12-03-2015 01:20 PM - edited 03-08-2019 02:57 AM
hi,
when I read the command "ip nat inside destination" I understand it to mean: translate the destination IP address of a packet moving from inside to outside.
but when I see the implementation in documents or books, it is usually used with server load balancing!
when traffic comes to a single public IP address and is distributed to many servers!
here I got confused,
can someone please clarify this?
12-03-2015 04:01 PM
Hello,
It does not work that way. NAT is a little confusing on Cisco routers. ip nat inside source and ip nat inside destination are kind of similar but have different usages.
Both translate the source of a packet when the packet is moving from inside to outside and translate the destination of a packet when the packet is travelling from outside to inside.
You need to be familiar with two concepts before we go to the command.
Inside local
The configured IP address assigned to a host on the inside network. Usually a private IP inside the network.
Inside global
The IP address of an inside host as it appears to the outside network. It is usually a public IP on the WAN interface.
Let's take a look at ip nat inside destination with a question mark:
IP NAT inside destination list MyPublicIP pool MyServers.
IP nat inside destination ?
list Specify access list describing global addresses
The global address in the command is the inside global. This is the IP with which a host (or server) will be seen from outside.
ip nat inside destination list PublicIP ?
pool Name pool of local addresses
The local address is the actual IP of the hosts. It is the inside local.
This command translates inside global to inside local when a packet comes from outside to inside, and translates inside local to inside global when a packet is moving from inside to outside.
Hope it helps,
Masoud
07-17-2017 12:18 PM
Very well explained.
Thanks
12-03-2015 04:15 PM
Adding to my previous comment.
"Inside" and "outside" in the NAT command do not determine the direction of flow alone, because NAT is bi-directional.
Inside means inside IPs as they appear to the outside network.
Outside means outside IPs as they appear to the inside network.
1- ip nat inside source:
Changing the source when a packet is travelling from inside to outside, and changing the destination when a packet is travelling from outside to inside.
2- ip nat inside destination: the same as inside source but with a different usage.
Changing the destination when a packet is travelling from outside to inside, and changing the source when a packet is travelling from inside to outside.
3- ip nat outside source:
Changing the source when a packet is travelling from outside to inside, and changing the destination when a packet is travelling from inside to outside.
4- ip nat outside destination:
It is not defined, or I have not seen it.
Hope it helps,
Masoud
12-03-2015 11:15 PM
thanks Masoud for your reply,
but see, according to your definition:
1- ip nat inside source:
Changing the source when a packet is travelling from inside to outside, and changing the destination when a packet is travelling from outside to inside.
2- ip nat inside destination: the same as inside source but with a different usage.
Changing the destination when a packet is travelling from outside to inside, and changing the source when a packet is travelling from inside to outside.
as I read it, this definition means exactly the same thing, since NAT, as you said, is bi-directional.
let us make it simple: if we do not have a feature like "ip nat inside destination", then what is the limitation with "ip nat inside source"?
12-04-2015 06:52 AM
Hello,
You may argue that. They are the same in terms of replacing source and destination; however, they are different in terms of usage. It is true that NAT is bi-directional, but it is session based. It is important from which side the session is created: from outside or from inside.
Let me give you an example.
You want to implement server load balancing with ip nat inside source.
interface FastEthernet0/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet1/0
 description WAN
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
!
! inside hosts whose source address will be translated
access-list 50 permit host 192.168.1.2
access-list 50 permit host 192.168.1.3
! a pool of a single public address
ip nat pool MyPublicIP 1.1.1.5 1.1.1.5 netmask 255.255.255.0
! overload (PAT) is needed so that both hosts can share the single pool address at the same time
ip nat inside source list 50 pool MyPublicIP overload
When a packet comes from inside from 192.168.1.2 or .3, the router replaces its source with 1.1.1.5, and when the packet returns from outside, the router replaces its destination with 192.168.1.2.
Now you argue that I can use it for load balancing; however, it is not possible, because the router only puts an entry in the NAT table when a packet comes from inside destined to outside (initiated from inside). If a packet initiated outside comes to inside, the router does not translate its destination. So it is session based.
The only way to get around this is using static NAT. Static NAT works both ways, but you cannot define a pool for static NAT, so it cannot be used for load balancing.
ip nat inside destination is also session based. The NAT table will only have an entry if a packet comes from outside to inside. And there are more limitations: ip nat inside destination does not work with non-TCP sessions. You cannot load balance ICMP packets. (ip nat inside source works for ICMP and UDP also.)
Hope I could get my meaning across.
Masoud
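As an added example (not Masoud's configuration and not part of the original post): the same topology, this time with ip nat inside destination doing the inbound TCP load distribution that the ip nat inside source rule above cannot. The interface and host addresses are reused from the post; the access-list number 10 and the pool name MyServers are assumed.

```cisco
! Added example, not from the post: TCP load distribution on IOS with
! "ip nat inside destination". ACL 10 and the pool name are assumed.
interface FastEthernet0/0
 description LAN (servers 192.168.1.2 and 192.168.1.3)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet1/0
 description WAN
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
!
! The pool holds the real server addresses (inside local). "type rotary"
! makes IOS hand the next address in the pool to each new inbound session.
ip nat pool MyServers 192.168.1.2 192.168.1.3 netmask 255.255.255.0 type rotary
!
! The access list matches the virtual address (inside global) that
! outside clients connect to. No real host carries 1.1.1.5.
access-list 10 permit host 1.1.1.5
!
! Translate the destination of sessions arriving from outside for 1.1.1.5
! to one of the pool members; the reply is translated back by the same entry.
ip nat inside destination list 10 pool MyServers
```

After an outside client opens a TCP connection to 1.1.1.5, "show ip nat translations" shows an entry pairing 1.1.1.5 and the client's port with 192.168.1.2 or 192.168.1.3, and the next new session goes to the other server. Three points worth checking before relying on it: the rotary pool only matches new TCP sessions, so a ping to 1.1.1.5 gets no answer; it does not test whether a server is up, so a dead server still receives its share of new connections; and it creates no entry for sessions the servers start themselves, so their outbound access still needs a separate ip nat inside source rule.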
11-24-2017 04:51 AM
Hello dear Masoud
Thanks a lot for your very good description of ip nat in your posts. I have an IPsec tunnel that uses both ip nat inside source and destination on a Cisco ASA. I would like to convert that ip nat configuration from the ASA to an ISR 4331 router. There is no problem with ip nat inside source :), but I have some problems with ip nat inside destination. Can you please give me a sample configuration if it is possible? Just for your information: the IPsec tunnel comes up, but I cannot see any entries in the NAT table. Many thanks in advance.
Best regards, Shahryar
01-09-2019 02:25 PM - edited 01-09-2019 02:47 PM
In a typical home router example like the one below:
LAN---------------------Router--------------------inet
[S192.168.1.1|D8.8.8.8] ---> [S202.40.211.211| D 8.8.8.8]
[D192.168.1.1|S8.8.8.8] <--- [D202.40.211.211| S 8.8.8.8]
inside local 192.168.1.1
outside local 8.8.8.8
inside global 202.40.211.211
outside global 8.8.8.8
In a special environment in which both sides cannot be routed, like the one below (it is rare in real-life business):
LAN host A---------------------Router--------------------LAN host B
[S192.168.1.1|D192.168.1.2] --> [S202.40.211.211| D202.40.211.200]
[D192.168.1.1|S192.168.1.2] <-- [D202.40.211.211| S202.40.211.200]
inside local 192.168.1.1
outside local 192.168.1.2
inside global 202.40.211.211
outside global 202.40.211.200
Once you understand all four address states:
1- ip nat inside source:
Changing between inside local and inside global.
Can do static bi-directional, and a NAT pool for the inside global when traffic is initiated from local (outbound).
use case:
- 1:1 mapping, bi-directional
- internal network access TO the Internet (office Internet mapping) (outside hosts do not know the inside local IP)
2- ip nat inside destination:
Changing between inside local and inside global.
NAT with a pool of inside local addresses when traffic is initiated from global (inbound).
use case:
- inbound connections mapping one inside global to multiple inside local IPs (load balancer) (outside hosts do not know the inside local IP)
3- ip nat outside source:
Changing between outside global and outside local.
Can do static, or a pool of outside local addresses (inbound).
use case:
- inbound connections while presenting an external IP as an internal source (inside hosts do not know the outside global IP)
4- ip nat outside destination:
but this does not exist
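An added example (not from this post) of cases 1 and 3 together, as static translations for the two-LAN diagram above. Host A's addresses (192.168.1.1 inside local, 202.40.211.211 inside global) and host B's real address (202.40.211.200 outside global) come from the diagram; the interface addressing is assumed, and host B's outside local address is assumed to be 10.200.0.2 (an address the inside network does not already use) rather than the diagram's 192.168.1.2.

```cisco
! Added example, not from the post. Case 1 (inside source) and case 3
! (outside source) as static translations for the two-LAN diagram.
! Assumed: interface addresses, and 10.200.0.2 as host B's outside local.
interface GigabitEthernet0/0/0
 description LAN (host A 192.168.1.1)
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/1
 description WAN toward host B (202.40.211.200)
 ip address 202.40.211.1 255.255.255.0
 ip nat outside
!
! Case 1: host A (inside local 192.168.1.1) is seen on the outside as
! 202.40.211.211 (inside global). Static, so it works in both directions.
ip nat inside source static 192.168.1.1 202.40.211.211
!
! Case 3: host B (outside global 202.40.211.200) is seen on the inside as
! 10.200.0.2 (outside local). "add-route" installs a host route for
! 10.200.0.2 via the outside interface, so inside traffic to that alias
! reaches the NAT boundary before the destination is translated.
ip nat outside source static 202.40.211.200 10.200.0.2 add-route
```

With this in place host A sends to 10.200.0.2; on the wire toward host B the packet carries S 202.40.211.211 / D 202.40.211.200, and the reply arrives on the LAN as S 10.200.0.2 / D 192.168.1.1, which is the second diagram with the assumed outside local address substituted. "show ip nat translations" lists both static entries before any traffic flows; dynamic entries appear only for sessions the router actually sees.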