IP NAT inside source vs IP NAT outside source

(Rene Molenaar) #1

This topic is to discuss the following lesson:

(Mohammad Hasanuz Zaman) #2

Hi Rene,

Thanks for your great lesson. I have a question regarding …

What is the use case of IP NAT OUTSIDE SOURCE? Normally we don’t use the command. Need to know a production network scenario. Many thanks.


(Lazaros Agapides) #3

Hello Mohammad

This is an excellent question. Take a look at this post:

This post may refer to a similar configuration using an ASA, but the concept is the same. This gives you a practical example where you would want to translate the outside address.

I hope this has been helpful!


(devaprem R) #4

Hi Rene

For NAT, is it required for the router to have a route for the NATted IP?

If I am doing inside NAT -> on my R1, is my R1 required to have a route for ?

How will it handle the response traffic for -> , will it check the route table first or NAT first?

(Lazaros Agapides) #5

Hello Devaprem

If you have a NAT translation between two addresses configured on a router, you don’t require any of those addresses to have a routing table entry in that specific router. These addresses are considered directly connected because they are associated with specific interfaces. For this reason, you don’t have to explicitly configure them for routing. However, other routers on the outside must have some routing information to be able to reach the IP address but this is independent of NAT.

In general, when a packet arrives on an interface from outside to inside, it will translate NAT first and then route. More information about the order of operations in routers can be found at the following Cisco documentation.

I hope this has been helpful!


(devaprem R) #6

Thank you Laz, it clearly explains.

(Chris N) #7

Does the same apply to “destination”?

I have just done an INE task with the following line:

ip nat inside destination list LOAD_BALANCE pool ROTARY

But on this task, traffic arriving on the outside interface (not inside) is destination NATed to the pool on the inside, which seems to be the inverse of the “source” command. There is also the IP ALIAS command but I believe this is just to respond to ARPs for

conf t
interface e1/1.45
interface e1/1.58
 ip nat outside
interface Tunnel0
 ip nat inside
ip nat pool ROTARY prefix-length 24 type rotary
ip access-list extended LOAD_BALANCE
 permit tcp any host eq telnet
ip nat inside destination list LOAD_BALANCE pool ROTARY
ip alias 23


(Lazaros Agapides) #8

Hello Chris

If we look at the description of the ip nat inside source command and modify it to conform to the ip nat inside destination command, we can see the following:

ip nat inside destination will:

  • translate the destination IP address of packets that travel from inside to outside
  • translate the source IP address of packets that travel from outside to inside

This is not the inverse of the source command, but it simply changes the address upon which translation is applied, specifically, the destination and not the source address of the packets.

I hope this has been helpful!


(Chris N) #9

Hi Laz

I guess I was referring more to the syntax of the command.

ip nat inside source static/list [specify inside IPs] [specify outside IPs]

ip nat inside dest static/list [specify outside ip] pool [specify inside IPs]

Do you see what I mean? It does seem to be reversed for the “destination” command.

(Lazaros Agapides) #10

Hello Chris

When you input the following with the context sensitive help you get:

IP nat inside destination ?
 list  Specify access list describing global addresses

The global address is the inside global. This is the address that a host on the outside will see when communicating with the inside host. This means that it is the outside IP(s) that must be specified first.

I hope this has been helpful!
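
The rotary pool setup from post #7, where the access list describes the global address (post #10), can be modelled as below; this is an added example, not part of the thread and not Cisco code. It is a simplified Python model that ignores TCP state and entry timeouts, and the class name, method names and all addresses (documentation ranges) are constructed for illustration.

```python
# Simplified model of "ip nat inside destination list ... pool ... type rotary".
# All addresses are constructed sample values, not taken from the thread.
from itertools import cycle


class RotaryDestinationNat:
    def __init__(self, virtual_ip, port, pool):
        self.virtual_ip = virtual_ip   # inside global address matched by the access list
        self.port = port               # TCP port matched by the access list
        self._next_real = cycle(pool)  # rotary pool of inside local (real) hosts
        self.table = {}                # (client ip, client port) -> real host

    def outside_to_inside(self, src, sport, dst, dport):
        """Packet arriving on the outside interface: rewrite the destination."""
        if dst != self.virtual_ip or dport != self.port:
            return src, sport, dst, dport        # not matched by the list: untouched
        key = (src, sport)
        if key not in self.table:                # new flow: take the next pool member
            self.table[key] = next(self._next_real)
        return src, sport, self.table[key], dport

    def inside_to_outside(self, src, sport, dst, dport):
        """Reply from a real host: rewrite the source back to the virtual address."""
        if sport == self.port and self.table.get((dst, dport)) == src:
            return self.virtual_ip, sport, dst, dport
        return src, sport, dst, dport            # no matching entry: untouched


def demo():
    nat = RotaryDestinationNat("192.0.2.10", 23,
                               ["10.0.0.1", "10.0.0.2", "10.0.0.3"])
    # Three new telnet flows, then a further packet of the first flow.
    flows = [("198.51.100.7", 40001), ("198.51.100.7", 40002),
             ("203.0.113.9", 40001), ("198.51.100.7", 40001)]
    chosen = [nat.outside_to_inside(ip, p, "192.0.2.10", 23)[2] for ip, p in flows]
    reply = nat.inside_to_outside("10.0.0.2", 23, "198.51.100.7", 40002)
    return chosen, reply


if __name__ == "__main__":
    print(demo())
```

New flows rotate through the pool, a packet belonging to an existing flow keeps its real host, and the reply leaves with the virtual address as its source, so the outside client only ever sees the global address.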