06-29-2012 05:14 AM - edited 03-04-2019 04:50 PM
Is this summarization of NATting correct?
To give internal users internet access
ip nat inside source static local_IP global_IP
To publish internal web servers on the internet
ip nat inside source static global_IP local_IP
The command is the same; is just changing the IP location enough?
Thanks
06-29-2012 05:45 AM
Hi,
No, it is incorrect.
To give internal users internet access
example: users in the 192.168.1.0/24 subnet will get translated to the IP of interface f0/0, which is the outside address
ip nat inside source list 1 int f0/0
access-list 1 permit 192.168.1.0 0.0.0.255
To publish internal web servers in the internet
example: publish web server 192.168.1.1 on the public ip of f0/0 interface with same destination standard port of 80
ip nat inside source static tcp 192.168.1.1 80 interface f0/0 80
Regards.
Alain.
Don't forget to rate helpful posts.
06-30-2012 08:44 PM
2 scenarios.
To give internal users internet access
I can understand that the ip nat inside source command translates the source address when accessing the internet. This command matches the source of the first packet of the session, which goes from inside to outside.
To publish internal web servers in the internet
But here the first packet of the session in this scenario comes from outside and goes to inside. The second packet of the same session starts from inside and goes to outside, which is similar to the first packet of the first scenario, and hence matches the ip nat inside source command.
In other words, the first packet of the first scenario is similar only to the second packet of the second scenario. There is no command to match the first packet, which is coming from outside and goes to inside. The same command should not work in both scenarios.
I see ambiguity in the literal meaning of the command syntax. Am I missing something here, or is there an issue in forming the command?
Reply very highly appreciated.
07-01-2012 08:33 AM
Hi,
I am trying to give you correct knowledge about NAT.
Firstly, I copy the definition of NAT from an ASA book and re-edit it a little to fit a router:
If the packets arriving at the Router from a host subject to translation ingress a LAN interface with a higher security level than the Internet interface they egress, the address translation performed is known as inside NAT. Conversely, if packets arriving from a host subject to translation ingress an Internet interface with a lower security level than the LAN interface they egress, the address translation performed is known as outside NAT.
The key is that you have to determine which host is subject to translation. In the second scenario, your web server is subject to translation, not the Internet user from outside. That translation is often described in another way, which is Public xxx server.
Hope this helps!
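Added example, not part of any post in this thread: a small Python model of the one translation entry created by `ip nat inside source static tcp 192.168.1.1 80 interface f0/0 80`, showing that the same entry rewrites the destination of the first packet arriving from outside and the source of the server's reply. The class and function names are hypothetical, and 203.0.113.10 (standing in for the f0/0 address) and 198.51.100.7 (the Internet client) are constructed values.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class StaticInsideSource:
    """One static entry: inside local ip:port <-> inside global ip:port."""
    local_ip: str
    local_port: int
    global_ip: str
    global_port: int

    def inside_to_outside(self, p: Packet) -> Optional[Packet]:
        # Packet from the translated host leaving the LAN: SOURCE local -> global.
        if (p.src, p.sport) == (self.local_ip, self.local_port):
            return replace(p, src=self.global_ip, sport=self.global_port)
        return None  # this entry does not apply

    def outside_to_inside(self, p: Packet) -> Optional[Packet]:
        # Same entry read in reverse: DESTINATION global -> local.
        if (p.dst, p.dport) == (self.global_ip, self.global_port):
            return replace(p, dst=self.local_ip, dport=self.local_port)
        return None  # no entry for this port, nothing reaches the server


# 192.168.1.1:80 comes from the thread; the other addresses are constructed.
ENTRY = StaticInsideSource("192.168.1.1", 80, "203.0.113.10", 80)


def web_session():
    """First packet comes from outside; the reply leaves from inside."""
    syn = Packet("198.51.100.7", 40000, "203.0.113.10", 80)
    syn_in = ENTRY.outside_to_inside(syn)
    reply = Packet(syn_in.dst, syn_in.dport, syn_in.src, syn_in.sport)
    return syn_in, ENTRY.inside_to_outside(reply)


if __name__ == "__main__":
    for pkt in web_session():
        print(pkt)
```

In both directions the address being rewritten belongs to the web server, the "host subject to translation"; the Internet client's address is never touched, and a packet to any port other than 80 matches no entry.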
07-03-2012 05:42 PM
"host subject to translation ingress"
Thanks.
That's pure knowledge