Confused with NAT inside,outside & outside,inside keywords

Feb 23rd, 2010

Hi, I have one Cisco ASA. The IP addresses are: outside (IP address 202.86.91.98/28) and inside (IP address 172.19.3.4/28).


I am seeing two static NATs. One is static (inside,outside), which is working fine and routing to my internal host 10.50.33.43.


My concern is the second NAT, static (outside,inside). 206.201.76.5 is on the global network. I want to know how the outside,inside NAT will work. Will any traffic coming from 206.201.76.5 be translated to source IP 172.19.128.18? I am really confused.


static (inside,outside) 202.86.91.125 10.50.33.43 netmask 255.255.255.255


static (outside,inside) 172.19.128.18 206.201.76.5 netmask 255.255.255.255


route outside 0.0.0.0 0.0.0.0 202.86.91.97
route inside 10.0.0.0 255.0.0.0 172.19.3.1
route inside 172.19.0.0 255.255.0.0 172.19.3.1

Jon Marshall Wed, 02/24/2010 - 00:37

rupesh_kashyap wrote:


Hi, I have one Cisco ASA. The IP addresses are: outside (IP address 202.86.91.98/28) and inside (IP address 172.19.3.4/28).


I am seeing two static NATs. One is static (inside,outside), which is working fine and routing to my internal host 10.50.33.43.


My concern is the second NAT, static (outside,inside). 206.201.76.5 is on the global network. I want to know how the outside,inside NAT will work. Will any traffic coming from 206.201.76.5 be translated to source IP 172.19.128.18? I am really confused.


static (inside,outside) 202.86.91.125 10.50.33.43 netmask 255.255.255.255


static (outside,inside) 172.19.128.18 206.201.76.5 netmask 255.255.255.255


route outside 0.0.0.0 0.0.0.0 202.86.91.97
route inside 10.0.0.0 255.0.0.0 172.19.3.1
route inside 172.19.0.0 255.255.0.0 172.19.3.1


Rupesh


static NAT statements are bi-directional so -


static (inside,outside) 202.86.91.125 10.50.33.43 netmask 255.255.255.255


means -


1) if a packet arrives on the inside interface with a source address of 10.50.33.43 then change the source address to 202.86.91.125.

2) if a packet arrives on the outside interface with a destination address of 202.86.91.125 then change the destination address to 10.50.33.43


static (outside,inside) 172.19.128.18 206.201.76.5 netmask 255.255.255.255


means -


1) if a packet arrives on the inside interface with a destination address of 172.19.128.18 change the destination address to 206.201.76.5

2) if a packet arrives on the outside interface with a source address of 206.201.76.5 then change the source address to 172.19.128.18


Notice the difference between the two.


The first is translating source addresses from the inside and destination addresses from the outside.

The second is translating destination addresses from the inside and source addresses from the outside.


Jon

Rupesh Kashyap Wed, 02/24/2010 - 00:49

Hi, I am not getting you properly. I have 202.201.76.x on my external interface. I have 10.50.33.x & 172.19.128.x on my interface network.

Now please explain again. Please help again.



static (inside,outside) 202.86.91.125 10.50.33.43 netmask 255.255.255.255


static (outside,inside) 172.19.128.18 202.201.76.5 netmask 255.255.255.255

Jon Marshall Wed, 02/24/2010 - 01:09

Rupesh


I'm not sure how else to explain it. It is simply to do with whether you are translating source or destination IP addresses and on which interface.


Jon

Rupesh Kashyap Wed, 02/24/2010 - 01:37

Now I got your point. Thanks, man. Now I want to understand one thing. I have 202.86.91.x on the outside interface of the ASA. If an Internet user (206.201.76.5) hits 202.86.91.125, then what will happen? Will the 206.201.76.5 source IP change to the 172.19.128.x range for the internal network?

Jon Marshall Wed, 02/24/2010 - 06:35

rupesh_kashyap wrote:


Now I got your point. Thanks, man. Now I want to understand one thing. I have 202.86.91.x on the outside interface of the ASA. If an Internet user (206.201.76.5) hits 202.86.91.125, then what will happen? Will the 206.201.76.5 source IP change to the 172.19.128.x range for the internal network?

Rupesh


With your static statements both the source and destination of the packet will be changed, i.e.:


src will be changed from 206.201.76.5 to 172.19.128.18

dst will be changed from 202.86.91.125 to 10.50.33.43


Jon
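
The bi-directional behaviour described in the replies above, modelled as an added example (not part of the thread and not Cisco code). It parses the two `static` statements from the original post and applies them to a packet by ingress interface; the names `Static`, `parse_statics` and `translate` are hypothetical, and the model assumes host (/32) statics only, with no ACLs, routing or rule ordering.

```python
import re
from typing import NamedTuple

class Static(NamedTuple):
    real_if: str     # first interface in "static (real_if,mapped_if)"
    mapped_if: str   # second interface
    mapped_ip: str   # first address in the statement
    real_ip: str     # second address in the statement

# Host statics only (netmask 255.255.255.255), as in the thread.
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask 255\.255\.255\.255$")

# The two statements quoted in the original post.
CONFIG = """\
static (inside,outside) 202.86.91.125 10.50.33.43 netmask 255.255.255.255
static (outside,inside) 172.19.128.18 206.201.76.5 netmask 255.255.255.255
"""

def parse_statics(config):
    """Return a Static for every host static statement in the text."""
    rules = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            rules.append(Static(*m.groups()))
    return rules

def translate(rules, ingress, src, dst):
    """Apply each static in the direction that matches the ingress interface."""
    new_src, new_dst = src, dst
    for r in rules:
        # Arriving on the real interface: a matching source becomes the mapped IP.
        if ingress == r.real_if and src == r.real_ip:
            new_src = r.mapped_ip
        # Arriving on the mapped interface: a matching destination becomes the real IP.
        if ingress == r.mapped_if and dst == r.mapped_ip:
            new_dst = r.real_ip
    return new_src, new_dst

if __name__ == "__main__":
    rules = parse_statics(CONFIG)
    # Internet host to the published address, arriving on the outside interface.
    print(translate(rules, "outside", "206.201.76.5", "202.86.91.125"))
    # Reply from the internal host, arriving on the inside interface.
    print(translate(rules, "inside", "10.50.33.43", "172.19.128.18"))
```

The second call shows the reply path: the internal host answers 172.19.128.18, and both addresses are translated back before the packet leaves the outside interface.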

Rupesh Kashyap Thu, 02/25/2010 - 04:41

OK, now the problem is, I am NOT seeing any route for 172.19.128.x in the inside network. Then how does the reply reach the correct router?

Any other thing tagged with NAT? I am seeing all policies are working fine, that's why I am surprised.
