NAT. particularly ip nat inside VS ip nat outside

showint Member Posts: 68
Please refer to the attachment.

I want PC2's SA (192.168.1.1) to change into 192.168.0.2 when transiting R1, so that PC1 could see PC2 as its local host.

Here's my configuration

On R1:

conf t
hostname R1

int s0/0
ip address 37.0.0.1 255.255.255.252
clock rate 64000
no sh
ip nat outside
exit

int f0/0
ip address 192.168.0.254 255.255.255.0
no sh
ip nat inside
exit

ip route 0.0.0.0 0.0.0.0 37.0.0.2


On R2:

conf t
hostname R2

int s0/0
ip address 37.0.0.2 255.255.255.252
clock rate 64000
no sh
ip nat outside
exit

int f0/0
ip address 192.168.1.254 255.255.255.0
no sh
ip nat inside
exit

On R1:

ip nat outside source static 192.168.0.2 192.168.1.1

That's it.

Afterwards I start capturing. The ping sent from PC2 echoed back with "no response found". Then I changed ip nat inside to ip nat outside & vice versa on interfaces. This time I got ping back, but destination address didn't change. That is, all in vain.


There were 2 confusing parts in the configuration.

The first one is:
ip nat inside or ip nat outside. On which interface to put ip nat inside/ip nat outside.

And the second one is:
ip nat outside source static OUTSIDE_GLOBAL_IP-ADDRESS OUTSIDE_LOCAL_IP_ADDRESS
the last two parameters make me really confused.

As far as I get it, here "outside" means "transiting from outside to inside", "source" means the packet's source address will change, "outside global ip address" means the address which I want to assign to packets when they transit R1_NAT. And finally "outside local ip address" means PC2's private address.

I've done some searching regarding ip nat inside/ip nat outside and have found two interesting replies:

1.

You have to configure ip nat inside on inside (LAN) interface and ip nat outside on WAN interface.

2.

ip nat inside: When transiting in->out, modify source address. When transiting out->in, modify destination address.
ip nat outside: When transiting out->in, modify source address. When transiting in->out, modify destination address.

So which statement is true? Does this command show direction or just which interface is on LAN/WAN?


Resuming my post:

1. What should I type in the last two parameters of the following command - ip nat outside source static outside_global_ip_address outside_local_ip_address.

2. What is the purpose of ip nat inside/ip nat outside, and on which interface do I have to put them?

3. How do I correctly remove NAT?

P.S. My head already throbs with NAT. The NAT which is described in CCENT is pretty easy, but ip nat OUTSIDE source static OUTSIDE_GLOBAL_IP-ADDRESS OUTSIDE_LOCAL_IP_ADDRESS & ip nat INSIDE/ip nat OUTSIDE on interfaces are sometimes driving me crazy.

Thanks in advance
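
Added example (not part of the original post): a small Python model of the rewrite rules quoted in reply 2 above, applied to a static outside-source entry with this lab's addresses. It assumes s0/0 is the outside interface and f0/0 the inside one, uses the parameter order outside global then outside local, and assumes 192.168.0.1 as PC1's address, which the post does not give.

```python
# Added illustration: a minimal model of IOS static NAT address rewriting.
# Interface roles and PC1's address (192.168.0.1) are assumptions for this lab.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

class StaticNat:
    def __init__(self, roles):
        self.roles = roles        # interface name -> "inside" / "outside"
        self.inside_src = {}      # inside local   -> inside global
        self.outside_src = {}     # outside global -> outside local

    def inside_source_static(self, local, global_):
        self.inside_src[local] = global_

    def outside_source_static(self, global_, local):
        # Same order as the IOS command: outside global, then outside local.
        self.outside_src[global_] = local

    def forward(self, pkt, in_if, out_if):
        a, b = self.roles.get(in_if), self.roles.get(out_if)
        if (a, b) == ("inside", "outside"):
            # in->out: inside-source rewrites src, outside-source rewrites dst
            to_global = {l: g for g, l in self.outside_src.items()}
            return replace(pkt, src=self.inside_src.get(pkt.src, pkt.src),
                           dst=to_global.get(pkt.dst, pkt.dst))
        if (a, b) == ("outside", "inside"):
            # out->in: outside-source rewrites src, inside-source rewrites dst
            to_local = {g: l for l, g in self.inside_src.items()}
            return replace(pkt, src=self.outside_src.get(pkt.src, pkt.src),
                           dst=to_local.get(pkt.dst, pkt.dst))
        return pkt                # no inside/outside crossing: left untouched

def lab(roles, global_, local):
    nat = StaticNat(roles)
    nat.outside_source_static(global_, local)
    echo = nat.forward(Packet("192.168.1.1", "192.168.0.1"), "s0/0", "f0/0")
    reply = nat.forward(Packet("192.168.0.1", echo.src), "f0/0", "s0/0")
    return echo, reply

ROLES = {"s0/0": "outside", "f0/0": "inside"}
# Parameters as posted: the echo's source is left alone, and the reply's
# destination 192.168.1.1 is rewritten to 192.168.0.2.
AS_POSTED = lab(ROLES, "192.168.0.2", "192.168.1.1")
# Parameters swapped: PC2 appears to PC1 as 192.168.0.2, reply is mapped back.
SWAPPED = lab(ROLES, "192.168.1.1", "192.168.0.2")
```

The model covers only the address rewrite. It does not model routing or ARP, which also matter when the outside local address falls inside the inside interface's own subnet.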

Comments

  • Jon_Cisco Member Posts: 1,772
    It looks like this might be in packet tracer.
    If you watch the ping in simulation mode what does it say when it fails?
  • showint Member Posts: 68
    In GNS3. It says timeout. But I looked inside the packet with Wireshark, and it said "no response found".
  • Jon_Cisco Member Posts: 1,772
    So it's been over a year since I read up on this but when I skim your post I see this line which I believe is a problem.

    ip nat outside source static 192.168.0.2 192.168.1.1

    You are asking it to take a private IP address from the WAN and convert it to another private address. However you are skipping the 37.0.0.0 network.

    If you are in GNS3 then you probably have the option to "debug ip nat" or something similar. Debug is a huge benefit of GNS3 over packet tracer.
  • showint Member Posts: 68
    I think so, as well. But which lines would you type instead? Because I have no idea how to do it.

    And on which interface should I put the "ip nat inside" command? If "ip nat inside" is an accepting interface, then it has to look towards Host B, that is, int s0/0. Right?
  • AwesomeGarrett Member Posts: 257
    This should answer your question in 1 minute.

    The Inside and Outside of NAT
  • Jon_Cisco Member Posts: 1,772
    I never give actual answers because it takes the fun out of learning. So please excuse me if I am vague but people learn better when they figure it out themselves.

    If I think of a single company then I think of inside as being my internal network side. Outside would be the ISP. In other words I try to visualize it from the point of the router. I expect that the non public IP is going to be considered outside in your example. Keep in mind I didn't read your config I just skimmed it for possible issues.

    Good luck, you will get it with a little persistence. One thing I learned when labbing was to simplify your problem. See what works one step at a time until you see where it fails.
  • showint Member Posts: 68
    I take your advice. Thanks, I appreciate your help.
  • showint Member Posts: 68
    I found the answer to my question posted here in CCNP Route FLG (300-101). It might be useful for some folk, so I've decided to share this info with the forum users.

    The difference between ip nat inside and ip nat outside is that ip nat inside processes packets arriving on and ip nat outside processes packets leaving from the interface.

    Therefore, in such a particular case as ip nat outside source static outside_global_ip_address outside_local_ip_address, the ip nat inside command will look towards the outside network & ip nat outside towards the inside network.

    So, the phrase "You have to configure ip nat inside on an inside (LAN) interface and ip nat outside on WAN interface." is not correct to some extent.