Understanding Static NAT (Summary from Cisco)
Static NAT
- Local address—A local address is any address that appears on the inside portion of the network.
- Global address—A global address is any address that appears on the outside portion of the network.
********************************************************************************************************************
- Inside local address—The IP address assigned to a host on the inside network. The address is likely not a legitimate IP address assigned by the Network Information Center (NIC) or service provider.
- Inside global address—A legitimate IP address assigned by the NIC or service provider that represents (is mapped to) one or more inside local IP addresses to the outside world.
- Outside local address—The IP address of an outside host as it appears to the inside network. Not necessarily a legitimate address, it is allocated from an address space routable on the inside.
- Outside global address—The IP address assigned to a host on the outside network by the host owner. The address is allocated from a globally routable address or network space.
********************************************************************************************************************
- Most computers on the stub domain communicate with each other using the inside local addresses.
- Some computers on the stub domain communicate a lot outside the network. These computers have inside global addresses, which means that they do not require translation.
- Using an inside global address, the router sends the packet on to its destination.
- A computer on the public network sends a packet to the private network. The source address on the packet is an outside global address. The destination address is an inside global address.
- When the packet arrives on the outside network, the NAT router looks at the address translation table and determines that the destination address is in there, mapped to a computer on the stub domain.
- The outside local addresses are used to translate the unique IP addresses, known as outside global addresses, of devices on the public network.
Define Inside Local and Inside Global Addresses
When the NAT router receives a packet on its inside interface with a
source address of 10.10.10.1, the source address is translated to
171.16.68.5. This also means that when the NAT router receives a packet
on its outside interface with a destination address of 171.16.68.5, the
destination address is translated to 10.10.10.1.
ip nat inside source static 10.10.10.1 171.16.68.5
!--- Inside host is known by the outside host as 171.16.68.5
interface s 0
ip nat inside
interface s 1
ip nat outside
Router#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 171.16.68.5        10.10.10.1         ---                ---
********************************************************************************************************************
Define Outside Local and Outside Global Addresses
In this configuration, when the NAT router receives a packet on its outside interface with a source address of 171.16.68.1, the source address is translated to 10.10.10.5. This also means that if the NAT router receives a packet on its inside interface with a destination address of 10.10.10.5, the destination address is translated to 171.16.68.1.
ip nat outside source static 171.16.68.1 10.10.10.5
!--- Outside host is known to the inside host as 10.10.10.5.
interface s 0
ip nat inside
interface s 1
ip nat outside
Router#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.10.10.5         171.16.68.1
********************************************************************************************************************
Define All Local and Global Addresses
In this configuration, when the NAT router receives a packet on its inside interface with a source address of 10.10.10.1, the source address is translated to 171.16.68.5. The interface corresponding to IP address 10.10.10.1 is the Inside Local Address, whereas the interface corresponding to IP address 171.16.68.5 is the Inside Global Address. When the NAT router receives a packet on its outside interface with a source address of 171.16.68.1, the source address is translated to 10.10.10.5.
This also means that when the NAT router receives a packet on its outside interface with a destination address of 171.16.68.5, the destination address is translated to 10.10.10.1. Also, when the NAT router receives a packet on its inside interface with a destination address of 10.10.10.5, the destination address is translated to 171.16.68.1.
ip nat inside source static 10.10.10.1 171.16.68.5
!--- Inside host is known to the outside host as 171.16.68.5.
ip nat outside source static 171.16.68.1 10.10.10.5
!--- Outside host is known to the inside host as 10.10.10.5.
interface s 0
ip nat inside
interface s 1
ip nat outside
Router#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.10.10.5         171.16.68.1
--- 171.16.68.5        10.10.10.1         ---                ---
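The four translations described for this combined configuration can be checked with a small model, which also shows which address a filter or log on each side of the router will see. This is an added example, not Cisco's or the original author's code; the StaticNat class, Packet type and method names are hypothetical, and the model only rewrites addresses (no ports, routing or ACLs).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

class StaticNat:
    """Simplified model: rewrites addresses only (no ports, routing or ACLs)."""
    def __init__(self):
        self.inside = {}   # inside local   -> inside global
        self.outside = {}  # outside global -> outside local

    def inside_source_static(self, local, global_):
        # models: ip nat inside source static <local> <global>
        self.inside[local] = global_

    def outside_source_static(self, global_, local):
        # models: ip nat outside source static <global> <local>
        self.outside[global_] = local

    def translate(self, pkt, arrives_on):
        if arrives_on == "inside":
            # source: inside local -> inside global; destination: outside local -> outside global
            dst_map = {l: g for g, l in self.outside.items()}
            return Packet(self.inside.get(pkt.src, pkt.src), dst_map.get(pkt.dst, pkt.dst))
        if arrives_on == "outside":
            # source: outside global -> outside local; destination: inside global -> inside local
            dst_map = {g: l for l, g in self.inside.items()}
            return Packet(self.outside.get(pkt.src, pkt.src), dst_map.get(pkt.dst, pkt.dst))
        raise ValueError("arrives_on must be 'inside' or 'outside'")

    def table(self):
        # Rows as (inside global, inside local, outside local, outside global)
        rows = [("---", "---", l, g) for g, l in self.outside.items()]
        rows += [(g, l, "---", "---") for l, g in self.inside.items()]
        return rows

def page_config():
    # The two static entries from the configuration above
    nat = StaticNat()
    nat.inside_source_static("10.10.10.1", "171.16.68.5")
    nat.outside_source_static("171.16.68.1", "10.10.10.5")
    return nat

if __name__ == "__main__":
    nat = page_config()
    print(nat.translate(Packet("10.10.10.1", "10.10.10.5"), "inside"))
    print(nat.translate(Packet("171.16.68.1", "171.16.68.5"), "outside"))
```

Addresses with no static entry pass through unchanged in this model.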
*************************************************************
The above is information from Cisco and is a little bit confusing; however, an easy way for me to remember it is:
ip nat inside source static a.a.a.a b.b.b.b
- a.a.a.a -> b.b.b.b source address translation for packets arriving at the inside interface
- b.b.b.b -> a.a.a.a destination address translation for packets arriving at the outside interface
ip nat outside source static c.c.c.c d.d.d.d
- c.c.c.c -> d.d.d.d source address translation for packets arriving at the outside interface
- d.d.d.d -> c.c.c.c destination address translation for packets arriving at the inside interface
So, following the logic, the two commands below practically give the same result:
ip nat inside source static x.x.x.x y.y.y.y
equals
ip nat outside source static y.y.y.y x.x.x.x




