IP NAT inside source vs IP NAT outside source

This topic is to discuss the following lesson:

Hi Rene,

Thanks for your great lesson. I have a question regarding …

What is the use case of IP NAT OUTSIDE SOURCE? Normally we don’t use the command. I need to know a production network scenario. Many thanks.

BR//ZAMAN

Hello Mohammad

This is an excellent question. Take a look at this post:


This post may refer to a similar configuration using an ASA, but the concept is the same. This gives you a practical example where you would want to translate the outside address.

I hope this has been helpful!

Laz

Hi Rene

For NAT, is it required for the router to have a route for the NATted IP?

If I am doing inside NAT 10.10.10.10 -> 20.20.20.20 on my R1, is my R1 required to have a route for 20.20.20.20?

How will it handle the response traffic for 10.10.10.10 -> 20.20.20.2? Will it check the route table first or NAT first?

Hello Devaprem

If you have a NAT translation between two addresses configured on a router, you don’t require any of those addresses to have a routing table entry in that specific router. These addresses are considered directly connected because they are associated with specific interfaces. For this reason, you don’t have to explicitly configure them for routing. However, other routers on the outside must have some routing information to be able to reach the 20.20.20.20 IP address but this is independent of NAT.

In general, when a packet arrives on an interface from outside to inside, it will translate NAT first and then route. More information about the order of operations in routers can be found at the following Cisco documentation.


I hope this has been helpful!

Laz

Thank you Laz, it clearly explains

Does the same apply to “destination”?

I have just done an INE task with the following line:

ip nat inside destination list LOAD_BALANCE pool ROTARY

But on this task, traffic arriving on the outside interface (not inside) is destination NATed to the pool on the inside, which seems to be inverse of the “source” command. There is also the IP ALIAS command but I believe this is just to respond to ARPs for 155.1.58.55.

conf t
interface e1/1.45
 shutdown
!
interface e1/1.58
 ip nat outside
!
interface Tunnel0
 ip nat inside
!
ip nat pool ROTARY prefix-length 24 type rotary
 address 155.1.0.1 155.1.0.1
 address 155.1.0.2 155.1.0.2
 address 155.1.0.3 155.1.0.3
!
ip access-list extended LOAD_BALANCE
 permit tcp any host 155.1.58.55 eq telnet
!
ip nat inside destination list LOAD_BALANCE pool ROTARY
!
ip alias 155.1.58.55 23
end
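
Added example, not part of the post above or of the INE task: a small Python model of the behaviour the post describes, where Telnet traffic arriving on the outside interface for 155.1.58.55 is destination-translated to the ROTARY pool and replies are translated back. It assumes one translation entry per TCP flow with new flows assigned round-robin; the class name, function names and client addresses are constructed for illustration.

```python
from itertools import cycle

VIP, VIP_PORT = "155.1.58.55", 23                   # matched by ACL LOAD_BALANCE
ROTARY = ["155.1.0.1", "155.1.0.2", "155.1.0.3"]    # pool ROTARY (real servers)


class RotaryNat:
    """Simplified model of 'ip nat inside destination list ... pool ...'.

    Assumption: each new TCP flow (client IP, client port) gets the next
    pool address in rotation and keeps it for the life of the flow.
    """

    def __init__(self, vip, port, pool):
        self.vip, self.port = vip, port
        self._next = cycle(pool)
        self.table = {}          # (client_ip, client_port) -> real server

    def outside_to_inside(self, src, sport, dst, dport):
        """Packet arriving on the 'ip nat outside' interface."""
        if (dst, dport) != (self.vip, self.port):
            return src, sport, dst, dport            # ACL miss: not translated
        key = (src, sport)
        if key not in self.table:                    # new flow: rotate the pool
            self.table[key] = next(self._next)
        return src, sport, self.table[key], dport    # destination rewritten

    def inside_to_outside(self, src, sport, dst, dport):
        """Reply from a real server heading back out to the client."""
        if sport == self.port and self.table.get((dst, dport)) == src:
            return self.vip, sport, dst, dport       # source rewritten to the VIP
        return src, sport, dst, dport                # no matching entry


def demo():
    """Run four constructed client flows and return the servers chosen."""
    nat = RotaryNat(VIP, VIP_PORT, ROTARY)
    clients = [("192.0.2.10", 40001), ("192.0.2.11", 40002),
               ("192.0.2.12", 40003), ("192.0.2.13", 40004)]
    return [nat.outside_to_inside(ip, port, VIP, VIP_PORT)[2]
            for ip, port in clients]


if __name__ == "__main__":
    print(demo())
```

The translation table in the model corresponds to what `show ip nat translations` would list on the router: one entry per client flow, pairing 155.1.58.55 with the real server that flow was assigned.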

Hello Chris

If we look at the description of the ip nat inside source command and modify it to conform to the ip nat inside destination command, we can see the following:

ip nat inside destination will:

  • translate the destination IP address of packets that travel from inside to outside
  • translate the source IP address of packets that travel from outside to inside

This is not the inverse of the source command, but it simply changes the address upon which translation is applied, specifically, the destination and not the source address of the packets.

I hope this has been helpful!

Laz

Hi Laz

I guess I was referring more to the syntax of the command.

ip nat inside source static/list [specify inside IPs] [specify outside IPs]

ip nat inside dest static/list [specify outside ip] pool [specify inside IPs]

Do you see what I mean? It does seem to be reversed for the “destination” command.

Hello Chris

When you input the following with the context sensitive help you get:

IP nat inside destination ?
 list  Specify access list describing global addresses

The global address is the inside global. This is the address that a host on the outside will see when communicating with the inside host. This means that it is the outside IP(s) that must be specified first.

I hope this has been helpful!

Laz