNAT means source network address translation.
So, in central NAT, all the control is with central NAT; you configure the rules there, and they are checked from top to bottom like policy rules, in the order you created them. When a packet comes, it will check all the rules from top to bottom; when one matches, it will go there. It's a good way to do it. But central NAT is disabled by default; you have to enable it. We know about system settings; there you can enable central NAT, which I showed you last time, when it was not enabled.
So, this is another way to configure NAT. In the same way we can configure destination NAT, but destination NAT is different. Now the user will come from outside and will access our inside server.
So, this type of thing we call destination NAT. Now either the destination port will be changed, or the destination IP will be changed, or both.
So, now users from the public network will hit our inside server, and for that, destination NAT uses the concept of a VIP, which is nothing but a virtual IP; it is just the concept of destination NAT.
So, when we come to destination NAT, a VIP is nothing but a virtual IP address, so that people can hit it from outside.
So, they will be given the IP from this pool, from this VIP. And how many ways can we configure it? I mentioned: static VIP, VIP with services, and port forwarding, which I told you here. Destination NAT we can configure with a VIP, which means one-to-one; a VIP with services, meaning port numbers like 23, 22, 25; and port forwarding, to forward from one port to another. Okay, so you can configure destination NAT in three different ways.
So, if a user comes from there, they will hit this VIP; the VIP converts them and hands the packet inside, and the reply will be translated again and returned. But you can restrict them to specific services, like allowing only port 23. And maybe they hit from outside on 23, but with port forwarding it will be translated to 2323. Or they can access your service on 2222, but it will be translated to port 22.
So, this type of thing is the VIP with port forwarding. Okay, so these are the critical things about NAT.
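Central source NAT and a port-forwarding VIP for destination NAT, as an added FortiOS CLI example that is not part of the lecture. It assumes the same port1 (WAN) and port2 (LAN) interfaces and constructed sample addresses; once central NAT is enabled, the policy itself carries no NAT option, so source translation comes from the central SNAT rule.

```fortios
# Added example (not from the lecture): enable central NAT, one central SNAT
# rule using the outgoing interface address, and a VIP that forwards external
# TCP 2222 to inside TCP 22. Sample IPs only.
config system settings
    set central-nat enable
end
config firewall central-snat-map
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set orig-addr "all"
        set dst-addr "all"
        set nat enable
    next
end
config firewall vip
    edit "vip-ssh-fwd"
        set extintf "port1"
        set extip 203.0.113.5
        set mappedip "10.0.1.22"
        set portforward enable
        set protocol tcp
        set extport 2222
        set mappedport 22
    next
end
config firewall policy
    edit 20
        set name "WAN-to-LAN-DNAT"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "vip-ssh-fwd"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The inbound policy references the VIP object as its destination; narrow `service` to the port you actually expose and `srcaddr` to the sources that need it, since the VIP alone does not restrict who may reach the mapped host.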