NAT inside and NAT outside

Unanswered Question
Mar 21st, 2009

In CCNA books the classical NAT inside is presented, where a router translates the internal private IP addresses to the public IP address(es) given by the ISP.

Could you give me a real case when NAT outside is to be used?

And is NAT outside used separately from NAT inside, or is it always used together with NAT inside, as a kind of port forwarding?

lamav Sat, 03/21/2009 - 16:49

Hi:

Without a NAT "inside" interface and a NAT "outside" interface defined on the same device, the NAT rule will never be executed.

There is an order of operations when a packet arrives at the "inside" interface and another one when it arrives at the "outside" interface.

So, to answer your question, "NAT outside" is always used. The difference is that sometimes many source IP addresses and their corresponding application ports are NAT'ed to the outside interface address given by the ISP. So, it's a many-to-one NAT overload or PAT.

Otherwise, there is a one-to-one NAT translation, either dynamically or statically.

HTH

Victor

badalam_nt Sun, 03/22/2009 - 14:25

Maybe I was not clear.

Of course under interface configuration you have to declare one as "ip nat inside" and another one as "ip nat outside".

But I'm not referring to them.

I was referring to the INSIDE from the commands:

ip nat inside source static IP1 IP2

ip nat inside source list 1 pool poolname

ip nat inside source list 1 pool poolname overload

vs the equivalent commands with OUTSIDE.

badalam_nt Mon, 03/23/2009 - 07:50

Thanks, but actually this does not answer my question. I know how to configure NAT outside.

I've just had the chance to meet a CCIE guy in person who answered my question. Here's the answer I got from him:

"The only case I know about needing NAT outside, which anyway happens rarely, is when 2 companies that are merging are using the same subnets:

Ex: 10.1.1.0/24 in each of the 2 companies (and he drew a picture on the whiteboard).

In this case the router connecting the 2 companies' networks must be configured with NAT outside (and as well NAT inside for bidirectional communication)."

Jon Marshall Mon, 03/23/2009 - 08:01

Petru

Actually it's more common than that. It can be, and is, used any time the source addresses in packets coming into your network are already in use within your network. And the flip side of this is that it happens if the destination addresses your internal clients need to get to are already in use in your network.

This may be because of a merge but it may also be because of a 3rd party partner that has the same IP addresses as you have and they cannot do NAT at their end.

In addition, it is not always used in conjunction with "ip nat inside..", although it would be in the example given by your CCIE. It may be that you only need to NAT the incoming packets' source addresses and not your internal clients.

If you are setting up VPNs etc. with 3rd parties on a router, this type of thing happens more often than you would think.

Jon

lamav Mon, 03/23/2009 - 08:13

Petru:

Your question boils down to the reason why you would ever configure NAT, period. NAT inside, NAT outside, NAT King Cole...any NAT...

The reason is that the source IP address of a packet that is destined for a certain network is unacceptable. Maybe the destination network is using the same address range; maybe the packet is heading to the Internet and has to get rid of its private address; etc.

All the IP NAT OUTSIDE command means is that the traffic is being sourced from a network that sits beyond your NAT Outside interface.

badalam_nt Mon, 03/23/2009 - 09:27

Not really. I know when it is needed to use NAT inside, but never saw explained nor had any idea about the cases when NAT outside is meaningful and really needed. So my question is not general to NAT, but it is particular to NAT outside.

badalam_nt Mon, 03/23/2009 - 09:13

As I jumped in the discussion while it was already ongoing I missed the full picture.

Thanks to what you mentioned, I told this to the CCIE guy and actually he confirmed to me that I was not there while he explained that NAT outside is needed for the case when there's an IP overlap on the 2 sides. And he just gave a real example relevant to the company where he was giving a training (where a merger happened not long ago).

So the conclusion would be that NAT outside is needed when there's an overlap of IP addresses on the 2 sides (source and destination subnets).
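The overlapping-subnet case the thread converges on, written out as an added Cisco IOS configuration example (this is not any poster's own config; the interface names, the 192.168.100.0/30 link to the partner router and the 172.16.1.0/24 and 172.16.2.0/24 translated ranges are assumptions):

```cisco
! Both sides use 10.1.1.0/24. Our side is "inside", the partner is "outside".
! To the partner, our hosts appear as 172.16.1.x; to us, their hosts appear as 172.16.2.x.
interface GigabitEthernet0/0
 description Inside: our LAN, real addresses 10.1.1.0/24
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Outside: point-to-point link to the partner router (assumed addressing)
 ip address 192.168.100.1 255.255.255.252
 ip nat outside
!
! "ip nat inside source": our 10.1.1.0/24 is rewritten to 172.16.1.0/24 when leaving
ip nat inside source static network 10.1.1.0 172.16.1.0 /24
!
! "ip nat outside source": the partner's 10.1.1.0/24 (outside global) is rewritten to
! 172.16.2.0/24 (outside local) when entering, so our hosts never see a clashing 10.1.1.x
! add-route installs routes for the translated range; the explicit route below makes
! the intent visible and sends 172.16.2.0/24 towards the partner link
ip nat outside source static network 10.1.1.0 172.16.2.0 /24 add-route
ip route 172.16.2.0 255.255.255.0 192.168.100.2
!
! Verify with: show ip nat translations
! Expected inside-to-outside flow: 10.1.1.10 -> 172.16.2.20 leaves as 172.16.1.10 -> 10.1.1.20
```

Our hosts must address the partner as 172.16.2.x (by DNS or by hand), and the partner router needs a route for 172.16.1.0/24 pointing back at 192.168.100.1, otherwise replies never reach the outside interface to be untranslated.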
