Calling all NAT experts help I have no clue
Okay. I have done Public interfaces on a vpn router with IP NAT OUTSIDE but never the reverse.
I see on this job I am at that they did this.
Public facing interfaces get IP NAT INSIDE
Private facing interfaces get IP NAT OUTSIDE
It works, but it's weird to me.
What is the difference? I don't really know here.. thanks.
Comments
joetest: I guess technically it's just a direction..
from 1 side to the other side - which way they "turn" shouldn't really matter as long as you config your interfaces the same way.
I remember reading this old article once:
http://blog.ine.com/2008/02/15/the-inside-and-outside-of-nat/
Perhaps it'll help you
To add a bit: from inside to outside, the packet gets routed, then translated; from outside to inside it's reversed..
Fitzi: Thanks to Joetest for that link! I didn't know/realise that the evaluation for NAT was different depending on what the interface type is set to, e.g. which interface the inside or outside NAT command is applied to.
You mentioned this was a VPN. Without knowing your environment, and after reading the above link, unless this was a corner case I could only assume that this was implemented to have the ability to inject a specific route to forward traffic prior to the translation being applied and traffic being forwarded into the environment.
Is there a NAT pool assigned to the inside interface, e.g. there is not only one IP assigned to the inside interface, right?
The only reason I could think of why you would want to do this, potentially, would be to give the ability to null route a particular IP before it is translated (eg: blackhole specific IP at your edge) or to inject a host route to send traffic through an IDS or some sort of filtering device prior to entering the environment. Although you would think that in a situation where you are using this to filter traffic you would have the device inline all the time.
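A toy model of the order-of-operations rule the thread relies on (inside-to-outside is routed then translated, outside-to-inside is translated then routed), added here as an illustration and not code from the thread or from Cisco. The interfaces, addresses, one-to-one mapping and the Null0 host route are all constructed, and the model deliberately ignores the exact semantics of `ip nat inside source` versus `ip nat outside source`; it only shows why a route for the untranslated public address is hit in one orientation and not the other.

```python
"""Model of NAT order of operations on a single router (constructed example).

Rule from the thread: a packet entering on the 'ip nat inside' interface is
routed first and translated afterwards; a packet entering on the 'ip nat
outside' interface is translated first and routed afterwards.
"""
import ipaddress

PRIVATE_IF, PUBLIC_IF = "Gi0/1", "Gi0/0"          # constructed interface names

# Constructed one-to-one mapping between a LAN host and its public address.
PRIVATE_OF = {"203.0.113.5": "10.0.0.5"}
PUBLIC_OF = {v: k for k, v in PRIVATE_OF.items()}

# Constructed routing table: (prefix, exit). "Null0" is a blackhole route
# for the *untranslated* public address, as suggested in the thread.
ROUTES = [
    ("0.0.0.0/0", PUBLIC_IF),
    ("10.0.0.0/24", PRIVATE_IF),
    ("203.0.113.5/32", "Null0"),
]


def route(dst):
    """Longest-prefix match over ROUTES; returns the exit interface."""
    addr = ipaddress.ip_address(dst)
    best = max((ipaddress.ip_network(p) for p, _ in ROUTES
                if addr in ipaddress.ip_network(p)), key=lambda n: n.prefixlen)
    return dict(ROUTES)[str(best)]


def translate(packet, toward_private):
    """Rewrite dst (public->private) when entering the LAN, src when leaving it."""
    src, dst = packet
    if toward_private:
        return (src, PRIVATE_OF.get(dst, dst))
    return (PUBLIC_OF.get(src, src), dst)


def forward(packet, ingress, nat_inside_if):
    """Apply NAT and routing in the order dictated by the ingress interface's role."""
    toward_private = ingress == PUBLIC_IF
    if ingress == nat_inside_if:              # inside -> outside: route, then translate
        exit_if = route(packet[1])
        if exit_if == "Null0":                # dropped before translation ever happens
            return packet, "Null0"
        return translate(packet, toward_private), exit_if
    translated = translate(packet, toward_private)  # outside -> inside: translate, then route
    return translated, route(translated[1])


def inbound_result(nat_inside_if):
    """Fate of an Internet packet for the public address, given which interface is 'ip nat inside'."""
    return forward(("198.51.100.9", "203.0.113.5"), PUBLIC_IF, nat_inside_if)
```

With the conventional assignment (private side inside) the inbound packet is translated to 10.0.0.5 before the route lookup, so the Null0 entry is never consulted; with the reversed assignment from the original post (public side inside) the route lookup runs first and the blackhole catches the packet.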