3 Replies Latest reply: Feb 19, 2012 8:40 AM by Dr. RDX

    NAT (outside,inside)

    Dr. RDX

      I have confusion between NAT (inside,outside) and (outside,inside)


      As per my understanding (inside,outside) will translate the source ip address for data going to outside interface/internet . This is normally used when we want our internal users to access internet etc .


      (outside,inside) is called destination NAT where we have a private server having ip address and we want the outside world to access this server . In a case we have ip address of as outside we would use syntax static (outside,inside) . I have tried this but it didn't work



      Can anyone clarify this issue of (inside,outside) and (outside,inside) .

        • 1. Re: NAT (outside,inside)

          This is one of the things I had to think about for a while. Hopefully I understand it well enough now to give you a meaningful answer.


          Before going into configuration details remember this point:


          A static source translation will translate the source IP address in one direction but will also translate the destination IP address in the opposite direction.


          This has to happen because otherwise the response traffic to a host whose source address was translated would not be "un-translated" and then forwarded on to the true IP address of the initiating host.


          So knowing this, there isn't really a concept of destination NAT (well there is but my understanding is that it is used more for server load balancing than for actual destination NAT how you describe it). As source NAT not only translates the source address in the one direction but the destination address in the opposite, the same concept is used to also perform destination NAT by properly defining the ingress and egress interfaces and the associated IP addresses.


          So let's think of a basic network with an ASA sitting between an "inside" and "outside" network. For the sake of relating it to the real world, the "outside" address connects to the internet and uses public addressing while the "inside" network is the private network and uses RFC1918 private addressing. Now, with this design let's picture a scenario where Server A on "Inside" needs to be published on the Internet.


          In such a case, Server A needs to be accessible from the internet but as it has private addressing needs a translation to be reachable on the internet.

          To be reachable on the internet, connections from the internet need to have destination NAT performed so when they contact the Server A public IP, that connection is translated on the ASA to the private IP of the Server A.

          Remembering that source NAT performs source NAT in one direction and destination NAT in the other, we can use source NAT for server A as this will mean that when server A communicates on the internet its source private IP is translated to a public IP address and when the response comes back it is destination NAT'd to "un-translate" the address again.

          Now being a static NAT, such a translation can be initiated in either direction. It doesn't need to be initiated from the inside as with Dynamic NAT. So hosts on the internet, utilising the source NAT defined for server A, can connect to the public IP address of the server A and when it goes through the ASA it will be destination translated by the same NAT statement that will also perform the source translation, or in this case "un-translation" on the response traffic to the internet hosts.


          So the following configuration will do this


          static (inside, outside) server_a_public_ip   server_a_private_ip


          So knowing this way of operation, then destination NAT as you call it can be performed by actually thinking more about the connection in the way of source NAT, because in the end, to allow bidirectional communication, any destination NAT must also be source NAT'd in the opposite direction.


          So as another example, if we wanted Server B, which has a public IP address and resides on the "outside" network to be reachable via a private IP address on the "inside" network, we can implement this in the same fashion. In this case, hosts on the inside network target a private IP address for server B and when this goes through the ASA this address is translated to the public IP of server B on the outside network. In effect, this is doing what you talked about, it is translating the destination IP. But the response traffic, like before, needs to have the source address translated on return so it can be "un-translated" when returning to the inside network. In such a case, we configure the source NAT for server B which like the source NAT for server A, performs source NAT in one direction and destination NAT in the opposite direction. So it would look something like this


          static (outside,inside) server_b_private_ip   server_b_public_ip


          This would perform the destination NAT you are talking about but it is really just a static source NAT configuration.


          Remembering the standard format of the ASA NAT command as below, one can then perform the required source/destination NAT in different directions on the ASA


          static (ingress_int, egress_int) ip_on_egress_int   ip_on_ingress_int


          I hope this helps.
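
A small model of the static rule semantics described in the answer above, added here as an example and not part of the original thread. It assumes constructed interface names, RFC 5737 documentation addresses for the public side and RFC1918 addresses for the inside, and parses only the classic `static (real_ifc,mapped_ifc) mapped_ip real_ip` form.

```python
import re
from dataclasses import dataclass, replace

# Parses the classic ASA form:  static (real_ifc,mapped_ifc) mapped_ip real_ip
STATIC_RE = re.compile(r"static\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)\s+(\S+)\s+(\S+)")

@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet arrived on
    src: str
    dst: str

def parse_static(line):
    m = STATIC_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"not a static NAT line: {line!r}")
    real_ifc, mapped_ifc, mapped_ip, real_ip = m.groups()
    return {"real_ifc": real_ifc, "mapped_ifc": mapped_ifc,
            "mapped_ip": mapped_ip, "real_ip": real_ip}

def translate(rules, pkt):
    """Apply the first matching static rule to one packet.

    Arriving on the real interface from the real address: the source is
    translated to the mapped address. Arriving on the mapped interface for
    the mapped address: the destination is "un-translated" to the real one.
    """
    for r in rules:
        if pkt.ingress == r["real_ifc"] and pkt.src == r["real_ip"]:
            return replace(pkt, src=r["mapped_ip"])
        if pkt.ingress == r["mapped_ifc"] and pkt.dst == r["mapped_ip"]:
            return replace(pkt, dst=r["real_ip"])
    return pkt  # no static rule applies; pass through unchanged

# Constructed sample config (hypothetical addresses): server A published on
# the outside, server B on the outside reachable by a private alias from inside.
CONFIG = [
    "static (inside,outside) 203.0.113.10 10.1.1.10",   # server A: real 10.1.1.10
    "static (outside,inside) 10.9.9.20 198.51.100.20",  # server B: real 198.51.100.20
]
RULES = [parse_static(line) for line in CONFIG]

def demo():
    # Internet host reaches server A's public IP; reply leaves from the private IP
    inbound = translate(RULES, Packet("outside", "192.0.2.50", "203.0.113.10"))
    reply = translate(RULES, Packet("inside", "10.1.1.10", "192.0.2.50"))
    # Inside host targets server B's private alias; reply comes from the public IP
    to_b = translate(RULES, Packet("inside", "10.1.1.77", "10.9.9.20"))
    from_b = translate(RULES, Packet("outside", "198.51.100.20", "10.1.1.77"))
    return inbound, reply, to_b, from_b
```

Both statements are handled by the same two checks in `translate`, which is the point of the answer: the (outside,inside) line is the same source-NAT mechanism with the interfaces and addresses swapped, not a separate destination-NAT feature.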


          • 2. Re: NAT (outside,inside)
            Kingsley - CCSP/CCIP/CCNP/CCIE Security

            Do you have nat control enabled?



            With regards


            • 3. Re: NAT (outside,inside)
              Dr. RDX

              Kingsley : No

              SimonB : Thanks for the explanation