Solved

What is the difference between inside and outside NAT?

Posted on 2009-07-13
Last Modified: 2012-05-07
What is the difference between inside and outside NAT?
When should I use outside NAT or inside NAT?
Question by:paintco
Assisted Solution

by:that1guy15
ID: 24841781
Inside NAT is translating incoming traffic to your public IP address to an inside private address.

For example, your public address is 65.x.x.x. All traffic for your network is pointed to that address. You would use inside NAT to point specific traffic to different resources such as your email server (10.0.0.x), your web server (10.0.0.y), etc.

Outside NAT is translating all your internal (private addresses) traffic to a public IP address or group of addresses. This allows all your LAN devices to not require a public address to access the web.

You can either overload an IP address by having multiple devices using the same IP address or you can set up a group of public IP addresses that your private IPs can use.


Author Comment

by:paintco
ID: 24842716
So if I have two sites (Site-A, Site-B):
Routing between the two LANs of the two sites is OK; both LANs are reachable from each other.

There are two servers in each site:
Site-A  server-1  10.1.1.100/24
Site-A  server-2  10.1.1.101/24
Site-B  server-1  20.1.1.100/24
Site-B  server-2  20.1.1.101/24

I want to NAT the traffic between the two sites as follows:
Site-A All clients  NAT to --> 172.16.1.50
Site-B All clients NAT to --> 172.16.2.50
Site-A server-1 10.1.1.100 --> NAT to 172.16.1.100
Site-A server-2 10.1.1.101 --> NAT to 172.16.1.101
Site-B server-1 20.1.1.100 --> NAT to 172.16.2.100
Site-B server-2 120.1.1.101 --> NAT to 172.16.2.101

All workstations and servers should be reachable from each other.
Site-A configuration is:
RTR-A# sh run
!
int fas 0/1 
ip add 17.0.10.1 255.255.255.0
!
int se 0/1 
ip add 172.16.1.1 255.255.255.252
!
Core-A# sh run
!
int Gig 0/1 
ip add 17.0.10.50 255.255.255.0
!
int vlan 1 
ip add 10.1.1.1 255.255.255.0
!
##################################################
Site-B configuration is 
RTR-B# sh run
!
int fas 0/1 
ip add 17.0.20.1 255.255.255.0
!
int se 0/1 
ip add 172.16.2.1 255.255.255.252
!
Core-B# sh run
!
int Gig 0/1 
ip add 17.0.20.50 255.255.255.0
!
int vlan 1 
ip add 20.1.1.1 255.255.255.0
!

Assisted Solution

by:that1guy15
ID: 24843426
Could you please explain your network layout more. What routers connect to each other?
Author Comment

by:paintco
ID: 24843644
RTR-A is connected to RTR-B through PSTN using BGP routing.
Site-A LAN is connected to Core-A, and Core-A is connected to RTR-A.
Site-B LAN is connected to Core-B, and Core-B is connected to RTR-B.
Assisted Solution

by:that1guy15
ID: 24843705
What interfaces are connecting to what? Specifically on the RTR routers. Also, is there NAT being applied anywhere else in this setup?

Author Comment

by:paintco
ID: 24843954
RTR-A Fa0/1 going to Core-A
RTR-A Se 0/1 going to MPLS cloud
RTR-B Fa0/1 going to Core-B
RTR-B Se 0/1 going to MPLS cloud

No NAT is applied anywhere.
I only want to apply NAT on all traffic going and coming for each LAN router interface.
Accepted Solution

by:that1guy15
ID: 24844075
Here is the config you will add to both routers. Let me know if you have any questions.
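site-A (Configure on RTR-A)
 
! Servers with a static one-to-one NAT are excluded from the PAT access list
access-list 10 deny host 10.1.1.100
access-list 10 deny host 10.1.1.101
access-list 10 permit 10.1.1.0 0.0.0.255
 
! Pool names are case-sensitive; the pool also needs a netmask (a /24 is assumed here)
ip nat pool Site-A 172.16.1.50 172.16.1.50 netmask 255.255.255.0
ip nat inside source list 10 pool Site-A overload
! Static entries take the form: static <inside local> <inside global>
ip nat inside source static 10.1.1.100 172.16.1.100
ip nat inside source static 10.1.1.101 172.16.1.101
 
! LAN side (towards the core switch)
int fa0/1
ip nat inside
 
! WAN side
int se0/1
ip nat outside
 
 
site-B (Configure on RTR-B)
 
! Servers with a static one-to-one NAT are excluded from the PAT access list
access-list 11 deny host 20.1.1.100
access-list 11 deny host 20.1.1.101
access-list 11 permit 20.1.1.0 0.0.0.255
 
! Pool names are case-sensitive; the pool also needs a netmask (a /24 is assumed here)
ip nat pool Site-B 172.16.2.50 172.16.2.50 netmask 255.255.255.0
ip nat inside source list 11 pool Site-B overload
! Static entries take the form: static <inside local> <inside global>
ip nat inside source static 20.1.1.100 172.16.2.100
ip nat inside source static 20.1.1.101 172.16.2.101
 
! LAN side (towards the core switch)
int fa0/1
ip nat inside
 
! WAN side
int se0/1
ip nat outside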


Author Comment

by:paintco
ID: 24844150
thanks

What will be the situation if I want to implement NAT on the core switches as follows?

Site-A All clients  NAT to --> 17.0.10.50
Site-B All clients NAT to --> 17.10.20.50
Site-A server-1 10.1.1.100 --> NAT to 170.10.100
Site-A server-2 10.1.1.101 --> NAT to 17.0.10.101
Site-B server-1 20.1.1.100 --> NAT to 17.0.20.100
Site-B server-2 120.1.1.101 --> NAT to 17.0.20.101

Author Comment

by:paintco
ID: 24844204
If the core platform is a 6550, will it fit? And if there are around 50 servers that need to be NATed one to one, will it be a headache?
Assisted Solution

by:that1guy15
ID: 24844262
"What will be the situation if I want to implement NAT on Core switches as followed"

That should not be a problem. Just move the NAT config I provided to the core switches and adjust the statements with the appropriate IP addresses.

"if core platform is 6550 does it will fit and if there are around 50 server need to be nat one to one does it will be headache "

Yeah, it can be time-consuming and a headache to get set up for all 50, but your 6550 should be able to handle it. This is not that uncommon.
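For the 50-server case discussed above, the ACL deny entries and static mappings can be generated and cross-checked rather than typed by hand. This is an added example, not part of the original thread: the function name `build_nat_config`, the sequential global addressing and the /24 pool mask are assumptions.

```python
import ipaddress

def build_nat_config(site, inside_net, pat_ip, first_global, servers,
                     acl=10, prefix=24):
    """Return IOS-style lines: PAT for clients, one-to-one NAT for servers.

    prefix is the assumed mask length of the translated (global) range.
    """
    if not 1 <= acl <= 99:
        raise ValueError("standard numbered ACLs use 1-99")
    net = ipaddress.ip_network(inside_net)
    pat = ipaddress.ip_address(pat_ip)
    global_net = ipaddress.ip_network(f"{first_global}/{prefix}", strict=False)
    base = ipaddress.ip_address(first_global)
    statics, seen = [], set()
    for offset, host in enumerate(servers):
        local = ipaddress.ip_address(host)
        if local not in net:
            raise ValueError(f"{local} is not in {net}")
        if local in seen:
            raise ValueError(f"{local} is listed twice")
        seen.add(local)
        mapped = base + offset  # assumption: globals are handed out in order
        if mapped not in global_net or mapped == pat:
            raise ValueError(f"no usable global address for {local}")
        statics.append((local, mapped))
    # As in the accepted answer, statically mapped hosts are denied in the
    # PAT access list so they never fall through to the overloaded address.
    lines = [f"access-list {acl} deny host {l}" for l, _ in statics]
    lines.append(f"access-list {acl} permit {net.network_address} {net.hostmask}")
    lines.append(f"ip nat pool {site} {pat} {pat} netmask {global_net.netmask}")
    lines.append(f"ip nat inside source list {acl} pool {site} overload")
    lines += [f"ip nat inside source static {l} {g}" for l, g in statics]
    return lines

if __name__ == "__main__":
    # Constructed input: 50 servers 10.1.1.100-149 mapped to 172.16.1.100-149.
    servers = [f"10.1.1.{n}" for n in range(100, 150)]
    print("\n".join(build_nat_config("Site-A", "10.1.1.0/24", "172.16.1.50",
                                     "172.16.1.100", servers)))
```

The generator refuses duplicate servers, servers outside the inside subnet, and a static mapping that would land on the PAT address, which are the mistakes most likely to slip into a long hand-written list.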

Author Comment

by:paintco
ID: 24844308
thanks a lot
Expert Comment

by:that1guy15
ID: 24844345
no problem