
ip nat inside

pgamage
Level 1

is this summarization of natting correct?

To give internal users internet access

ip nat inside source static local_IP global_IP

To publish internal web servers in the internet

ip nat inside source static global_IP local_IP

command is same, just changing IP location is enough?

Thanks

1 Accepted Solution


Hi,

I am trying to give you correct knowledge about NAT.

Firstly, I copy the definition of NAT from an ASA book and re-edit it a little to fit a router:

If the packets arriving at the Router from a host subject to translation ingress a LAN interface with a higher security level than the Internet interface they egress, the address translation performed is known as inside NAT. Conversely, if packets arriving from a host subject to translation ingress an Internet interface with a lower security level than the LAN interface they egress, the address translation performed is known as outside NAT.

The key is that you have to determine which host is subject to translation. In the second scenario, your web server is subject to translation, not the Internet user from outside. That translation is often described in another way, as "Public xxx server".

Hope this helps!



4 Replies

cadet alain
VIP Alumni

Hi,

No it is incorrect.

To give internal users internet access

example: users in the 192.168.1.0/24 subnet will get translated to the IP of interface f0/0, which is the outside address

ip nat inside source list 1 int f0/0

access-list 1 permit 192.168.1.0 0.0.0.255

To publish internal web servers in the internet

example: publish web server 192.168.1.1 on the public ip of f0/0 interface with same destination standard port of 80

ip nat inside source static tcp 192.168.1.1  80 interface f0/0 80

Regards.

Alain.

Don't forget to rate helpful posts.


2 scenarios.

To give internal users internet access

I can understand that the ip nat inside source command translates the source address when accessing the internet. This command matches the source of the first packet of the session, which goes from inside to outside.

To publish internal web servers in the internet

But here the first packet of the session in this scenario comes from outside and goes to inside. The second packet of the same session starts from inside and goes to outside, which is similar to the first packet of the first scenario, hence matches the ip nat inside source command.

In other words, the first packet of the first scenario is similar only to the second packet of the second scenario. There is no command to match the first packet, which is coming from outside and goes to inside. The same command should not work in both scenarios.

I see ambiguity in the literal meaning of the command syntax. Am I missing something here or is there an issue in forming the command?

Reply very highly appreciated.

"host subject to translation ingress"

Thanks.

That's pure knowledge
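The follow-up question about the first packet arriving from outside can be checked against a small model of the translation table. This is an added example, not code from any poster or from Cisco. It shows that an `ip nat inside source` entry is searched by source for inside-to-outside packets and by destination for outside-to-inside packets, and that a static entry exists before any traffic while a dynamic one does not. Assumptions: the class and function names are hypothetical, 203.0.113.1 and 198.51.100.7 are constructed documentation addresses, and timeouts and the remote endpoint in each entry are ignored.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatRouter:
    """Simplified model: table maps (inside global ip, port) -> (inside local ip, port)."""
    def __init__(self, outside_ip, acl_net):
        self.outside_ip = outside_ip              # address of f0/0 (constructed)
        self.acl = ipaddress.ip_network(acl_net)  # stands in for access-list 1
        self.table = {}

    def add_static(self, local_ip, local_port, global_port):
        # ip nat inside source static tcp <local_ip> <local_port> interface f0/0 <global_port>
        # The entry is installed at configuration time, before any packet flows.
        self.table[(self.outside_ip, global_port)] = (local_ip, local_port)

    def inside_to_outside(self, pkt):
        # Inside -> outside: the SOURCE (inside local) is rewritten to inside global.
        for glob, loc in self.table.items():
            if loc == (pkt.src, pkt.sport):
                return replace(pkt, src=glob[0], sport=glob[1])
        if ipaddress.ip_address(pkt.src) not in self.acl:
            return pkt                            # not matched by the list: untranslated
        # ip nat inside source list 1 interface f0/0: this packet creates the entry.
        port = pkt.sport
        while (self.outside_ip, port) in self.table:
            port += 1
        self.table[(self.outside_ip, port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.outside_ip, sport=port)

    def outside_to_inside(self, pkt):
        # Outside -> inside: the same table is searched by DESTINATION (inside global).
        loc = self.table.get((pkt.dst, pkt.dport))
        return replace(pkt, dst=loc[0], dport=loc[1]) if loc else None  # None: no entry

def demo():
    r = NatRouter("203.0.113.1", "192.168.1.0/24")
    r.add_static("192.168.1.1", 80, 80)           # published web server from the thread
    client = ("198.51.100.7", 40000)
    first = r.outside_to_inside(Packet(*client, "203.0.113.1", 80))
    reply = r.inside_to_outside(Packet("192.168.1.1", 80, *client))
    unsolicited = r.outside_to_inside(Packet(*client, "203.0.113.1", 5000))
    out = r.inside_to_outside(Packet("192.168.1.20", 5000, "198.51.100.7", 443))
    back = r.outside_to_inside(Packet("198.51.100.7", 443, "203.0.113.1", 5000))
    return first, reply, unsolicited, out, back
```

The static entry is a standing path from the outside to the server's port, so it is the one to review when auditing what a router exposes; the dynamic entry appears only after an inside host has initiated traffic.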
