Cisco – What do these three options in a Cisco Router NAT configuration mean

Tags: cisco, cisco-commands, cisco-ios, nat, router

In a standard Static PAT configuration, where one IP:Port combination is always mapped to another IP:Port combination, there are three possible combinations of inside/outside/source/destination that can be configured.

For example, this is a configuration example:

ip nat inside source static tcp 10.0.20.13 8080 2.2.2.33 80
       ^^^^^^^^^^^^^

In layman's terms, this configuration allows any Outside host to initiate a TCP connection to the IP 2.2.2.33 over port 80. When this packet hits the router, the destination IP address and port (2.2.2.33:80) get translated to 10.0.20.13:8080.

The reverse would also happen: if the inside host 10.0.20.13 sends a TCP packet with a source port of 8080, then as this packet crosses the router, the source IP and port (10.0.20.13:8080) get translated to 2.2.2.33:80. (This would typically be a response packet, rather than one initiated from the Inside host.)


Here are all the three configuration options for the marked portion above:

Router(config)#ip nat inside ?
  destination  Destination address translation
  source       Source address translation

Router(config)#ip nat outside ?
  source  Source address translation

In effect, you could configure:

  • ip nat inside source static tcp {IP} {Port} {IP} {Port}
  • ip nat inside destination static tcp {IP} {Port} {IP} {Port}
  • ip nat outside source static tcp {IP} {Port} {IP} {Port}

How are these options different and when would one use each of the three options? Please use layman's terms like I did above to describe how each would manipulate packets that were coming through the device.

Also, can anyone tell me why there is no outside destination option?

Best Answer

Think about this very carefully.

Inside source means that you want to translate the source address from traffic originating inside your network. This is the typical "home networking" arrangement which allows you to use private addresses on the public Internet. Of course, this is not the only use for this version.

Inside destination means that you want traffic originating from an outside address to a particular destination transport protocol and port to go to a particular inside address. This is what home users do to allow something like a web server with a private address to be accessed from the public Internet. Of course, this is not the only use for this version.

Outside source translates traffic originating from outside to look like it originated from an inside address. It can be useful in cases where companies with overlapping IP address ranges merge and need to start connecting the networks. You can translate the source addresses of traffic originating from the outside, which would normally have outside source addresses which conflict with inside addresses, to source addresses in an available inside address range.

Outside destination doesn't really make a lot of sense since it is the inverse of port forwarding. This would limit any traffic originating from the inside, destined to a particular outside transport protocol and port, to a single outside address.
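The packet rewrites described in the question (the 2.2.2.33:80 port-forward and its reverse) and in the answer (inside source, inside destination and outside source, plus the overlapping-address merger case) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the original post or from Cisco: it parses the `ip nat ... static tcp` command form quoted in the question and applies the resulting rule to packets in both directions. It assumes the usual IOS layout where one interface is marked `ip nat inside` and another `ip nat outside`, so "outbound" means inside-to-outside and "inbound" means outside-to-inside. The client address 198.51.100.7, the partner host 10.0.20.5 and the outside-local address 172.16.1.5 are constructed for the scenarios and are not from the page.

```python
"""Toy model of how Cisco IOS static NAT/PAT rules rewrite packets.

Added example for this page, not the original poster's or Cisco's code.
Assumes one interface is `ip nat inside` and one `ip nat outside`;
"outbound" = inside->outside, "inbound" = outside->inside.
"""
from dataclasses import dataclass, replace
import shlex


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticRule:
    side: str         # "inside" or "outside"
    field: str        # "source" or "destination"
    proto: str
    local_ip: str     # address as seen on the inside of the router
    local_port: int
    global_ip: str    # address as seen on the outside of the router
    global_port: int


def parse_rule(line: str) -> StaticRule:
    """Parse `ip nat {inside|outside} {source|destination} static tcp A a B b`.

    For `inside ...` the first pair is the inside-local address and the second
    the inside-global one.  For `outside source` the first pair is the
    outside-global (real) address and the second the outside-local address
    that inside hosts use to reach it.  There is no `outside destination`
    form, so it is rejected here.
    """
    t = shlex.split(line)
    if t[:2] != ["ip", "nat"] or t[4] != "static":
        raise ValueError("not a static nat rule: " + line)
    side, field, proto = t[2], t[3], t[5]
    first, second = (t[6], int(t[7])), (t[8], int(t[9]))
    if side == "inside" and field in ("source", "destination"):
        local, glob = first, second
    elif side == "outside" and field == "source":
        glob, local = first, second
    else:
        raise ValueError("unsupported rule: " + line)
    return StaticRule(side, field, proto, local[0], local[1], glob[0], glob[1])


def translate(pkt: Packet, direction: str, rules) -> Packet:
    """Apply each matching static rule.  Static rules are bidirectional: the
    field named in the rule is rewritten on packets originating on that side,
    and the opposite field is rewritten on the packets flowing back.  A static
    one-to-one `inside destination` mapping yields the same rewrite pair as
    `inside source`, so both are handled by the `inside` branches (assumption
    of this model)."""
    assert direction in ("outbound", "inbound")
    for r in rules:
        if r.proto != pkt.proto:
            continue
        if direction == "outbound":
            # inside -> outside: inside-local source becomes inside-global;
            # outside-local destination becomes outside-global.
            if r.side == "inside" and (pkt.src_ip, pkt.src_port) == (r.local_ip, r.local_port):
                pkt = replace(pkt, src_ip=r.global_ip, src_port=r.global_port)
            if r.side == "outside" and (pkt.dst_ip, pkt.dst_port) == (r.local_ip, r.local_port):
                pkt = replace(pkt, dst_ip=r.global_ip, dst_port=r.global_port)
        else:
            # outside -> inside: inside-global destination becomes inside-local;
            # outside-global source becomes outside-local.
            if r.side == "inside" and (pkt.dst_ip, pkt.dst_port) == (r.global_ip, r.global_port):
                pkt = replace(pkt, dst_ip=r.local_ip, dst_port=r.local_port)
            if r.side == "outside" and (pkt.src_ip, pkt.src_port) == (r.global_ip, r.global_port):
                pkt = replace(pkt, src_ip=r.local_ip, src_port=r.local_port)
    return pkt


# Constructed configuration: the port-forward from the question plus an
# outside-source mapping for a merged partner network whose 10.0.20.0/24
# overlaps our own (addresses 10.0.20.5 / 172.16.1.5 are hypothetical).
RULES = [
    parse_rule("ip nat inside source static tcp 10.0.20.13 8080 2.2.2.33 80"),
    parse_rule("ip nat outside source static tcp 10.0.20.5 443 172.16.1.5 443"),
]


def scenario_port_forward():
    """Outside client hits 2.2.2.33:80; server replies from 10.0.20.13:8080."""
    client = Packet("tcp", "198.51.100.7", 40000, "2.2.2.33", 80)
    to_server = translate(client, "inbound", RULES)
    reply = Packet("tcp", to_server.dst_ip, to_server.dst_port,
                   to_server.src_ip, to_server.src_port)
    return to_server, translate(reply, "outbound", RULES)


def scenario_overlap():
    """Inside host reaches the partner's 10.0.20.5 via its alias 172.16.1.5."""
    request = Packet("tcp", "10.0.20.13", 40001, "172.16.1.5", 443)
    outgoing = translate(request, "outbound", RULES)
    reply = Packet("tcp", outgoing.dst_ip, outgoing.dst_port,
                   outgoing.src_ip, outgoing.src_port)
    return outgoing, translate(reply, "inbound", RULES)


if __name__ == "__main__":
    for name, fn in (("port-forward", scenario_port_forward), ("overlap", scenario_overlap)):
        forward, back = fn()
        print(name, "forward:", forward)
        print(name, "back:   ", back)
```

Running it shows the two behaviours side by side: with the inside-source rule the router rewrites the destination on the way in and the source on the way back, while with the outside-source rule it rewrites the destination on the way out and the source on the way back, which is exactly how the inside hosts keep using 172.16.1.5 for a partner host whose real 10.0.20.5 address collides with the local range.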
