NAT: Difference between IP NAT INSIDE SOURCE & IP NAT SOURCE LIST

Answered Question
Aug 19th, 2008

Hi!


I am confused about when to use these two commands:


ip nat inside source

and

ip nat source list


When I use IP NAT INSIDE SOURCE, users can access the internet, but when I used IP NAT SOURCE LIST, no translation happens.


Also, after enabling the IP NAT INSIDE SOURCE command, telnet access to the outside interface is not accessible.


Thanks in advance for your help.

Marwan ALshawi Tue, 08/19/2008 - 22:16

With ip nat inside source list you need to define an ACL defining the traffic to be considered as a NAT source. For example, let's say your inside local LAN is 192.168.1.0/24.


Do:


access-list 100 permit ip 192.168.1.0 0.0.0.255 any


This way you can use the source list like:


ip nat inside source list 100 [and your other config..]


With a list you might exclude some IPs or networks.

For example, if you want host 192.168.1.1 to not be NATed (this way it will not use the internet), do:


access-list 100 deny ip host 192.168.1.1 any

access-list 100 permit ip 192.168.1.0 0.0.0.255 any


Then apply it to your NAT statement with the source list.


please, if helpful Rate

Rejohn Ronald Cuares Tue, 08/19/2008 - 22:20

Hi Marwanshawi.


Thank you for your fast response. How about the IP NAT SOURCE LIST command? What is the difference between the two?

Marwan ALshawi Tue, 08/19/2008 - 22:29

The above description is all about ip source list.

As I mentioned:

ip nat source list, then put the ACL based on the descriptions I have given to you,

which gives you more control and lets you select exactly what to NAT and what not.

It is also helpful in VPN IPsec because sometimes you need some kind of traffic to be exempted from the NAT.


The one with list NATs the source without specific details like with the list one and ACL.


Have a look at the following link; it will help you a lot:


http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml


good luck



please, if helpful Rate

ohassairi Wed, 08/20/2008 - 00:25

As far as I know, "ip nat source" does not exist.

What platform and IOS are you using?

lamav Wed, 08/20/2008 - 00:45

The choice you're giving is wrong. Assuming the traffic that must be NATed is coming from behind the "inside" NAT interface, the choices you have are:


ip nat inside source list


OR


ip nat inside source static


The list option is exactly as Marwan described.


The static option is used when you want to statically define which source host addresses must be NATed.


Example:


ip nat inside source static 10.10.10.50 172.16.2.1


HTH


Victor

Rejohn Ronald Cuares Wed, 08/20/2008 - 01:20

lamav,


I'm asking when to use


IP NAT INSIDE SOURCE LIST

and

IP NAT SOURCE LIST


I am using Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(15)T3, RELEASE SOFTWARE (fc1).

lamav Wed, 08/20/2008 - 07:51

Go into config mode, type "ip nat" and then a "?" and show us the choices that you have.


Victor

Richard Burts Wed, 08/20/2008 - 08:30

Victor


Here it is:

lab2(config)#ip nat ?
  Stateful     Stateful NAT configuration commands
  create       Create flow entries
  inside       Inside address translation
  log          NAT Logging
  outside      Outside address translation
  pool         Define pool of addresses
  service      Special translation for application using non-standard port
  source       Source address translation
  translation  NAT translation entry configuration

lab2(config)#ip nat source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping

lab2(config)#ip nat source


HTH


Rick

Correct Answer
Richard Burts Wed, 08/20/2008 - 08:35

Rejohn


And here is an explanation of the new command:

ip nat source


To enable Network Address Translation (NAT) on a virtual interface without inside or outside specification, use the ip nat source command in global configuration mode.


Here is a link with more detail for anyone who wants more info:

http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_nat.html#wp1012829


So use ip nat inside source for normal (physical) interfaces and use ip nat source for virtual interfaces.


HTH


Rick
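
The two command families discussed in this thread, side by side, as an added example that is not part of any poster's configuration: classic NAT translates only between interfaces marked ip nat inside and ip nat outside, while ip nat source (NAT Virtual Interface) acts only on interfaces configured with ip nat enable, so an ip nat source list statement paired with inside/outside interface markings yields no translations. Interface names and all addresses are assumptions; the ACL is the one posted earlier in the thread.

```cisco
! Constructed example: interface names and addresses are assumptions.
! ACL shared by both variants. First match wins, so the host deny
! must come before the subnet permit.
access-list 100 deny   ip host 192.168.1.1 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
! --- Variant A: classic (domain-based) NAT ---
interface FastEthernet0/0
 description LAN
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description Internet uplink
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
ip nat inside source list 100 interface FastEthernet0/1 overload
!
! --- Variant B: NAT Virtual Interface (ip nat source) ---
! Use instead of Variant A, not in addition to it.
interface FastEthernet0/0
 no ip nat inside
 ip nat enable
!
interface FastEthernet0/1
 no ip nat outside
 ip nat enable
!
ip nat source list 100 interface FastEthernet0/1 overload
!
! Verification:
!  Variant A: show ip nat translations
!  Variant B: show ip nat nvi translations
```

In either variant, ACL 100 decides which sources are translated; it does not filter traffic, so a host excluded from NAT still needs an interface ACL if it must be blocked outright.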

Richard Burts Wed, 08/20/2008 - 09:42

Rejohn


I am glad that my response did resolve your question. Thank you for using the rating system to indicate that your question was resolved (and thanks for the rating). It makes the forum more useful when people can read a question and can know that there was a response which did resolve the question.


The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.


HTH


Rick

lamav Wed, 08/20/2008 - 10:11

rick:


Cowabunga, dude!


LOL


I tried replicating that in my lab on a 7206 -- no dice.


Thanks


victor

Richard Burts Wed, 08/20/2008 - 10:17

Victor


I believe that it is version dependent. According to the documentation this command was introduced in 12.3(14)T. Looks like your 7206 is earlier than that and my router is later than that.


HTH


Rick
