Re: Difference between "ip nat inside destination" and "ip nat outside source"

From: Sergey Golovanov (sergey.golovanov@iementor.com)
Date: Wed Jan 17 2007 - 17:48:41 ART


Tao,

there's actually a very big difference between "inside destination" and "outside source". I'll try to be brief, not to overcomplicate my explanation. If you want me to get into nitty-gritty details, let me know.

INSIDE-DESTINATION

It's basically used for TCP load balancing from clients on the outside to a virtual server on the inside. Non-TCP traffic doesn't get translated! The important thing to remember is that it applies to traffic initiated from the OUTSIDE to the INSIDE, and not the other way around. Of course, the source of the return traffic from the inside to the outside will get translated, but the initiation from outside to inside is required to happen first, so that the dynamic NAT table entry is created. The other key thing is that there's no "static" version of this command, but only a "list" version, hence it happens dynamically. There actually used to be an "ip nat inside destination static" version of this command, but it's not in newer IOSes. So here's an example.

You have ten servers on the inside with IP addresses 10.0.0.1 through 10.0.0.10. All servers have the same content, and share the same service, for example HTTP (port 80).
Clients on the outside want to reach them as one virtual server 65.0.0.1:80.

! servers are here
int e0
 ip nat inside
! clients are here
int ser0
 ip nat outside
!
! The pool must be rotary!
ip nat pool VIRTUAL 10.0.0.1 10.0.0.10 prefix-length 24 type rotary
ip nat inside destination list 1 pool VIRTUAL
!
access-list 1 permit 65.0.0.1

Multiple clients from the outside go to 65.0.0.1:80, and this traffic's IP destination will translate to 10.0.0.1:80, 10.0.0.2:80, etc... Individual TCP port-based entries will appear in "show ip nat trans" once traffic comes in. And obviously the return traffic's IP source will get translated too. It has to match the NAT table entry.

Nothing will happen if traffic is initiated from inside first. So, one more time, traffic has to initiate from the outside. IP destination is translated. And it doesn't work with UDP traffic.

By the way, if you want to achieve the same results for UDP traffic, you would have to set up a bunch of "ip nat INSIDE SOURCE static UDP" entries. You can't do it with "ip nat inside destination".

OUTSIDE-SOURCE

In this case, traffic is ALSO initiated from outside to inside, but this time the source address is changed. For example, this would be used when you want to make the outside network 65.0.0.0/24 look like the 172.16.0.0/24 network for the inside users. Traffic comes from outside to the router, the source address is translated, and it continues to the inside. The destination address of return traffic from the inside to the outside is translated as well.

So, again, for "outside-source" configuration the traffic should be initiated from outside to inside. But it's actually not required, because with "ip nat outside source" you have both "static" and "list" versions of the command. So if you configure "ip nat outside source static", it will also apply for traffic initiated from inside to outside, and IP DESTINATION will be translated. If you configure "ip nat outside source list", the traffic would HAVE TO initiate from the outside to inside.

COMPARISON

So the interesting similarity between "inside destination" and "outside source" is that the traffic is initiated from OUTSIDE to INSIDE. But in the first case IP destination is translated, and in the second case IP source.

Did this make sense?

--------------------------------------------------------------------
Sergey Golovanov, CCIEx5 (R&S/Security/Voice/Service Provider/Storage)
"Please, don't ask me for my ccie #, there are reasons why I can't release it"
ieMentor Instructor and Content Developer
sergey.golovanov@iementor.com
http://www.iementor.com

> -------Original Message-------
> From: Tao Yang <yangtao.mike@gmail.com>
> Subject: Difference between "ip nat inside destination" and "ip nat outside source"
> Sent: Jan 17 '07 07:01
>
> Hi all,
>
> I am confused about the "ip nat inside destination" and "ip nat outside
> source".
> According to my understanding, "inside destination" == "outside source".
> It looks like these two commands have the same function.
> Could anybody tell me the difference, or give me an example of when to use these
> two commands.
>
> Thanks.
>
>
> ip nat inside destination
>
> To enable Network Address Translation (NAT) of the inside destination
> address, use the ip nat inside destination global configuration command. To
> remove the dynamic association to a pool, use the no form of this command.
>
> ip nat outside source
>
> To enable Network Address Translation (NAT) of the outside source address,
> use the ip nat outside source global configuration command. To remove the
> static entry or the dynamic association, use the no form of this command.
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
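A toy packet-level model of the two behaviours Sergey describes, added here as an illustration and not part of the original thread or of any Cisco code: a rotary pool for "ip nat inside destination" (TCP only, outside-initiated, destination rewritten) beside an "ip nat outside source static" mapping (source rewritten, and inside-initiated traffic is handled too). The addresses, the NatRouter class and the demo() function are constructed for this example.

```python
from itertools import cycle

VIRTUAL = ("65.0.0.1", 80)                      # virtual server the clients target
SERVERS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]   # rotary pool members (constructed)
OUTSIDE_SRC_STATIC = {"65.0.0.5": "172.16.0.5"}  # outside host as inside users see it
INSIDE_TO_OUTSIDE = {v: k for k, v in OUTSIDE_SRC_STATIC.items()}


class NatRouter:
    """Hypothetical model of one router with both NAT statements configured."""

    def __init__(self):
        self.rotary = cycle(SERVERS)
        self.fwd = {}  # dynamic entries: (proto, client) -> real server, TCP only

    def outside_to_inside(self, proto, src, dst):
        """Packet arriving on the 'ip nat outside' interface; src/dst are (ip, port)."""
        # inside destination (rotary): outside-initiated TCP to the virtual address is
        # spread over the pool and creates the dynamic entry; UDP passes untouched
        if proto == "tcp" and dst == VIRTUAL:
            if (proto, src) not in self.fwd:
                self.fwd[(proto, src)] = (next(self.rotary), VIRTUAL[1])
            dst = self.fwd[(proto, src)]
        # outside source static: source rewritten, no prior table entry needed
        if src[0] in OUTSIDE_SRC_STATIC:
            src = (OUTSIDE_SRC_STATIC[src[0]], src[1])
        return proto, src, dst

    def inside_to_outside(self, proto, src, dst):
        """Packet arriving on the 'ip nat inside' interface."""
        # return traffic of a rotary entry: the server's source becomes the virtual address
        if self.fwd.get((proto, dst)) == src:
            src = VIRTUAL
        # the static outside-source entry also applies to inside-initiated traffic:
        # the destination is mapped back to the real outside address
        if dst[0] in INSIDE_TO_OUTSIDE:
            dst = (INSIDE_TO_OUTSIDE[dst[0]], dst[1])
        return proto, src, dst


def demo():
    r = NatRouter()
    c1, c2 = ("65.0.0.20", 40000), ("65.0.0.21", 40001)
    return {
        "tcp_c1": r.outside_to_inside("tcp", c1, VIRTUAL),        # dst -> 10.0.0.1:80
        "tcp_c2": r.outside_to_inside("tcp", c2, VIRTUAL),        # dst -> 10.0.0.2:80
        "reply_c1": r.inside_to_outside("tcp", ("10.0.0.1", 80), c1),  # src -> 65.0.0.1:80
        "udp": r.outside_to_inside("udp", c1, VIRTUAL),            # untouched: TCP only
        "inside_first": r.inside_to_outside("tcp", ("10.0.0.3", 80), ("65.0.0.30", 5000)),
        "out_src": r.outside_to_inside("tcp", ("65.0.0.5", 1234), ("10.0.0.9", 22)),
        "in_to_static": r.inside_to_outside("tcp", ("10.0.0.9", 22), ("172.16.0.5", 1234)),
    }
```

The "inside_first" case comes back unchanged, which is the point of Sergey's warning that inside-initiated traffic never creates a rotary entry, while "in_to_static" shows the static outside-source mapping working from the inside without any prior flow.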



This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:57 ART