You are telling me something that I already did read and understand, but my question was why can't you use ip nat outside destination, because I find it far easier to understand. Is there some explanation? Is it a security issue?
I find it more rational to think like that:
all packets that come to the router with source IP/port and destination IP/port to be redirected to another host (internal host in my case) regardless of the direction of the packet (inside-to-outside or outside-to-inside).
Things which might sound logical to you are perhaps not logical to others. The objective which you have mentioned can be achieved through other means in Cisco NAT. Most of us, including me, would not think of it the way you have mentioned. I think it sort of varies from person to person.
As far as ip nat outside destination command is concerned, no such command is supported by the IOS simply because there are ways to achieve the same thing without that command.
You are not so categorical. I need a firmer answer. NAT is very important to understand. I have read so many Cisco NAT docs, but I did not find this explanation. I know I ask too much, unless you are working at Cisco, but I find NAT on Cisco very hard and complicated to understand.
I know the terms can be confusing, but they refer to which source address we are talking about. A source address on one side is the destination address on the other side and vice versa, so with one command we cover both ways of traffic.
- Case 1: Outside Global addresses are known by the inside world (Outside Global = Outside Local)
We need to translate the source IP address of any packets coming from the Inside and the destination IP address of any packets coming from the Outside.
1a: Session initiated from the Inside only:
You need the ip nat inside source command. PAT is allowed (N to 1 rule) because the initiation is always from the Inside to the Outside. The NAT table keeps track of each entry, so the router is able to translate the destination address of the packet received on the outside interface.
1b: Session initiated from the Outside or the Inside:
You need the ip nat inside source static command. The entries created by the previous command are all dynamic, so we need a permanent entry in this case with a 1:1 rule. Otherwise the router will not be able to match any dynamic NAT entry (the session is not initiated from the Inside).
That's why you need to use ip nat inside source static tcp IP_LAN 22 IP_WAN 22 to redirect traffic destined to port 22 to a specific inside host.
- Case 2: Outside Global addresses are not known by the inside world (Outside Global addresses are different from Outside Local addresses)
In this case, it means we need translation rules between the Outside Global addresses and the Outside Local addresses.
We need to translate the destination IP address of any packets coming from the Inside and the source IP address of any packets coming from the Outside.
Use rules explained in Case 1 if the Inside IP addresses are still not known by the Outside world.
2a: Session initiated from the Inside or Outside:
You need the ip nat outside source static command. You need a permanent NAT entry because you want to reach a specific host in the Outside. You can't use a pool in this case.
You need the ip nat outside command. You can use a pool in this case because the initiation is coming from the Outside, so the router can create a NAT entry which matches the real Outside Global address to any Outside Local address.
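The point of the answer above (a source address on one side is a destination address on the other side, so one static entry serves both directions) can be checked with a small model of the two static commands. This is an added example, not code from the thread or from Cisco IOS; the addresses are constructed RFC 5737 values standing in for IP_LAN, IP_WAN and the Case 2 outside addresses, and the model ignores IOS translation order and dynamic entries.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class StaticEntry:
    kind: str    # "inside source" or "outside source" (the two static commands discussed above)
    local: str   # inside local / outside local address
    glob: str    # inside global / outside global address
    port: Optional[int] = None  # None: 1:1 IP entry; int: single-port entry (same port both sides, as on the page)

def translate(pkt: Packet, direction: str, entries: List[StaticEntry]) -> Packet:
    """Apply the static entries to one packet; direction is 'in2out' or 'out2in'."""
    for e in entries:
        if e.kind == "inside source":
            # The inside address is the SOURCE going out and the DESTINATION coming in.
            if direction == "in2out" and pkt.src == e.local and e.port in (None, pkt.sport):
                pkt = replace(pkt, src=e.glob)
            elif direction == "out2in" and pkt.dst == e.glob and e.port in (None, pkt.dport):
                pkt = replace(pkt, dst=e.local)
        elif e.kind == "outside source":
            # The outside address is the DESTINATION going out and the SOURCE coming in.
            if direction == "in2out" and pkt.dst == e.local and e.port in (None, pkt.dport):
                pkt = replace(pkt, dst=e.glob)
            elif direction == "out2in" and pkt.src == e.glob and e.port in (None, pkt.sport):
                pkt = replace(pkt, src=e.local)
    return pkt

# Constructed addresses standing in for the thread's IP_LAN / IP_WAN and the Case 2 outside addresses.
IP_LAN, IP_WAN = "192.168.1.10", "203.0.113.1"
OUT_GLOBAL, OUT_LOCAL, OUTSIDE_CLIENT = "198.51.100.5", "10.10.10.5", "198.51.100.77"
ENTRIES = [
    StaticEntry("inside source", IP_LAN, IP_WAN, port=22),  # ip nat inside source static tcp IP_LAN 22 IP_WAN 22
    StaticEntry("outside source", OUT_LOCAL, OUT_GLOBAL),   # ip nat outside source static OUT_GLOBAL OUT_LOCAL
]

def case_1b() -> Tuple[Packet, Packet]:
    """Case 1b: SSH from the Outside to IP_WAN:22 lands on IP_LAN; the reply is rewritten by the same entry."""
    req = translate(Packet(OUTSIDE_CLIENT, 40000, IP_WAN, 22), "out2in", ENTRIES)
    rep = translate(Packet(IP_LAN, 22, OUTSIDE_CLIENT, 40000), "in2out", ENTRIES)
    return req, rep

def case_2a() -> Tuple[Packet, Packet]:
    """Case 2a: the inside host addresses the outside host by its Outside Local address; one entry covers both ways."""
    req = translate(Packet(IP_LAN, 50000, OUT_LOCAL, 443), "in2out", ENTRIES)
    rep = translate(Packet(OUT_GLOBAL, 443, IP_LAN, 50000), "out2in", ENTRIES)
    return req, rep
```

In case_2a the inside host's own address is left untouched because no Case 1 entry matches it, which is exactly why the answer says to combine both cases when the inside addresses are not known to the Outside either.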