"Ip nat inside destination" use case

mohammed hashim
Level 1

hi,

when I read this command "Ip nat inside destination" I understand it means: translate the destination IP address of a packet moving from inside to outside.

but when I see the implementation in documents or books, it is usually used with server load balancing !!

when traffic comes to a single public IP address and is distributed to many servers !!

here I got confused,

can someone please clarify this ?

7 Replies

Hello,

It does not work that way. NAT is a little confusing in Cisco routers. IP NAT inside source and IP NAT inside destination are kind of similar but have different usage.

Both translate the source of the packet when the packet is moving from inside to outside and translate the destination of the packet when the packet is traveling from outside to inside.

You need to be familiar with two concepts before we go to the command.

Inside local

Configured IP address assigned to a host on the inside network. Usually a private IP inside the network

Inside Global

The IP address of an inside host as it appears to the outside network. It is usually a public IP on WAN interface.

Let's take a look at IP NAT inside destination with a question mark.

ip nat inside destination list MyPublicIP pool MyServers

ip nat inside destination ?
  list  Specify access list describing global addresses

The global address in the command is the inside global. This is the IP with which a host (or server) will be seen from outside.

ip nat inside destination list PublicIP ?
  pool  Name pool of local addresses

Local address is the actual IP of the hosts; it is the inside local.

This command translates inside global to inside local when packet comes from outside to inside and translates inside local to inside global when packet is moving from inside to outside.

Hope it helps,

Masoud


Very well explained.

Thanks

Adding to my previous comment.

Inside and outside in the NAT command do not determine the direction of flow alone, because NAT is bi-directional.

Inside means inside IPs which appear to the outside network.

Outside means outside IPs which appear to the inside network.

1- IP nat inside source:

Changing the source when the packet is traveling from inside to outside and changing the destination when the packet is travelling from outside to inside.

2- IP nat inside destination: the same as inside source but different usage

Changing the destination when the packet is travelling from outside to inside and changing the source when the packet is traveling from inside to outside.

3- IP nat outside source:

Changing the source when the packet is traveling from outside to inside and changing the destination when the packet is travelling from inside to outside.

4- IP nat outside destination:

It is not defined. Or I have not seen it.

Hope it helps,

Masoud

thanks Masoud for your reply,

but see, according to your definition:

1- IP nat inside source:

Changing the source when the packet is traveling from inside to outside and changing the destination when the packet is travelling from outside to inside.

2- IP nat inside destination: the same as inside source but different usage

Changing the destination when the packet is travelling from outside to inside and changing the source when the packet is traveling from inside to outside.

as I read it, this definition means exactly the same, since NAT, as you said, is bi-directional.

let us make it simple: if we did not have a feature like "IP nat inside destination", then what is the limitation with "IP nat inside source"?

Hello,

You may argue that. They are the same in terms of replacing source and destination; however, they are different in terms of usage. It is true that NAT is bi-directional, but it is session based. It is important from which side the session is created: from outside or inside.

Let me give you an example.

You want to implement server load balancing with IP NAT inside source.

interface FastEthernet0/0
 description Lan
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

interface FastEthernet1/0
 description WAN
 ip address 1.1.1.1 255.255.255.0
 ip nat outside

access-list 50 permit host 192.168.1.2
access-list 50 permit host 192.168.1.3

ip nat pool MyPublicIP 1.1.1.5 1.1.1.5 netmask 255.255.255.0

ip nat inside source list 50 pool MyPublicIP

When a packet comes from inside from 192.168.1.2 or 192.168.1.3, the router replaces its source with 1.1.1.5, and when the packet returns from outside, the router replaces its destination with 192.168.1.2.

Now you argue that I can use it for load balancing; however, it is not possible, because the router only puts an entry in the NAT table when a packet comes from inside destined to outside (initiated from inside). If a packet initiated outside comes to inside, the router does not translate its destination. So it is session based.

The only way to get around this is using static NAT. Static NAT works both ways, but you cannot define a pool for static NAT, so it cannot be used for load balancing.

IP NAT inside destination is also session based. The NAT table will only have an entry if the packet comes from outside to inside. And there is one more limitation: IP NAT inside destination does not work with non-TCP sessions. You cannot load balance ICMP packets. (IP NAT inside source works for ICMP and UDP also.)

Hope I could get my meaning across.

Masoud
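The session-based difference described above, as an added toy model in Python (not IOS code and not from this thread): a dynamic entry is created only by the side each rule lets initiate, inside destination handles TCP only and picks servers round robin, and static NAT translates both ways without a pool. Addresses are the ones from the example configuration; 8.8.8.8 and 9.9.9.x are constructed outside hosts, and ports are left out of the model.

```python
# Toy model of the NAT rules discussed in this thread (constructed example, not IOS).
from dataclasses import dataclass
from itertools import cycle


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    direction: str  # "in->out" (inside -> outside) or "out->in"


class Router:
    """Models static inside source, dynamic inside source and inside destination."""

    def __init__(self, *, static=None, src_acl=(), src_pool=(), dst_acl=(), dst_pool=()):
        self.static = dict(static or {})    # static inside source: local -> global, both ways
        self.src_acl = set(src_acl)         # 'ip nat inside source list': eligible inside locals
        self.src_pool = list(src_pool)      # its pool of inside globals (no 'overload')
        self.dst_acl = set(dst_acl)         # 'ip nat inside destination list': inside globals
        self.dst_rotary = cycle(dst_pool)   # its rotary pool of real servers (inside locals)
        self.table = []                     # dynamic entries: (local, global, outside, proto)

    def translate(self, p):
        """Return the translated packet, or None when no rule or table entry applies."""
        if p.direction == "in->out":
            for loc, glob, out, proto in self.table:      # reply of an existing session
                if (loc, out, proto) == (p.src, p.dst, p.proto):
                    return Pkt(glob, p.dst, p.proto, p.direction)
            if p.src in self.static:
                return Pkt(self.static[p.src], p.dst, p.proto, p.direction)
            taken = {g for l, g, _, _ in self.table if l != p.src}
            free = [g for g in self.src_pool if g not in taken]
            if p.src in self.src_acl and free:            # inside source: entry created here
                self.table.append((p.src, free[0], p.dst, p.proto))
                return Pkt(free[0], p.dst, p.proto, p.direction)
            return None
        for loc, glob, out, proto in self.table:          # reply of an existing session
            if (glob, out, proto) == (p.dst, p.src, p.proto):
                return Pkt(p.src, loc, p.proto, p.direction)
        for loc, glob in self.static.items():
            if glob == p.dst:
                return Pkt(p.src, loc, p.proto, p.direction)
        if p.dst in self.dst_acl and p.proto == "tcp":     # inside destination: TCP only
            loc = next(self.dst_rotary)                   # next real server, round robin
            self.table.append((loc, p.dst, p.src, p.proto))
            return Pkt(p.src, loc, p.proto, p.direction)
        return None
```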

Hello dear Masoud

Thanks a lot for your very good description of ip nat in your posts. I have an ipsec tunnel that uses both ip nat inside source and destination on a Cisco ASA. I would like to convert those ip nat configurations from the ASA to an ISR 4331 router. There is no problem with ip nat inside source :), but I have some problems with ip nat inside destination. Can you please give me a sample configuration if it is possible. Just for your information: the ipsec tunnel comes up but I cannot see any entries in the nat table. Many thanks in advance.

Best regards, Shahryar

perkin
Level 1

in a typical home router example like below

LAN---------------------Router--------------------inet

[S192.168.1.1|D8.8.8.8]         --->     [S202.40.211.211| D 8.8.8.8]

[D192.168.1.1|S8.8.8.8]         <---     [D202.40.211.211| S 8.8.8.8]                 

inside local 192.168.1.1

outside local 8.8.8.8

inside global 202.40.211.211

outside global 8.8.8.8

 

in a special environment where both sides can't be routed, like below (it is rare in real-life business)

LAN host A---------------------Router--------------------LAN host B

[S192.168.1.1|D192.168.1.2]       -->   [S202.40.211.211| D202.40.211.200]         

[D192.168.1.1|S192.168.1.2]       <--   [D202.40.211.211| S202.40.211.200]         

inside local 192.168.1.1

outside local 192.168.1.2

inside global 202.40.211.211

outside global 202.40.211.200

 

Since you understand all 4 address states:

1- IP nat inside source:

Changing between inside local and inside global

Can do static bi-directional and a NAT pool for the inside global when traffic is initiated from local (outbound)

Use case:

- 1:1 mapping, bi-directional

- internal network access TO the Internet (office internet mapping) (outside hosts do not know the inside local IP)

2- IP nat inside destination:

Changing between inside local and inside global

NAT with a pool of inside local addresses when traffic is initiated from global (inbound)

Use case:

- inbound connections map the inside global to multiple inside local IPs (load balancer) (outside hosts do not know the inside local IP)

3- IP nat outside source:

Changing between outside global and outside local

Can do static or a pool of outside local addresses (inbound)

Use case:

- inbound connections while presenting an external IP as an internal source (inside hosts do not know the outside global IP)

4- IP nat outside destination:

This does not exist.
