NSE4_FGT-6.4 Fortinet NSE 4 – FortiOS 6.4 – FortiGate Firewall V6.4 Part 12
51. Lecture-51: Policy, Source, One-To-One NAT Lab.
Inside dynamic NAT we have a third option; the second option is one-to-one. So what is one-to-one? As the name suggests: suppose you have three internal IPs, then you need three external IPs. The more internal IPs you have, the more public IPs you need to translate them. Then you will say, why are we using this, why not go directly? The only thing is security. Otherwise, if you configure private IPs, then you need a public IP for communication as well, like normally. Let me give an example. Chandan, if you remember, in the UK and also in southern Europe, in every house, suppose four people are living in one house, all four people have their own car. But in Pakistan and in India, in the whole house we have only one car for the whole house, due to resources. So one-to-one is like the UK. If you are living in the UK in one house, the wife has her own car, the husband has his own car, the son has his own car. So whenever they go shopping, they will start their own car and go. This is one-to-one: inside, in the house, and outside, they have their own car.
This method is called source NAT one-to-one. But in Pakistan, and also in India, we are using the first one, the interface one: we have only one car, and when my brother brings it back, I will take it, then I will come back, and the other guy will take it. So this is called one-to-one. Now, this is not like the other one. Let me go to the left, then maybe it will work, but it will work on a first-come, first-served basis: the person who came first will be assigned the IP. If the pool is finished, nobody else can go. This is the only issue in this one. So let's do it in the same lab. We will use the same topology. This 1916-8114 is outside and 181681 is my inside PC. PC one, two, three and four; outside we have some server and the internet. Let's go to the FortiGate and go again. We are doing it in the policy NAT. So I will go to policy. Click on policy. Okay. And this time I would say I'm not using overload. So I remove overload.
But here I can create it in two ways: either click create here, or come back here to IP pool. So we already created overload. Leave that one, create new, and this time I say one-to-one and choose one-to-one again. This is the range. So I say 109, 216811, 400, 192-168-1141, let me keep them. Okay. Sorry. This is 10 one. I cannot give them that, and this should be 10 two. Why do I have to use this range? 192, 168, am I using this 1192 1610? No, oh yes, okay, I used it in the other one, so let me give them, suppose, 202, because 10 one I used in the overload, the other one, that's why it gave me an error. So I say my external range starts from 200 and finishes at 202; let me make it 201. So how many IPs? One IP. Two, two IPs. Sorry. Okay, so that was overload; that's why it gave me an error. Now 200 to 201 is not used. The reference means the first one is used. This one is not used. That's why, let me go to IPv4 policy again, and this time I will say I don't need overload and I want to use one-to-one, and okay, now you will feel the difference.
What is the difference in this policy now? First-come, first-served basis. If PC one does communication first, the first IP will be assigned to PC one, which is 200, and when PC two visits, 201 will be assigned, and that's it. When server three tries to reach out, it will not work until these two IPs have been returned, meaning nobody is using them. Let's see. So let me go to PC one; they are visiting Twitter, yeah, it's working. And let me go to this one. So Amazon is working, the PC is working, and let me go to the server. Let me try ping; before, the thing was working. It will not work here. Twitter is working, let me refresh it. It is working and Amazon is working. But the server says temporary failure. It's not a temporary failure. They cannot even... I can ping the IP, the outside IP; it will not work. Yeah, it will start working if those two IPs are released to them. So if I go to FortiView, all sessions, I have only two IPs which are being used: one one uses 201, one two uses 200. That's why server three cannot go, because this is one-to-one NAT. The more I have in the range, the more my inside PCs can go outside, but in this case they cannot go; only two IPs are used. Yes. If I end this session, then this PC has some chance to start working. So let me say okay, now I terminated the session, and look at it: it started, it captured the time. So the first IP, the second IP is now assigned to one three, because there were three; it is one three. If I show you now, he gets the chance. So if it gets the chance, one three.
So the session is showing me one three is used and one one, so who is not being used? One two, and who is one two? Then their PC will not work anymore. Sorry, where is one two? It is PC two. So I don't know which is PC two. I think it's this one; it will not work if I click on Facebook, it will not open again. Same story if I stop this ping, because he is using the IP one one; either you have to wait for the timeout, they have some time interval, or you can disconnect them this way, in the session. Okay, now this will start. It will be released to him and his Facebook, whatever is existing. Look at it start. Before, Facebook was just moving around. This is called one-to-one NAT. And also you can verify this one if you go to the FortiGate admin, one, two, three, through the command line: get system session list. So one dot two is using the 201 IP and one dot one is using the 200 IP.
Again we are using source NAT; for destination there is nothing, because this is not destination NAT we are using. We are doing source NAT, the third method, and in source NAT, the second method in dynamic NAT, is what we are doing. Let me come back here again. So in source NAT we did interface, then we did dynamic overload, and this one is one-to-one. So why are they calling it one-to-one? Because here also we are defining two IPs as a range, right? Two IPs. I mean, in Cisco, you remember, we called them a dynamic pool. Yes sir, yes. And it was the same concept there as well, but they changed the name to one-to-one; I mean the concept is dynamic. Sorry, dynamic.
So you have a pool of IPs, and on a first-come, first-served basis you will get the IP. So it means 1000 people can go outside, but at one time only as many people can go outside as you have in the range. Suppose you have two in the range, so two people can go at the same time. If you have ten IPs in the range, ten users can go at the same time. That's the only disadvantage of this one. Otherwise, like suppose in your house you have two cars, so two people at the same time can go outside. So when the car is back, the other two people can take it to go out. So when they are coming back, they can use it. So anyway, they call it one-to-one; otherwise the name does not suit it. They changed the naming, by the way, which is not good, but at the end of the day the concepts are similar. Okay, so then there is nothing more to show you, just the way to work with one-to-one.
52. Lecture-52: Policy, Source, Fixed Port Range NAT Lab.
Source NAT. In dynamic NAT we have a third method, fixed port range. Let's discuss port range, and then I will show you fixed port range. You know in one-to-one we can define that many IPs, more IPs by the way. But in one-to-one we have, suppose, two or three IPs. So those three IPs can be utilized at the same time. But many PCs can use those three IPs because we give them a range. There is the range; first-come, first-served, you can go and use this IP. But in fixed port range we divide the ports on a per-IP basis. Each IP can use that many port numbers, because we have a limitation of ports. Those port numbers which I have written here. One IP can support 60 4116. Let me show you from here. Maybe you will be a bit confused by this one. This affects the port range. Suppose I have an internal system, an internal source IP. In my case I have 100 and 921-681-1213 and one four which will be translated. Suppose one IP or more IPs, a range of IPs. So per IP I will give them a specific port range. So each IP can use only that port range. If they exhaust their range, then that IP will be used less. They can use up to that range of IPs. So this is why the name is fixed port range. They will give them a fixed port range.
This is your range of ports per IP. You can use this one; last time, the first one, interface, could use up to these ports, 60 4116. But this time they will divide them by pool. The more you pool, the fewer ports you will be assigned. It will divide. Suppose you have two IPs, it will divide from 5112. It will divide twice. Suppose we are five people and we have something to divide, so it will be divided five times, so we will get less. If we are two people with the same stuff, it will be divided, so we will get more. So this is what we call fixed port. But in fixed port you have to define your internal range of IPs as well: these people will go outside, but the IP is similar; either you can give them a range, or you can give one IP as well. But the ports will be divided per IP. You will say, why do we need this one? Suppose one user is accessing a website and then accessing Twitter, Facebook, and so many things, and when you come, they say there is no port to allocate to you. You will say, why, we have so many? They will say no, that person used everything. Like maybe in one house you have a brother, but one is eating too much, and they put something out and you just went to wash your hands.
When you come back, nothing is there. So you say, why? What, I believe... they say no, it's finished. He ate everything. So you will say, why? You have to keep something aside for me. When you made some food, you have to set aside that this is for him, for Chandra. When he comes from the office, he has to eat, because they will finish this dinner before him. So fixed food means not one person. If they are eating too much, they will say no, we don't have much more; the one which they keep for your brother, what you can... So fixed port will allocate per IP. In this way one person will not capture all the ports and leave nothing for the other IPs. So if you have an environment like this and you are worried that one person is eating too much and the other one is not, use fixed port. That's the only thing; otherwise it's not used in the real world too much. So let me go to the firewall and see how we can configure fixed port. So we go to Policy, IPv4 policy, allow all, and go to NAT.
Again this is coming under the dynamic category. Close this one, and when you click, nothing is there. Again we have to go to IP pool. Either you can click from here, create; so let me show you from here, because we already created two so that you can see, and create new. This time I will say fixed port range. I give it the same name. So overload you can use again and again, and you have a range of IPs so you have extra ports. One-to-one is the only one where you can utilize only those IPs, the ones you have in the range. But for the rest, all three, there is no restriction. So now fixed port, they say external, so I say 109, 2168-114-2519 and 1921-681-1425.
You can give them a range and you can give them a single IP. So what is the issue? The issue is here. This 192.168.1.1 is my first IP and 192.168.1.3 is the last, one, two, three. I exclude this guy so he will not access anything. The ports will be divided among these three guys, fixed port allocation, because I have only one IP, so one IP can support how many ports? 60416. It will be divided three times. So one IP can use its ports. So if it is finished, they have to wait; they cannot use the other guy's port numbers. And okay, now go to Policy, IPv4 policy, allow all, and click on dynamic and use fixed port range. Okay. You will not see any huge difference, because again more people can go at the same time because the IP will not be exhausted. So if I go to session and let me generate traffic from here, and let me generate again another traffic from the same IP and the same Twitter. So this one guy can go to Twitter, Amazon and some other thing; yes, they can go, they can go to Facebook and they can visit Amazon at the same time, and they can visit Wikipedia as well. And also the server can visit at the same time, ping, and R1. Let's try R1: it will not work because I did not put him in; normally he is not taking dinner, so I excluded him from the dinner. So this is also very important. So if you have a user, you have to include them in the internal range, otherwise they will not go and it will not work. Very sorry, Policy and Objects, IP pool, one-to-one, sorry, not one-to-one, the other one, fixed port; so it's going only to three. So they give the ports to three only. But when my brother came to the dinner, he said no, today I will take dinner.
So they said no, normally you are not taking dinner, that's why we excluded you. It's not working. So let me put in four; then the ports will be less now, and he will start working now. But now the dinner which was ready for three people, unfortunately your brother said no, I have to take it now; the ports will be divided more, so it will become less per IP. This is the only difference. So this thing is clear: this range is important, the internal range, and fixed port. And also fixed port means per IP a specific range is allocated, and when they exhaust their range, they cannot use any more sessions. And how can we verify? Go to FortiView, and if you check the session, everyone will be assigned 252 52 50. But this is not like the interface one, the first one, you remember, the first method, interface. What is the difference? Here we are also using one IP. Here we are also using one IP. The difference between the interface one and this one, fixed port: let me show you how many ports we can use per IP. 60, 4116. And this one guy, suppose he generates huge traffic. He goes to Facebook, Twitter.
They say they create ports, and all the ports are utilized by this guy, even though many people can use this IP to go out. But unfortunately, when the other guy tries to access, the firewall tells them, I'm really sorry, we don't have many ports. We have that many ports, which are always utilized by this one guy. So unfortunately I cannot take your traffic. Even though I can take it, because I can convert all IPs to one IP, this is meaningless, useless, because I don't have any ports; they are used by one IP. Then this guy will ask this firewall, why? Then why am I sitting here? If one guy is eating everything and nothing is permitted, then why am I here? So the solution is this one, fixed port. Where is it... what the hell, it is too far away. Where was this? No, this one, fixed port. Now the same story applies here on this same topology. Now this time we configure fixed port, so sorry, now we have how much we can allocate per IP; again we are using only one IP, 256 0416, and how many systems do we have inside? Two. It will be divided twice. Suppose I would say 30,000 for this one. So when this guy tries to go out and creates too much, when it reaches 30,000 they will tell him stop, that's it.
Then that guy will ask him, no, there is too much, let me use that one. So this firewall will ask him why, and what about that guy? What will he do if you use the other one? So in this one, the method which we apply now, the firewall can tell him that you cannot use more. You exhausted your part. Now the remaining belongs to someone else. This is the only advantage of fixed port. I tried to show you in a real-world scenario. And now the rest of the thing is the same. One one, one two, one three, one four, every IP is translating to one IP. It came with two IPs as well. Don't be confused. The only thing is the ports will be more; that is, if I go to IP pool, fixed port range, instead of one IP I can do 54. It's okay. The only difference now is I have more ports to divide. The more the internal IPs will get more sessions and they can create more sessions, because per IP you get that range all the time. I'm 60, 4116, that's it. And you can verify from anywhere graphically. And also you can use... So now one two is using 251, because we increased the IPs; one one is using 252, 50 and 250. If I generate more traffic, it will look at the other IP as well. It can be any IP; there is no restriction. So in the three methods which we did, there is no such restriction. The only restriction is this one. One-to-one... overload has no restriction. Static NAT has no restriction, meaning per-IP basis, and fixed port has no restriction. Yeah, there is a limitation, but limitation is a different thing. One-to-one has some restriction: only those people can go. The more you have in the pool, the more people can go. That's the only thing in this one. Okay?
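The two labs above (lecture 51, one-to-one; lecture 52, fixed port range) as FortiOS CLI configuration, added here as an example and not taken from the course. Interface names (port1 outside, port2 inside), the inside subnet 10.1.1.0/24 and the exact pool addresses are assumptions for this lab.

```fortios
# Added example, not from the course: CLI form of the GUI steps in the lab.
# Assumed: port1 = outside, port2 = inside, inside hosts 10.1.1.1-10.1.1.4.

# One-to-one pool: two public addresses, handed out first-come, first-served.
# While hosts .1 and .2 hold sessions, a third host gets no translation
# until one of those sessions times out or is cleared (the "temporary
# failure" seen on server three in the lab).
config firewall ippool
    edit "one-to-one"
        set type one-to-one
        set startip 192.168.1.200
        set endip 192.168.1.201
    next
end

# Fixed-port-range pool: a single public address whose source ports are
# split equally across the internal range, so one busy host cannot starve
# the others. Hosts outside source-startip..source-endip (here 10.1.1.4)
# get no translation at all, which is why R1 failed until it was added.
config firewall ippool
    edit "fixed-port-range"
        set type fixed-port-range
        set startip 192.168.1.25
        set endip 192.168.1.25
        set source-startip 10.1.1.1
        set source-endip 10.1.1.3
    next
end

# Outbound policy: NAT enabled with the pool chosen by poolname.
# Swap "one-to-one" for "fixed-port-range" to move from lab 51 to lab 52.
config firewall policy
    edit 1
        set name "allow-all"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "fixed-port-range"
    next
end

# Verification used in the lecture (CLI) and its more detailed counterpart;
# both show which translated address each inside host has been given.
# get system session list
# diagnose sys session list
```

Whichever pool is active, a host that is denied translation fails silently from its own point of view, so the session list is the first place to check when one inside host can reach the internet and another cannot.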