NAT Inside Global address

badalam_nt · ‎02-22-2009

What is recommended way to define the Inside Global IP address inside a router?

1) to be the same as the IP address defined on that router's interface?

2) to be different from the IP address defined on that router's interface, but still in the same subnet as the IP address defined on that router's interface?

3) to be different from the IP address defined on that router's interface, and even more to be from a different subnet compared to subnet where the IP address defined on that router's interface belongs to?

I saw on some books written by Todd Lammle all these 3 possibilities. I even tried them and all were working correctly.

So I just miss the pros and cons of each of these 3 possibilities.

naveen_b81 · ‎02-23-2009

Please find my understandings below.

1) If the IP is same, your use will be limited as the port numbers get mapped to a different IP addresses, hence you will not be able to publish two appliations with same port numbers.

2) The recommended method as no requirement of extra routing policices on other devices.

3) In this menthod you will need to ensure that there is proper routing policies on the other devices to route the traffic to the router on which NAT is being done.

Jon Marshall · ‎02-23-2009

Petru

It pretty much depends on availability of global addresses. If you have spare ones then i would use those first.

Whether the spare address is the interface address, out of the same subnet or a different subnet again is usually dictated by availability of addresses eg.

1) You have no spare addresses - use the interface address with port mapping

2) You have spare addresses in the same subnet - use those

3) You have run out of addresses and you already use the interface address or PAT does not work with the application. You then obtain some more IP's (usually from your ISP). As long as that new IP's are routed by the ISP to the outside interface of your router you can then use those in the same way as you original addresses.

As you say, all will work although you generally get more flexibility with options 2 & 3.

Jon

badalam_nt · ‎02-23-2009

Thanks Jon.

I could see a slight decrease of the number of possible NAT translation entries when using the same IP@ as defined on the router's interface, because the router will eat up some of the possible combinations IP@:port for communication with the other routers (supposing the router is using a routing protocol).

If no routing protocol is used then it will be the same as using a different IP address.

Please correct me if I'm wrong.

Also what is the best practice if I get several IP addresses from the ISP?

To allocate one of them to the router's interface and use the remaining ones for NAT (with/without overload) ?

Or to allocate one of them to the router's interface and use ALL of them for NAT, including the IP@ allocated to router's interface?

Jon Marshall · ‎02-23-2009

Petru

Actually with a lot of IGP's eg. OSPF/EIGRP they don't use TCP/UDP port numbers so they wouldn't actually eat up ports as such. But yes you could lose a few depending on what was using the interface address eg. tacacs+, snmp etc.

Not sure there is a best practice. What i have always done is

1) to translate inside clients to a public IP when accessing the Internet then i use the interface address because you may as well. Obviously if there are more internal clients active than available port numbers with one IP address then you would need to add another.

2) I then use spare addresses to present internal servers that require access from the Internet. If you don't have enough IP addresses for all servers then you would need to use port mapping.

3) i always try and keep one IP address spare at the very least because every now and then you come across an application that will work NAT but not port mapping.

Jon