01-19-2009 04:19 AM - edited 03-06-2019 03:30 AM
Hi,
Please let me know what does the router command in subject do. Does it do natting in both the directions regardless of the either interface being inside or outside? I couldn't find much documentation on this. However, it works in both the directions and not only on the source ip initiated from inside interface but also on destination ip initiated from outside.
Please assist.
01-19-2009 04:27 AM
ip nat inside source static 192.168.5.1 172.16.5.1
means that the inside source IP address of 192.168.5.1 will be translated to source IP address of 172.16.5.1 as it goes out the outside interface.
It also means that any traffic with a destination IP address of 172.16.5.1 that enters via the outside interface will be translated to the destination IP address of 192.168.5.1 as it goes out the inside interface.
So yes it is bi-directional but it is important to note that inside to outside is translation of source IP address, outside to inside is translation of destination IP address.
This is a good introductory paper on NAT -
Jon
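Added example, not part of the original thread and not Cisco code: a simplified Python model of the static entry described in the post above, showing which address is rewritten in each direction. The class and function names and the outside host 198.51.100.7 are assumptions made for illustration; routing and ACLs are not modelled.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

class StaticInsideSourceNat:
    """Simplified model of `ip nat inside source static <local> <global>` entries."""
    def __init__(self, mappings):
        # inside local -> inside global, plus the reverse lookup used for
        # traffic arriving on the outside interface.
        self.local_to_global = {}
        self.global_to_local = {}
        for local, glob in mappings:
            local, glob = str(ipaddress.ip_address(local)), str(ipaddress.ip_address(glob))
            if local in self.local_to_global or glob in self.global_to_local:
                raise ValueError(f"duplicate static entry for {local} / {glob}")
            self.local_to_global[local] = glob
            self.global_to_local[glob] = local

    def forward(self, pkt, ingress):
        """Return the packet as it leaves the router; ingress is 'inside' or 'outside'."""
        if ingress == "inside":
            # inside -> outside: only the SOURCE address is rewritten
            return replace(pkt, src=self.local_to_global.get(pkt.src, pkt.src))
        if ingress == "outside":
            # outside -> inside: only the DESTINATION address is rewritten;
            # a static entry needs no earlier inside-initiated flow to match
            return replace(pkt, dst=self.global_to_local.get(pkt.dst, pkt.dst))
        raise ValueError("ingress must be 'inside' or 'outside'")

    def exposed_inside_hosts(self):
        """Inside global -> inside local pairs that match outside-initiated traffic."""
        return dict(self.global_to_local)

# Constructed sample: the mapping from the post, plus an arbitrary outside host.
nat = StaticInsideSourceNat([("192.168.5.1", "172.16.5.1")])
OUTSIDE_HOST = "198.51.100.7"  # constructed (documentation address range)

outbound = nat.forward(Packet("192.168.5.1", OUTSIDE_HOST), "inside")
inbound = nat.forward(Packet(OUTSIDE_HOST, "172.16.5.1"), "outside")
untouched = nat.forward(Packet(OUTSIDE_HOST, "172.16.5.9"), "outside")

if __name__ == "__main__":
    for label, p in [("outbound", outbound), ("inbound", inbound), ("no entry", untouched)]:
        print(f"{label:9} src={p.src:15} dst={p.dst}")
```

Because a static entry matches without any inside-initiated flow, every pair returned by `exposed_inside_hosts()` is an inside host reachable from the outside interface unless something else filters the traffic.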
01-19-2009 04:38 AM
Thanks Jon. But I really got troubled by the explanation given in "CCNA ICND Self Study Guide by Wendell Odom" Page 289. Please note below the quote from the mentioned book. It clearly states that the NAT only takes effect on the source ip of the 'inside' segment and there is no mention of the destination ip being translated. Please clarify.
Quote
interface Ethernet0/0
 ip address 10.1.1.3 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 200.1.1.251 255.255.255.0
 ip nat outside
!
ip nat inside source static 10.1.1.2 200.1.1.2
ip nat inside source static 10.1.1.1 200.1.1.1
NAT# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 200.1.1.1          10.1.1.1           ---                ---
--- 200.1.1.2          10.1.1.2           ---                ---
The static mappings are created using the ip nat inside source static command. The inside
keyword means that NAT translates addresses for hosts on the inside part of the network.
The source keyword means that NAT translates the source IP address of packets coming into
its inside interfaces. static means that the parameters define a static entry, which should never
be removed from the NAT table due to timeout. Because the design calls for two hosts,
10.1.1.1 and 10.1.1.2, to have Internet access, two ip nat inside commands are needed.
After creating the static NAT entries, the router needs to know which interfaces are "inside"
and which are "outside." The ip nat inside and ip nat outside interface subcommands
identify each interface appropriately.
Unquote
01-19-2009 05:43 AM
I found a similar note in Todd Lammle's book 'CCNA IOS Commands'
Quote
Let's take a look at a simple basic static NAT configuration:
ip nat inside source static 10.1.1.1 170.46.2.2
!
interface Ethernet0
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 170.46.2.1 255.255.255.0
 ip nat outside
!
In the preceding router output, the ip nat inside source command identifies which IP addresses will be translated. In this configuration example, the ip nat inside source command configures a static translation between the inside local IP address 10.1.1.1 to the outside global IP address 170.46.2.2.
If you look further down in the configuration, you can see an ip nat command under each interface. The ip nat inside command identifies that interface as the inside interface. The ip nat outside command identifies that interface as the outside interface. When you look back at the ip nat inside source command, you see that the command is referencing the inside interface as the source or starting point of the translation. The command could also be used like this - ip nat outside source - which is referencing the interface you designated as the outside interface to be the source or starting point for the translation.
Unquote
01-19-2009 05:58 AM
When I get a chance later on I'll set it up on a router and capture the translations so you can see how it works.
All I can say for now is that because it is a static translation it will work both ways. So taking your example above
Pro Inside global      Inside local       Outside local      Outside global
--- 200.1.1.1          10.1.1.1           ---                ---
--- 200.1.1.2          10.1.1.2           ---                ---
Inside global address 200.1.1.1
Inside local address 10.1.1.1
So a packet with a destination IP address of 200.1.1.1 entering on the outside interface will match this rule and therefore will be translated.
Note that inside and outside here are only meaningful in which interfaces you designate as inside and outside.
Like I say, later on I'll set this up but if you have a router you could try it yourself.
Jon
01-19-2009 06:41 AM
Jon,
I can already see that it actually works the way you have explained. Just surprised at the scarcity of its mention in popular materials.
Thanks.