NAT

Daniel333

Alright, I am somewhat confused here. Although I have read about NAT, this is my first day playing with it. Mind you, I am not at home on my routers, I am running the Boston Sim questions that come with the Cisco book at a local cafe.

Basically comes down to my problem, of not knowing when to use ip nat inside and ip nat outside. I have seen several questions in the material that have switched the S0/0 and FA0/0 from either inside or outside and it does not seem to matter. Is this so?


for example,

HostA --- RouterA --- RouterB --- HostB

"You have been asked to setup RouterA so that any packets that orginate from the subnet off of the LAN interface of RouterA are translated from a pool of IP addresses (10.1.1.100 through 10.1.1.200 /24). Use access list 10 to define the range of addresses to be translated and the name mypool to create the pool. The pre-configured enable password is set to "cisco"."

In this answer, if shows routerA's S0/0 as the outside. which makes so sense to me. Unless you are thining of everything from outside of S0/0 as being outside my area of control maybe.


But on another question (same toplology) I have routerA's S0/0 being set up as the inside. Is there something I missing in the working of these questions? This is a lot clearer to me, as I understand that you woulod want to translate a lan to the rest of a network.

"You have been asked to setup RouterA so that any packets that originate from the subnet off of the LAN interface of RouterB (192.168.1.0 /24) are translated from a pool of IP addresses (172.16.1.100 through 172.16.1.200 /24). Use access list 10 to define the range of addresses to be translated and the name thepool to create the pool. The pre-configured enable password is set to "cisco"."


I suppose this would be clearer, if I was connecting to an ISP or something

HOSTA --- RouterA --- ISP

I would know RouterA's S0/0 would be the outside, as it's connecting to the ISP and FA0/0 would be the inside, right?

I am finding the cisco book to really not be clear on any of this. And th Sybex book is only a couple paragraphs which never even goes into the CLI on the subjet.

thanks..wow that was a long post

Paul#4

You use ip nat inside on the source interface...

You use ip nat outside on the destination interface...

Webmaster

I think what confuses many people with this is that both 'inside' and 'outside' can exist on both sides of the router. (I didn't say that would clear up the confusion ).

It depends whether you are referring to 'inside local' or 'inside global' or 'outside local' or 'outside global'. To solve the confusion, first forget about inside and outside for a sec, and then note that the internal side is the 'local' side and the external side is the 'global' side.

Inside and outside refers to the side the global or local address represents. For example, 'inside global' represents the internal hosts on the global side.

www.cisco.com/warp/public/556/8.html

Check out the 6th diagram on the following page, which is probably one of the best and most clear overviews of NAT:
www.cisco.com/warp/public/556/nat-cisco.shtml

Paul#4

Its simple...

Usually with NAT you are translating a source address...

The interface with the source addresses you want to translate will get the command

ip nat inside


The interface which the traffic will depart(exit or leave) will get the command

ip nat outside


Both interfaces need the command, but the the translation is being done before it gets to the outside interface...

redgoblin

It's a little tricky getting your head around the terminology involved with NAT to begin with, but its simple once you do.

Basically you have a single IP address which needs to be represented both within 'local' private networks and 'global' public networks. So say a host on your local LAN (IP 192.168.1.100) wanted to access a public web server (IP 87.41.5.56). The inside 'local' address of 192.168.1.100 would get translated by the router into the inside 'global' address of say 200.2.22.64 (although logically speaking, 192.168.1.100 and 200.2.22.64 represent the same address but from different points of view ie. local and global). In this case, the web server would be both the outside local and outside global addresses.

Now, on the router we have the local network attached to the FastEthernet interface and the global network attached to the Serial interface. Since we are translating from the inside local 192.168.1.100 (FastEthernet interface) to the inside global 200.2.22.64 (Serial interface) it follows logically that we should set the FastEthernet interface to 'ip nat inside' and the Serial interface to 'ip nat outside' since we are translating from the inside address to the outside address.

Daniel333

thanks, that cleared thigns right up.

I came home and ran a few of these through my actual router and some worked, and some didn't. Based on what you guys said, i found the questions/answer to be wrong. everything for static nat is going well. As to many to one NAT.... that is another post.

r_durant

Daniel333 wrote:

Mind you, I am not at home on my routers, I am running the Boston Sim questions that come with the Cisco book at a local cafe.

I'm impressed...I'm still not over you doing these labs in a local cafe

Daniel333

Ha, don't have much of a choice. I only get home once or twice a week (which is where my routers are). So I have to rely on the Cisco software and the boston sim otherwise. A lot of times they don't work though. But it can still be helpful at times.

r_durant

Sounds good, your dedication to the objective is inspiring...

Daniel333

Hey, I don't want to be working a help desk for ever!

iproute

Daniel333 wrote:

Ha, don't have much of a choice. I only get home once or twice a week (which is where my routers are). So I have to rely on the Cisco software and the boston sim otherwise. A lot of times they don't work though. But it can still be helpful at times.

You could enable SSH on your setup at home then do port forwarding with your cable/dsl router to provide yourself access to your setup when not at home.