20450 Views 14 Replies Latest reply: Jan 22, 2013 4:33 AM by Navneet.Gaur RSS

NATING ( inside local , inside global , outside local , outside global)

Oct 25, 2010 5:56 PM

Abid 33 posts since
May 27, 2010

Good Evening Everyone

 

I was reading about NATing, and while reading I was also doing some testing on a work lab. I have a question in mind that I would like to share with you guys. In the Cisco design self-study book, 2nd edition, it says:

 

  • Inside local IP address: The IP address assigned to a host on the inside network. The address is typically an RFC 1918 (Address Allocation for Private Internet Space) address.
  • Inside global IP address: A globally unique IP address (typically assigned by an ISP) that represents one or more inside local IP addresses to the outside world.
  • Outside global IP address: The IP address assigned to a host on the outside network by its owner. The address is globally unique.
  • Outside local IP address: The IP address of an outside host as it appears to the inside network. The address is typically allocated from address space that is routable inside.

 

My question :

 

ip nat source static 192.168.1.1 192.168.117.1 

This means that IP address 192.168.117.1 is the IP address provided by the ISP, right, even if it is a private IP address?

please advise

 

When I do # sh ip nat translation

 

Pro     Inside global         Inside local       Outside local      Outside global
---      192.168.117.1        192.168.1.1              ---                     ---

 

Thanks for your time

  • Martin 13,076 posts since
    Jan 16, 2009

    Inside = my company

    Outside = your company

  • Scott Morris - CCDE/4xCCIE/2xJNCIE 8,396 posts since
    Oct 7, 2008

    All of those commands give a "before" to "after" way to read it.

     

    ip nat source static 192.168.1.1 192.168.117.1 

     

    So the address starts on the inside of your network (default) and the "before translation" address is 192.168.1.1.  The way it looks outside your network (globally) is the "after translation" address of 192.168.117.1.

     

    HTH,

     

    Scott

  • Sey 1,388 posts since
    May 4, 2010

    • Inside Global IP address : A globally unique IP address (typically assigned by an ISP) that

      represents one or more inside local IP addresses to the outside
      world.

     

    ip nat source static 192.168.1.1 192.168.117.1 

    This means that IP address 192.168.117.1 is the IP address provided by the ISP, right, even if it is a private IP address?

    please advise


    192.168.117.1 doesn't have to be provided by an ISP. An inside global IP address is typically globally routable, because we usually translate private addresses to access the Internet.

     

    But that's not always the case. You can NAT-translate anything to anything, like in the example shown by you.

     

    So in your case 192.168.1.1 is inside local, whereas 192.168.117.1 is inside global.

  • Martin 13,076 posts since
    Jan 16, 2009

    No, you cannot pick a random IP address for outside; the ISP provides global IPs.

  • Sey 1,388 posts since
    May 4, 2010

    ISP will never give you address 192.168.x.x, nor 10.x.x.x, nor 172.16.x.x

    This is not exactly true. There are lots of ISPs who do not have enough public IP addresses for their clients, so they are NATing the latter. Moreover, some providers give two IP addresses to their clients: a private one (usually from 10.0.0.0/8), assigned by DHCP, and a public one, obtained by PPPoE, or PPTP, or L2TP, or simply a static public address(-es) routed through the private network.

  • Hi Abid,

    Yes, the IP address 192.168.117.1 is the IP address provided by the ISP even though it is in the private IP range.

    However there are two stages that are implemented over here.

     

    Stage 1.

    Your inside address (connected to your computers) is 192.168.1.x

    Address that ISP is using to identify your connected end (to the ISP) is 192.168.117.1

     

    Stage 2.

    At ISP's routers - if I may say so, this address is undergoing another network address translation before being released on the net.

    For example, your ISP may be converting 192.168.117.1 further to 91.5.5.1, and 91.5.5.1 is assigned to your ISP as a unique IP address within the Internet.

    So in the internet, it may appear that the request is coming from globally unique IP of the ISP.

    For instance, at Google's server it will appear that the request originated from 91.5.5.1 and on the journey back, it will be converted to 192.168.117.1 at ISP's router and to 192.168.1.1 at your router.

    Take care.

    (I am afraid I am unable to revert the italics - so I have to type using italics)

  • Paul Stewart  -  CCIE Security, CCSI 6,971 posts since
    Jul 18, 2008

    I will have to say that you typically don't see an internal address being nat'd out to another RFC1918 (private) address.  However, circumstances may justify that if there is more nat happening elsewhere.  I wanted to also address the naming of inside local, inside global, outside local and outside global.  The wording is very confusing.

     

    Using your original example.

     

    ip nat source static 192.168.1.1 192.168.117.1

     

    The first word of interest is "source".  We are doing source IP address translation.  Since all IP addresses have source and destination addresses, this command only concerns itself with the 32 bits that are the source IP address in a packet. 

     

    The next component of interest is this so called inside local address.  This is actually the IP address of a device on the inside of the network.  This inside interface is identified with the "ip nat inside" statement.  So we need to orient our (and the router's thinking) with the flow of the packets.  This inside local address would be the source IP address in packets that will flow outbound through the nat process (packet flowing from interface tagged as 'ip nat inside' to an interface tagged as 'ip nat outside').  This address is found as the source prior to the actual NAT process.

     

    As these packets flow outbound,  this inside local source address is changed from 192.168.1.1 to 192.168.117.1.  This 192.168.117.1 is the inside global.  This is the address that would be found in the source of the OUTBOUND packet AFTER the NAT process.

     

    So if we are simply looking at outbound packets, inside local and inside global might be better understood as local source address and global source address.  However, the thing we must remember is that traffic flow is bidirectional.  So we have to keep in mind that inbound traffic follows a mirror of the translation.

     

    Now let's consider inbound traffic (traffic passing inbound would arrive at an interface tagged as 'ip nat outside' and would be passing to an interface tagged as 'ip nat inside').  A packet arriving on the outside interface with a destination address of 192.168.117.1 (the inside global address), would have the destination translated to 192.168.1.1 (the inside local address).  Therefore, we aren't just looking at the source address field.

     

    Local vs. Global

     

    Local = addresses as they would appear behind the 'nat inside' interface

    Global = addresses as they appear on the 'nat outside' interface.

     

    Inside vs. Outside (This is the confusing part)

     

    So relative to outbound flow (ip nat inside to ip nat outside)

    inside = we are looking at or manipulating source addresses in a packet

    outside = we are looking at or manipulating destination addresses in a packet

     

    Now let's look at the output from the "show ip nat trans"-

     

    Pro     Inside global         Inside local       Outside local      Outside global
    ---      192.168.117.1        192.168.1.1              ---                     ---

     

    -----[a]---nat inside---<RTR>---nat outside-[b]---

     

     

    Suppose I have a web client at 192.168.1.1 on the inside and it is talking to a www server at 199.199.199.199.

     

    I would expect to see inbound and outbound traffic.  Here is what the TCP handshake would look like at "[a]".

    > Client to server (SA,DA): 192.168.1.1,199.199.199.199 - SYN
    < Server to client (SA,DA): 199.199.199.199,192.168.1.1 - SYN,ACK
    > Client to server (SA,DA): 192.168.1.1,199.199.199.199 - ACK

    I would expect to see inbound and outbound traffic.  Here is what the TCP handshake would look like at "[b]".

    > Client to server (SA,DA): 192.168.117.1,199.199.199.199 - SYN
    < Server to client (SA,DA): 199.199.199.199,192.168.117.1 - SYN,ACK
    > Client to server (SA,DA): 192.168.117.1,199.199.199.199 - ACK
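    As an added illustration of Paul's walkthrough (not code from the thread or from Cisco), the Python model below applies the static entry to the same three-way handshake and returns the packets as seen at [a] and at [b], using the addresses from the example above. The Packet class, the outbound/inbound functions and translation_row are names of my own, chosen to mirror the "local = before NAT, global = after NAT" reading of the entry.

```python
from dataclasses import dataclass, replace

# Assumed values, taken from the thread's own example:
# "ip nat source static 192.168.1.1 192.168.117.1" and the web server 199.199.199.199.
INSIDE_LOCAL = "192.168.1.1"      # host as seen behind 'ip nat inside' ([a])
INSIDE_GLOBAL = "192.168.117.1"   # the same host as seen beyond 'ip nat outside' ([b])
STATIC_MAP = {INSIDE_LOCAL: INSIDE_GLOBAL}
REVERSE_MAP = {g: l for l, g in STATIC_MAP.items()}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str

def outbound(pkt: Packet) -> Packet:
    """inside -> outside: 'ip nat source' rewrites only the source field (local -> global)."""
    return replace(pkt, src=STATIC_MAP.get(pkt.src, pkt.src))

def inbound(pkt: Packet) -> Packet:
    """outside -> inside: the mirror of the same entry, applied to the destination field."""
    return replace(pkt, dst=REVERSE_MAP.get(pkt.dst, pkt.dst))

def handshake_views(client: str, server: str):
    """Return the TCP handshake as two lists: the packets seen at [a] and the packets seen at [b].
    SYN and ACK originate at [a] and cross the router outbound; the SYN,ACK originates at [b],
    addressed to the global address the server saw in the SYN, and crosses inbound."""
    syn = Packet(client, server, "SYN")
    ack = Packet(client, server, "ACK")
    syn_ack_at_b = Packet(server, outbound(syn).src, "SYN,ACK")
    at_a = [syn, inbound(syn_ack_at_b), ack]
    at_b = [outbound(syn), syn_ack_at_b, outbound(ack)]
    return at_a, at_b

def translation_row() -> tuple:
    """The static entry in 'show ip nat translation' column order; a static entry has no ports."""
    return ("---", INSIDE_GLOBAL, INSIDE_LOCAL, "---", "---")

if __name__ == "__main__":
    at_a, at_b = handshake_views(INSIDE_LOCAL, "199.199.199.199")
    for tag, view in (("[a]", at_a), ("[b]", at_b)):
        for p in view:
            print(f"{tag} {p.src},{p.dst}-{p.flags}")
    print("%-4s %-18s %-18s %-18s %s" % translation_row())
```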

  • Hi Paul.

    Thank you for explaining the distinction between Local Vs Global and Inside Vs Outside.

    These are the terms that are confusing when stated as a combination.

    Your reply cleared the last bit I needed to understand about NAT.

    Navneet.

  • Kmord01 17 posts since
    Feb 18, 2010
    10. Sep 8, 2011 6:15 AM (in response to Abid)
    Re: Thank you for the explanation.

    I too am struggling with this concept. I think I get Inside Local being the inside network (your local address, assigned by you). But I don't understand how an ISP's address that is assigned to you is inside global. To me, inside means inside your network, and global means outside the network (but that is just my silly logic). But going by your statement "Local = addresses as they would appear behind the 'nat inside' interface. Global = addresses as they appear on the 'nat outside' interface", what address is the outside local address (as that is still in your network, right)? Is that just an address translation, say on a LAN inside a network? And what is the outside global address? Is that the address that the ISP-assigned address given to you translates to, a more public address (as I thought that the ISP address assigned to you was internet facing anyway)? Any clarity provided to my silly logic would be greatly appreciated.

  •
    11. Sep 8, 2011 10:19 AM (in response to Kmord01)
    Re: Thank you for the explanation.

    Hi.

     

    1. I have made an effort to explain the terms in the following document.

     

    https://learningnetwork.cisco.com/docs/DOC-12874

     

    2. Please go through it very slowly - take two days, if you may.

     

    3. If you need further explanation, please feel free to ask.

     

    Take care.

  • Rusdi 23 posts since
    Jan 31, 2012

    Hi.

     

    I am a bit confused about this.

     

    Rack01R4#sh ip nat translation

    Pro  Inside global      Inside local       Outside local      Outside global
    icmp 100.100.100.4:3   6.6.17.7:3         6.6.42.10:3        6.6.42.10:3
    icmp 100.100.100.4:9   6.6.17.7:9         100.100.200.4:9    100.100.200.4:9
    ---  100.100.100.4     6.6.17.7           ---                ---
    icmp 100.100.200.4:3   6.6.42.10:3        100.100.100.4:3    100.100.100.4:3
    icmp 100.100.200.4:9   6.6.42.10:9        6.6.17.7:9         6.6.17.7:9
    ---  100.100.200.4     6.6.42.10          ---                ---

     

     

    What do the values marked in red colour mean?

    Really appreciate if someone can explain..

     

    Thanks

  • pradeep 1 posts since
    Nov 9, 2012

    Hi Rusdi,

     

    These red-marked numbers are random TCP port numbers. I believe NAT overload is configured.

     

    thanks,

    pradeep

  • Hi.

     

    1. Port 3 implies compression

     

    2. Port 9 implies 'discard', implying that the data is discarded after being read, on reception.

     

    No reply or acknowledgment is sent by Layer 4.

     

    This is usually used for testing purposes to check if the computer at the other end is functional.

     

    For instance it is used by 'Wake on LAN' packets, where the receiving computer is 'woken up'.

     

    Some games and at times viruses too use this port.

     

    Take care.
