3

Although I understand how NAT is configured on Cisco, a broader question came up about the why behind it.

When configuring e.g. NAT overload, you specify a few items:

  • An access list ...

    ip access-list extended LAN_ACL permit ip 192.168.0.0 0.0.0.255 any

  • ...and a NAT configuration itself:

    ip nat inside source list LAN_ACL interface Fa0 overload

  • Besides that, you obviously need connections to the network specified:

interface Vlan1 ip address 192.168.0.1 255.255.255.0 interface Fa0 ip address 203.0.113.23 255.255.255.0

What I do not understand fully is as to why you need to further specify ip nat inside and ip nat outside on the interfaces.

The interface name is mentioned in the NAT statement and the network of the ACL must be unique on the router (VRF technology excepted). Can the system not determine which is in- and out-side by what is given?

Any insight is appreciated.

Improve this question
0

3 Answers 3

Reset to default
3

If you simply have one inside and one outside interface using inside-source NAT, then you may be correct. The problem is that you could have multiple outside and inside interfaces. The interface where the translation happens does not need to be either the outside or inside interface.

For example, you could have two routers, and routers cannot share a NAT table. Assume that on R1, you perform NAT on Loopback0. You could have FastEthernet0/0 as a WAN interface that is the outside interface, and FastEthernet0/1 as the connection to R2 that also has a WAN interface. You could configure both FastEthernet interfaces as outside interfaces, so any traffic coming back from them gets sent to Loopback0 for translation lookup. This scenario can be common for asymmetric routing.

There are also multiple versions of NAT, e.g. inside-source, inside-destination, outside-source.

Improve this answer
2

“ip nat inside” and “ip nat outside” on the interface is what triggers NAT processing.

Once NAT processing is triggered you look for your “IP nat inside source list LAN_ACL...” command to identify the access list to test to see if a NAT translation should occur.

The ACL may or may not match the packet. The source address on the ACL has nothing to do with your router interfaces. You could be NATting 10.x.x.x desktop hosts at your ISP gateway which uses internet-routable space. In fact that is a common deployment. And your example where you NAT-overload using your outside interface IP is only useful for small deployments. A large deployment would have a pool instead (a really large deployment would use an ASA...IOS doesn’t NAT scaleably...ASA’s are better at NAT than firewalling :-)

It is also helpful to not have NAT enabled on every interface. NAT uses a lot of TCAM resources and can “blow up” if combined with ACLs on the same interface. Enabling NAT interface by interface is the way things should be. Note how routing protocols are now enabled interface by interface in IPv6.

I upvoted your question because you included configurations :-)

Improve this answer
0

The ip nat inside & ip nat outside is mentioned on interfaces because the layer 3 or router don't know which interface is consider to be inside and which interface is consider to outside . Thats the reason we are telling router clearly by assigning

Int ethernet 1/1 Ip nat inside No shutdown Int ethernet 1/2 Ip nat outside No shutdown

If we mention as state above router will consider 1/1 as inside interface & 1/2 as outside interface

Improve this answer

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.