Solved

What is the difference between inside and outside NAT?

Posted on 2009-07-13
Last Modified: 2012-05-07
What is the difference between inside and outside NAT?
When shall I use the outside NAT or inside NAT?
Question by:paintco

Assisted Solution

by:that1guy15
that1guy15 earned 500 total points
ID: 24841781
Inside NAT is translating incoming traffic to your public IP address to an inside private address.

For example, your public address is 65.x.x.x. All traffic for your network is pointed to that address. You would use inside NAT to point specific traffic to different resources such as your email server (10.0.0.x), your web server (10.0.0.y), etc.

Outside NAT is translating all your internal (private addresses) traffic to a public IP address or group of addresses. This allows all your LAN devices to not require a public address to access the web.

You can either overload an IP address by having multiple devices using the same IP address, or you can set up a group of public IP addresses that your private IPs can use.

 

Author Comment

by:paintco
ID: 24842716
So if I have two sites (Site-A, Site-B):
Routing between the two LANs of the two sites is OK; both LANs are reachable from each other.

There are two servers in each site:
Site-A  server-1  10.1.1.100/24
Site-A  server-2  10.1.1.101/24
Site-B  server-1  20.1.1.100/24
Site-B  server-2  20.1.1.101/24

I want to NAT the traffic between the two sites as follows:
Site-A All clients  NAT to --> 172.16.1.50
Site-B All clients NAT to --> 172.16.2.50
Site-A server-1 10.1.1.100 --> NAT to 172.16.1.100
Site-A server-2 10.1.1.101 --> NAT to 172.16.1.101
Site-B server-1 20.1.1.100 --> NAT to 172.16.2.100
Site-B server-2 120.1.1.101 -- NAT to 172.16.2.101

All workstations and servers should be reachable from each other
Site-A configuration is 
RTR-A# sh run
!
int fas 0/1 
ip add 17.0.10.1 255.255.255.0
!
int se 0/1 
ip add 172.16.1.1 255.255.255.252
!
Core-A# sh run
!
int Gig 0/1 
ip add 17.0.10.50 255.255.255.0
!
int vlan 1 
ip add 10.1.1.1 255.255.255.0
!
##################################################
Site-B configuration is 
RTR-B# sh run
!
int fas 0/1 
ip add 17.0.20.1 255.255.255.0
!
int se 0/1 
ip add 172.16.2.1 255.255.255.252
!
Core-B# sh run
!
int Gig 0/1 
ip add 17.0.20.50 255.255.255.0
!
int vlan 1 
ip add 20.1.1.1 255.255.255.0
!


Assisted Solution

by:that1guy15
that1guy15 earned 500 total points
ID: 24843426
Could you please explain your network layout more. What routers connect to each other?

Author Comment

by:paintco
ID: 24843644
RTR-A connected to RTR-B through PSTN using BGP routing
Site-A LAN connected to Core-A and Core-A connected to RTR-A
Site-B LAN connected to Core-B and Core-B connected to RTR-B

Assisted Solution

by:that1guy15
that1guy15 earned 500 total points
ID: 24843705
What interfaces are connecting to what? Specifically on the RTR routers. Also, is there NAT being applied anywhere else in this setup?
 

Author Comment

by:paintco
ID: 24843954
RTR-A Fa0/1 going to Core-A
RTR-A Se 0/1 going to MPLS cloud
RTR-B Fa0/1 going to Core-B
RTR-B Se 0/1 going to MPLS cloud

No NAT applied anywhere.
I only want to apply NAT on all traffic going and coming for each LAN router interface.

Accepted Solution

by:
that1guy15 earned 500 total points
ID: 24844075
Here is the config you will add to both routers. Let me know if you have any questions.
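Site-A (configure on RTR-A)
 
! Servers are denied here so only the clients use the overloaded address
access-list 10 deny host 10.1.1.100
access-list 10 deny host 10.1.1.101
access-list 10 permit 10.1.1.0 0.0.0.255
 
! IOS requires a netmask or prefix-length on the pool; /24 is assumed here
ip nat pool Site-A 172.16.1.50 172.16.1.50 netmask 255.255.255.0
! The pool name is case-sensitive and must match the line above
ip nat inside source list 10 pool Site-A overload
! One-to-one translations for the servers
ip nat inside source static 10.1.1.100 172.16.1.100
ip nat inside source static 10.1.1.101 172.16.1.101
 
 
int fa0/1
 ip nat inside
 
int se0/1
 ip nat outside
 
 
Site-B (configure on RTR-B)
 
! Servers are denied here so only the clients use the overloaded address
access-list 11 deny host 20.1.1.100
access-list 11 deny host 20.1.1.101
access-list 11 permit 20.1.1.0 0.0.0.255
 
! IOS requires a netmask or prefix-length on the pool; /24 is assumed here
ip nat pool Site-B 172.16.2.50 172.16.2.50 netmask 255.255.255.0
! The pool name is case-sensitive and must match the line above
ip nat inside source list 11 pool Site-B overload
! One-to-one translations for the servers
ip nat inside source static 20.1.1.100 172.16.2.100
ip nat inside source static 20.1.1.101 172.16.2.101
 
 
int fa0/1
 ip nat inside
 
int se0/1
 ip nat outside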

 

Author Comment

by:paintco
ID: 24844150
Thanks

What will be the situation if I want to implement NAT on Core switches as follows

Site-A All clients  NAT to --> 17.0.10.50
Site-B All clients NAT to --> 17.10.20.50
Site-A server-1 10.1.1.100 --> NAT to 170.10.100
Site-A server-2 10.1.1.101 --> NAT to 17.0.10.101
Site-B server-1 20.1.1.100 --> NAT to 17.0.20.100
Site-B server-2 120.1.1.101 -- NAT to 17.0.20.101
 

Author Comment

by:paintco
ID: 24844204
If the core platform is a 6550, will it fit? And if there are around 50 servers that need to be NATed one-to-one, will it be a headache?

Assisted Solution

by:that1guy15
that1guy15 earned 500 total points
ID: 24844262
"What will be the situation if I want to implement NAT on Core switches as follows"

That should not be a problem; just move the NAT config I provided to the core switches and adjust the statements with the appropriate IP addresses.

"If the core platform is a 6550, will it fit? And if there are around 50 servers that need to be NATed one-to-one, will it be a headache?"

Yeah, it can be time-consuming and a headache to get set up for all 50, but your 6550 should be able to handle it. This is not that uncommon.
0
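Added example (not part of the original thread or any poster's code): a Python generator that emits the accepted answer's statement layout for a longer server list, such as the 50 one-to-one mappings discussed above, and rejects address collisions before anything is pasted into a router. The function name `build_nat_config`, the same-host-offset mapping rule and the /24 pool netmask are assumptions.

```python
import ipaddress


def build_nat_config(site, lan, global_net, pat_host, servers, acl=10,
                     inside_if="fa0/1", outside_if="se0/1"):
    """Return IOS lines: PAT (overload) for clients, static NAT per server."""
    lan = ipaddress.ip_network(lan)
    global_net = ipaddress.ip_network(global_net)
    pat_ip = global_net.network_address + pat_host
    pool = f"Site-{site}"  # one spelling reused below: pool names are case-sensitive
    statics = {}
    for s in sorted(map(ipaddress.ip_address, servers)):
        if s not in lan:
            raise ValueError(f"{s} is not inside {lan}")
        # Assumption: keep the host offset, as the thread does
        # (10.1.1.100 -> 172.16.1.100).
        g = global_net.network_address + (int(s) - int(lan.network_address))
        if g not in global_net or g == pat_ip or g in statics.values():
            raise ValueError(f"global address {g} is outside {global_net} or in use")
        statics[s] = g
    # Servers are denied in the ACL so only clients hit the overloaded pool.
    lines = [f"access-list {acl} deny host {s}" for s in statics]
    lines.append(f"access-list {acl} permit {lan.network_address} {lan.hostmask}")
    lines.append(f"ip nat pool {pool} {pat_ip} {pat_ip} netmask {global_net.netmask}")
    lines.append(f"ip nat inside source list {acl} pool {pool} overload")
    lines += [f"ip nat inside source static {s} {g}" for s, g in statics.items()]
    lines += [f"interface {inside_if}", " ip nat inside",
              f"interface {outside_if}", " ip nat outside"]
    return lines


if __name__ == "__main__":
    # Constructed inventory: 50 Site-A servers, 10.1.1.100 to 10.1.1.149
    servers = [f"10.1.1.{n}" for n in range(100, 150)]
    print("\n".join(build_nat_config("A", "10.1.1.0/24", "172.16.1.0/24",
                                     50, servers)))
```

A server whose translated address would land on the overload address (for example 10.1.1.50 here) raises `ValueError` instead of producing two conflicting translations.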
 

Author Comment

by:paintco
ID: 24844308
Thanks a lot

Expert Comment

by:that1guy15
ID: 24844345
no problem