Solved

What is the difference between inside and outside NAT?

Posted on 2009-07-13
Last Modified: 2012-05-07
What is the difference between inside and outside NAT?
When shall I use outside NAT or inside NAT?
Question by:paintco
12 Comments
 
LVL 23

Assisted Solution

by:that1guy15
that1guy15 earned 1500 total points
ID: 24841781
Inside NAT is translating incoming traffic to your public IP address to an inside private address.

For example, your public address is 65.x.x.x. All traffic for your network is pointed to that address. You would use inside NAT to point specific traffic to different resources such as your email server (10.0.0.x), your web server (10.0.0.y), etc.

Outside NAT is translating all your internal (private addresses) traffic to a public IP address or group of addresses. This allows all your LAN devices to not require a public address to access the web.

You can either overload an IP address by having multiple devices using the same IP address, or you can set up a group of public IP addresses that your private IPs can use.

0
 

Author Comment

by:paintco
ID: 24842716
So if I have two sites (Site-A, Site-B):
Routing between the two LANs of the two sites is OK; both LANs are reachable from each other.

There are two servers in each site:
Site-A  server-1  10.1.1.100/24
Site-A  server-2  10.1.1.101/24
Site-B  server-1  20.1.1.100/24
Site-B  server-2  20.1.1.101/24

I want to NAT the traffic between the two sites as follows:
Site-A All clients NAT to --> 172.16.1.50
Site-B All clients NAT to --> 172.16.2.50
Site-A server-1 10.1.1.100 --> NAT to 172.16.1.100
Site-A server-2 10.1.1.101 --> NAT to 172.16.1.101
Site-B server-1 20.1.1.100 --> NAT to 172.16.2.100
Site-B server-2 120.1.1.101 --> NAT to 172.16.2.101

All workstations and servers should be reachable from each other.
Site-A configuration is:
RTR-A# sh run
!
int fas 0/1 
ip add 17.0.10.1 255.255.255.0
!
int se 0/1 
ip add 172.16.1.1 255.255.255.252
!
Core-A# sh run
!
int Gig 0/1 
ip add 17.0.10.50 255.255.255.0
!
int vlan 1 
ip add 10.1.1.1 255.255.255.0
!
##################################################
Site-B configuration is 
RTR-B# sh run
!
int fas 0/1 
ip add 17.0.20.1 255.255.255.0
!
int se 0/1 
ip add 172.16.2.1 255.255.255.252
!
Core-B# sh run
!
int Gig 0/1 
ip add 17.0.20.50 255.255.255.0
!
int vlan 1 
ip add 20.1.1.1 255.255.255.0
!


0
 
LVL 23

Assisted Solution

by:that1guy15
that1guy15 earned 1500 total points
ID: 24843426
Could you please explain your network layout more. What routers connect to each other?
0
 

Author Comment

by:paintco
ID: 24843644
RTR-A is connected to RTR-B through PSTN using BGP routing.
Site-A LAN is connected to Core-A and Core-A is connected to RTR-A.
Site-B LAN is connected to Core-B and Core-B is connected to RTR-B.
0
 
LVL 23

Assisted Solution

by:that1guy15
that1guy15 earned 1500 total points
ID: 24843705
What interfaces are connecting to what? Specifically on the RTR routers. Also, is there NAT being applied anywhere else in this setup?
0
 

Author Comment

by:paintco
ID: 24843954
RTR-A Fa0/1 going to Core-A
RTR-A Se 0/1 going to MPLS cloud
RTR-B Fa0/1 going to Core-B
RTR-B Se 0/1 going to MPLS cloud

No NAT is applied anywhere.
I only want to apply NAT on all traffic going and coming for each LAN router interface.
0
 
LVL 23

Accepted Solution

by:
that1guy15 earned 1500 total points
ID: 24844075
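Here is the config you will add to both routers. Let me know if you have any questions.

Site-A (configure on RTR-A)

! Exclude the two servers from PAT; they get static one-to-one entries below
access-list 10 deny host 10.1.1.100
access-list 10 deny host 10.1.1.101
access-list 10 permit 10.1.1.0 0.0.0.255

! "ip nat pool" requires a netmask or prefix-length; a /24 mask is assumed here
ip nat pool Site-A 172.16.1.50 172.16.1.50 netmask 255.255.255.0
! Pool name must match the one defined above
ip nat inside source list 10 pool Site-A overload
! One-to-one translations for the servers
ip nat inside source static 10.1.1.100 172.16.1.100
ip nat inside source static 10.1.1.101 172.16.1.101

! LAN-facing interface (towards Core-A)
int fa0/1
 ip nat inside

! WAN-facing interface (towards the MPLS cloud)
int se0/1
 ip nat outside


Site-B (configure on RTR-B)

! Exclude the two servers from PAT; they get static one-to-one entries below
access-list 11 deny host 20.1.1.100
access-list 11 deny host 20.1.1.101
access-list 11 permit 20.1.1.0 0.0.0.255

! "ip nat pool" requires a netmask or prefix-length; a /24 mask is assumed here
ip nat pool Site-B 172.16.2.50 172.16.2.50 netmask 255.255.255.0
! Pool name must match the one defined above
ip nat inside source list 11 pool Site-B overload
! One-to-one translations for the servers
ip nat inside source static 20.1.1.100 172.16.2.100
ip nat inside source static 20.1.1.101 172.16.2.101

! LAN-facing interface (towards Core-B)
int fa0/1
 ip nat inside

! WAN-facing interface (towards the MPLS cloud)
int se0/1
 ip nat outside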


0
 

Author Comment

by:paintco
ID: 24844150
Thanks.

What will be the situation if I want to implement NAT on the Core switches as follows:

Site-A All clients NAT to --> 17.0.10.50
Site-B All clients NAT to --> 17.10.20.50
Site-A server-1 10.1.1.100 --> NAT to 170.10.100
Site-A server-2 10.1.1.101 --> NAT to 17.0.10.101
Site-B server-1 20.1.1.100 --> NAT to 17.0.20.100
Site-B server-2 120.1.1.101 --> NAT to 17.0.20.101
0
 

Author Comment

by:paintco
ID: 24844204
If the core platform is a 6550, will it fit? And if there are around 50 servers that need to be NATed one-to-one, will it be a headache?
0
 
LVL 23

Assisted Solution

by:that1guy15
that1guy15 earned 1500 total points
ID: 24844262
"What will be the situation if I want to implement NAT on the Core switches as follows"

That should not be a problem; just move the NAT config I provided to the core switches and adjust the statements with the appropriate IP addresses.

"If the core platform is a 6550, will it fit? And if there are around 50 servers that need to be NATed one-to-one, will it be a headache?"

Yeah, it can be time-consuming and a headache to get set up for all 50, but your 6550 should be able to handle it. This is not that uncommon.
0
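For the 50 one-to-one mappings discussed above, the statements can be generated and checked for collisions instead of typed by hand. This is an added example, not code from the thread: the function name `build_nat_config`, the /24 pool netmask and the 50-server address range are assumptions.

```python
import ipaddress

def build_nat_config(lan, pat_addr, servers, acl=10, pool="Site-A",
                     pool_mask="255.255.255.0",      # assumed /24 mask
                     inside_if="fa0/1", outside_if="se0/1"):
    """Return IOS lines: PAT for clients plus one static NAT per server.

    servers maps each server's real address to its translated address.
    Raises ValueError for mappings that would collide or never match.
    """
    lan = ipaddress.ip_network(lan)
    pat = ipaddress.ip_address(pat_addr)
    used = {pat: "the PAT pool"}            # translated address -> owner
    pairs = []
    for real, translated in servers.items():
        r, t = ipaddress.ip_address(real), ipaddress.ip_address(translated)
        if r not in lan:
            raise ValueError(f"{r} is outside the inside LAN {lan}")
        if t in used:
            raise ValueError(f"{t} is already used by {used[t]}")
        used[t] = f"the static entry for {r}"
        pairs.append((r, t))
    pairs.sort()

    # Servers are denied in the PAT ACL so only clients share pat_addr.
    lines = [f"access-list {acl} deny host {r}" for r, _ in pairs]
    lines.append(f"access-list {acl} permit {lan.network_address} {lan.hostmask}")
    lines.append(f"ip nat pool {pool} {pat} {pat} netmask {pool_mask}")
    lines.append(f"ip nat inside source list {acl} pool {pool} overload")
    lines += [f"ip nat inside source static {r} {t}" for r, t in pairs]
    lines += [f"int {inside_if}", " ip nat inside",
              f"int {outside_if}", " ip nat outside"]
    return lines

if __name__ == "__main__":
    # Constructed sample: 50 servers, 10.1.1.100-149 -> 172.16.1.100-149
    servers = {f"10.1.1.{h}": f"172.16.1.{h}" for h in range(100, 150)}
    print("\n".join(build_nat_config("10.1.1.0/24", "172.16.1.50", servers)))
```

A translated address that is reused, or that equals the shared client address, is rejected before any configuration is produced.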
 

Author Comment

by:paintco
ID: 24844308
Thanks a lot.
0
 
LVL 23

Expert Comment

by:that1guy15
ID: 24844345
no problem
0
