NAT

tecnodog7 Posts: 129 Member
So I think I have an understanding of the inside local/global
Inside local --- my network
Inside Global -- outside of my network where usually PAT starts taking place. Just outside my router interface where the ISP gives me my IP address
Outside local -- what the heck?
Outside global -- Outside on the internet ?

Can someone clarify the difference between outside local and outside global?

Comments

  • gorebrush Posts: 2,741 Member
    Straight from the Cisco website: -



    Inside local address—The IP address assigned to a host on the inside network. This is the address configured as a parameter of the computer OS or received via dynamic address allocation protocols such as DHCP. The address is likely not a legitimate IP address assigned by the Network Information Center (NIC) or service provider.

    Inside global address—A legitimate IP address assigned by the NIC or service provider that represents one or more inside local IP addresses to the outside world.

    Outside local address—The IP address of an outside host as it appears to the inside network. Not necessarily a legitimate address, it is allocated from an address space routable on the inside.

    Outside global address—The IP address assigned to a host on the outside network by the host owner. The address is allocated from a globally routable address or network space.
  • tecnodog7 Posts: 129 Member
    George I have read that like 4 times :)
    Can you please translate what that means in English?

    The IP address of an outside host as it appears to the inside network. Not necessarily a legitimate address, it is allocated from an address space routable on the inside.

    What does that mean as it appears to the inside network, not necessarily a legitimate address? What the what?
  • Deathmage Posts: 2,496 Banned
    tecnodog7 wrote: »
    George I have read that like 4 times :)
    Can you please translate what that means in English?

    The IP address of an outside host as it appears to the inside network. Not necessarily a legitimate address, it is allocated from an address space routable on the inside.

    What does that mean as it appears to the inside network, not necessarily a legitimate address? What the what?

    Hey Technodog,

    As someone who is doing the CCNA study myself this confused me in the beginning too, but if you're like me sometimes pictures help.

    The best way I understand it is if say you have 3 networks connected to 3 routers that are all connected to a single router that is then connected to say an ISP router, IE Time Warner Cable business class uses a Cisco Router for Fiber so that's the example I'll use.

    So say it's like this:

    =============================|
    > (D) R3 (network 1)

    R1 (ISP) (A)
    > (B) R2 (Edge Router) (C)|
    > (D) R4 (network 2)

    =============================|
    > (D) R5 (network 3)
    > Exchange Server (Port 8000)

    The segment between R1 and R2 would be the Outside Global on R1 (A) and the Inside Global would be R2 (B)

    The segment between R2 and (R3, R4, R5) would be Outside local on R2 (C) and Inside Local on (R3, R4, R5) (D)

    Assuming I myself understand inside and outside NAT, that's pretty much what it means, also if I understand it correctly, R1 has a public facing port (ie say Outlook Webmail is say 10.10.10.60:8000 as being one of your public IP addresses, when you use that address in your web browser at say home, it would go to your R1 like below and match port 8000 to an internal port and forward it through routing and NAT to the inside destination on the correct network (1, 2, or 3), in this example the Exchange server on network 3) which is mapped to a port being used by a service/server on an Inside local network and this is how NAT knows which inside router to send the traffic.

    There is obviously more to this example than just NAT but this is how I understand it, there is routing involved and other protocols.

    Now I'm just using the ISP as an example there could be a full-fledged network on the other side of R1, but I try not to overcomplicate things. lol

    Hopefully that makes sense.

    Here is a picture, to illustrate what I mean:



    If anyone wishes to correct me on anything please do!
  • tecnodog7 Posts: 129 Member
    Thanks that makes sense but still confusing as HECK. I'll have to look at the picture a bit more and try to dissect it more.

    This is why documentation and network diagram is SOOOO crucial
  • Deathmage Posts: 2,496 Banned
    tecnodog7 wrote: »
    Thanks that makes sense but still confusing as HECK. I'll have to look at the picture a bit more and try to dissect it more.

    This is why documentation and network diagram is SOOOO crucial

    If you want Pearson Vue has a Network Simulator that has NAT and it explains it pretty well since you see it in the simlet.
  • tecnodog7 Posts: 129 Member
    I'm two days away from taking my CCENT. If God forbid I don't pass I'll def get the net sim. I've been just using Packet Tracer for now.
  • mikeybinec CCNA 200-120 Posts: 484 Member
    I'm hep to what you're saying in understanding some of the terms. Outside local was hard but here it is: Let's say you ping Google's DNS server at 8.8.8.8. When the echo reply comes back to you, it is translated to your inside local configuration. So outside local is the remote IP address that is represented inside your network. So if your inside network (i.e. inside local) is 10.10.10.10, when the packet comes in from the remote outside (whether it's a web page or an ICMP reply) it gets translated to 10.10.10.10 so you can read it. That is the outside local address.

    Does that work?
    Cisco NetAcad Cuyamaca College
    A.S. LAN Management 2010 Grossmont College
    B.S. I.T. Management 2013 National University
  • tecnodog7 Posts: 129 Member
    Yea kinda but I don't feel like comfortable with it. Time to hit the [study emoticon]
  • Heero Posts: 486 Member
    tecnodog7 wrote: »
    Thanks that makes sense but still confusing as HECK. I'll have to look at the picture a bit more and try to dissect it more.

    This is why documentation and network diagram is SOOOO crucial


    The outside global/local are normally the confusing ones. You need to keep in mind that you could be NATing against the source and destination address at the same time. Normally you only NAT your inside local addresses to a publicly routable address (inside global).

    However, you can NAT against the destination address field as well. So the outside local is what PCs on your network would try to connect to. It is the IP address of the outside host as known to your internal network. Then, when it hits your firewall it could be NATed to the true public IP of the host (outside global). There aren't many scenarios to do stuff like this, but it is possible.

    So basically:

    inside local: IP address of a host inside your network while the data packet is inside your network

    inside global: IP address of a host inside your network while the data packet is outside your network

    outside local: IP address of a host outside your network while the data packet is inside your network

    outside global: IP address of a host outside your network while the data packet is outside your network
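
The four definitions in the last reply, traced through a router that translates both source and destination. This is an added example, not part of the thread; every address is a constructed sample, and the two tables are assumed to model static inside-source and outside-source NAT entries.

```python
from dataclasses import dataclass

# Constructed sample addresses (RFC 1918 / documentation ranges), not from the thread.
# On Cisco IOS these two tables correspond to "ip nat inside source static" and
# "ip nat outside source static" entries.
INSIDE_SOURCE = {"10.1.1.10": "203.0.113.10"}        # inside local   -> inside global
OUTSIDE_SOURCE = {"198.51.100.20": "192.168.50.20"}  # outside global -> outside local

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def _reverse(table):
    return {v: k for k, v in table.items()}

def inside_to_outside(pkt):
    """Packet leaving the inside network: both header fields may be rewritten."""
    return Packet(
        src=INSIDE_SOURCE.get(pkt.src, pkt.src),             # inside local  -> inside global
        dst=_reverse(OUTSIDE_SOURCE).get(pkt.dst, pkt.dst),  # outside local -> outside global
    )

def outside_to_inside(pkt):
    """Packet arriving from the outside network: undo both translations."""
    return Packet(
        src=OUTSIDE_SOURCE.get(pkt.src, pkt.src),            # outside global -> outside local
        dst=_reverse(INSIDE_SOURCE).get(pkt.dst, pkt.dst),   # inside global  -> inside local
    )

def label(addr):
    """Name the NAT term an address falls under, according to the two tables."""
    if addr in INSIDE_SOURCE:
        return "inside local"
    if addr in INSIDE_SOURCE.values():
        return "inside global"
    if addr in OUTSIDE_SOURCE:
        return "outside global"
    if addr in OUTSIDE_SOURCE.values():
        return "outside local"
    return "untranslated"  # no mapping on this router: same address on both sides

if __name__ == "__main__":
    request = Packet("10.1.1.10", "192.168.50.20")  # as sent by the inside host
    on_wire = inside_to_outside(request)
    reply = outside_to_inside(Packet(on_wire.dst, on_wire.src))
    for where, p in (("inside", request), ("outside", on_wire), ("inside", reply)):
        print(f"{where:8} src={p.src} ({label(p.src)})  dst={p.dst} ({label(p.dst)})")
```

When only the inside source is translated, the destination passes through unchanged, so outside local and outside global are the same address. For log correlation this means a capture taken on the inside records the local pair and one taken on the outside records the global pair for the same flow.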