IP NAT inside and ip nat ouside

khaled alodat
Level 1

Hi ,

 

I've searched the internet and I could not find a clear explanation of the difference between ip nat inside and outside:

 

In my case outside does not mean internet or public:

 

What I know so far: ip nat inside does routing first and then translation, while NAT outside does translation first and then routing.

 

Can someone please provide me with an example that covers the difference, using IP addresses that are not directly connected to the router we placed the NAT on, to demonstrate the routing behavior with the NAT.

 

Thanks,

 

 

7 Replies

Jon Marshall
Hall of Fame

"Can someone please provide me with an example that covers the difference, using IP addresses that are not directly connected to the router we placed the NAT on, to demonstrate the routing behavior with the NAT"

You've just explained the difference.

Are you looking for examples of when to use one or the other?

Jon

Hi Jon,

 

I have that feeling (I know and I don't know) at the same time.

I can't fit the entire picture in my head, so let me give you an example:

 

R1-------R2-----R3

 

R1 lp: 1.1.1.1, R3 lp: 3.3.3.3

 

ip nat inside on R2: real IP 1.1.1.1, NAT IP 4.4.4.4

 

Ping 3.3.3.3 from 1.1.1.1; I will trace the traffic:

 

1- src 1.1.1.1, dst 3.3.3.3

2- Packet gets to the R2 inside interface and, because it's NAT inside, R2 will route first (looking for a route matching 3.3.3.3)

3- Found the route

4- Change the src and dst ---> src: 4.4.4.4, dst: 3.3.3.3

5- 3.3.3.3 receives it and will respond back

6- src: 3.3.3.3, dst: 4.4.4.4 (there is a route on R3 for 4.4.4.4)

7- R2 receives the packet, src 3.3.3.3, dst 4.4.4.4 (here is my problem)

Does it look for a route to 4.4.4.4 or translate first?

And would I need a route to 1.1.1.1 or 4.4.4.4?

 

This is for ip nat inside; what about ip nat outside? Same example:

1- R2 receives src 1.1.1.1, dst 3.3.3.3

2- Because it's NAT outside, R2 will translate first, so: src 4.4.4.4, dst 3.3.3.3

3- Looks for a route to 3.3.3.3 and sends it to R3

4- R3 replies: src 3.3.3.3, dst 4.4.4.4

5- R2 receives the packet: route or translate first?

 

Thanks again,

 

Khaled

 

Khaled

The problem is that you are translating the same IPs in your examples, but that isn't what happens, i.e.

192.168.10.2 -> R1 -> (ip nat inside) R2 (ip nat outside) -> R3 -> 10.10.10.2

1) inside to outside -

ip nat inside source static 192.168.10.2 172.16.10.2

As you rightly say, R3 needs to have a route for 172.16.10.2 pointing to R2.

So 192.168.10.2 sends a packet to 10.10.10.2. R2 receives the packet, does a route lookup for 10.10.10.2, sees it is reachable via its outside interface, the packet is forwarded to the outside interface and then NAT is done, changing the source IP to 172.16.10.2.

When the return packet arrives back at R2 the translation is undone first, i.e. before routing, and then R2 does a route lookup for 192.168.10.2 and obviously knows how to get to it.

So no additional routes are needed on R2.

2) outside to inside -

ip nat outside source static 10.10.10.2 192.168.11.2

In the above we are assuming R1 has a route for 192.168.11.2 pointing to R2.

What the above says is present 10.10.10.2 to the inside network as 192.168.11.2.

So 192.168.10.2 sends a packet to 192.168.11.2. When it gets to R2 it is the destination and not the source IP that is changed.

And here is the problem.

Because routing happens before NAT from inside to outside, R2 must have a route for 192.168.11.2 pointing to the outside interface; otherwise the packet is never forwarded to the outside interface and the NAT never takes place.

So when you use the "ip nat outside source static ..." command there is an additional keyword you can add to the statement, i.e. "add-route", and this tells the router to add a route for that IP via the outside interface.

The key thing to understand is that depending on which statement you use you are translating different IPs, i.e. source or destination IPs in the same direction, and this may be where some of the confusion has come from.

Using the "ip nat inside ..." commands is a lot more common.

Jon
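The order of operations Jon describes, modelled as an added example (not from the thread and not Cisco code): R2 routes first and then translates for inside-to-outside traffic, and translates first and then routes for outside-to-inside traffic. Addresses and the two static statements are the ones from Jon's topology; the routing table and the simulated add-route host route are constructed stand-ins.

```python
import ipaddress

INSIDE, OUTSIDE = "inside", "outside"

# Constructed routing table for R2: prefix -> egress interface.
ROUTES = {
    ipaddress.ip_network("192.168.10.0/24"): INSIDE,   # towards R1
    ipaddress.ip_network("10.10.10.0/24"): OUTSIDE,    # towards R3
}

# 1) ip nat inside source static 192.168.10.2 172.16.10.2
INSIDE_STATIC = {"192.168.10.2": "172.16.10.2"}
# 2) ip nat outside source static 10.10.10.2 192.168.11.2
OUTSIDE_STATIC = {"10.10.10.2": "192.168.11.2"}


def lookup(dst, routes):
    """Longest-prefix match; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    best = max((n for n in routes if addr in n), default=None,
               key=lambda n: n.prefixlen)
    return routes[best] if best is not None else None


def forward(src, dst, ingress, routes, inside_static, outside_static):
    """Simulate R2: returns (egress, src, dst) or None if the packet is dropped."""
    rev_inside = {v: k for k, v in inside_static.items()}
    rev_outside = {v: k for k, v in outside_static.items()}
    if ingress == INSIDE:
        # inside -> outside: route lookup FIRST, then NAT
        egress = lookup(dst, routes)
        if egress != OUTSIDE:
            return None  # never reaches the outside interface, so NAT never runs
        src = inside_static.get(src, src)   # inside local -> inside global
        dst = rev_outside.get(dst, dst)     # presented address -> real outside host
        return (egress, src, dst)
    # outside -> inside: NAT FIRST, then route lookup
    src = outside_static.get(src, src)      # real outside host -> presented address
    dst = rev_inside.get(dst, dst)          # inside global -> inside local
    egress = lookup(dst, routes)
    return (egress, src, dst) if egress is not None else None


def with_add_route(routes):
    """Effect of the add-route keyword: host route for 192.168.11.2 via outside."""
    r = dict(routes)
    r[ipaddress.ip_network("192.168.11.2/32")] = OUTSIDE
    return r
```

Case 1 needs no extra routes on R2; case 2 drops the packet until the add-route host route exists, because the lookup for 192.168.11.2 happens before the destination is rewritten.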

 

Thank you, this was very helpful.

 

One last question, please.

Real scenario:

 

In one of the routers between us and a customer, managed by a third party, there are two NAT lines:

1- ip nat inside  

2- ip nat outside 

 

What are the criteria we consider before we decide to use inside or outside?

If you can, please just give examples of how we choose. Please note that it's a point-to-point link, so it's not accessing the public; is it about who initiates the traffic?

 

Thanks,

 

Khaled

The criteria depends on what you want to translate and in which direction relative to the inside and outside (NAT) interfaces on your router.

That is why I gave examples of both.

It really depends on what you are translating.

Jon

Jon,

 

Thank you for your help. I can say now that I know the difference.

In our network we use NAT inside to translate the source to the customer, and we use NAT outside to translate the customer's destination.

 

Again, thank you.

 

Khaled