Solved: Help with PAT - inside vs outside and port-forwarding

jacobholmjensen · ‎10-05-2022

hi all,

I currently have a setup made, where I have NAT translated to the WAN-site. I want to be able to access the web-server on the LAN-site externally, and I have it configured correctly - I think. However, I'm still confused as to how it works, and even why it should work.

On my NAT-router, I have:

ip nat inside source list 10 interface GigabitEthernet0/0/2 overload

with a corresponding access-list with the desired internal networks to be NAT'ed.

I also needed

ip nat inside source static tcp 10.30.0.2 80 50.0.0.9 80

on the router for the portforwarding of port 80 to work. However, why would it not be

ip nat outside

if it's the outside address (50.0.0.9) that needs to be translated into a specific IP-address? Or is it as simple as "50.0.0.9 is our inside global, so we need to use ip nat inside"??

I know the answer is somewhere, but the answers I found seems a bit too complicated, and I'm having a hard time getting my head around it. I hope some of you can dumb it down for me

Here is my setup:

I can't attach my .pkt-file, so please let me know if you need any additional information.

MHM Cisco World · ‎10-05-2022

from Inside->Outside


ip nat inside NATing the source 
ip nat outside NATing the destination

from Outside->Inside


ip nat inside NATing the destination 
ip nat outside NAting the source

View solution in original post

MHM Cisco World · ‎10-05-2022

this not work
you need static NAT

jacobholmjensen · ‎10-05-2022

Hi MHM, thank you for your response

I know I need a static NAT. However, I'm asking why it wouldn't be a

ip nat outside static

since it's an outside address I need to NAT to an internal static address

MHM Cisco World · ‎10-05-2022

from Inside->Outside


ip nat inside NATing the source 
ip nat outside NATing the destination

from Outside->Inside


ip nat inside NATing the destination 
ip nat outside NAting the source

jacobholmjensen · ‎10-06-2022

Short and precise, thank you so much MHM!

paul driver · ‎10-05-2022

Hello

@jacobholmjensen wrote:
ip nat inside source list 10 interface GigabitEthernet0/0/2 overload
with a corresponding access-list with the desired internal networks to be NAT'ed.

This is for dynamic port address translation calling upon an access-list to tell the rtr what address range to translate, any static host within this range may/may not need to be included, if its decided that a static host doesn’t need to be translated for any additional port ranges other than its static port then it can be excluded from the nat acl

@jacobholmjensen wrote:

so needed
ip nat inside source static tcp 10.30.0.2 80 50.0.0.9 80
on the router for the portforwarding of port 80 to work. However, why would it not be
 ip nat outside
if it's the outside address (50.0.0.9)

This is a static pat statement translating a specific internal host and port to a specific inside global address which is normally a publicly/external routable ip address.

Externally when you state that specific public/external ip address and port, the receiving rtr will perform a lookup and translate the packet into its related internal host address and port

A rtr with

Ip nat outside

statement the rtr performs an translation so as/when the outside host is connecting to the nat rtr its ip address will be translated into a internal ip address, so internally that public ip can be reached via its internal translated address via other internal hosts

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

jacobholmjensen · ‎10-06-2022

I must admit, I had to read your reply a few times before it made sense, but I think I finally got my head to understand it.

Thanks a bunch for your reply, Paul - it really helped clear things up