RE: Difference between "ip nat inside destination" and "ip nat

From: Marut S@MS@DCTH-BKK (S@MS@DCTH-BKK)
Date: Thu Feb 22 2007 - 01:22:37 ART


Hi all,

        Could I summarize like below? Please correct if it's not
correct. :)

1. Traffic initiated from inside, NAT only source = ip nat inside source
   {static|list}
2. Traffic initiated from inside, NAT only destination = ip nat outside
   source static
3. Traffic initiated from outside, NAT only source = ip nat outside
   source {static|list}
4. Traffic initiated from outside, NAT only destination = ip nat inside
   source static, ip nat inside destination list

Note: ip nat inside destination list is used for load balancing, and
traffic must be initiated from outside only.

Many thanks in advance,
Marut

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Sergey Golovanov
Sent: Thursday, 18 January, 2007 3:49 AM
To: Tao Yang;
Subject: Re: Difference between "ip nat inside destination" and "ip nat
outside source"

Tao,

there's actually a very big difference between "inside destination" and
"outside source". I'll try to be brief, not to overcomplicate my
explanation. If you want me to get into nitty-gritty details, let me
know.

INSIDE-DESTINATION

It's basically used for TCP load balancing from clients on the outside
to a virtual server on the inside. Non-TCP traffic doesn't get
translated! The important thing to remember is that it applies to
traffic initiated from the OUTSIDE to the INSIDE, and not the other way
around. Of course, the source of the return traffic from the inside to
the outside will get translated, but the initiation from outside to
inside is required to happen first, so that the dynamic NAT table entry
is created. The other key thing is that there's no "static" version of
this command, but only a "list" version, hence it happens dynamically.
There actually used to be an "ip nat inside destination static" version
of this command, but it's not in newer IOSes. So here's an example.

You have ten servers on the inside with IP addresses 10.0.0.1 through
10.0.0.10. All servers have the same content, and share the same
service, for example HTTP (port 80).
Clients on the outside want to reach them as one virtual server
65.0.0.1:80.

int e0 (servers are here)
 ip nat inside
int ser0 (clients are here)
 ip nat outside
!
ip nat pool VIRTUAL 10.0.0.1 10.0.0.10 prefix-length 24 type rotary
<---- The pool must be rotary!
ip nat inside destination list 1 pool VIRTUAL
!
access-list 1 permit 65.0.0.1

Multiple clients from the outside go to 65.0.0.1:80, and this traffic's
IP destination will be translated to 10.0.0.1:80, 10.0.0.2:80, etc.
Individual TCP port-based entries will appear in "show ip nat trans"
once traffic comes in. And obviously the return traffic's IP source will
get translated too. It has to match the NAT table entry.

Nothing will happen if traffic is initiated from inside first. So, one
more time, traffic has to initiate from the outside. IP destination is
translated. And it doesn't work with UDP traffic.

By the way, if you want to achieve the same results for UDP traffic, you
would have to set up a bunch of "ip nat INSIDE SOURCE static UDP"
entries. You can't do it with "ip nat inside destination".

OUTSIDE-SOURCE

In this case, traffic is ALSO initiated from outside to inside, but this
time the source address is changed. For example, this would be used when
you want to make the outside network 65.0.0.0/24 look like 172.16.0.0/24
network for the inside users. Traffic comes from outside to the router,
source address is translated, and it continues to the inside. The
destination address of return traffic from the inside to the outside is
translated as well.

So, again, for "outside-source" configuration the traffic should be
initiated from outside to inside. But it's actually not required,
because with "ip nat outside source" you have both "static" and "list"
version of the command. So if you configure "ip nat outside source
static", it will also apply for traffic initiated from inside to
outside, and IP DESTINATION will be translated. If you configure "ip nat
outside source list", the traffic would HAVE TO initiate from the outside
to inside.

COMPARISON

So the interesting similarity between "inside destination" and "outside
source" is that the traffic is initiated from OUTSIDE to INSIDE. But in
the first case IP destination is translated, and in the second case IP
source.

Did this make sense?

--------------------------------------------------------------------
Sergey Golovanov, CCIEx5 (R&S/Security/Voice/Service Provider/Storage)
"Please, don't ask me for my ccie #, there are reasons why I can't
release it"
ieMentor Instructor and Content Developer
sergey.golovanov@iementor.com
http://www.iementor.com

> -------Original Message-------
> From: Tao Yang <yangtao.mike@gmail.com>
> Subject: Difference between "ip nat inside destination" and "ip nat outside source"
> Sent: Jan 17 '07 07:01
>
> Hi all,
>
> I am confused about the "ip nat inside destination" and "ip nat outside
> source".
> According to my understanding, "inside destination" == "outside source";
> it looks like these two commands have the same function.
> Could anybody tell me the difference, or give me an example of when to
> use these two commands.
>
> Thanks.
>
>
> ip nat inside destination
>
> To enable Network Address Translation (NAT) of the inside destination
> address, use the ip nat inside destination global configuration command.
> To remove the dynamic association to a pool, use the no form of this
> command.
>
> ip nat outside source
>
> To enable Network Address Translation (NAT) of the outside source address,
> use the ip nat outside source global configuration command. To remove
> the static entry or the dynamic association, use the no form of this
> command.
>
>
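A constructed Python model, added here and not part of any post in the thread or of IOS, of the two behaviours Sergey describes: it applies the 65.0.0.1 rotary virtual server and an "ip nat outside source static" mapping to a few packets and shows which address is rewritten in each direction, that the rotary entry exists only once an outside-initiated TCP packet arrives, and that UDP to the virtual address is left alone. The Pkt/NatRouter names, the port numbers and the 65.0.0.5 -> 172.16.0.5 host pair (one host of the 65.0.0.0/24 -> 172.16.0.0/24 example) are assumptions.

```python
from collections import namedtuple
from itertools import cycle

# proto "tcp"/"udp"; dir "out2in" (outside -> inside) or "in2out" (inside -> outside)
Pkt = namedtuple("Pkt", "proto src sport dst dport dir")

class NatRouter:
    """Constructed model of two IOS NAT command families; not IOS code."""
    def __init__(self):
        self.out_src = {}   # ip nat outside source static <global> <local>
        self.vip = None     # ip nat inside destination list <acl> pool <rotary pool>
        self.pool = None
        self.table = {}     # dynamic entries: (client ip, client port) -> real server

    def outside_source_static(self, outside_global, outside_local):
        self.out_src[outside_global] = outside_local

    def inside_destination_rotary(self, vip, servers):
        self.vip, self.pool = vip, cycle(servers)

    def translate(self, p):
        if p.dir == "out2in":
            if p.src in self.out_src:                    # outside source: SOURCE rewritten
                p = p._replace(src=self.out_src[p.src])
            if p.proto == "tcp" and p.dst == self.vip:   # inside destination: DESTINATION, TCP only
                key = (p.src, p.sport)
                if key not in self.table:                # entry is created only by outside initiation
                    self.table[key] = next(self.pool)
                p = p._replace(dst=self.table[key])
            return p
        if self.table.get((p.dst, p.dport)) == p.src:    # reply of a rotary session: source -> VIP
            p = p._replace(src=self.vip)
        for glob, loc in self.out_src.items():           # static mapping also applies inside-initiated
            if p.dst == loc:
                p = p._replace(dst=glob)
        return p

def demo():
    r = NatRouter()
    r.outside_source_static("65.0.0.5", "172.16.0.5")
    r.inside_destination_rotary("65.0.0.1", ["10.0.0.1", "10.0.0.2"])
    a = r.translate(Pkt("tcp", "65.0.0.5", 40000, "65.0.0.1", 80, "out2in"))
    b = r.translate(Pkt("tcp", "65.0.0.7", 40001, "65.0.0.1", 80, "out2in"))
    ret = r.translate(Pkt("tcp", a.dst, 80, a.src, a.sport, "in2out"))        # server 1 answers client a
    udp = r.translate(Pkt("udp", "65.0.0.9", 5000, "65.0.0.1", 53, "out2in"))  # UDP: not translated
    inside_first = r.translate(Pkt("tcp", "10.0.0.3", 5000, "65.0.0.1", 80, "in2out"))  # no entry yet
    return a, b, ret, udp, inside_first
```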



This archive was generated by hypermail 2.1.4 : Thu Mar 01 2007 - 07:38:47 ART