Note: I have search committee obligations and can't come to lab today

Brief history:
  - IPv4 came out in 1981
  - We had plenty of addresses then
  - It was classful
  - By 1993, we needed CIDR
  - Goals from Wikipedia for this
  - NAT has helped keep us going

Let's turn on NAT: (I'll remove this when I've tested this process...)
  In the public interface:
    ip nat outside
  In the private interface:
    ip nat inside
  In global configuration (the access list selects the inside addresses to translate; the interface named is the public one; both arguments are placeholders here):
    access-list 1 permit <inside-network> <wildcard-mask>
    ip nat inside source list 1 interface <public-interface> overload

Assuming that worked:
  - NAT allows use of local IPs on computers with Internet access
  - Used all over the place
    - We've got it here
    - I have it at home
  - You don't need NAT if you have enough IP addresses!
    - Example: When I worked at WWU
    - Another example: When I worked at WSU

Opinion: NAT is NOT a security measure
  - Just a security blanket
  - A firewall is a security measure
    - Your router should pass on only the traffic you want it to, regardless of NAT or no NAT
    - If you don't want access to a machine from outside, block it, NAT or not
    - If you want access to a machine from outside, enable it, NAT or not
  - This explanation is pretty good: https://weberblog.net/why-nat-has-nothing-to-do-with-security/
  - My summary: NAT is a weird hack we've gotten really used to

IPv6 avoids the need for NAT
  Imagine this subdivision of the 128-bit address:
    - First 48 bits: identify an Internet-facing network
    - Next 16 bits: identify a subnet in that network
    - Last 64 bits: identify a host inside that subnet
  - In that schema, the 48-bit MAC is shorter than the host part, so imagine that the MAC forms part of the host ID
  Addressing a packet from that network:
    - Source address: 48-bit NID, 16-bit subnet ID, 64-bit host ID
    - Destination address: exactly the same layout
  - This method would work for servers, desktop PCs, phones, whatever: one plan for all
  - The firewall could implement different access control per kind of host:
    - Servers: allow designated ports
    - Desktops: no incoming except to ports 22 and 3389, and only if the user asks
    - Mobile: no incoming connections
  - This is pretty much the policy WSU had (with IPv4); WWU was more open

How's the firewall do that?
  - "Outgoing" connection: TCP originates from inside (the SYN comes from inside)
    - Port on the inside is high-numbered (an ephemeral port)
    - Inside established the TCP session first
  - "Incoming" connection: TCP originates from outside (the SYN comes from outside)
    - Port on the inside is low-numbered (a service port)
    - Inside did not previously establish a TCP session
  - UDP has no sessions, but:
    - Still have a high-numbered source port on the inside
    - Still have the previous outgoing traffic, so the firewall knows when to expect a response

Note about the host portion:
  - It's often called the "Interface ID" in IPv6
  - IPv4 allowed multiple addresses per network card, but it's not used much
  - IPv6 does too, and uses it routinely: every interface has a link-local address plus any global ones, so the last 64 bits identify an interface rather than a whole host, and a host might have multiple "interfaces"

Note about the network portion:
  - 2001::/16 is the global routing prefix you'll see most often (global unicast in general is 2000::/3)
  - FE80::/10 is link-local, more useful than with IPv4

Subnet mask:
  - In the example above: /48 network, /64 subnet
  - Don't write 255.255.255.255.255.255.255.255.0.0.0.0.0.0.0.0: too much counting
  - Prefix lengths eliminate the motivation for splitting hairs with subnet masks
    - You still can
    - Does the CCNA? Book suggests multiples of 4
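The firewall behaviour sketched above (classify by which side sent the SYN, let UDP responses back in only after matching outbound traffic, and apply a per-host-class rule to genuinely new incoming connections) as an added example, not code from the original notes or from any real firewall product. The inside prefix, the host addresses, the role table and the server's "designated" ports are all constructed for illustration:

```python
"""Stateful filtering by connection origin plus per-role incoming rules.
Added example for these notes.  Inside prefix, hosts, roles and the server's
designated ports are constructed; session aging and TCP teardown are omitted.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP flags; ignored for UDP
    ack: bool = False


# Which TCP ports outside hosts may open new connections to, per host class.
POLICY = {
    "server":  {"tcp_in": {80, 443}, "opt_in": False},  # designated ports (constructed)
    "desktop": {"tcp_in": {22, 3389}, "opt_in": True},   # and only if the user asked
    "mobile":  {"tcp_in": set(),      "opt_in": False},  # no incoming connections at all
}


class StatefulFirewall:
    def __init__(self, inside_net: str, roles: dict[str, str]):
        self.inside = ipaddress.ip_network(inside_net)
        self.roles = {ipaddress.ip_address(a): r for a, r in roles.items()}
        self.opted_in: set = set()   # (desktop address, port) pairs the user opened
        # Keys: (proto, inside_addr, inside_port, outside_addr, outside_port).
        # Anything here was started (or explicitly accepted), so replies are expected.
        self.sessions: set = set()

    def _norm(self, addr: str) -> str:
        return str(ipaddress.ip_address(addr))

    def _inside(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.inside

    def user_opens(self, host: str, port: int) -> None:
        """A desktop user asks for inbound access to one port (e.g. 3389 for Remote Desktop)."""
        self.opted_in.add((ipaddress.ip_address(host), port))

    def filter(self, p: Packet) -> str:
        """Return "allow" or "drop" for one packet crossing the inside/outside boundary."""
        src, dst = self._norm(p.src), self._norm(p.dst)
        src_in, dst_in = self._inside(src), self._inside(dst)
        if src_in and not dst_in:
            # Outgoing: the inside originated it, so remember it and expect a reply.
            self.sessions.add((p.proto, src, p.sport, dst, p.dport))
            return "allow"
        if dst_in and not src_in:
            if (p.proto, dst, p.dport, src, p.sport) in self.sessions:
                return "allow"      # TCP reply or UDP response to inside-originated traffic
            if p.proto != "tcp" or not p.syn or p.ack:
                return "drop"       # unsolicited UDP, or TCP that is not a fresh SYN
            # A genuinely new incoming TCP connection: apply the destination's role policy.
            host = ipaddress.ip_address(dst)
            rule = POLICY[self.roles.get(host, "mobile")]   # unknown hosts get the strictest rule
            if p.dport not in rule["tcp_in"]:
                return "drop"
            if rule["opt_in"] and (host, p.dport) not in self.opted_in:
                return "drop"
            self.sessions.add((p.proto, dst, p.dport, src, p.sport))   # rest of handshake passes
            return "allow"
        return "drop"   # inside-to-inside or outside-to-outside never transits this firewall


if __name__ == "__main__":
    fw = StatefulFirewall("2001:db8:1::/48", {          # constructed prefix and hosts
        "2001:db8:1:1::80": "server",
        "2001:db8:1:10::d": "desktop",
        "2001:db8:1:20::3": "mobile",
    })
    outside = "2001:db8:ffff::1"
    print(fw.filter(Packet("tcp", outside, 40000, "2001:db8:1:1::80", 443, syn=True)))   # allow
    print(fw.filter(Packet("tcp", outside, 40001, "2001:db8:1:10::d", 3389, syn=True)))  # drop
    fw.user_opens("2001:db8:1:10::d", 3389)
    print(fw.filter(Packet("tcp", outside, 40001, "2001:db8:1:10::d", 3389, syn=True)))  # allow
```

Nothing in the decision depends on address translation: the same code would work in front of private IPv4 addresses with NAT or in front of globally routable IPv6 addresses without it, which is the point the notes make. A production firewall additionally ages out the session table and handles FIN/RST; those are left out to keep the origin logic visible.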
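The 48/16/64 layout and the "MAC as part of the host ID" idea above, carried through as an added example that is not from the original notes. It goes one step beyond the text by using modified EUI-64 (RFC 4291, Appendix A), the standard way a MAC is turned into a 64-bit interface ID; the 2001:db8::/32 prefix is the documentation range and the MAC is made up:

```python
"""Lay out an IPv6 address as 48-bit network / 16-bit subnet / 64-bit interface ID.
Added example for these notes, not code from the original page.  Assumptions: the
interface ID is built with modified EUI-64 (RFC 4291, Appendix A); 2001:db8::/32 is
the documentation prefix and the MAC used below is constructed.
"""
import ipaddress

NET_BITS = 48       # Internet-facing network
SUBNET_BITS = 16    # subnet within that network
IID_BITS = 64       # interface (host) ID


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: split the 48-bit MAC, insert FF:FE, flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02                       # the U/L bit is inverted in the modified form
    return int.from_bytes(eui, "big")


def build_global(network48: str, subnet_id: int, mac: str) -> ipaddress.IPv6Address:
    """48-bit network ID | 16-bit subnet ID | 64-bit interface ID derived from the MAC."""
    net = ipaddress.IPv6Network(f"{network48}/{NET_BITS}", strict=True)
    if not 0 <= subnet_id < (1 << SUBNET_BITS):
        raise ValueError("subnet ID must fit in 16 bits")
    return ipaddress.IPv6Address(int(net.network_address)
                                 | (subnet_id << IID_BITS)
                                 | eui64_interface_id(mac))


def build_link_local(mac: str) -> ipaddress.IPv6Address:
    """The same interface ID under the FE80::/10 link-local prefix."""
    return ipaddress.IPv6Address((0xFE80 << 112) | eui64_interface_id(mac))


def split(addr: str) -> tuple[str, str, str]:
    """Recover (network /48, subnet /64, interface ID) from an address in this layout.
    Prefix lengths do the work a dotted mask would do in IPv4."""
    a = int(ipaddress.IPv6Address(addr))
    net_mask = ((1 << NET_BITS) - 1) << (128 - NET_BITS)
    sub_mask = ((1 << (NET_BITS + SUBNET_BITS)) - 1) << IID_BITS
    iid = a & ((1 << IID_BITS) - 1)
    iid_text = ":".join(f"{(iid >> s) & 0xFFFF:04x}" for s in (48, 32, 16, 0))
    return (str(ipaddress.IPv6Network((a & net_mask, NET_BITS))),
            str(ipaddress.IPv6Network((a & sub_mask, NET_BITS + SUBNET_BITS))),
            iid_text)


if __name__ == "__main__":
    mac = "00:1A:2B:3C:4D:5E"                               # constructed MAC
    addr = build_global("2001:db8:1::", 0x10, mac)          # 2001:db8:1:10:21a:2bff:fe3c:4d5e
    print(addr)
    print(build_link_local(mac))                            # fe80::21a:2bff:fe3c:4d5e
    print(split(str(addr)))
```

One caveat worth knowing when you see MAC-derived interface IDs: they follow the machine from network to network, so the same host is trackable wherever it connects. That is why current operating systems default to privacy or stable-privacy interface IDs (RFC 4941 and RFC 7217) for global addresses, while the link-local address may still be EUI-64 based.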