I'm just reading up about NAT and PAT and have reach the NAT table which shows Inside global, inside local, outside local, outside global, can anyone explain what these mean? For example if a PC is connecting to a website? I just can't grasp it
If a PC on 192.168.1.10 is connect to a website on 22.214.171.124, it's router/firewall inside IP is 192.168.1.1 and outside is 126.96.36.199
The way I read it is:
inside global - 188.8.131.52 (outside of firewall)
inside local - 192.168.1.10 (PC)
outside local - 184.108.40.206 (website's public IP)
outside global - 220.127.116.11 (website's public IP) not sure why these are always the same.
Anyway I hope you can help me.
First let me say that I agree with you it's hard to keep track with the terminology, so let's define the terminology first! Here's how I learned the difference, i just hard studied the definitions and whenever i had your problem i tried to remember the definitions - that helped me.
Inside local address: The Ip address assigned to a host on the inside network. In other words the Address behind the NAT firewall at your Local Area Network. Usually a private address (but not always).
Inside global address: This is a global address assigned to your NIC by your service provider. It's routable and in a NAT configuration the address that your LAN-address get translated into. In other words, this is Your internet address, or WAN address if you prefer.
Outside global address: This is a global routable public address meaning, this is the public address of the device you are trying to access. In other words, this is typically the address of the REMOTE location's WAN interface (or the NIC of the server you are trying to reach). This can also be NATed to their local area network into an Outside local address.
Outside local address: The Ip address assigned to a host on the inside network. In other words the Address behind the NAT firewall at the remote Local Area Network. Usually a private address (but not always).
Think about it this way as well. Whenever you want a packet to travel somewhere, it has a source address and a destination address.
Whenever you see the term Local address it means "the address assigned behind the NAT firewall".
Whenever you see the term Global address it means "the address assigned to the outside side of the NAT firewall".
Now to answer your question, looking at things from the PC's objective.
The inside local address is: 192.168.1.1
The inside global address is: 18.104.22.168
The outside global address is: 22.214.171.124
The outside local address is: 126.96.36.199
The reason the ouside global and local address is the same is because servers, typicall web servers, are not NAT:ed if they should be accessed by public users. They are assigned globally routable addresses on their NIC's and usually put in a DMZ area of the firewall so there's no need to "NAT" them.
in general, local = unroutable IP@; global = routable IP@ ; inside = within a LAN; outside = external to LAN.
an inside local address is the one which is not routable in a public domain and must be NATed before it is sent on a public network. in your example, it is the 192.168.1.10 IP@.
an inside global address is the address after NAT on the packets( 188.8.131.52 which is done by the router interfacing the public network)
the outside local and global address are both same because the website has a single public routable IP@. there is no NAT needed - both local IP@ and global IP@ are the same.
your outside local is the same as outside global because your LAN sees the public routeable IP of the web server if it had been natted with an outside NAT then it would have been different.
Thanks guys already things seem clearer! What example is there that would mean the outside local was different? If the public IP was NAT'ed to a private IP?
Hi again Gonzo,
Basically just put the web-server behind the firewall/NAT device to hide it's public ip-adress so that it would be translated into the outside local address.
Say for example that the remote firewall's WAN interface have the ip address 184.108.40.206 and the webserver behind it is on the LAN ip of 192.168.2.1 then there would have to be a NAT on the remote side to translate the outside global address of 220.127.116.11 into the outside local address of 192.168.2.1.
In that scenario the outside global address wouldn't be the same as the outside local address. However one of the "purposes" with NAT is to actually hide the LAN - addresses between the public end-points for security purposes. So you would arguable get some degree of security using NAT on both sides!
Did that make any sense?
The big reason why public servers exists with real routable addresses are becuase that some services that the servers may run are extremely hard/complicated to work with when they're behind a firewall when NAT is used. For instance the FTP-protocol is a pain in the *** . They may still be behind a firewall, but it's just easier to work with them when they're not NAT:ed.
If there is a NAT from the public IP (Outside global 18.104.22.168) to the private IP (outside local 192.168.2.1) which is hidden (doing it's job I guess) then wouldn't the outside global still be the same as the outside local?
Applogies if I am wrong
Hi again Gonzo,
Yes I agree with you. Administrating the firewall at your end would give you your inside global address, inside local address and the remote public address as global address and global local address.
Like you say, you don't know how it look like at their LAN side. But in my comment above given that you know how it looks like on both ends, that's how you would talk about it administrator to administrator.
The communication between your router and the other end-point will be between your public IP and the remote public IP. But your router knows the "NAT maps" between Your public IP and your Local IP's.
Nevertheless, the terminology is still the same - hence the confusion with NAT! The remote router translates the "outside local address" to his "outside global address" (from the remote routers point of view it's translating inside local addres into inside global address) so when the packet reaches Your router all you can see is the public ip-address in which you should send packets back to.
Great! Thanks for clearing this up, I have a feeling I will be askign a few more questions now I have found this site, sorry guys! Great for my CCNA studies though.
I know this was already answered by a couple of people, but I came across this which explains it pretty well. There are a wealth of websites around that have been extremely helpful in clearing up certain topics I had problems with.