From: Tao Yang (yangtao.mike@gmail.com)
Date: Wed Jan 17 2007 - 23:39:30 ART
Your explanation is very clear and useful.
Thank you very much.
On 1/18/07, Sergey Golovanov <sergey.golovanov@iementor.com> wrote:
>
> Tao,
>
> there's actually a very big difference between "inside destination" and
> "outside source". I'll try to be brief, not to overcomplicate my
> explanation. If you want me to get into nitty-gritty details, let me know.
>
> INSIDE-DESTINATION
>
> It's basically used for TCP load balancing from clients on the outside to
> a virtual server on the inside. Non-tcp traffic doesn't get translated! The
> important thing to remember is that it applies to traffic initiated from the
> OUTSIDE to the INSIDE, and not the other way around. Of course, the source
> of the return traffic from the inside to the outside will get translated,
> but the initiation from outside to inside is required to happen first, so
> that the dynamic NAT table entry is created. The other key thing is that
> there's no "static" version of this command, but only "list" version, hence
> it happens dynamically. There actually used to be a "ip nat inside
> destination static" version of this command, but it's not in newer IOSes. So
> here's an example.
>
> You have ten servers on the inside with IP addresses 10.0.0.1 through
> 10.0.0.10. All servers have the same content, and share the same service,
> for example HTTP (port 80).
> Clients on the outside want to reach them as one virtual server
> 65.0.0.1:80.
>
> int e0
>  ! servers are here
>  ip nat inside
> int ser0
>  ! clients are here
>  ip nat outside
> !
> ip nat pool VIRTUAL 10.0.0.1 10.0.0.10 prefix-length 24 type rotary
> ! <---- The pool must be rotary!
> ip nat inside destination list 1 pool VIRTUAL
> !
> access-list 1 permit 65.0.0.1
>
> Multiple clients from the outside go to 65.0.0.1:80, and this traffic ip
> destination will translate to 10.0.0.1:80, 10.0.0.2:80, etc... Individual
> TCP port-based entries will appear in "show ip nat trans" once traffic comes
> in. And obviously return traffic IP source will get translated too. It has
> to match the nat table entry.
>
> Nothing will happen if traffic is initiated from inside first. So, one
> more time, traffic has to initiate from the outside. IP destination is
> translated. And it doesn't work with UDP traffic.
>
> By the way, if you want to achieve the same results for UDP traffic, you
> would have to set up a bunch of "ip nat INSIDE SOURCE static UDP" entries.
> You can't do it with "ip nat inside destination".
>
> OUTSIDE-SOURCE
>
> In this case, traffic is ALSO initiated from outside to inside, but this
> time the source address is changed. For example, this would be used when you
> want to make the outside network 65.0.0.0/24 look like 172.16.0.0/24
> network for the inside users. Traffic comes from outside to the router,
> source address is translated, and it continues to the inside. The
> destination address of return traffic from the inside to the outside is
> translated as well.
>
> So, again, for "outside-source" configuration the traffic should be
> initiated from outside to inside. But it's actually not required, because
> with "ip nat outside source" you have both "static" and "list" version of
> the command. So if you configure "ip nat outside source static", it will
> also apply for traffic initiated from inside to outside, and IP DESTINATION
> will be translated. If you configure "ip nat outside source list", the
> traffic would HAVE TO initiate from the outside to inside.
>
> COMPARISON
>
> So the interesting similarity between "inside destination" and "outside
> source" is that the traffic is initiated from OUTSIDE to INSIDE. But in the
> first case IP destination is translated, and in the second case IP source.
>
> Did this make sense?
>
> --------------------------------------------------------------------
> Sergey Golovanov, CCIEx5 (R&S/Security/Voice/Service Provider/Storage)
> "Please, don't ask me for my ccie #, there are reasons why I can't release
> it"
> ieMentor Instructor and Content Developer
> sergey.golovanov@iementor.com
> http://www.iementor.com
>
>
> > -------Original Message-------
> > From: Tao Yang <yangtao.mike@gmail.com>
> > Subject: Difference between "ip nat inside destination" and "ip nat outside source"
> > Sent: Jan 17 '07 07:01
> >
> > Hi all,
> >
> > I am confused about the "ip nat inside destination" and "ip nat outside
> > source".
> > According to my understanding, "inside destination" == "outside source".
> > It looks like these two commands have the same function.
> > Could anybody tell me the difference, or give me an example of when to use
> > these two commands.
> >
> > Thanks.
> >
> >
> > ip nat inside destination
> >
> > To enable Network Address Translation (NAT) of the inside destination
> > address, use the ip nat inside destination global configuration command.
> > To remove the dynamic association to a pool, use the no form of this command.
> >
> > ip nat outside source
> >
> > To enable Network Address Translation (NAT) of the outside source address,
> > use the ip nat outside source global configuration command. To remove the
> > static entry or the dynamic association, use the no form of this command.
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
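The following is an added example, not part of the thread and not Cisco code: a small Python model of the directional behaviour Sergey describes, so the three cases (inside destination with a rotary pool, outside source static, outside source list) can be replayed side by side. The router class, the `Packet` fields and every address and port are constructed for illustration; the model reproduces only what the reply states (TCP-only, outside-initiated entries for "inside destination"; "outside source static" working for inside-initiated flows too; "outside source list" needing an outside-initiated flow first) and makes no claim about other IOS details such as timeouts or pool-exhaustion logging.

```python
"""NAT-direction simulator (added example, not from the thread): models the behaviour Sergey
describes for "ip nat inside destination list ... pool <rotary>", "ip nat outside source static"
and "ip nat outside source list ... pool". All addresses and ports are constructed samples."""
from dataclasses import dataclass, replace
from itertools import cycle
from typing import Dict, Iterable, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str  # "out->in": arrived on the "ip nat outside" interface; "in->out": on "ip nat inside"
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

FlowKey = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)

class NatRouter:
    def __init__(self) -> None:
        self.inside_dest_vip = None             # ip nat inside destination: ACL-permitted virtual address
        self.rotary = None                      # rotary pool of real servers
        self.dest_fwd: Dict[FlowKey, str] = {}  # (tcp, client, cport, vip, port) -> real server
        self.dest_rev: Dict[FlowKey, str] = {}  # (tcp, real, port, client, cport) -> vip
        self.static_g2l: Dict[str, str] = {}    # ip nat outside source static: outside global -> local
        self.static_l2g: Dict[str, str] = {}
        self.src_acl = set()                    # ip nat outside source list: permitted outside hosts
        self.src_pool = iter(())
        self.dyn_g2l: Dict[str, str] = {}       # entries exist only after outside-initiated traffic
        self.dyn_l2g: Dict[str, str] = {}

    def ip_nat_inside_destination(self, permitted_vip: str, rotary_pool: Iterable[str]) -> None:
        self.inside_dest_vip = permitted_vip
        self.rotary = cycle(rotary_pool)  # "type rotary": real servers handed out round-robin

    def ip_nat_outside_source_static(self, outside_global: str, outside_local: str) -> None:
        self.static_g2l[outside_global] = outside_local
        self.static_l2g[outside_local] = outside_global

    def ip_nat_outside_source_list(self, permitted: Iterable[str], pool: Iterable[str]) -> None:
        self.src_acl = set(permitted)
        self.src_pool = iter(list(pool))  # ordinary pool: one alias per outside host, used in order

    def translate(self, p: Packet) -> Optional[Packet]:
        """Packet as it leaves the router: unchanged when no rule applies, None when dropped."""
        return self._out_to_in(p) if p.direction == "out->in" else self._in_to_out(p)

    def _out_to_in(self, p: Packet) -> Optional[Packet]:
        # outside source: static always applies; list applies when the ACL permits the source
        if p.src in self.static_g2l:
            p = replace(p, src=self.static_g2l[p.src])
        elif p.src in self.src_acl:
            if p.src not in self.dyn_g2l:
                alias = next(self.src_pool, None)
                if alias is None:
                    return None  # pool exhausted: modelled as a drop
                self.dyn_g2l[p.src], self.dyn_l2g[alias] = alias, p.src
            p = replace(p, src=self.dyn_g2l[p.src])
        # inside destination: TCP only, and only toward the ACL-permitted virtual address
        if p.proto == "tcp" and p.dst == self.inside_dest_vip:
            key = (p.proto, p.src, p.sport, p.dst, p.dport)
            if key not in self.dest_fwd:
                real = next(self.rotary)
                self.dest_fwd[key] = real
                self.dest_rev[(p.proto, real, p.dport, p.src, p.sport)] = p.dst
            p = replace(p, dst=self.dest_fwd[key])
        return p

    def _in_to_out(self, p: Packet) -> Optional[Packet]:
        # inside destination: only the return half of an existing entry is rewritten;
        # a flow the inside starts never creates one, so it passes untouched
        vip = self.dest_rev.get((p.proto, p.src, p.sport, p.dst, p.dport))
        if vip is not None:
            p = replace(p, src=vip)
        # outside source: static entries rewrite the destination even for inside-initiated flows;
        # list entries only once outside-initiated traffic has created them
        real = self.static_l2g.get(p.dst) or self.dyn_l2g.get(p.dst)
        if real is not None:
            p = replace(p, dst=real)
        return p

def demo() -> Dict[str, Optional[Packet]]:
    """Replays the thread's scenarios in order; each key names one case."""
    r = NatRouter()
    r.ip_nat_inside_destination("65.0.0.1", ["10.0.0.1", "10.0.0.2"])  # constructed values
    r.ip_nat_outside_source_static("65.0.0.5", "172.16.0.5")
    r.ip_nat_outside_source_list({"65.0.0.9"}, ["172.16.0.9"])
    return {
        "client_a": r.translate(Packet("out->in", "tcp", "200.1.1.1", 40000, "65.0.0.1", 80)),
        "client_b": r.translate(Packet("out->in", "tcp", "200.1.1.2", 40000, "65.0.0.1", 80)),
        "reply_a": r.translate(Packet("in->out", "tcp", "10.0.0.1", 80, "200.1.1.1", 40000)),
        "udp_to_vip": r.translate(Packet("out->in", "udp", "200.1.1.1", 40000, "65.0.0.1", 53)),
        "inside_first": r.translate(Packet("in->out", "tcp", "10.0.0.3", 5000, "200.1.1.9", 80)),
        "static_inside_first": r.translate(Packet("in->out", "tcp", "10.0.0.3", 5001, "172.16.0.5", 22)),
        "list_inside_first": r.translate(Packet("in->out", "tcp", "10.0.0.3", 5002, "172.16.0.9", 22)),
        "list_outside_first": r.translate(Packet("out->in", "tcp", "65.0.0.9", 6000, "10.0.0.3", 22)),
        "list_reply": r.translate(Packet("in->out", "tcp", "10.0.0.3", 22, "172.16.0.9", 6000)),
    }

if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:20} {pkt}")
```

Running it shows the two outside clients landing on 10.0.0.1 and 10.0.0.2 in turn, the server's reply getting its source rewritten back to 65.0.0.1, the UDP packet and the inside-initiated flow passing through unchanged, the static outside-source mapping rewriting a destination even when the inside starts the conversation, and the list-based mapping doing nothing until an outside host has first sent traffic in.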
This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:57 ART