
936 Views 10 Replies Latest reply: May 5, 2012 5:25 AM by Pramod RSS


Struggling with the NAT table

Mar 7, 2012 12:41 AM

Gonzo 291 posts since
Oct 10, 2008

Hi all,

I'm just reading up about NAT and PAT and have reached the NAT table, which shows inside global, inside local, outside local and outside global. Can anyone explain what these mean? For example, if a PC is connecting to a website? I just can't grasp it.

If a PC on 192.168.1.10 is connecting to a website on 128.1.1.1, its router/firewall inside IP is 192.168.1.1 and outside is 80.1.1.1.

The way I read it is:

inside global - 80.1.1.1 (outside of firewall)

inside local - 192.168.1.10 (PC)

outside local - 128.1.1.1 (website's public IP)

outside global - 128.1.1.1 (website's public IP) - not sure why these are always the same.

Anyway, I hope you can help me.

Thanks

  • Daniel 197 posts since
    Jul 21, 2011
    1. Mar 7, 2012 2:06 AM (in response to Gonzo)
    Re: Struggling with the NAT table

    Hi Gonzo,

    First let me say that I agree with you, it's hard to keep track of the terminology, so let's define the terminology first! Here's how I learned the difference: I just hard-studied the definitions, and whenever I had your problem I tried to remember the definitions - that helped me.

    Inside local address: The IP address assigned to a host on the inside network. In other words, the address behind the NAT firewall on your local area network. Usually a private address (but not always).

    Inside global address: This is a global address assigned to your NIC by your service provider. It's routable, and in a NAT configuration it is the address that your LAN address gets translated into. In other words, this is your Internet address, or WAN address if you prefer.

    Outside global address: This is a globally routable public address, meaning this is the public address of the device you are trying to access. In other words, this is typically the address of the REMOTE location's WAN interface (or the NIC of the server you are trying to reach). This can also be NATed to their local area network into an outside local address.

    Outside local address: The IP address assigned to a host on the inside network. In other words, the address behind the NAT firewall at the remote local area network. Usually a private address (but not always).

    Think about it this way as well. Whenever you want a packet to travel somewhere, it has a source address and a destination address.

    Whenever you see the term local address it means "the address assigned behind the NAT firewall".

    Whenever you see the term global address it means "the address assigned to the outside side of the NAT firewall".

    Now to answer your question, looking at things from the PC's perspective.

    The inside local address is: 192.168.1.1

    The inside global address is: 80.1.1.1

    The outside global address is: 128.1.1.1

    The outside local address is: 128.1.1.1

    The reason the outside global and local addresses are the same is because servers, typically web servers, are not NATed if they should be accessed by public users. They are assigned globally routable addresses on their NICs and usually put in a DMZ area of the firewall, so there's no need to "NAT" them.

    -Daniel.

  • brinda 5 posts since
    Oct 31, 2010
    2. Mar 7, 2012 2:11 AM (in response to Gonzo)
    Re: Struggling with the NAT table

    Hi Gonzo,

    In general, local = unroutable IP address; global = routable IP address; inside = within a LAN; outside = external to the LAN.

    An inside local address is one which is not routable in the public domain and must be NATed before it is sent on a public network. In your example, it is the 192.168.1.10 address.

    An inside global address is the address after NAT on the packets (80.1.1.1, which is done by the router interfacing the public network).

    The outside local and global addresses are both the same because the website has a single public routable IP address. There is no NAT needed - both the local and the global address are the same.

    HTH

    brinda.

  • cadetalain 2,642 posts since
    Sep 18, 2008
    3. Mar 7, 2012 2:21 AM (in response to brinda)
    Re: Struggling with the NAT table

    Hi,

    Your outside local is the same as your outside global because your LAN sees the public routable IP of the web server; if it had been NATed with an outside NAT, then it would have been different.

    Regards.

    Alain

  • Daniel 197 posts since
    Jul 21, 2011
    5. Mar 7, 2012 5:35 AM (in response to Gonzo)
    Re: Struggling with the NAT table

    Hi again Gonzo,

    Basically, just put the web server behind the firewall/NAT device to hide its public IP address, so that it would be translated into the outside local address.

    Say for example that the remote firewall's WAN interface has the IP address 128.1.1.1 and the web server behind it is on the LAN IP of 192.168.2.1; then there would have to be a NAT on the remote side to translate the outside global address of 128.1.1.1 into the outside local address of 192.168.2.1.

    In that scenario the outside global address wouldn't be the same as the outside local address. However, one of the "purposes" of NAT is to actually hide the LAN addresses between the public end-points for security purposes. So you would arguably get some degree of security using NAT on both sides!

    Did that make any sense?

    The big reason why public servers exist with real routable addresses is that some services the servers may run are extremely hard/complicated to work with when they're behind a firewall where NAT is used. For instance, the FTP protocol is a pain in the *** . They may still be behind a firewall, but it's just easier to work with them when they're not NATed.
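Daniel's two replies above (the four definitions, and the case where the remote side is also translated) as an added example that is not code from the original thread or from Cisco: a small Python model of a PAT router that keeps the same four columns as `show ip nat translations`. Constructed assumptions: the PC's source port 40000, PAT ports handed out from 1024 upward, and the address 10.9.9.9 used as an inside-facing alias for the web server in the second scenario. The model follows the Cisco definition of outside local (the address of the outside host as hosts on this router's inside see it), so the two outside columns only differ when this router itself has an `ip nat outside source` translation; a server that merely sits behind its own NAT at the remote site still appears to you only as its public address, which is the point of the later reply about what your router can see.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Translation:
    """One row of 'show ip nat translations', each field as 'ip:port'."""
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str


class NatRouter:
    """Edge router doing 'ip nat inside source ... overload' (PAT) on one public
    address, plus optional static 'ip nat outside source' translations.
    Port allocation from 1024 upward is an assumption of this model."""

    def __init__(self, inside_global_ip: str, first_port: int = 1024) -> None:
        self.ig_ip = inside_global_ip
        self.next_port = first_port
        self.outside_static: Dict[str, str] = {}   # outside global IP -> outside local IP
        self.table: List[Translation] = []

    def add_outside_static(self, outside_global_ip: str, outside_local_ip: str) -> None:
        """Equivalent of: ip nat outside source static <outside_global> <outside_local>."""
        self.outside_static[outside_global_ip] = outside_local_ip

    def _outside_global_for(self, outside_local_ip: str) -> str:
        # With no outside-source translation the remote host keeps its real
        # address, which is why outside local == outside global in the thread.
        for g, l in self.outside_static.items():
            if l == outside_local_ip:
                return g
        return outside_local_ip

    def inside_to_outside(self, pkt: Packet) -> Packet:
        """Translate a packet leaving via the outside interface, adding a row if new."""
        og_ip = self._outside_global_for(pkt.dst)
        inside_local = f"{pkt.src}:{pkt.sport}"
        outside_global = f"{og_ip}:{pkt.dport}"
        row = next((t for t in self.table
                    if t.inside_local == inside_local and t.outside_global == outside_global), None)
        if row is None:
            row = Translation(f"{self.ig_ip}:{self.next_port}", inside_local,
                              f"{pkt.dst}:{pkt.dport}", outside_global)
            self.next_port += 1
            self.table.append(row)
        ig_ip, ig_port = row.inside_global.rsplit(":", 1)
        return Packet(ig_ip, og_ip, int(ig_port), pkt.dport)

    def outside_to_inside(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving on the outside interface; None means no
        matching row, so the router drops it (unsolicited inbound traffic)."""
        for t in self.table:
            if (t.inside_global == f"{pkt.dst}:{pkt.dport}"
                    and t.outside_global == f"{pkt.src}:{pkt.sport}"):
                il_ip, il_port = t.inside_local.rsplit(":", 1)
                ol_ip, ol_port = t.outside_local.rsplit(":", 1)
                return Packet(ol_ip, il_ip, int(ol_port), int(il_port))
        return None

    def show_translations(self) -> List[Tuple[str, str, str, str]]:
        return [(t.inside_global, t.inside_local, t.outside_local, t.outside_global)
                for t in self.table]


def thread_scenario() -> NatRouter:
    """Gonzo's case: PC 192.168.1.10 behind 80.1.1.1 opens 128.1.1.1:80, no outside NAT.
    Source port 40000 is a constructed value."""
    r = NatRouter("80.1.1.1")
    r.inside_to_outside(Packet("192.168.1.10", "128.1.1.1", 40000, 80))
    return r


def outside_nat_scenario() -> NatRouter:
    """Same PC, but this router also translates the web server 128.1.1.1 to the
    constructed inside-facing alias 10.9.9.9, so the two outside columns differ."""
    r = NatRouter("80.1.1.1")
    r.add_outside_static("128.1.1.1", "10.9.9.9")
    r.inside_to_outside(Packet("192.168.1.10", "10.9.9.9", 40000, 80))
    return r


if __name__ == "__main__":
    for r in (thread_scenario(), outside_nat_scenario()):
        print("Inside global     Inside local         Outside local   Outside global")
        for row in r.show_translations():
            print("%-17s %-20s %-15s %s" % row)
        print()
```

Run it and the first table shows identical outside columns (128.1.1.1:80 in both), while the second shows 10.9.9.9:80 against 128.1.1.1:80. Note also that `outside_to_inside` returns None for any inbound packet with no matching row: that drop is the only "security" the translation itself gives, it is a side effect of per-flow state rather than a policy, and a static mapping or port-forward removes it for that address, so a DMZ host still needs explicit firewall rules regardless of whether it is NATed.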

  • Daniel 197 posts since
    Jul 21, 2011
    7. Mar 7, 2012 5:54 AM (in response to Gonzo)
    Re: Struggling with the NAT table

    Hi again Gonzo,

    Yes, I agree with you. Administrating the firewall at your end would give you your inside global address, inside local address, and the remote public address as global address and global local address.

    Why?

    Like you say, you don't know how it looks on their LAN side. But in my comment above, given that you know how it looks on both ends, that's how you would talk about it administrator to administrator.

    The communication between your router and the other end-point will be between your public IP and the remote public IP. But your router knows the "NAT maps" between your public IP and your local IPs.

    Nevertheless, the terminology is still the same - hence the confusion with NAT! The remote router translates the "outside local address" to its "outside global address" (from the remote router's point of view it's translating an inside local address into an inside global address), so when the packet reaches your router all you can see is the public IP address to which you should send packets back.

  • John 108 posts since
    Jan 28, 2010
    9. Mar 14, 2012 3:42 AM (in response to Gonzo)
    Re: Struggling with the NAT table

    I know this was already answered by a couple of people, but I came across this, which explains it pretty well. There are a wealth of websites around that have been extremely helpful in clearing up certain topics I had problems with.

    http://www.routeralley.com/ra/docs/nat.pdf

  • Pramod 10 posts since
    May 2, 2011
    10. May 5, 2012 5:25 AM (in response to Daniel)
    Re: Struggling with the NAT table

    Cheers Daniel... clear and concise explanation... thanks a lot.
