Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6433
Views
0
Helpful
6
Replies

Confused with NAT inside,outside & outside,inside keywords

Rupesh Kashyap
Level 1
Level 1

‎02-23-2010 08:17 PM - edited ‎03-04-2019 07:36 AM

Hi, I have one Cisco ASA . IP address are->>outside ( ip address 202.86.91.98/28) & inside (ip address 172.19.3.4 /28).

I am seeing two static nat. One is static (inside,outside) which is working fine & routing to my internal host 10.50.33.43.

My concern is second nat, static (outside,inside). 206.201.76.5 is on global network. I want to know how outside,inside nat will work? Will any traffic coming from 206.201.76.5 translated as source IP as 172.19.128.18. I am really confused.

static (inside,outside) 202.86.91.125 10.50.33.43 netmask 255.255.255.255

static (outside,inside) 172.19.128.18 206.201.76.5 netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 202.86.91.97
route inside 10.0.0.0 255.0.0.0 172.19.3.1
route inside 172.19.0.0 255.255.0.0 172.19.3.1

Labels:
0 Helpful
6 Replies 6

Jon Marshall
Hall of Fame
Hall of Fame

‎02-24-2010 12:37 AM 

rupesh_kashyap wrote:
Hi, I have one Cisco ASA . IP address are->>outside ( ip address 202.86.91.98/28) & inside (ip address 172.19.3.4 /28).
I am seeing two static nat. One is static (inside,outside) which is working fine & routing to my internal host 10.50.33.43.
My concern is second nat, static (outside,inside). 206.201.76.5 is on global network. I want to know how outside,inside nat will work? Will any traffic coming from 206.201.76.5 translated as source IP as 172.19.128.18. I am really confused.
static (inside,outside) 202.86.91.125 10.50.33.43 netmask 255.255.255.255
static (outside,inside) 172.19.128.18 206.201.76.5 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 202.86.91.97 
route inside 10.0.0.0 255.0.0.0 172.19.3.1 
route inside 172.19.0.0 255.255.0.0 172.19.3.1

Rupesh

static NAT statements are bi-directional so -

static (inside,outside) 202.86.91.125 10.50.33.43 netmask 255.255.255.255

means -

1) if a packet arrives on the inside interface with a source address of 10.50.33.43 then change the source address 202.86.91.125.

2) if a packet arrives on the outside interface with a destination address of 202.86.91.125 then change the destination address to 10.50.33.43

static (outside,inside) 172.19.128.18 206.201.76.5 netmask 255.255.255.255

means -

1) if a packet arrives on the inside interface with a destination address of 172.19.128.18 change the destination address to 206.201.76.5

2) if a packet arrives on the outside interface with a source address of 206.201.76.5 then change the source address to 172.19.128.18

Notice the difference between the two.

The first is translating source addresses from the inside and destination addresses from the outside.

The second is translating destination addresses from the inside and source addresses from the outside.

Jon

0 Helpful

Rupesh Kashyap
Level 1
Level 1
In response to Jon Marshall

‎02-24-2010 12:49 AM

Hi, I am not getting you properly. I have 202.201.76.x on my external interface. I have 10.50.33.x & 172.19.128.x on my interface network.

Now please explain again. Please help again.

static (inside,outside) 202.86.91.125 10.50.33.43 netmask 255.255.255.255

static (outside,inside) 172.19.128.18 202.201.76.5 netmask 255.255.255.255

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to Rupesh Kashyap

‎02-24-2010 01:09 AM

Rupesh

I'm not sure how else to explain it. It is simply to do with whether you are translating source or destination IP addresses and on which interface.

Jon

0 Helpful

Rupesh Kashyap
Level 1
Level 1
In response to Jon Marshall

‎02-24-2010 01:37 AM

Now, I got your point. Thanks man. Now I want to understand one thing. I have 202.86.91.x on outside interface on ASA. If Internet users( 206.201.76.5) hits on 202.86.91.125, then what will happen? Will 206.201.76.5 source IP will change to 172.19.128.x range for internal network?

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to Rupesh Kashyap

‎02-24-2010 06:35 AM 

rupesh_kashyap wrote:
Now, I got your point. Thanks man. Now I want to understand one thing. I have 202.86.91.x on outside interface on ASA. If Internet users( 206.201.76.5) hits on 202.86.91.125, then what will happen? Will 206.201.76.5 source IP will change to 172.19.128.x range for internal network?

Rupesh

With your static statements both the source and destination of the packet will be changed ie.

src will be changed from 206.201.76.5 to 172.19.128.18

dst will be changed from 202.86.91.125 to 10.50.33.43

Jon

0 Helpful

Rupesh Kashyap
Level 1
Level 1
In response to Jon Marshall

‎02-25-2010 04:41 AM

Ok, Now the problem is, I am NOT seeing any route for 172.19.128.x in inside network. Then now reply to reach to the correct router?

Any other thing tagged with NAT? I am seeing all policies are working fine, thts why I am surprised.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card