WTF is up with NAT IP Addresses

What is NAT?

I’ve recently been looking into NAT, and one area I consistently slip up on is the difference between Inside and Outside Global and Local. Once you dig into it, it makes sense, but the terms aren’t immediately intuitive.

Looking through the Cisco website, I found the below “explanation”:

  • Inside global: The address of the inside host as seen from the outside
  • Inside local: The address of the inside host as seen from the inside
  • Outside local: The address of the outside host as seen from the inside
  • Outside global: The address of the outside host as seen from the outside

Yeah……. clear as mud…….. so if you’re still here you’re probably like me: you saw that and ended up more confused than before. So let’s break this down based on the lab I created to simulate this. Firstly, let’s do a bit of a run-down of the topology (below).

With the above I have created a local LAN with 3x machines which connect to Router0 (via a switch), which has one public IP address. The public Internet is simulated by having one DNS server at 8.8.8.8 (replicating Google’s DNS IP address) which has a simple DNS entry for www.google.com pointing to the IP address of the web server, 52.26.45.240, which hosts an actual www page for testing.

On Router0 I have set interface FastEthernet0/0 as the inside NAT interface and interface FastEthernet0/1 as the outside NAT interface, and then done a simple NAT Overload (config for the interfaces and the NAT shown below).

Router0 Configuration

interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 203.0.113.5 255.255.255.252
 ip nat outside
 duplex full
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list 1 interface FastEthernet0/1 overload
!
ip route 0.0.0.0 0.0.0.0 203.0.113.6
!
access-list 1 permit 10.0.0.0 0.0.0.255
!

I have updated the topology as below to show the different parts now.

From here let’s take each statement one at a time and see what we think it will be:

Inside global: The address of the inside host as seen from the outside – If we think of this in terms of traffic coming from one of the hosts (the Laptop, IP address 10.0.0.99, which we will use for all examples below) and going to one of the external IP addresses (8.8.8.8 in this example), then the address of this inside host as seen from the outside should be 203.0.113.5.

Inside local: The address of the inside host as seen from the inside – This is the IP address of the host while it’s still within the Inside zone, so it should be the IP address 10.0.0.99.

Outside local: The address of the outside host as seen from the inside – This is a bit different now: this looks at the destination host address, but from the inside. As this is going from Inside to Outside, the Outside Local address will be the destination address (8.8.8.8).

Outside global: The address of the outside host as seen from the outside – This is much like the Outside Local and would again be 8.8.8.8.

NOTE: both Outside addresses in this example are the same. This is because we are doing NAT Overload from Inside to Outside; if we were doing a Static NAT from an external / public IP address to an internal IP address then these two numbers would change.
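To make the four terms concrete, here is an added example (my own toy model, not Cisco code and not part of the original post) of how a NAT Overload router builds a translation entry for each outbound flow and then uses it to translate the reply. The addresses are the lab values from the post; the port numbers and the second host 10.0.0.2 are constructed. It also covers two edge cases the post's table doesn't show: two inside hosts picking the same source port (the router has to hand out a different Inside global port for the second one) and an inbound packet that matches no entry (the router has nothing to translate it to, so it is dropped).

```python
# Added example (not from the post): a toy model of Cisco-style NAT overload (PAT)
# that records the four address terms for each flow. Addresses are the post's
# lab values; port numbers and the second host 10.0.0.2 are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int   # for icmp this is the echo identifier
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Translation:
    proto: str
    inside_global: tuple   # inside host as seen from the outside (203.0.113.5:port)
    inside_local: tuple    # inside host as seen from the inside (10.0.0.99:port)
    outside_local: tuple   # outside host as seen from the inside
    outside_global: tuple  # outside host as seen from the outside


class NatOverload:
    """Models 'ip nat inside source list 1 interface FastEthernet0/1 overload'."""

    def __init__(self, inside_net: str, outside_ip: str, first_port: int = 1024):
        self.inside_net = ipaddress.ip_network(inside_net)   # access-list 1
        self.outside_ip = outside_ip                         # Fa0/1 address
        self.first_port = first_port
        self.table: list[Translation] = []

    def _free_global_port(self, proto: str, wanted: int) -> int:
        """Keep the host's own source port when it is unused on the outside
        address; otherwise hand out the lowest free port from first_port."""
        used = {t.inside_global[1] for t in self.table if t.proto == proto}
        if wanted not in used:
            return wanted
        port = self.first_port
        while port in used:
            port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Packet entering on the 'ip nat inside' interface, leaving via outside."""
        if ipaddress.ip_address(pkt.src_ip) not in self.inside_net:
            return pkt  # not matched by access-list 1: forwarded untranslated
        for t in self.table:
            if (t.proto, t.inside_local, t.outside_local) == (
                    pkt.proto, (pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)):
                break   # existing flow: reuse its entry
        else:
            port = self._free_global_port(pkt.proto, pkt.src_port)
            t = Translation(pkt.proto,
                            (self.outside_ip, port),
                            (pkt.src_ip, pkt.src_port),
                            (pkt.dst_ip, pkt.dst_port),   # no outside-source NAT,
                            (pkt.dst_ip, pkt.dst_port))   # so local == global here
            self.table.append(t)
        return Packet(pkt.proto, *t.inside_global, *t.outside_global)

    def inbound(self, pkt: Packet):
        """Packet entering on the 'ip nat outside' interface. Only a reply that
        matches an existing entry is translated; anything else returns None
        (the router has no mapping for it, so the traffic is dropped)."""
        for t in self.table:
            if (t.proto, t.inside_global, t.outside_global) == (
                    pkt.proto, (pkt.dst_ip, pkt.dst_port), (pkt.src_ip, pkt.src_port)):
                return Packet(pkt.proto, *t.outside_local, *t.inside_local)
        return None

    def show_translations(self) -> list[str]:
        """Rows in the layout of 'show ip nat translations'."""
        fmt = "{}:{}".format
        return [f"{t.proto:<5} {fmt(*t.inside_global):<18} {fmt(*t.inside_local):<17} "
                f"{fmt(*t.outside_local):<20} {fmt(*t.outside_global)}"
                for t in self.table]


if __name__ == "__main__":
    nat = NatOverload("10.0.0.0/24", "203.0.113.5")
    nat.outbound(Packet("icmp", "10.0.0.99", 13, "8.8.8.8", 13))
    nat.outbound(Packet("udp", "10.0.0.99", 1027, "8.8.8.8", 53))
    nat.outbound(Packet("tcp", "10.0.0.99", 1025, "52.26.45.240", 80))
    nat.outbound(Packet("udp", "10.0.0.2", 1027, "8.8.8.8", 53))  # port clash
    print("Pro   Inside global      Inside local      Outside local        Outside global")
    print("\n".join(nat.show_translations()))
```

Running it prints a table in the same shape as the router's, with the Laptop's rows matching the post and the 10.0.0.2 row showing a rewritten Inside global port (1024 in this model; a real router picks from its own pool, so the exact number differs). The Outside local and Outside global columns are identical because nothing here rewrites the destination, which is the point the NOTE above makes.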

Testing

Ok, so now that I have the above addresses it’s time to test this.

To test this, from one of the local devices on the left (I have used the Laptop as per above) open a command prompt and ping 8.8.8.8, then use a web browser to navigate to the DNS name created on the local DNS server (www.google.com as above). This forces traffic to run across the NAT and will populate the NAT translation info; to see this, connect onto Router0 and run the below command.

Output:

Router#sh ip nat translations

Pro   Inside global      Inside local      Outside local        Outside global
icmp  203.0.113.5:13     10.0.0.99:13      8.8.8.8:13           8.8.8.8:13
icmp  203.0.113.5:14     10.0.0.99:14      8.8.8.8:14           8.8.8.8:14
icmp  203.0.113.5:15     10.0.0.99:15      8.8.8.8:15           8.8.8.8:15
icmp  203.0.113.5:16     10.0.0.99:16      8.8.8.8:16           8.8.8.8:16
udp   203.0.113.5:1027   10.0.0.99:1027    8.8.8.8:53           8.8.8.8:53
tcp   203.0.113.5:1025   10.0.0.99:1025    52.26.45.240:80      52.26.45.240:80

This should give you the above output (or similar) and show that the addresses worked out earlier were correct. This is the kind of thing that is good to mess about with, so if you like, a second test could be to remove the NAT configuration with the below line, then set up a static NAT from a single external IP address to one of the hosts and see how the addresses change using different types of NAT.

no ip nat inside source list 1 interface FastEthernet0/1 overload
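One practical reason to be fluent in these four columns: when an outside server reports a connection from your public IP and a source port, the translation table is what ties that back to the inside host. Below is an added example (my own script, not from the post or from Cisco) that parses the `show ip nat translations` text above and answers that question. The sample input is the post's own output plus one constructed static entry in the `---` form IOS prints for static translations without ports, so the parser handles both row shapes.

```python
# Added example (not from the post): parse 'show ip nat translations' output and
# use it the way an analyst would, to work out which inside host was behind a
# connection the outside world saw. SAMPLE is copied from the post's output
# plus one constructed static entry (the '---' form IOS prints for static
# translations without ports) so the parser handles both row shapes.
from collections import defaultdict

SAMPLE = """\
Pro   Inside global      Inside local      Outside local        Outside global
icmp  203.0.113.5:13     10.0.0.99:13      8.8.8.8:13           8.8.8.8:13
udp   203.0.113.5:1027   10.0.0.99:1027    8.8.8.8:53           8.8.8.8:53
tcp   203.0.113.5:1025   10.0.0.99:1025    52.26.45.240:80      52.26.45.240:80
---   203.0.113.7        10.0.0.10         ---                  ---
"""


def _endpoint(token):
    """'ip:port' -> (ip, port); bare 'ip' -> (ip, None); '---' -> None."""
    if token == "---":
        return None
    ip, sep, port = token.rpartition(":")
    return (ip, int(port)) if sep else (token, None)


def parse_nat_translations(text):
    """One dict per translation row; header and unrecognised lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue   # header, blank, or a line we do not understand
        proto, ig, il, ol, og = parts
        rows.append({
            "proto": None if proto == "---" else proto,
            "inside_global": _endpoint(ig),
            "inside_local": _endpoint(il),
            "outside_local": _endpoint(ol),
            "outside_global": _endpoint(og),
        })
    return rows


def attribute_inside_host(rows, proto, global_ip, global_port):
    """Map what an outside server logged (our public IP plus source port) back
    to the inside local endpoint. Returns None if no entry matches, e.g. because
    the dynamic entry timed out before the table was read."""
    for r in rows:
        if r["proto"] == proto and r["inside_global"] == (global_ip, global_port):
            return r["inside_local"]
    return None


def destinations_by_inside_host(rows):
    """Inside local IP -> set of (proto, outside global ip, port) it reached."""
    out = defaultdict(set)
    for r in rows:
        if r["proto"] is None or r["outside_global"] is None:
            continue   # static entry without a live flow
        ip, port = r["outside_global"]
        out[r["inside_local"][0]].add((r["proto"], ip, port))
    return dict(out)


if __name__ == "__main__":
    rows = parse_nat_translations(SAMPLE)
    print(attribute_inside_host(rows, "tcp", "203.0.113.5", 1025))
    for host, dests in destinations_by_inside_host(rows).items():
        print(host, sorted(dests))
```

The lookup keys on the Inside global column because that is the only pair the outside world ever sees; the Inside local column is the answer. Dynamic overload entries age out, so in a real investigation the table has to be captured (or the router configured to log translations) close to the time of the connection, which the `None` return makes explicit.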

Thanks for reading and I hope that’s gone some way to explaining WTF is up with NAT IP Addresses.

Gary M