Wrong diagram inside local, outside local, inside global, outside global in NAT

SJ K
Level 5

Dear all,

I spent quite some time cracking my head over the terms above, and I realise the internet might have some wrong information (but I might be wrong too), hence please correct me if I am wrong.

Please see below diagram

The "outside local" is actually a local address in the inside network of R1 that represents an outside device (Host2).

The "outside local" is not a local address in the outside network of an outside device (Host2).

Please let me know if I am right.

Regards,

Noob


Hi Jon,

Thanks for the reply and the link.

q1) I have read the link, which means the diagram above, which I have extracted from the internet, is wrong, isn't it?

q2) I do not understand the portion in the red square boxes; since now both inside and outside src NAT are issued, why isn't it 10.10.1.4 -> 171.16.68.5:4 instead and 171.16.68.1 -> 10.10.10.5 instead?

Regards,
Noob

Reza Sharifi
Hall of Fame

Hi,

Have a look at this document. It goes over the definitions of inside local, outside global, etc.

Define Inside Local and Inside Global Addresses

In this configuration, when the NAT router receives a packet on its inside interface with a source address of 10.10.10.1, the source address is translated to 171.16.68.5. This also means that when the NAT router receives a packet on its outside interface with a destination address of 171.16.68.5, the destination address is translated to 10.10.10.1.

http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/4606-8.html

HTH

Peter Paluch
Cisco Employee

Hi,

Think of these terms in this way:

  • Terms inside and outside determine the owner of this address, or in other words, who is being described by this address. Inside addresses describe stations on the internal (ip nat inside) side of the router, outside addresses describe stations on the external (ip nat outside) side of the router.
  • Terms local and global determine who is looking, or in other words, from whose viewpoint the address is being discussed. local addresses are addresses as seen by the internal side of the router while global addresses are addresses as seen by the external side of the router.

So following these definitions, the combinations are:

  • inside local: an address of an internal host as seen by any other internal host
  • inside global: an address of an internal host as seen from outside
  • outside global: an address of an external host as seen from outside
  • outside local: an address of an external host as seen by any internal host

Would this help? Admittedly, this is a confusing topic. Feel welcome to ask further!

Best regards,
Peter

Hi Peter, Reza,

Thanks for the explanation and links given. I am clear, but still can't find an explanation for the diagram below.

When the packet transfer is initiated from both the sides, the output of the show ip nat translations command is as shown here:

I do not understand the portion in the red square boxes; since now both inside and outside src NAT are issued, why isn't it 10.10.1.4 -> 171.16.68.5:4 instead and 171.16.68.1 -> 10.10.10.5 instead?

Regards,
Noob

Hi Koh,

Okay, let's see. The diagram in your original post (the one with two hosts and two routers with a red cloud in the middle) is wrong. From Host1's perspective, everything behind Router1 is outside local - it is on the outward side as seen from the inside. Host1 does not know - and does not care - if there is yet another NAT somewhere along the way. Your assessment of the situation is correct.

Regarding the show ip nat translations output, it is also confusing at best. However, there may be certain logic to it but in order to understand that, we would need first to see how exactly R1's NAT was configured. Are there any configs related to this exhibit?

Best regards,
Peter

Hi Peter

Sorry I was posting while you were.

The configurations are in the linked document but I think the output is misleading assuming all pings are done to translated IPs and I can't see why they wouldn't be if they have gone to the trouble of setting them up.

Jon

Hi Peter,

Glad to see you here, and thanks for confirming my assessment.

The exhibit is at the link below:

http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/4606-8.html#sthash.JLpLHVzr.dpuf

Regards,
Noob

The document is wrong, assuming they are pinging the translated IPs and not the real IPs, i.e. from a quick lab I did:

before any pings -

r1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.10.10.5         171.16.68.1
--- 171.16.68.5        10.10.10.1         ---                ---

after ping from inside -

r1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.10.10.5         171.16.68.1
icmp 171.16.68.5:1     10.10.10.1:1       10.10.10.5:1       171.16.68.1:1
--- 171.16.68.5        10.10.10.1         ---                ---

after ping from outside as well -

r1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.10.10.5         171.16.68.1
icmp 171.16.68.5:1     10.10.10.1:1       10.10.10.5:1       171.16.68.1:1
icmp 171.16.68.5:2     10.10.10.1:2       10.10.10.5:2       171.16.68.1:2
--- 171.16.68.5        10.10.10.1         ---                ---

so you are right, the document should be showing translated IPs.

Sorry about that, I linked to the document for the definitions but I didn't read the whole thing.

Peter did say NAT can be a confusing subject :-)

Jon
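To tie Peter's four terms to Jon's lab tables above, here is a small Python model of R1 (example code written for this page, not from Cisco or from anyone in the thread). It assumes the two static mappings the tables imply, inside source 10.10.10.1 <-> 171.16.68.5 and outside source 171.16.68.1 <-> 10.10.10.5, translates a packet in each direction, and rebuilds the four-column row; an address with no mapping passes through unchanged, which is the "pinging the real IP" case discussed below.

```python
from dataclasses import dataclass

# Static mappings on R1, inferred from the translation tables in the thread
# (assumption: the document's inside-source and outside-source static NAT):
#   inside source static : inside local 10.10.10.1   <-> inside global 171.16.68.5
#   outside source static: outside global 171.16.68.1 <-> outside local 10.10.10.5
INSIDE_LOCAL_TO_GLOBAL = {"10.10.10.1": "171.16.68.5"}
OUTSIDE_GLOBAL_TO_LOCAL = {"171.16.68.1": "10.10.10.5"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def _reverse(mapping):
    return {v: k for k, v in mapping.items()}


def inside_to_outside(pkt):
    """Packet entering on 'ip nat inside' and leaving on 'ip nat outside'.
    src: inside local -> inside global; dst: outside local -> outside global.
    An address with no mapping passes through unchanged (the 'real IP' case)."""
    return Packet(INSIDE_LOCAL_TO_GLOBAL.get(pkt.src, pkt.src),
                  _reverse(OUTSIDE_GLOBAL_TO_LOCAL).get(pkt.dst, pkt.dst))


def outside_to_inside(pkt):
    """Packet entering on 'ip nat outside' and leaving on 'ip nat inside'.
    src: outside global -> outside local; dst: inside global -> inside local."""
    return Packet(OUTSIDE_GLOBAL_TO_LOCAL.get(pkt.src, pkt.src),
                  _reverse(INSIDE_LOCAL_TO_GLOBAL).get(pkt.dst, pkt.dst))


def translation_row(pkt, from_inside=True):
    """The four columns of 'show ip nat translations' for one flow: the inside
    host's address as seen locally and globally, and the outside host's likewise."""
    if from_inside:                      # pkt is the packet as seen on the inside
        out = inside_to_outside(pkt)
        return {"inside_global": out.src, "inside_local": pkt.src,
                "outside_local": pkt.dst, "outside_global": out.dst}
    inn = outside_to_inside(pkt)         # pkt is the packet as seen on the outside
    return {"inside_global": pkt.dst, "inside_local": inn.dst,
            "outside_local": inn.src, "outside_global": pkt.src}
```

A ping from 10.10.10.1 to the real address 171.16.68.1 gives a row with outside local equal to outside global, and `translation_row(Packet("171.16.68.1", "10.10.10.1"), from_inside=False)` gives inside global equal to inside local, which are the two icmp rows Noob quotes in the next post.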

 

Hi Jon,

q1) You are right, but I think they are not wrong, just pinging the actual IPs instead of the translated IPs.

(please correct me if I am wrong)

In my own definition (translated IPs = IPs that are translated by the router on my end).

So right now, the translated IPs are (red = translated IP):

inside local to inside global (10.10.10.1 to 171.16.68.5) aka inside source static

outside local to outside global (10.10.10.5 to 171.16.68.1)  aka outside source static

========================================================================

When R1 pings the outside global IP, which is not translated (171.16.68.1), it will show

Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.10.10.5         171.16.68.1
icmp 10.10.10.1:4      10.10.10.1:4       10.10.10.5:4       171.16.68.1:4
icmp 171.16.68.5:39    10.10.10.1:39      171.16.68.1:39     171.16.68.1:39
--- 171.16.68.5        10.10.10.1         ---                ---

When the outside pings R1 directly using 10.10.10.1, we will get

Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.10.10.5         171.16.68.1
icmp 10.10.10.1:4      10.10.10.1:4       10.10.10.5:4       171.16.68.1:4
icmp 171.16.68.5:39    10.10.10.1:39      171.16.68.1:39     171.16.68.1:39
--- 171.16.68.5        10.10.10.1         ---                ---

==============================================================

Q2) Just curious: in real life, there are so many NAT translations, so how do we differentiate incoming and outgoing ICMP requests if they are all using NAT IPs (translated IPs) to communicate?

Q3) When pinging an IP from a router, are we able to force the router to send the ICMP out of a certain interface even though the destination IP/route is meant to exit via another interface? (I tried extended ping, but it only uses the IP of the designated interface, while the packet itself still exits via the other interface stated in the route table.)

e.g. I want a ping packet to exit out of fa0/1 instead of fa0/2, even though the route for the destination IP is to exit via fa0/2.

Regards,
Noob

q1) I suspected they may be pinging the real IPs, but that is misleading in my opinion.

q2) you have the configuration and that tells you what you have setup.

NAT is complex but don't make it harder than it is, just look at your configuration and it will tell you what is being done.

q3) Why would you want to do that?

Routers use the routing table, that's what they do.

Jon