NAT – inside global address

nat;

http://packetlife.net/blog/2010/jan/7/understanding-nat-address-types/

Let's say I have a bunch of hosts connected to a typical router (which is in fact a switch + router) that has a public global IP assigned by my ISP.

The hosts use private IPs that are non-routable addresses, and need to be translated using NAT to the public one so that it can talk with the rest of Internet.

Now, my router is connected to a network of my ISP. It has some IP address in that network, but that address is different than what my public IP address is, right? – it follows from the article linked above:

by this command:

ip nat inside source static 192.168.0.10 192.0.2.10

which assigned a public IP (in other words, inside global IP) 192.0.2.10 to the host 192.168.0.10. That's quite weird, because you usually give a public IP to all devices in your network, not to just one host.

If the inside global IP address is indeed my public IP address, can't I just change my public IP? I guess it has to be configured in the NAT of my home router. If it's not possible, is it just because the router firmware doesn't provide a way to change that IP?

Basically I've seen two ways of doing NAT:

Translating private IP of my host to the public IP of my router with a special port number (that allows the inverse translation back to my private IP to happen when the other host sends a reply).
Translating private IP of my host to a public IP that's different from the public IP of my router. The problem is – how does my NAT router know that his public address used for translation isn't already used by some other host on the Internet?

Do these two methods have different names?

Best Answer

The two kinds of NAT your question is referring to can be categorized as destination NAT, and source NAT.

Destination NAT will typically change a connection to your router from the ISP direction to a destination target that's inside your network. It's also commonly referred to as port forwarding. This lets you expose a service that would normally be inaccessible inside your private network.

Source NAT will change a connection through your router from your local network to a source target that is the router itself, allowing multiple hosts to use a single public address.

NAT can perform other translations, but few others are useful except in niche cases. Despite the phrasing in your question, a source NAT that you describe is not helpful. Using a global address that is not functional on the router will have no good effect. No other device or protocol would keep track of that, so all replies will be forwarded to the device that should have that IP, which would know nothing about your setup and promptly drop them. If you want to use a different IP, get it set up and functional on the router first.

Related Solutions

Cisco – About the inside local and outside local and inside global and outside global

Usually NAT will be used to translate between private to public IP address but this is not the only use case. You can also translate between any addresses you want such as private to private.

The terms local and global most often refer to the inside and outside of your network but this doesn't mean that it MUST be LAN and WAN although it often is.

So say that we have a webserver on our LAN with the IP 10.0.0.1. We want the webserver to be accessible from a public IP of 130.130.130.130.

ip nat inside source static 10.0.0.1 130.130.130.130

What this does is to translate all packets from 10.0.0.1 (Source IP) to a source of 130.130.130.130 when exiting on the outside interface. This command is bidirectional so all packets entering the outside interface with a destination IP of 130.130.130.130 will also get translated to 10.0.0.1.

The ip nat inside destination command translates from inside global to one or several inside locals. This is primarily used to do primitive load sharing.

ip nat inside destination list 1 pool real-hosts
ip nat pool real-hosts 10.0.0.1 10.0.0.3 prefix-length 24 type rotary
access-list 1 permit 130.130.130.130

What this does is to translate from 130.130.130.130 to 10.0.0.1, 10.0.0.2 and 10.0.0.3 in a rotary fashion. So for every incoming request to the inside global IP of 130.130.130.130 it will be translated to a different inside local address in a round robin fashion.

IP nat outside source static translates between outside global and outside local IP. One common use case would be if you have overlapping subnets. Like if you are doing a merger and both companies use the same IP subnets. So say that both company A and company B are using 10.0.0.0/24 for something. So you are working for company A and you want to translate all 10.0.0.0/24 on the outside to 192.168.0.0/24.

ip nat outside source static network 10.0.0.0 192.168.0.0 /24

Then you would have to do the same for traffic going from the inside to the outside of course.

Regarding your last question it only really makes sense to either translate the source or the destination of the packet. What you are suggesting sounds like some kind of policy routing. You can use inside and outside NAT to do everything you need.

NAT based on destination port number

From a support forum static-pat-pix

Note: You cannot use the same real or mapped address in multiple static commands between the same two interfaces. Do not use a mapped address in the static command that is also defined in a global command for the same mapped interface.

Thus it seems we have two options:

NAT on the router; not recommended as it would be difficult to get through the PIX.
Change the IP address (private) on the host, and have a PIX rule for each private IP address.

As you did not give any real IP addresses, I will create a example.

On the hosts, use 10.0.0.1-10.0.0.15/28.

On the PIX, NAT to 196.0.0.1 - 196.0.0.1

global (outside) 1 196.0.0.1-196.0.0.15 netmask 255.255.255.240
nat (inside) 1  10.0.0.0  255.255.255.240  0  0

Or you can NAT, one by one, with:

static (inside,outside) 10.0.0.1 196.0.0.1 netmask  255.255.255.255
static (inside,outside) 10.0.0.2 196.0.0.2 netmask  255.255.255.255

etc.

Now, every time you need to change your external IP address, just change the internal source IP address.

Best Answer

Related Solutions

Cisco – About the inside local and outside local and inside global and outside global

NAT based on destination port number

Related Topic