Solved

What is the difference between inside and outside NAT?

Posted on 2009-07-13
Last Modified: 2012-05-07
What is the difference between inside and outside NAT?
When shall I use outside NAT or inside NAT?
Question by:paintco
12 Comments
 
LVL 23

Assisted Solution

by:that1guy15
that1guy15 earned 500 total points
ID: 24841781
Inside NAT is translating incoming traffic to your public IP address to an inside private address.

For example, your public address is 65.x.x.x. All traffic for your network is pointed to that address. You would use inside NAT to point specific traffic to different resources such as your email server (10.0.0.x), your web server (10.0.0.y), etc.

Outside NAT is translating all your internal (private address) traffic to a public IP address or group of addresses. This allows all your LAN devices to not require a public address to access the web.

You can either overload an IP address by having multiple devices use the same IP address, or you can set up a group of public IP addresses that your private IPs can use.

0
 

Author Comment

by:paintco
ID: 24842716
So if I have two sites (Site-A, Site-B), routing between the two LANs of the two sites is OK; both LANs are reachable from each other.

There are two servers in each site:
Site-A  server-1  10.1.1.100/24
Site-A  server-2  10.1.1.101/24
Site-B  server-1  20.1.1.100/24
Site-B  server-2  20.1.1.101/24

I want to NAT the traffic between the two sites as follows:
Site-A All clients --> NAT to 172.16.1.50
Site-B All clients --> NAT to 172.16.2.50
Site-A server-1 10.1.1.100 --> NAT to 172.16.1.100
Site-A server-2 10.1.1.101 --> NAT to 172.16.1.101
Site-B server-1 20.1.1.100 --> NAT to 172.16.2.100
Site-B server-2 120.1.1.101 --> NAT to 172.16.2.101

All workstations and servers should be reachable from each other.
Site-A configuration is:

RTR-A# sh run
!
int fas 0/1
 ip add 17.0.10.1 255.255.255.0
!
int se 0/1
 ip add 172.16.1.1 255.255.255.252
!

Core-A# sh run
!
int Gig 0/1
 ip add 17.0.10.50 255.255.255.0
!
int vlan 1
 ip add 10.1.1.1 255.255.255.0
!

##################################################

Site-B configuration is:

RTR-B# sh run
!
int fas 0/1
 ip add 17.0.20.1 255.255.255.0
!
int se 0/1
 ip add 172.16.2.1 255.255.255.252
!

Core-B# sh run
!
int Gig 0/1
 ip add 17.0.20.50 255.255.255.0
!
int vlan 1
 ip add 20.1.1.1 255.255.255.0
!

0
 
LVL 23

Assisted Solution

by:that1guy15
that1guy15 earned 500 total points
ID: 24843426
Could you please explain your network layout more. What routers connect to each other?
0
 

Author Comment

by:paintco
ID: 24843644
RTR-A is connected to RTR-B through PSTN using BGP routing.
Site-A LAN is connected to Core-A, and Core-A is connected to RTR-A.
Site-B LAN is connected to Core-B, and Core-B is connected to RTR-B.
0
 
LVL 23

Assisted Solution

by:that1guy15
that1guy15 earned 500 total points
ID: 24843705
What interfaces are connecting to what? Specifically on the RTR routers. Also, is there NAT being applied anywhere else in this setup?
0
 

Author Comment

by:paintco
ID: 24843954
RTR-A Fa0/1 going to Core-A
RTR-A Se 0/1 going to MPLS cloud
RTR-B Fa0/1 going to Core-B
RTR-B Se 0/1 going to MPLS cloud

No NAT is applied anywhere.
I only want to apply NAT on all traffic going and coming for each LAN router interface.
0

 
LVL 23

Accepted Solution

by:
that1guy15 earned 500 total points
ID: 24844075
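Here is the config you will add to both routers. Let me know if you have any questions.

Site-A (configure on RTR-A)

! Clients: everything in 10.1.1.0/24 except the two servers
access-list 10 deny host 10.1.1.100
access-list 10 deny host 10.1.1.101
access-list 10 permit 10.1.1.0 0.0.0.255
!
! IOS requires netmask or prefix-length on a pool; the /24 mask is an assumed value
ip nat pool Site-A 172.16.1.50 172.16.1.50 netmask 255.255.255.0
! Pool names are case-sensitive, so the reference must match "Site-A"
ip nat inside source list 10 pool Site-A overload
! One-to-one translations for the servers (no "ip" keyword after "static")
ip nat inside source static 10.1.1.100 172.16.1.100
ip nat inside source static 10.1.1.101 172.16.1.101
!
int fa0/1
 ip nat inside
!
int se0/1
 ip nat outside

Site-B (configure on RTR-B)

! Clients: everything in 20.1.1.0/24 except the two servers
access-list 11 deny host 20.1.1.100
access-list 11 deny host 20.1.1.101
access-list 11 permit 20.1.1.0 0.0.0.255
!
! IOS requires netmask or prefix-length on a pool; the /24 mask is an assumed value
ip nat pool Site-B 172.16.2.50 172.16.2.50 netmask 255.255.255.0
! Pool names are case-sensitive, so the reference must match "Site-B"
ip nat inside source list 11 pool Site-B overload
! One-to-one translations for the servers (no "ip" keyword after "static")
ip nat inside source static 20.1.1.100 172.16.2.100
ip nat inside source static 20.1.1.101 172.16.2.101
!
int fa0/1
 ip nat inside
!
int se0/1
 ip nat outside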

0
 

Author Comment

by:paintco
ID: 24844150
Thanks.

What will be the situation if I want to implement NAT on the core switches as follows:

Site-A All clients --> NAT to 17.0.10.50
Site-B All clients --> NAT to 17.10.20.50
Site-A server-1 10.1.1.100 --> NAT to 170.10.100
Site-A server-2 10.1.1.101 --> NAT to 17.0.10.101
Site-B server-1 20.1.1.100 --> NAT to 17.0.20.100
Site-B server-2 120.1.1.101 --> NAT to 17.0.20.101
0
 

Author Comment

by:paintco
ID: 24844204
If the core platform is a 6550, will it fit? And if there are around 50 servers that need to be NATed one to one, will it be a headache?
0
 
LVL 23

Assisted Solution

by:that1guy15
that1guy15 earned 500 total points
ID: 24844262
"What will be the situation if I want to implement NAT on Core switches as followed"

That should not be a problem; just move the NAT config I provided to the core switches and adjust the statements with the appropriate IP addresses.

"if core platform is 6550 does it will fit and if there are around 50 server need to be nat one to one does it will be headache "

Yeah, it can be time consuming and a headache to get set up for all 50, but your 6550 should be able to handle it. This is not that uncommon.
0
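
An added example, not part of the thread or any poster's code: a Python generator that follows the pattern discussed above (an ACL-selected overload pool plus static one-to-one entries) for the roughly 50 servers asked about, and rejects overlapping translated addresses before anything is pasted into a router. The function names, the pool netmask and the 10.1.1.100-149 to 172.16.1.100-149 sample mapping are assumptions.

```python
import ipaddress


def build_nat_config(lan, pat_ip, servers, acl=10, pool="Site-A",
                     pool_mask="255.255.255.0",  # assumed; the thread gives none
                     inside_if="fa0/1", outside_if="se0/1"):
    """Return IOS lines: PAT overload for clients, static 1:1 NAT for servers.

    servers maps each server's real address to its translated address.
    """
    lan = ipaddress.ip_network(lan)
    pat = ipaddress.ip_address(pat_ip)
    pairs = sorted((ipaddress.ip_address(real), ipaddress.ip_address(xlat))
                   for real, xlat in servers.items())
    translated = [xlat for _, xlat in pairs]
    if len(set(translated)) != len(translated):
        raise ValueError("two servers map to the same translated address")
    if pat in translated:
        raise ValueError(f"{pat} is both the overload address and a static entry")
    for real, _ in pairs:
        if real not in lan:
            raise ValueError(f"{real} is not inside {lan}")

    # Servers are excluded from the overload ACL, as in the accepted answer.
    lines = [f"access-list {acl} deny host {real}" for real, _ in pairs]
    lines.append(f"access-list {acl} permit {lan.network_address} {lan.hostmask}")
    lines.append(f"ip nat pool {pool} {pat} {pat} netmask {pool_mask}")
    lines.append(f"ip nat inside source list {acl} pool {pool} overload")
    lines += [f"ip nat inside source static {real} {xlat}" for real, xlat in pairs]
    lines += [f"interface {inside_if}", " ip nat inside",
              f"interface {outside_if}", " ip nat outside"]
    return lines


def sample_servers(count=50):
    """Constructed sample: 10.1.1.100+ mapped to 172.16.1.100+ (same host octet)."""
    return {f"10.1.1.{100 + i}": f"172.16.1.{100 + i}" for i in range(count)}


if __name__ == "__main__":
    print("\n".join(build_nat_config("10.1.1.0/24", "172.16.1.50", sample_servers())))
```

A static entry translates every port of the server, so any filtering between the sites has to be written against the translated addresses.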
 

Author Comment

by:paintco
ID: 24844308
Thanks a lot.
0
 
LVL 23

Expert Comment

by:that1guy15
ID: 24844345
no problem
0
