[c-nsp] why to define both inside and outside interfaces when setting up nat?

h bagade bagadeh at gmail.com
Sun Aug 28 07:09:54 EDT 2011


On Sun, Aug 28, 2011 at 2:24 PM, Gert Doering <gert at greenie.muc.de> wrote:

> Hi,
>
> On Sun, Aug 28, 2011 at 01:38:53PM +0430, h bagade wrote:
> > I'm wondering why we should define both inside and outside interfaces to
> > get NAT working when we only want to run inside source NATting? In the
> > case of inside source NAT, only the outside interface is important for
> > NATting; the packets are NATted on their way outside, so there is no need
> > to specify inside interfaces. Is there a specific reason that both inside
> > and outside interfaces should be specified?
>
> You could have multiple inside and outside interfaces, and the router
> needs to know when to NAT and when *not* to NAT.
>

Yes, it is true that the router should know on which interfaces NAT should
be applied, but it could be done on just the inside or the outside interfaces,
not both! For inside source and destination NATting, NAT should be checked on
the outside interface, and for outside source NATting, NAT should be checked
on the inside interface only and not on both!

>
> > In this example, packets from the inside network with source addresses of
> > 11.11.11.0 are NATted to the range (172.16.10.1-172.16.10.63) when
> > exiting GigabitEthernet0/1, which is the outside interface. Why should
> > GigabitEthernet0/0 be specified as the inside interface to make the NAT
> > do its work?
>
> This is how IOS NAT is defined: NAT will apply when a packet traverses
> from an "inside" to an "outside" interface - and this is cool, because it
> gives you lots of flexibility for non-standard rules.
>

Doesn't the IOS NAT definition equal "NAT applies when a packet goes out of
an outside interface"? Because when a packet leaves an outside interface, it
surely comes from an inside interface, doesn't it?

> Unfortunately, lots of people have complained that this is too complicated
> (after all, their $30-only-a-single-WAN-Interface router at home can do
> it with a single click) so now we have the abomination of NVIs...
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                           //
> www.muc.de/~gert/ <http://www.muc.de/%7Egert/>
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert at net.informatik.tu-muenchen.de
>
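To make the rule Gert states ("NAT will apply when a packet traverses from an inside to an outside interface") concrete, here is a small Python model of that decision for the inside-source case discussed in the thread. It is an added example, not Cisco IOS code and not from either poster: it uses the thread's interfaces (GigabitEthernet0/0 inside, GigabitEthernet0/1 outside), the thread's inside network 11.11.11.0/24 and pool 172.16.10.1-172.16.10.63, plus three assumed extra interfaces (Gi0/2 with no NAT role, Gi0/3 as a second outside, Gi0/4 as a second inside) to show where "only the outside interface matters" and "inside to outside" give different answers.

```python
"""Toy model of the IOS inside-source NAT rule: a packet is translated only
when it enters on an interface marked "inside" and leaves on one marked
"outside". Added example, not Cisco IOS code; the NAT ACL is modelled as a
single prefix and the pool as a plain list (no overload/PAT)."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


def make_pool(first: str, last: str) -> List[str]:
    """Expand a pool range such as 172.16.10.1-172.16.10.63 into addresses."""
    lo, hi = ip_address(first), ip_address(last)
    return [str(lo + i) for i in range(int(hi) - int(lo) + 1)]


class NatRouter:
    def __init__(self, roles: Dict[str, Optional[str]], inside_source: str, pool: List[str]):
        self.roles = roles                              # interface -> "inside" | "outside" | None
        self.inside_source = ip_network(inside_source)  # the ACL selecting inside-local hosts
        self.free = list(pool)                          # unused inside-global addresses
        self.table: Dict[str, str] = {}                 # inside local -> inside global

    def translate(self, ingress: str, egress: str, src: str) -> Tuple[str, str]:
        """Return (source address after NAT, reason) for a routed packet."""
        # The core rule from the thread: both roles are consulted, not just the egress.
        if self.roles.get(ingress) != "inside" or self.roles.get(egress) != "outside":
            return src, "untouched: path is not inside->outside"
        if ip_address(src) not in self.inside_source:
            return src, "untouched: source not matched by the NAT ACL"
        if src not in self.table:
            if not self.free:
                return src, "untouched: pool exhausted"  # static pool, no overload
            self.table[src] = self.free.pop(0)
        return self.table[src], "translated"


def build_example_router() -> NatRouter:
    # Constructed scenario: the two interfaces from the thread plus three
    # assumed extra interfaces that show why the inside role matters.
    roles = {
        "GigabitEthernet0/0": "inside",   # LAN (from the thread)
        "GigabitEthernet0/1": "outside",  # WAN (from the thread)
        "GigabitEthernet0/2": None,       # assumed: interface with no NAT role
        "GigabitEthernet0/3": "outside",  # assumed: second WAN link
        "GigabitEthernet0/4": "inside",   # assumed: second LAN
    }
    return NatRouter(roles, "11.11.11.0/24", make_pool("172.16.10.1", "172.16.10.63"))


def run_scenarios(router: NatRouter) -> List[Tuple[str, str, str, str, str]]:
    """Push constructed packets through the model; returns one row per packet."""
    packets = [
        ("GigabitEthernet0/0", "GigabitEthernet0/1", "11.11.11.10"),  # inside -> outside
        ("GigabitEthernet0/2", "GigabitEthernet0/1", "11.11.11.20"),  # no role -> outside
        ("GigabitEthernet0/3", "GigabitEthernet0/1", "11.11.11.30"),  # outside -> outside
        ("GigabitEthernet0/0", "GigabitEthernet0/4", "11.11.11.40"),  # inside -> inside
        ("GigabitEthernet0/0", "GigabitEthernet0/1", "11.11.11.10"),  # repeat: reuse mapping
        ("GigabitEthernet0/0", "GigabitEthernet0/1", "10.9.9.9"),     # not in the NAT ACL
    ]
    results = []
    for ingress, egress, src in packets:
        new_src, why = router.translate(ingress, egress, src)
        results.append((ingress, egress, src, new_src, why))
    return results


if __name__ == "__main__":
    for row in run_scenarios(build_example_router()):
        print("%-18s -> %-18s  %-12s => %-12s  %s" % row)
```

Only the first and fifth packets are translated (both to 172.16.10.1, since the table entry is reused); the packet that leaves the outside interface but arrived on the role-less Gi0/2 is left alone, which is exactly the case where a rule keyed on the egress interface alone would have translated it.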

