RE: Difference between "ip nat inside destination" and "ip nat

From: haducbinh (haducbinh@gmail.com)
Date: Thu Jan 18 2007 - 04:34:24 ART


Excellent explanation! :)
Could you please get into the nitty-gritty details, Sergey?

HaDucBinh
Email: haducbinh@vnpro.org
Y/M: haducbinh
Phone: +84 908 191 322
---------------------------------------------------------------------------
Vietnamese Professionals (VnPro)
Cisco Authorised Training
149/1D Ung Van Khiem St - Ward 25 - Binh Thanh Dist - HCMC
Tel: (08) 5124257 - (08) 5125314 Fax: (08) 5124314
Website: http://vnpro.vn Support Forum: http://vnpro.org

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Sergey Golovanov
Sent: Thursday, January 18, 2007 3:49 AM
To: Tao Yang; ccielab@groupstudy.com
Subject: Re: Difference between "ip nat inside destination" and "ip nat outside source"

Tao,

there's actually a very big difference between "inside destination" and
"outside source". I'll try to be brief, not to overcomplicate my
explanation. If you want me to get into nitty-gritty details, let me know.

INSIDE-DESTINATION

It's basically used for TCP load balancing from clients on the outside to a
virtual server on the inside. Non-TCP traffic doesn't get translated! The
important thing to remember is that it applies to traffic initiated from the
OUTSIDE to the INSIDE, and not the other way around. Of course, the source
of the return traffic from the inside to the outside will get translated,
but the initiation from outside to inside is required to happen first, so
that the dynamic NAT table entry is created. The other key thing is that
there's no "static" version of this command, but only a "list" version, hence
it happens dynamically. There actually used to be an "ip nat inside
destination static" version of this command, but it's not in newer IOSes. So
here's an example.

You have ten servers on the inside with IP addresses 10.0.0.1 through
10.0.0.10. All servers have the same content, and share the same service,
for example HTTP (port 80).
Clients on the outside want to reach them as one virtual server 65.0.0.1:80.

int e0
 ! servers are here
 ip nat inside
int ser0
 ! clients are here
 ip nat outside
!
! The pool must be rotary!
ip nat pool VIRTUAL 10.0.0.1 10.0.0.10 prefix-length 24 type rotary
ip nat inside destination list 1 pool VIRTUAL
!
access-list 1 permit 65.0.0.1

Multiple clients from the outside go to 65.0.0.1:80, and this traffic's IP
destination will be translated to 10.0.0.1:80, 10.0.0.2:80, etc... Individual
TCP port-based entries will appear in "show ip nat trans" once traffic comes
in. And obviously the return traffic's IP source will get translated too. It has
to match the NAT table entry.

Nothing will happen if traffic is initiated from inside first. So, one more
time, traffic has to initiate from the outside. IP destination is
translated. And it doesn't work with UDP traffic.

By the way, if you want to achieve the same results for UDP traffic, you
would have to set up a bunch of "ip nat INSIDE SOURCE static UDP" entries.
You can't do it with "ip nat inside destination".

OUTSIDE-SOURCE

In this case, traffic is ALSO initiated from outside to inside, but this
time the source address is changed. For example, this would be used when you
want to make the outside network 65.0.0.0/24 look like 172.16.0.0/24 network
for the inside users. Traffic comes from outside to the router, source
address is translated, and it continues to the inside. The destination
address of return traffic from the inside to the outside is translated as
well.

So, again, for "outside-source" configuration the traffic should be
initiated from outside to inside. But it's actually not required, because
with "ip nat outside source" you have both "static" and "list" versions of
the command. So if you configure "ip nat outside source static", it will
also apply for traffic initiated from inside to outside, and IP DESTINATION
will be translated. If you configure "ip nat outside source list", the
traffic would HAVE TO initiate from the outside to inside.

COMPARISON

So the interesting similarity between "inside destination" and "outside
source" is that the traffic is initiated from OUTSIDE to INSIDE. But in the
first case IP destination is translated, and in the second case IP source.

Did this make sense?

--------------------------------------------------------------------
Sergey Golovanov, CCIEx5 (R&S/Security/Voice/Service Provider/Storage)
"Please, don't ask me for my ccie #, there are reasons why I can't release
it"
ieMentor Instructor and Content Developer
sergey.golovanov@iementor.com
http://www.iementor.com
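As an added illustration (not from the thread, and a Python model rather than IOS), the following simulates the direction rules Sergey lays out: the rotary "inside destination" pool only reacts to outside-initiated TCP toward the virtual address and keeps one entry per client TCP port, while "outside source static" rewrites in both directions with no prior entry. The pool, the virtual address 65.0.0.1 and the 65.0.0.9 -> 172.16.0.9 static pair are constructed values.

```python
from itertools import cycle


class NatModel:
    """Constructed model of the two translation kinds in the thread: it is
    not IOS code, only a simulation of the behaviour Sergey describes."""

    def __init__(self, virtual_ip, rotary_pool, outside_static=None):
        self.virtual_ip = virtual_ip                 # access-list 1 permit <virtual_ip>
        self.rotary = cycle(rotary_pool)             # ip nat pool VIRTUAL ... type rotary
        self.outside_static = outside_static or {}   # outside global -> outside local
        # dynamic inside-destination entries: (client ip, client port) -> real server
        self.dest_table = {}

    def outside_to_inside(self, proto, src, sport, dst, dport):
        """Packet arriving on the 'ip nat outside' interface.
        Returns the (src, dst) pair the inside network will see."""
        # inside destination: only TCP to the virtual address creates an entry,
        # one per client TCP port, and the pool is walked round-robin
        if proto == "tcp" and dst == self.virtual_ip:
            key = (src, sport)
            if key not in self.dest_table:
                self.dest_table[key] = next(self.rotary)
            dst = self.dest_table[key]
        # outside source static: source is rewritten, no prior entry needed
        src = self.outside_static.get(src, src)
        return src, dst

    def inside_to_outside(self, proto, src, sport, dst, dport):
        """Packet arriving on the 'ip nat inside' interface (return traffic
        or inside-initiated traffic)."""
        # reverse of inside destination: only if the client created an entry;
        # inside-initiated traffic toward the outside is left alone
        if proto == "tcp" and self.dest_table.get((dst, dport)) == src:
            src = self.virtual_ip
        # reverse of outside source static: destination is rewritten even when
        # the inside host initiated the conversation
        reverse = {local: glob for glob, local in self.outside_static.items()}
        dst = reverse.get(dst, dst)
        return src, dst
```

UDP toward the virtual address passes through untranslated, which is the case Sergey says needs "ip nat inside source static udp" entries instead.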

> -------Original Message-------
> From: Tao Yang <yangtao.mike@gmail.com>
> Subject: Difference between "ip nat inside destination" and "ip nat outside source"
> Sent: Jan 17 '07 07:01
>
> Hi all,
>
> I am confused about the "ip nat inside destination" and "ip nat outside
> source".
> According to my understanding, "inside destination" == "outside source".
> It looks like these two commands have the same function.
> Could anybody tell me the difference, or give me an example of when to use
> these two commands.
>
> Thanks.
>
>
> ip nat inside destination
>
> To enable Network Address Translation (NAT) of the inside destination
> address, use the ip nat inside destination global configuration command. To
> remove the dynamic association to a pool, use the no form of this command.
>
> ip nat outside source
>
> To enable Network Address Translation (NAT) of the outside source address,
> use the ip nat outside source global configuration command. To remove the
> static entry or the dynamic association, use the no form of this command.
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:57 ART