cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
31123
Views
75
Helpful
28
Replies

1:1 static NAT vs port forwardng.

SJ K
Level 5
Level 5

Hi all,

 

I understand NAT is taking 1 internal IP, translating it into a routable public IP to the internet when going out of the router public facing interface.

While port forwarding is more for incoming traffic, whereby access to a pubic IP's port is being forwarded to an internal IP's port.

 

However, what I do not understand is, if I have already a 1:1 mapping of internal to NAT IP, do I still need port forwarding ?

Since whatever request to the NAT IP:port just map it to the internal IP:port.

 

Please advise

 

Regards,
Noob

3 Accepted Solutions

Accepted Solutions

Richard Burts
Hall of Fame
Hall of Fame

Noob

 

Your understanding of the concepts is pretty much correct and we just need to clarify a few things, perhaps especially some terminology. You are correct that static NAT establishes a one to one relationship between an inside (private) address and an outside (public) address. This static NAT will allow the inside host to initiate traffic to the Internet and to receive responses and it will allow the Internet to initiate traffic to the inside host and receive responses.

 

There is also dynamic NAT which uses a pool of addresses and will dynamically choose an address to use to translate when an inside host with private address wants to access Internet resources. This allows the inside host to initiate traffic to the Internet and receive responses but it would not allow the Internet to initiate traffic to the inside host.

 

There is also PAT (Port Address Translation sometimes referred to as Overloading) which uses a single address (frequently the router outside interface address) to translate addresses of traffic for inside hosts with private addresses who want to access Internet resources and to receive responses. But it does not allow the Internet to initiate traffic to inside hosts.

 

So with static NAT the Internet can initiate traffic to the inside host and there would be no need for port forwarding in this case. But with dynamic NAT and with PAT it does not enable the Internet to initiate traffic to an inside host. So if you are doing dynamic NAT or PAT and you have a server which should be accessible from the Internet then you would need to do port forwarding. Those are the cases in which port forwarding would be used but not for static NAT.

 

HTH

 

Rick

HTH

Rick

View solution in original post

Noob

 

I appreciate your kind words about the clarity of my explanation. I do find that it happens frequently that documentation focuses very much on how to configure something but has much less to say about how to use it or about why to use it.

 

q1) Static NAT does enable Internet to initiate traffic to the inside host and does not require that the inside host do anything to start it up.

 

q2 i)  You are describing dynamic NAT with a pool that seems to have only a single address in it. With a single address it depends a bit on how you set up the NAT. Either it will translate for the first host to send traffic and then will not translate for additional hosts while the first one is active, or you enable overload and then it turns into PAT.

q2 ii) Yes. If you want the public to get to the web server at that address then you need to publish that address.

 

q3) Yes you can both static NAT and PAT on the same router at the same time.

 

HTH

 

Rick

HTH

Rick

View solution in original post

q1) no you don't as static NAT is both ways, it's just that depending on the direction either the source or destination IP is changed

q2) the commands do different things.

See this recent post for an example -

https://supportforums.cisco.com/discussion/12504951/ip-nat-inside-and-ip-nat-ouside

Jon

View solution in original post

28 Replies 28

Richard Burts
Hall of Fame
Hall of Fame

Noob

 

Your understanding of the concepts is pretty much correct and we just need to clarify a few things, perhaps especially some terminology. You are correct that static NAT establishes a one to one relationship between an inside (private) address and an outside (public) address. This static NAT will allow the inside host to initiate traffic to the Internet and to receive responses and it will allow the Internet to initiate traffic to the inside host and receive responses.

 

There is also dynamic NAT which uses a pool of addresses and will dynamically choose an address to use to translate when an inside host with private address wants to access Internet resources. This allows the inside host to initiate traffic to the Internet and receive responses but it would not allow the Internet to initiate traffic to the inside host.

 

There is also PAT (Port Address Translation sometimes referred to as Overloading) which uses a single address (frequently the router outside interface address) to translate addresses of traffic for inside hosts with private addresses who want to access Internet resources and to receive responses. But it does not allow the Internet to initiate traffic to inside hosts.

 

So with static NAT the Internet can initiate traffic to the inside host and there would be no need for port forwarding in this case. But with dynamic NAT and with PAT it does not enable the Internet to initiate traffic to an inside host. So if you are doing dynamic NAT or PAT and you have a server which should be accessible from the Internet then you would need to do port forwarding. Those are the cases in which port forwarding would be used but not for static NAT.

 

HTH

 

Rick

HTH

Rick

Hi Rick,

 

Thank you! Clear as anything. I swear i have google and read about 40 minutes and all these can't beat your straight forward explanation.  I kept wondering why they just can't tell directly that port forwarding is not required for static NAT.

 

q1) Just to double confirm rick, for static NAT, although it does allow the internet to reach the internal network, but it doesn't require the internal network to initiate any connection 1st right ?

 

q2) for Dynamic NAT, assuming that

i) 203.112.112.112 is in my NAT pool available for usage.

ii) i have publish to the public saying that 203.112.112.112 is my WEB server public IP

iii) I have port forward port 80 on 203.112.112.112 to my actual webserver 192.168.112.112

Will it cause any issue if 

a) I have another workstation in my internal network that  is currently using 203.112.112.112 from the NAT pool accessing the internet and yet concurrently

b) an external user is accessing the webserver through 203.112.112.112:80

 

q3) Lastly, can i have different NAT mode running on the same router @ the same time ?

e.g. for certain servers I will use static NAT, for certain workstations i will use PAT

 

Regards,
Noob

Noob

 

I appreciate your kind words about the clarity of my explanation. I do find that it happens frequently that documentation focuses very much on how to configure something but has much less to say about how to use it or about why to use it.

 

q1) Static NAT does enable Internet to initiate traffic to the inside host and does not require that the inside host do anything to start it up.

 

q2 i)  You are describing dynamic NAT with a pool that seems to have only a single address in it. With a single address it depends a bit on how you set up the NAT. Either it will translate for the first host to send traffic and then will not translate for additional hosts while the first one is active, or you enable overload and then it turns into PAT.

q2 ii) Yes. If you want the public to get to the web server at that address then you need to publish that address.

 

q3) Yes you can both static NAT and PAT on the same router at the same time.

 

HTH

 

Rick

HTH

Rick

Hi Rick,

 

Thank you.1st last question ->

192.168.1.0/24 is my inside local

203.110.110.0/24 is my inside global

 

I am configuring static NAT now and I have issue ip nat inside on my internal interface and ip nat outside on my external interface.

 

Right now, I am issuing

ip nat inside source static 192.168.1.3 203.110.110.3

 

q1) Do i need to issue ip nat outside source static 203.110.110.3 192.168.1.3 ?

 

 

q2) ip nat inside source static

ip nat outside source static

 

Are this 2 commands mutually exclusive ?

 

Regards,
Noob

 

q1) no you don't as static NAT is both ways, it's just that depending on the direction either the source or destination IP is changed

q2) the commands do different things.

See this recent post for an example -

https://supportforums.cisco.com/discussion/12504951/ip-nat-inside-and-ip-nat-ouside

Jon

Noob

 

q1) I agree with Jon that the configured translation works both ways and you only need the first command.

 

q2) the two commands are not mutually exclusive. They do different things and depending on what you need you may configure either one or both of them.

 

HTH

 

Rick

HTH

Rick

Hey Jon, Rick,

 

Thanks. Ahh.. I got it.. (after lying on bed, pacing up down the hall, a short nap, and few toilet breaks).

But i have to keep repeating myself this.

 

traffic going from inside to outside (outgoing) - route then translate
traffic going from outside to inside (incoming) - translate then route

ip nat inside source static - translate outgoing source, translate incoming destination
ip nat outside source static - translate outgoing destination, translate incoming source

 

Therefore, for your example in the link earlier, the destination is to 192.168.11.2 and outgoing traffic are route 1st then translate; therefore, in R2 i must have a route to 192.168.11.2 network exiting R2 or pointing to R3. Then it can get translated to 10.10.10.2 before leaving R2.

====================

OMG, i can't imagine if I have a router doing both side NAT - is that possible ?

 

q2) Can i also check the following

         a) for Dynamic NAT and PAT, how long does a NAT translation entry/mapping get kept ?
            Can we configure the timing ? or the size of the NAT table ?  Can I say that if the holding time is very small, packets might not be able to return as the mapping is lost ?

         b) For Dynamic NAT, what happen if the NAT pool is exhausted, will the packets still go through the router then using it original IPs ? If yes, does that mean we have to use ACL to block original source IP then at the exit interface  ?

       

Regards,
Noob

q1) you can use both at the same time and you can also use dynamic NAT as well.

Some NAT configurations can get quite complicated especially on firewalls.

There is an order in which they are processed so you have to be careful especially on ASA firewalls using 8.3 code or later.

q2) Can't remember the actual translation timeout as it differs for TCP or UDP but yes you can modify them.

It is very unlikely that you can reduce it to the point where it times out before the return traffic gets back to the router as the translation timeouts are in seconds and packets travel at milliseconds.

If the NAT pool is exhausted packets are usually dropped which is why it is always a good idea to use at least one IP address for overloading.

Jon

Hi Jon,

Thanks for the reply.

 

q1) Duly noted. Thanks

 

q2) Can i say that in the event that a NAT binding is on, 2 ways communication through the recorded src and destination port is always possible right ?

 

With Dynamic NAT, will the src and destination ports be taking into consideration as well when comparing a mapping/binding in the NAT table ? or as long as the IP binding/mapping exist in the NAT table, it doesn't matter if the src / dst ports are different.

Meaning if A (port 50) --> (Router/nat) --> (port 60) B, can

                  A any port) <-- (Rounter/nat)<-- (any port) B  (while the NAT binding is on)

 

q3) What if I need a connection to be on always; something like a session base kind of communication. ..e.g If I have setup SIP between client and server, the client is in the NAT environment will send keep-alive messages every maybe 150 secs and if there is a call request, the server will send the client a SIP INVITE.

In the event, if as you mentioned, the transaction timeout are in seconds. When the SIP invite comes, the binding most probably would be gone already and the external server can never reach the client within.

 

q4) is there a kind of priority base configuration, as in use these "ips" in the pool 1st for dynamic mapping 1st, if the pool is fully utilized, then use these "ips" in the another pool which is use for overloading.

 

Meaning can i setup 2 pool, 1 for dynamic mapping, and 1 for overloading. Have the internal clients/servers try out the dynamic pool 1st, if its fully utilized, then use the 2nd pool for overloading.

 

Regards,
Noob

Hi Jon,

 

Just to check in. Hope you will be able to see the questions above.

 

Thanks!

q2) PAT records the ports as well so no to your example ie. the only traffic allowed back in would be to port 50.

It would not allow any other port because that translation has not been setup.

q3) you can always set the timeout very high but if you needed a permanent translation that is what static NAT is for.

Note I don't really know anything about SIP so the above is a general answer.

q4) you can certainly create two pools but I am not sure whether clients can try one and if no IP is available it will use the other.

I think that if you setup a pool for one to one mappings then you would specific a different set of clients than the ones mapped to the dynamic overload pool.

Not an issue I have ever come across so can't say for sure to be honest.

Jon

Hi Jon,

Thanks for reverting back.

 

For q2) how about Dynamic NAT ?  Does port information need to match as well for incoming traffic to Dynamic NAT ? 

or as long as I have establish an outgoing binding to the outside network, then outside traffic can come back in to whatever ports as long as the binding is valid.

 

Regards,
Noob

Noob

 

I believe that we are getting to a point where we need to be careful about semantics and how we use the terms. As generally used NAT is translation based on IP address which translates private to public address or public to private address without consideration of port number and port numbers are not altered in a NAT translation. Also with NAT there is a one to one relationship between private address and public address. Also note that the translation can be static (the same private address always translates to the same public address) or can be dynamic (a private address might translate to different public addresses).

 

In this context the answer to q2) is Yes as long as the translation is in the table any outside device is able to send to the inside device using any port number.

 

HTH

 

Rick

HTH

Rick

Hi Rick,

 

Noted. I am really sorry as sometimes I have difficulties describing my doubts; I would like to apologize if i have indeed caused any confusion.

 

In order to clear up the doubt, I have come up with a table, it would be good if you can verify if the column on "Incoming traffic criteria"  is correct ?

(apologies if the picture appear small - pls right click to view image)

A million thanks

Regards,

Noob

 

Review Cisco Networking for a $25 gift card