
Cisco NAT Terminology


Cisco has created some NAT terminology that explicitly refers to the IP addresses and/or ports involved in Network Address Translation (NAT).

While discussing the addresses involved in a NAT, using terms like “Source” and “Destination” is common. However, using such terms can create some ambiguity.

Specifically, the terms “Source” and “Destination” can create confusion in two cases:

The first case occurs when considering the response traffic — what was the Source in the initial traffic is now the Destination in the response traffic.

The second case occurs when considering the direction of traffic: inbound or outbound. Traffic that is inbound might need its Destination translated, but the response (outbound) traffic will need its Source untranslated. Or potentially the exact opposite.

Given the above, using a statement like “we will NAT the source” can result in uncertainty. Was it the source of the outbound traffic? Or the source of the inbound traffic?

 

Cisco Terminology

Cisco has designated some NAT terminology that refers to a set of addresses explicitly and without ambiguity, regardless of the direction of the traffic.

  • Inside Local
  • Inside Global
  • Outside Local
  • Outside Global

These four terms consist of two pairs of two words: Inside vs Outside, and Local vs Global. Each pair of words refers to a distinct property of the address, and each is best defined in contrast to the other:

  • Inside vs Outside refers to the physical location of the real owner of the address in question
  • Local vs Global refers to the perspective from which you are viewing the address, relative to the NAT device

These two sets of two terms combine into four possible designations that refer to the addresses involved in a network address translation with absolute certainty. The easiest way to explain each of these is to look at an example.

Below is an illustration of a Static NAT, with each IP address involved in the NAT labeled as one of the terms above.

Cisco NAT Terminology - Inside Local, Inside Global, Outside Local, Outside Global

The attributes 10.1.1.11:3333 refer to a host on the Inside network, and are what that host appears as when viewed from the Local perspective. Hence, this is the Inside Local address.

10.1.1.11:3333 will be translated to 73.8.2.11:3333, which still refers to a host that exists on the Inside network, but this time is what that host appears as when viewed from the Global perspective. Hence, this is the Inside Global address.

The attributes 82.6.4.2:80 refer to a host on the Outside network, and are what that host appears as when viewed from the Local perspective. Hence, this is the Outside Local address.

82.6.4.2:80 will be translated to 82.6.4.2:80, which still refers to a host that exists on the Outside network, but this time is what that host appears as when viewed from the Global perspective. Hence, this is the Outside Global address.

The astute among you will notice that the Outside Local attributes are identical to the Outside Global attributes. This is true only because in the particular NAT example above, we did not translate the Outside host’s address.

Generally, this will be the case – typically only the Inside host’s attributes will be translated. But if this were an example of a Twice NAT, then the Outside Local would be translated into a different Outside Global.

The main benefit to using the terms above is they allow you to succinctly and explicitly refer to a set of attributes without having to specify the direction of the traffic or who initiated the traffic.

For example, which is easier to say?

10.1.1.11:3333 is the pre-translation source of the outbound traffic initiated by the Inside host, which will have its source translated to 73.8.2.11:3333 after it crosses the router, which will subsequently become the destination of the inbound response traffic sent from the Outside host.

–or–

10.1.1.11:3333 is the Inside Local address, 73.8.2.11:3333 is the Inside Global address.
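The following Python model is an added example, not part of the original article: it stores one translation entry under the four Cisco terms and shows that the same four labels describe both the outbound request and the inbound reply. The Static NAT entry uses the article's addresses; the Twice NAT entry and its Outside Local value 192.168.200.2:80 are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NatEntry:
    """One translation entry, named with Cisco's four terms."""
    inside_local: str    # real Inside host, as seen from the Inside network
    inside_global: str   # same Inside host, as seen from the Outside network
    outside_local: str   # real Outside host, as seen from the Inside network
    outside_global: str  # same Outside host, as seen from the Outside network


@dataclass(frozen=True)
class Packet:
    src: str  # "ip:port"
    dst: str  # "ip:port"


def translate_outbound(entry: NatEntry, pkt: Packet) -> Packet:
    """Inside -> Outside: the packet arrives with Local addresses and leaves with Global ones."""
    if pkt.src != entry.inside_local or pkt.dst != entry.outside_local:
        raise ValueError("packet does not match this entry (Local view)")
    return Packet(src=entry.inside_global, dst=entry.outside_global)


def translate_inbound(entry: NatEntry, pkt: Packet) -> Packet:
    """Outside -> Inside (e.g. the reply): Global addresses are mapped back to Local ones."""
    if pkt.src != entry.outside_global or pkt.dst != entry.inside_global:
        raise ValueError("packet does not match this entry (Global view)")
    return Packet(src=entry.outside_local, dst=entry.inside_local)


def classify(entry: NatEntry, addr: str) -> list[str]:
    """Every term the address satisfies for this entry; Static NAT yields two for the Outside host."""
    names = {"Inside Local": entry.inside_local, "Inside Global": entry.inside_global,
             "Outside Local": entry.outside_local, "Outside Global": entry.outside_global}
    return [name for name, a in names.items() if a == addr]


def round_trip(entry: NatEntry) -> tuple[Packet, Packet]:
    """Outbound request from the Inside host, then the Outside host's reply after untranslation."""
    request = Packet(src=entry.inside_local, dst=entry.outside_local)
    on_wire = translate_outbound(entry, request)
    reply = Packet(src=on_wire.dst, dst=on_wire.src)  # the Outside host simply swaps src/dst
    return on_wire, translate_inbound(entry, reply)


# Static NAT from the article: only the Inside host is translated.
STATIC = NatEntry("10.1.1.11:3333", "73.8.2.11:3333", "82.6.4.2:80", "82.6.4.2:80")
# Twice NAT (constructed): the Outside host is also translated, so Outside Local != Outside Global.
TWICE = NatEntry("10.1.1.11:3333", "73.8.2.11:3333", "192.168.200.2:80", "82.6.4.2:80")

if __name__ == "__main__":
    for label, entry in (("static", STATIC), ("twice", TWICE)):
        out, back = round_trip(entry)
        print(label, "| on the wire:", out, "| reply delivered inside:", back)
```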

 

Summary

To summarize, we discussed the following four terms that can be used to explicitly refer to a set of packet attributes that are involved in any Network Address Translation:

  • Inside Local – a host that physically exists on the Inside network, as seen from the perspective of the Inside network
  • Inside Global – a host that physically exists on the Inside network, as seen from the perspective of the Outside network
  • Outside Local – a host that physically exists on the Outside network, as seen from the perspective of the Inside network
  • Outside Global – a host that physically exists on the Outside network, as seen from the perspective of the Outside network
