[c-nsp] why to define both inside and outside interfaces when setting up nat?
Gert Doering
gert at greenie.muc.de
Sun Aug 28 08:18:00 EDT 2011
Hi,
On Sun, Aug 28, 2011 at 03:39:54PM +0430, h bagade wrote:
> > You could have multiple inside and outside interfaces, and the router
> > needs to know when to NAT and when *not* to NAT.
>
> Yes, this is true that router should know about on which interfaces nat
> should be applied but it could be done on just inside or outside interfaces
> not both! for inside source and destination natting, nat should be checked
> on outside and for outside source, nat should be checked on inside interface
> only and not the both!
No. Widen your mind.
> > This is how IOS NAT is defined: NAT will apply when a packet traverses
> > from an "inside" to an "outside" interface - and this is cool, because it
> > gives you lots of flexibility for non-standard rules.
> >
> doesn't the IOS nat definition equal to "nat applies when a packet goes out
> of an outside interface"? because when a packet lefts an outside interface,
> it surely comes from inside interface. isn't it?
No. It could come in via another outside interface, or pass from one
inside interface to another inside interface.
In addition, you can have unlabeled interfaces, which (purposely!) do not
NAT to either inside or outside interfaces.
This is called "flexibility" - instead of forcing something of limited
imagination on you, IOS gives you full flexibility in setting up your
router exactly the way you want it.
If that's too complicated for you, get a Linksys box. Single button
"NAT on, NAT off".
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 305 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-nsp/attachments/20110828/17555b32/attachment.pgp>
More information about the cisco-nsp
mailing list