17 Replies. Latest reply: May 5, 2015 9:42 AM by Krishna

    ip nat inside VS ip nat outside

    Krishna

       

      Hi,

       

      Screenshot.jpeg

       

      Please refer to the attached diagram. I'm configuring NAT on the router.

       

      Interface E0 is the nat inside and E1 is the nat outside ports.

       

      What difference would it make if I apply ip nat inside instead of ip nat outside and vice versa?

       

      Krishna

        • 1. Re: ip nat inside VS ip nat outside
          Vijay Swaminathan

          Krishna,

           

          Typically "ip nat inside" is configured on the interfaces in your local environment which cannot be routed to the internet (typically the private range of IP addresses), and "ip nat outside" we would configure on the interface which is connected to the internet.

           

          In the above example the addresses on the E0 interface of the router are in the private range 10.x.x.x, so they cannot be routed to the internet. If the clients have addresses in this range, then we need to translate them into an address (public IP) that can be routed through the internet. So the interface that has the public IP (in this case E1) typically will have "ip nat outside" configured, and any traffic from the client would have its source IP address translated from 10.x.x.x to 192.x.x.x and then go to the internet. The ip nat inside and outside commands tell you which address has to be translated and which IP address it has to be translated to. If you interchange them, the translation might happen but the connectivity to the internet will not work.

           

          HTH

          -Vijay

          • 2. Re: ip nat inside VS ip nat outside
            Krishna

            Vijay,

             

            My question is the difference between these 2 configs:

             

            ip nat inside source static 12.1.1.1 9.9.9.1

             

                             VS

             

            ip nat outside source static 12.1.1.1 9.9.9.1

             

            Krishna

            • 3. Re: ip nat inside VS ip nat outside
              Vijay Swaminathan

              ip nat inside source static 12.1.1.1 9.9.9.1 --> this performs translation for the inbound traffic

               

               

               

              ip nat outside source static 12.1.1.1 9.9.9.1  -> Performs translation for the outbound traffic.

               

              HTH

              -Vijay

              • 4. Re: ip nat inside VS ip nat outside
                Krishna

                ip nat inside source static 12.1.1.1 9.9.9.1 --> this performs translation for the inbound traffic

                 

                Does the above command mean that the traffic should always be initiated from the 9.0.0.0 network?

                 

                 

                 

                 

                ip nat outside source static 12.1.1.1 9.9.9.1  -> Performs translation for the outbound traffic.

                 

                 

                Does the above command mean that the traffic should always be initiated from the 12.0.0.0 network?

                 

                 

                Still, I'm confused about the difference between these 2 and when we have to apply each of these commands.

                 

                Krishna

                • 5. Re: ip nat inside VS ip nat outside
                  Jitendra

                  Hi,

                   

                  We can define the INSIDE statement on the source interface and the OUTSIDE statement on the WAN/INTERNET interface.

                   

                  In the above scenario the application will stop working if you do the changes.

                  We can also use the changed statement with the changes on the interface statement configuration, vice versa.

                   

                  Regards

                  Jitendra

                  • 6. Re: ip nat inside VS ip nat outside
                    Krishna

                    Jitendra,

                     

                    I'm looking for the difference between:

                     

                    ip nat inside source static 12.1.1.1 9.9.9.1

                     

                                     VS

                     

                    ip nat outside source static 12.1.1.1 9.9.9.1

                     

                    Krishna

                    • 7. Re: ip nat inside VS ip nat outside
                      Jitendra

                      ip nat inside source static 12.1.1.1 9.9.9.1: When traffic is received from source (12.1.1.1), meaning on the interface configured with nat INSIDE, it is translated to 9.9.9.1.

                       

                                       VS

                       

                      ip nat outside source static 12.1.1.1 9.9.9.1: When traffic is received from source (12.1.1.1), meaning on the interface configured with nat outside, it is translated to 9.9.9.1.

                      • 8. Re: ip nat inside VS ip nat outside
                        Daniel

                        Hi Krishna,

                         

                        I think you will have a great understanding of NAT and difference between outside and inside if you read this:

                         

                        http://blog.ine.com/2008/02/15/the-inside-and-outside-of-nat/

                         

                        It's a bit old, but a great source!

                         

                        There are several tutorials/sample configurations on the Cisco page as well, one of which is: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f8e.shtml

                         

                         

                        NAT is a "complicated" process if you break it down, but listen to what Jitendra said :). With NAT you define which interfaces that should be defined as "inside" and "outside" in your configuration. Then you can choose which address translates into which address with the ip nat inside/outside translation.

                         

                        In your case it's the difference between translating 12.1.1.1 into 9.9.9.1 on the pre-defined inside or outside interface!

                         

                         

                        As a side note, you also use the ip nat command to do what most other vendors would call "port-forwarding" to internal hosts.

                         

                        HTH

                        -Daniel

                        • 9. Re: ip nat inside VS ip nat outside
                          Krishna

                          Hi Dan,

                           

                          I got the answer to my question from the link that you provided. Thanks a lot, dude.

                           

                          ip nat outside source list:   

                           

                          translates the source of the IP packets that are traveling outside to inside

                          translates the destination of the IP packets that are traveling inside to outside

                           

                          ip nat inside source list:

                           

                          translates the source of IP packets that are traveling inside to outside

                          translates the destination of the IP packets that are traveling outside to inside

                           

                           

                          I think the real difference depends on how you label the interface (inside/outside).

                           

                          Krishna

                          • 10. Re: ip nat inside VS ip nat outside
                            Daniel

                            Hi Krishna,

                             

                            Glad to hear that you found your answer.

                             

                            I know you read it, but I just wanted to remind you that the text below that table should not be ignored, as it confirms your "thoughts" about the difference coming from labeling the interfaces!

                             

                             

                            "What the above guidelines indicate is that there is more than one way to translate a packet. Depending on your specific needs, you should determine how to define the NAT interfaces (inside or outside) and what routes the routing table should contain before or after translation. Keep in mind that the portion of the packet that will be translated depends upon the direction the packet is traveling, and how you configured NAT."

                             

                            -Daniel

                            • 11. Re: ip nat inside VS ip nat outside
                              Diya

                              Hi

                               

                              I have searched a lot for the exact information Krishna looked for, but strangely I was not able to find any topic about it; they mostly talk about ip nat inside. Anyway, after testing, I found one difference: ip nat inside, as usual, translates the destination address of the returning traffic, but ip nat outside doesn't translate the destination address of the returning traffic, and again this is after testing.

                              • 12. Re: ip nat inside VS ip nat outside
                                Daniel

                                Hi Diya,

                                 

                                Didn't really understand what you asked but....basically you can statically like this:

                                ip nat inside source static 10.0.0.1 100.100.100.100

                                ip nat outside source static 100.100.100.100 10.0.0.1

                                 

                                The difference is which source address to translate into which address.

                                 

                                ip nat inside source static 10.0.0.1 100.100.100.100

                                 

                                It will translate packets with a source address of 10.0.0.1 received on the inside interface into 100.100.100.100 on the outside interface.

                                 

                                It will also translate packets with a destination address of 100.100.100.100 received on the outside interface into 10.0.0.1 on the inside interface.

                                 

                                ip nat outside source static 10.0.0.1 100.100.100.100

                                 

                                It will translate packets with a source address of 10.0.0.1 received on the outside interface into 100.100.100.100 on the inside interface.

                                 

                                It will also translate packets with a destination address of 100.100.100.100 received on the inside interface into 10.0.0.1 on the outside interface.

                                 

                                Is that what you meant?

                                 

                                HTH,

                                Daniel
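
The rule stated in replies 9 and 12, applied to the two commands from the original question, as an added example that is not part of any post in this thread. It models address rewriting only (no routing, no ports); the `Packet` and `StaticRule` types and the peer address 203.0.113.7 are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    arrives_on: str  # NAT label of the ingress interface: "inside" or "outside"

@dataclass(frozen=True)
class StaticRule:
    kind: str    # "inside" = ip nat inside source static, "outside" = ip nat outside source static
    first: str   # first address in the command
    second: str  # second address in the command

def translate(pkt: Packet, rules: list[StaticRule]) -> Packet:
    """Rewrite addresses the way the thread describes static NAT."""
    for r in rules:
        far_side = "outside" if r.kind == "inside" else "inside"
        if pkt.arrives_on == r.kind and pkt.src == r.first:
            # Packet enters on the side the rule is named for: source first -> second.
            pkt = replace(pkt, src=r.second)
        elif pkt.arrives_on == far_side and pkt.dst == r.second:
            # Return direction: destination second -> first.
            pkt = replace(pkt, dst=r.first)
    return pkt

# The two commands from the question, same address pair.
INSIDE_RULE = [StaticRule("inside", "12.1.1.1", "9.9.9.1")]
OUTSIDE_RULE = [StaticRule("outside", "12.1.1.1", "9.9.9.1")]
PEER = "203.0.113.7"  # constructed sample address (documentation range)

def compare():
    """Run the same kinds of packets through each rule; return (label, before, after)."""
    cases = [
        ("inside rule, 12.1.1.1 enters on inside", INSIDE_RULE, Packet("12.1.1.1", PEER, "inside")),
        ("inside rule, reply to 9.9.9.1 enters on outside", INSIDE_RULE, Packet(PEER, "9.9.9.1", "outside")),
        ("outside rule, 12.1.1.1 enters on inside", OUTSIDE_RULE, Packet("12.1.1.1", PEER, "inside")),
        ("outside rule, 12.1.1.1 enters on outside", OUTSIDE_RULE, Packet("12.1.1.1", PEER, "outside")),
        ("outside rule, reply to 9.9.9.1 enters on inside", OUTSIDE_RULE, Packet(PEER, "9.9.9.1", "inside")),
    ]
    return [(label, pkt, translate(pkt, rules)) for label, rules, pkt in cases]

if __name__ == "__main__":
    for label, before, after in compare():
        print(f"{label}: {before.src}->{before.dst}  =>  {after.src}->{after.dst}")
```

The third case is the one that answers the original question: with the outside rule, a packet from 12.1.1.1 arriving on the inside interface is left untouched, so swapping the keyword without swapping the interface labels silently stops the translation.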

                                • 13. Re: ip nat inside VS ip nat outside
                                  Diya

                                  Hi Daniel,

                                   

                                  Thank you for your reply. I meant ip nat OUTSIDE's behaviour is a little bit different.

                                   

                                   

                                  Daniel wrote:

                                   

                                  ip nat outside source static 10.0.0.1 100.100.100.100

                                   

                                  It will translate packets with a source address of 10.0.0.1 received on the outside interface into 100.100.100.100 on the inside interface.

                                   

                                  It will also translate packets with a destination address of 100.100.100.100 received on the inside interface into 10.0.0.1 on the outside interface.

                                   

                                   

                                  And that is after testing: I found that, in contrast with ip nat inside, it doesn't translate the destination address. Please make sure.

                                  • 14. Re: ip nat inside VS ip nat outside
                                    Daniel

                                    Hi again,

                                     

                                    How have you tested this?

                                     

                                    The NAT function works the same, with the difference being which "interface" to translate the source address from.

                                     

                                    I ask because normally you would translate "public" source addresses with the outside command, and private source addresses with the inside command. And you can do some nasty things in a lab that wouldn't be routable in "real" networks. (Mainly, you wouldn't be able to ping 10.0.0.1 if it has to be routed over the internet, obviously....but you can simulate 10.0.0.0/8 as the internet in a lab and make it pingable.)

                                     

                                    I rarely use the outside command or see it, but I've seen it come to good use with VPN tunnels and connections to "NAT" the source address into something else that doesn't conflict with other branches....that typically happens when many people use the same networks on their LANs.
