Confused About NAT Commands

Unanswered Question
Jul 7th, 2007
User Badges:

Can anyone please explain the difference between the two NAT commands 'ip nat outside source' amd 'ip nat inside destination' ? As I understand it, the former command changes an outside address to a different address on the inside network to avoid confusion in the case where the inside network is using an address already allocated to some outside host, eg somebody is using Cisco's ip address on their internal network.

Is the second command 'ip nat inside destination' just another way of doing the same thing to workaround this ambiguity problem ? I know it is translating the destination address, but isn't this achieved by the first command 'ip nat outside source' ? Surely the NAT translation is a two-way process ?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (2 ratings)
dgahm Sat, 07/07/2007 - 10:27
User Badges:
  • Blue, 1500 points or more


Destination NAT is essentially server load balancing, distributing connections between multiple inside addresses.

Destination Address Rotary Translation

A dynamic form of destination translation can be configured for some outside-to-inside traffic. Once a mapping is set up, a destination address matching one of those on an access list will be replaced with an address from a rotary pool. Allocation is done in a round-robin basis, performed only when a new connection is opened from the outside to the inside. All non-TCP traffic is passed untranslated (unless other translations are in effect).

This feature was designed to provide protocol translation load distribution. It is not designed nor intended to be used as a substitute technology for Cisco's LocalDirector product. Destination address rotary translation should not be used to provide web service load balancing because, like vanilla DNS, it knows nothing about service availability. As a result, if a web server were to become offline, the destination address rotary translation feature would continue to send requests to the downed server.

Please rate helpful posts.


rossua994 Sun, 07/08/2007 - 08:58
User Badges:

Thanks for the information. I see that the command 'ip nat inside destination' is not concerned with internet addresses, but with TCP Load Balancing. I have checked the white paper you refered to, and also the document 'Cisco IOS IP Addressing Services Config Guide, Rel 12.4' (pg's 349-), but I'm not quite sure I understand what is going on here. I see that traffic from the outside destined for a virtual host on the inside is distributed on a round-robin basis amongst a pool of real hosts, but I cannot see the purpose of this. Surely each inside host is only interested in its own traffic ? Under what circumstances is this approach used ?

dgahm Sun, 07/08/2007 - 10:46
User Badges:
  • Blue, 1500 points or more

You could use this to load balance traffic to a group of servers with the same Web content. New connections would be evenly distributed to all the servers in the pool. The problem with this is that there is no intelligence that detects the readiness of a server in the pool. If one of the servers is turned off the NAT will still translate connections to that address, and those will fail. For this reason it is very rare to see destination NAT used in the real world.

Cisco sells many server load balancing products (CSS-115XX, Local Director)that do send keepalives to each server and drop them from the pool when they are not functioning. Other features like stickiness and SSL termination are also provided.

Please rate helpful posts.


rossua994 Sun, 07/08/2007 - 11:00
User Badges:

Thanks for info, this has cleared up the confusion.


This Discussion