Use Local and Global NAT Terms (original) (raw)
Introduction
This document describes and clarifies the Network Address Translation (NAT) terms of inside local, inside global, outside local, and outside global.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Term Definitions
Cisco defines these terms as:
- Inside local address—The IP address assigned to a host on the inside network. This is the address configured as a parameter of the computer OS or received via dynamic address allocation protocols such as DHCP. The address is likely not a legitimate IP address assigned by the Network Information Center (NIC) or service provider.
- Inside global address—A legitimate IP address assigned by the NIC or service provider that represents one or more inside local IP addresses to the outside world.
- Outside local address—The IP address of an outside host as it appears to the inside network. Not necessarily a legitimate address, it is allocated from an address space routable on the inside.
- Outside global address—The IP address assigned to a host on the outside network by the host owner. The address is allocated from a globally routable address or network space.
These definitions still leave a lot to be interpreted. For this example, this document redefines these terms by the local address definition first and then global address definition. Keep in mind that the terms inside and outside are NAT definitions. Interfaces on a NAT router are defined as inside or outside with the NAT configuration commands, ip nat inside destination and ip nat outside source. Networks to which these interfaces connect can then be thought of as inside networks or outside networks, respectively.
- Local address—A local address is any address that appears on the inside portion of the network.
- Global address—A global address is any address that appears on the outside portion of the network.
Packets sourced on the inside portion of the network have an inside local address as the source address and an outside local address as the destination address of the packet, while the packet resides on the inside portion of the network. When that same packet gets switched to the outside network, the source of the packet is now known as the inside global address and the destination of the packet is known as the outside global address.
Conversely, when a packet is sourced on the outside portion of the network, while it is on the outside network, its source address is known as the outside global address. The destination of the packet is known as the inside global address. When the same packet gets switched to the inside network, the source address is known as the outside local address and the destination of the packet is known as the inside local address.
This image provides an example.
Source Address Known as Outside Local Address
Examples
These sections examine these terms more closely and uses this topology and examples.
Topology and Examples
Define Inside Local and Inside Global Addresses
In this configuration, when the NAT router receives a packet on its inside interface with a source address of 10.10.10.1, the source address is translated to 172.16.68.5. This also means that when the NAT router receives a packet on its outside interface with a destination address of 172.16.68.5, the destination address is translated to 10.10.10.1.
ip nat inside source static 10.10.10.1 172.16.68.5
!--- Inside host is known by the outside host as 172.16.68.5.
interface s 0 ip nat inside
interface s 1 ip nat outside
You can issue the show ip nat translations command in order to verify the NAT translations in the router. In the ideal condition, the output of the show ip nat translations command is as shown here:
Router#show ip nat translations
Pro Inside global Inside local Outside local Outside global --- 172.16.68.5 10.10.10.1 — ---
When the packet moves from the inside network to the outside network, the output of the **show ip nat translations**command is as shown here:
Router#show ip nat translations
Pro Inside global Inside local Outside local Outside global icmp 172.16.68.5:15 10.10.10.1:15 172.16.68.1:15 172.16.68.1:15 --- 172.16.68.5 10.10.10.1 — ---
Note: In this output of the NAT translations, the protocol entry shows ICMP because Ping is used to validate the entries. The Outside Local and Outside Global entries can have the same IP address of the Outside host, which is 172.16.68.1.
The local addresses are addresses that appear on the inside cloud. Global addresses are addresses that appear on the outside cloud. Because of the way NAT is configured, the inside addresses are the only addresses that are translated. Therefore, the inside local address is different from the inside global address.
This is what the packets look like when they are on the inside network and on the outside network.
Packet Appearance on Inside Network and Outside Network
Define Outside Local and Outside Global Addresses
In this configuration, when the NAT router receives a packet on its outside interface with a source address of 172.16.68.1, the source address is translated to 10.10.10.5. This also means that if the NAT router receives a packet on its inside interface with a destination address of 10.10.10.5, the destination address is translated to 172.16.68.1.
ip nat outside source static 172.16.68.1 10.10.10.5
!--- Outside host is known to the inside host as 10.10.10.5.
interface s 0 ip nat inside
interface s 1 ip nat outside
In the ideal condition, the output of the show ip nat translations command is as shown here:
Router#show ip nat translations
Pro Inside global Inside local Outside local Outside global --- --- --- 10.10.10.5 172.16.68.1
When the packet moves from the outside network to the inside network, the output of the **show ip nat translations**command is as shown here:
Router#show ip nat translations
Pro Inside global Inside local Outside local Outside global --- --- --- 10.10.10.5 172.16.68.1 icmp 10.10.10.1:37 10.10.10.1:37 10.10.10.5:37 172.16.68.1:37
Note: The Inside Global and Inside Local entries can have the same IP address of the Inside host, which is 10.10.10.1.
The local addresses are addresses that appear on the inside cloud. Global addresses are addresses that appear on the outside cloud. In this example, because of the way NAT is configured, only the outside addresses get translated. Therefore, the outside local address is different from the outside global address.
This is what the packets look like when they are on the inside network and on the outside network.
Packet Appearance
Define All Local and Global Addresses
In the this configuration, when the NAT router receives a packet on its inside interface with a source address of 10.10.10.1, the source address is translated to 172.16.68.5. The interface that corresponds to IP address 10.10.10.1 is the Inside Local Address, whereas the interface that corresponds to IP address 172.16.68.5 is the Inside Global Address. When the NAT router receives a packet on its outside interface with a source address of 172.16.68.1, the source address is translated to 10.10.10.5.
This also means that when the NAT router receives a packet on its outside interface with a destination address of 172.16.68.5, the destination address is translated to 10.10.10.1. Also, when the NAT router receives a packet on its inside interface with a destination address of 10.10.10.5, the destination address is translated to 172.16.68.1.
ip nat inside source static 10.10.10.1 172.16.68.5
!--- Inside host is known to the outside host as 172.16.68.5.
ip nat outside source static 172.16.68.1 10.10.10.5
!--- Outside host is known to the inside host as 10.10.10.5.
interface s 0 ip nat inside
interface s 1 ip nat outside
In the ideal condition, the output of the show ip nat translations command is as shown here:
Router#show ip nat translations
Pro Inside global Inside local Outside local Outside global --- --- --- 10.10.10.5 172.16.68.1 172.16.68.5 10.10.10.1 — ---
The local addresses are addresses that appear on the inside cloud, and the global addresses are addresses that appear on the outside cloud. Because of how NAT is configured in this case, both the inside addresses and the outside addresses are translated. Therefore, the inside local addresses are different from the inside global addresses and the outside local addresses are different from the outside global addresses.
When the packet transfer is initiated from both the sides, the output of the show ip nat translations command is as shown here:
Router#show ip nat translations
Pro Inside global Inside local Outside local Outside global --- --- --- 10.10.10.5 172.16.68.1 icmp 10.10.10.1:4 10.10.10.1:4 10.10.10.5:4 172.16.68.1:4 icmp 172.16.68.5:39 10.10.10.1:39 172.16.68.1:39 172.16.68.1:39 --- 172.16.68.5 10.10.10.1 — ---
This is what the packets look like when they are on the inside network and on the outside network.
Packets on Inside and Outside Networks
In summary, the terms local and global are actually very straight forward when you think of them in terms of where they appear in the network. Local addresses appear on the inside portion of the network while global addresses appear on the outside portion of the network.