
Public IP to private IP NAT'ing

Suppose an IP from the internet needs to talk to the host on the inside (private IP), we typically NAT the private IP on the inside to a Public IP.

Can they still talk if we NAT the IP coming from outside (public IP address) to a private IP address (from a pool, maybe)? Will that work? I am not sure about this.

 

2 Replies

Hello,

 

you cannot do static NAT from outside to inside in combination with a pool. You can only do a list, e.g.:

 

ip nat outside source list 1 pool POOL

 

That said, I am not sure what you are asking... you basically want to reverse the inside to outside?

Hello


@ranjipremandrewp wrote:

Suppose an IP from the internet needs to talk to the host on the inside (private IP), we typically NAT the private IP on the inside to a Public IP.

Can they still talk if we NAT the IP coming from outside (public IP address) to a private IP address


Yes you can, but it depends on the NAT boundary. If your inside network isn’t hidden and advertised, then you can NAT any outside address to an inside IP address; as such, when an inside host pings that outside static NAT it will translate to its real source. Also, you could perform outside NAT translation even if you have hidden natted work and have your internal hidden network able to ping the static outside NAT address (HAIRPIN NAT).

 

Example 1: inside network advertised to outside domain
Inside domain = 192.168.1.0/24  host1 .11  host2 .12
outside host = 8.8.8.8
outside static nat statement = ip nat outside source static 8.8.8.8 192.168.1.8 add-route

 

Now when host 8.8.8.8 pings either host 192.168.1.11 or .12, first NAT will occur, which will translate 8.8.8.8<>192.168.1.8, then a route lookup will occur and the packet is routed to either host.

Return traffic will perform a route lookup first, then NAT will occur 192.168.1.8<>8.8.8.8 and the packet is sent to host 8.8.8.8.


Example 2: inside network is not advertised to outside domain - hairpin NAT with policy based routing
Inside domain = 192.168.1.0/24  host1 .11  host2 .12
outside domain 10.1.12.1/24
outside host = 8.8.8.8
outside static nat statement = ip nat outside source static 8.8.8.8 10.1.12.12
PBR interface = loopbackx

interface Loopbackx
! any non-routable IP can be used
ip address 169.169.169.1 255.255.255.255
ip nat inside


route-map HPin_rm permit 10
set interface loopbackx


interface x/x
description internet facing
ip address 10.1.12.1 255.255.255.0
ip nat outside


interface x/x
description lan facing
ip address 192.168.1.254 255.255.255.0
ip nat outside
ip policy route-map HPin_rm

 

ip access-list extended HP_nat
permit ip 192.168.1.0 0.0.0.255 host 10.1.12.88

 

ip access-list extended PAT
deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any


ip nat outside source static 8.8.8.8 10.1.12.88
ip nat inside source list HP_nat interface x/x <internet interface>
ip nat inside source list PAT interface x/x <internet interface>


ip route 0.0.0.0 0.0.0.0 <internet interface> <next-hop ip>

 

With the above, any LAN traffic that matches either ACL and comes from the LAN interface is policy routed to the loopback x interface (inside NAT), where NAT translation is performed towards the same physical interface (outside NAT) from the IP address range defined in the ACL lists. Any LAN to LAN traffic is of course not subject to any translation. The above will allow LAN hosts to reach 8.8.8.8 with its related outside static NAT IP.


Lastly, there is a 3rd option, NVI NAT (domainless NAT).
This doesn't need NAT domains and works as it performs RIB lookups before and after translation, something not applicable in domain NAT, which uses the NAT order of operation for inside/outside NAT domains.

interface x/x
description internet facing
ip address 10.1.12.1 255.255.255.0
ip nat enable


interface x/x
description lan facing
ip address 192.168.1.254 255.255.255.0
ip nat enable

ip access-list extended PAT
permit ip 192.168.1.0 0.0.0.255 any


ip nat source static 8.8.8.8 10.1.12.88
ip nat source list PAT interface x/x <internet interface>

ip route 0.0.0.0 0.0.0.0 <internet interface> <next-hop ip>


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
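
The order of operations described in example 1 of the reply above, as an added Python model that is not part of the original thread or of any Cisco tooling. It assumes a routing table reduced to three prefixes and models `add-route` as a /32 host route toward the outside domain; the function names are hypothetical.

```python
import ipaddress

# Constructed values taken from example 1 in the thread.
OUTSIDE_GLOBAL = "8.8.8.8"      # real address of the outside host
OUTSIDE_LOCAL = "192.168.1.8"   # address inside hosts use to reach it

def lookup(rib, dst):
    """Longest-prefix match; returns the egress NAT domain or None."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, dom) for net, dom in rib if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def build_rib(add_route):
    """Simplified RIB (assumption): connected LAN plus a default route."""
    rib = [(ipaddress.ip_network("192.168.1.0/24"), "inside"),
           (ipaddress.ip_network("0.0.0.0/0"), "outside")]
    if add_route:
        # Assumption: add-route is modelled as a /32 toward the outside.
        rib.append((ipaddress.ip_network(OUTSIDE_LOCAL + "/32"), "outside"))
    return rib

def outside_to_inside(src, dst, rib):
    """Packet arriving on the outside interface: NAT first, then route."""
    if src == OUTSIDE_GLOBAL:
        src = OUTSIDE_LOCAL
    return src, dst, lookup(rib, dst)

def inside_to_outside(src, dst, rib):
    """Packet arriving on the inside interface: route first, then NAT."""
    egress = lookup(rib, dst)
    # Translation only happens if routing sends the packet inside -> outside.
    if egress == "outside" and dst == OUTSIDE_LOCAL:
        dst = OUTSIDE_GLOBAL
    return src, dst, egress

if __name__ == "__main__":
    for flag in (True, False):
        rib = build_rib(flag)
        print("add-route" if flag else "no add-route",
              outside_to_inside("8.8.8.8", "192.168.1.11", rib),
              inside_to_outside("192.168.1.11", "192.168.1.8", rib))
```

In this model, the reply to 192.168.1.8 without the host route matches the connected /24, stays in the inside domain, and is never translated back to 8.8.8.8.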