Confused with NAT inside,outside & outside,inside keywords

Unanswered Question
Feb 23rd, 2010

Hi, I have one Cisco ASA. The IP addresses are: outside (ip address 202.86.91.98/28) & inside (ip address 172.19.3.4/28).

I am seeing two static NATs. One is static (inside,outside), which is working fine & routing to my internal host 10.50.33.43.

My concern is the second NAT, static (outside,inside). 206.201.76.5 is on the global network. I want to know how the outside,inside NAT will work. Will any traffic coming from 206.201.76.5 be translated to source IP 172.19.128.18? I am really confused.

static (inside,outside) 202.86.91.125 10.50.33.43 netmask 255.255.255.255

static (outside,inside) 172.19.128.18 206.201.76.5 netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 202.86.91.97
route inside 10.0.0.0 255.0.0.0 172.19.3.1
route inside 172.19.0.0 255.255.0.0 172.19.3.1

Jon Marshall Wed, 02/24/2010 - 00:37

rupesh_kashyap wrote:

Hi, I have one Cisco ASA. The IP addresses are: outside (ip address 202.86.91.98/28) & inside (ip address 172.19.3.4/28).

I am seeing two static NATs. One is static (inside,outside), which is working fine & routing to my internal host 10.50.33.43.

My concern is the second NAT, static (outside,inside). 206.201.76.5 is on the global network. I want to know how the outside,inside NAT will work. Will any traffic coming from 206.201.76.5 be translated to source IP 172.19.128.18? I am really confused.

static (inside,outside) 202.86.91.125 10.50.33.43 netmask 255.255.255.255

static (outside,inside) 172.19.128.18 206.201.76.5 netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 202.86.91.97
route inside 10.0.0.0 255.0.0.0 172.19.3.1
route inside 172.19.0.0 255.255.0.0 172.19.3.1

Rupesh

static NAT statements are bi-directional so -

static (inside,outside) 202.86.91.125 10.50.33.43 netmask 255.255.255.255

means -

1) if a packet arrives on the inside interface with a source address of 10.50.33.43 then change the source address to 202.86.91.125.

2) if a packet arrives on the outside interface with a destination address of 202.86.91.125 then change the destination address to 10.50.33.43

static (outside,inside) 172.19.128.18 206.201.76.5 netmask 255.255.255.255

means -

1) if a packet arrives on the inside interface with a destination address of 172.19.128.18 change the destination address to 206.201.76.5

2) if a packet arrives on the outside interface with a source address of 206.201.76.5 then change the source address to 172.19.128.18

Notice the difference between the two.

The first is translating source addresses from the inside and destination addresses from the outside.

The second is translating destination addresses from the inside and source addresses from the outside.

Jon

Rupesh Kashyap Wed, 02/24/2010 - 00:49

Hi, I am not getting you properly. I have 202.201.76.x on my external interface. I have 10.50.33.x & 172.19.128.x on my interface network.

Now please explain again. Please help again.

static (inside,outside) 202.86.91.125 10.50.33.43 netmask 255.255.255.255

static (outside,inside) 172.19.128.18 202.201.76.5 netmask 255.255.255.255

Jon Marshall Wed, 02/24/2010 - 01:09

Rupesh

I'm not sure how else to explain it. It is simply to do with whether you are translating source or destination IP addresses and on which interface.

Jon

Rupesh Kashyap Wed, 02/24/2010 - 01:37

Now I got your point. Thanks man. Now I want to understand one thing. I have 202.86.91.x on the outside interface of the ASA. If an Internet user (206.201.76.5) hits 202.86.91.125, then what will happen? Will the 206.201.76.5 source IP change to the 172.19.128.x range for the internal network?

Jon Marshall Wed, 02/24/2010 - 06:35

rupesh_kashyap wrote:

Now I got your point. Thanks man. Now I want to understand one thing. I have 202.86.91.x on the outside interface of the ASA. If an Internet user (206.201.76.5) hits 202.86.91.125, then what will happen? Will the 206.201.76.5 source IP change to the 172.19.128.x range for the internal network?

Rupesh

With your static statements both the source and destination of the packet will be changed, i.e.

src will be changed from 206.201.76.5 to 172.19.128.18

dst will be changed from 202.86.91.125 to 10.50.33.43

Jon
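
Added example, not part of the thread or of any Cisco code: a simplified Python model of the static NAT semantics described in the replies above, run over the two static lines from the original post. The function names and sample packets are constructed for illustration, and the model covers only address rewriting by ingress interface, not ACLs, routing, or translation-table state.

```python
import ipaddress
import re

# The two static statements from the thread (pre-8.3 ASA syntax).
CONFIG = """\
static (inside,outside) 202.86.91.125 10.50.33.43 netmask 255.255.255.255
static (outside,inside) 172.19.128.18 206.201.76.5 netmask 255.255.255.255
"""

STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")

def parse_statics(text):
    """Return (real_if, mapped_if, mapped_net, real_net) per static line."""
    rules = []
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            real_if, mapped_if, mapped, real, mask = m.groups()
            rules.append((real_if, mapped_if,
                          ipaddress.ip_network(f"{mapped}/{mask}"),
                          ipaddress.ip_network(f"{real}/{mask}")))
    return rules

def _remap(addr, src_net, dst_net):
    """Move addr from src_net to the same host offset in dst_net."""
    ip = ipaddress.ip_address(addr)
    if ip not in src_net:
        return None
    offset = int(ip) - int(src_net.network_address)
    return str(dst_net.network_address + offset)

def translate(rules, ingress_if, src, dst):
    """Apply every matching static to a packet arriving on ingress_if."""
    new_src, new_dst = src, dst
    for real_if, mapped_if, mapped_net, real_net in rules:
        if ingress_if == real_if:      # arrived on the real side: rewrite source
            new_src = _remap(src, real_net, mapped_net) or new_src
        elif ingress_if == mapped_if:  # arrived on the mapped side: rewrite destination
            new_dst = _remap(dst, mapped_net, real_net) or new_dst
    return new_src, new_dst

RULES = parse_statics(CONFIG)

if __name__ == "__main__":
    # Constructed packets: the Internet host to the public address, then the reply.
    print(translate(RULES, "outside", "206.201.76.5", "202.86.91.125"))
    print(translate(RULES, "inside", "10.50.33.43", "172.19.128.18"))
```

The reply direction shows why the inside host only ever sees 172.19.128.18 as its peer: the inside network needs a route for that mapped address back toward the ASA.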

Rupesh Kashyap Thu, 02/25/2010 - 04:41

OK, now the problem is, I am NOT seeing any route for 172.19.128.x in the inside network. Then how does the reply reach the correct router?

Is anything else tagged with NAT? I am seeing all policies working fine, that's why I am surprised.
