Cisco NAT Terminology

    Cisco has created some NAT terminology that explicitly refers to the IP addresses and/or ports involved in Network Address Translation (NAT).

    When discussing the addresses involved in a NAT, terms like “Source” and “Destination” are common. However, using such terms can create some ambiguity.

    Specifically, the terms “Source” and “Destination” can create confusion in two cases:

    The first case occurs when considering the response traffic — what was the Source in the initial traffic is now the Destination in the response traffic.

    The second case occurs when considering the direction of traffic: inbound or outbound. Traffic that is inbound might need its Destination translated, but the response (outbound) traffic will need its Source untranslated. Or potentially the exact opposite.

    Given the above, using a statement like “we will NAT the source” can result in uncertainty. Was it the source of the outbound traffic? Or the source of the inbound traffic?

     

    Cisco Terminology

    Cisco has designated some NAT terminology that explicitly references a set of addresses with absolute certainty and no ambiguity, and that applies to all traffic directions.

    • Inside Local
    • Inside Global
    • Outside Local
    • Outside Global

    These four terms consist of two pairs of two words: Inside vs Outside, and Local vs Global. Each pair of words refers to unique elements and is best defined in contrast to one another:

    • Inside vs Outside refers to the physical location of the real owner of the address in question
    • Local vs Global refers to the perspective you are viewing the address from, in relation to the NAT device

    These two sets of two terms combine into four possible designations to refer to the addresses involved in a network address translation with absolute certainty. The easiest way to explain each of these is to look at an example.

    Below is an illustration of a Static NAT, with each IP address involved in the NAT labeled as one of the terms above.

    Cisco NAT Terminology - Inside Local, Inside Global, Outside Local, Outside Global

    The attributes 10.1.1.11:3333 refer to a host on the Inside network, and are what that host appears as when viewed from the Local perspective. Hence, this is the Inside Local address.

    10.1.1.11:3333 will be translated to 73.8.2.11:3333, which still refers to a host that exists on the Inside network, but this time is what that host appears as when viewed from the Global perspective. Hence, this is the Inside Global address.

    The attributes 82.6.4.2:80 refer to a host on the Outside network, and are what that host appears as when viewed from the Local perspective. Hence, this is the Outside Local address.

    82.6.4.2:80 will be translated to 82.6.4.2:80, which still refers to a host that exists on the Outside network, but this time is what that host appears as when viewed from the Global perspective. Hence, this is the Outside Global address.

    The astute among you will notice that the Outside Local attributes are identical to the Outside Global attributes. This is true only because in the particular NAT example above, we did not translate the Outside host’s address.

    Generally, this will be the case – typically only the Inside host’s attributes will be translated. But if this were an example of a Twice NAT, then the Outside Local would be translated into a different Outside Global.

    The main benefit to using the terms above is they allow you to succinctly and explicitly refer to a set of attributes without having to specify the direction of the traffic or who initiated the traffic.

    For example, which is easier to say?

    10.1.1.11:3333 is the pre-translation source of the outbound traffic initiated by the Inside host, which will have its source translated to 73.8.2.11:3333 after it crosses the router, which will subsequently become the destination on the inbound response traffic sent from the Outside host.

    –or–

    10.1.1.11:3333 is the Inside Local address, 73.8.2.11:3333 is the Inside Global address.
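
The direction-independence described above, as an added example (not code from the original article): each address in a packet is labeled by where its owner lives and which side of the NAT device the packet was seen on, never by its Source/Destination role. The `Translation` structure, the function names, and the Twice NAT Outside Local value 192.168.50.2:80 are assumptions made for illustration.

```python
from typing import NamedTuple

class Endpoint(NamedTuple):
    ip: str
    port: int

class Translation(NamedTuple):
    inside_local: Endpoint    # Inside host, seen from the Inside network
    inside_global: Endpoint   # Inside host, seen from the Outside network
    outside_local: Endpoint   # Outside host, seen from the Inside network
    outside_global: Endpoint  # Outside host, seen from the Outside network

# Static NAT from the article's illustration: only the Inside host is translated.
STATIC_NAT = Translation(Endpoint("10.1.1.11", 3333), Endpoint("73.8.2.11", 3333),
                         Endpoint("82.6.4.2", 80), Endpoint("82.6.4.2", 80))
# Twice NAT variant; the Outside Local value 192.168.50.2:80 is constructed.
TWICE_NAT = STATIC_NAT._replace(outside_local=Endpoint("192.168.50.2", 80))

def label_packet(entry, src, dst, view):
    """Label src/dst of a packet seen on the 'local' or 'global' side of the NAT device."""
    if view not in ("local", "global"):
        raise ValueError("view must be 'local' or 'global'")
    inside = getattr(entry, f"inside_{view}")
    outside = getattr(entry, f"outside_{view}")
    if {src, dst} != {inside, outside}:
        return None  # packet does not belong to this translation on this side
    names = {inside: f"Inside {view.title()}", outside: f"Outside {view.title()}"}
    # The label follows the address, whichever of src/dst it occupies.
    return {"src": names[src], "dst": names[dst]}

def cross_nat(entry, src, dst, view):
    """Return (src, dst) of the same packet as it appears on the other side of the NAT."""
    if label_packet(entry, src, dst, view) is None:
        raise LookupError("no matching translation for this packet")
    other = "global" if view == "local" else "local"
    swap = {getattr(entry, f"inside_{view}"): getattr(entry, f"inside_{other}"),
            getattr(entry, f"outside_{view}"): getattr(entry, f"outside_{other}")}
    return swap[src], swap[dst]

if __name__ == "__main__":
    request = (Endpoint("10.1.1.11", 3333), Endpoint("82.6.4.2", 80))
    print(label_packet(STATIC_NAT, *request, "local"))
    print(cross_nat(STATIC_NAT, *request, "local"))
```

When correlating logs from both sides of a NAT device, the same mapping ties an Inside Global address seen by an external sensor back to the Inside Local host that owns it.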

     

    Summary

    To summarize, we discussed the following four terms that can be used to explicitly refer to a set of packet attributes that are involved in any Network Address Translation:

    • Inside Local – a host that physically exists on the Inside network, as seen from the perspective of the Inside network
    • Inside Global – a host that physically exists on the Inside network, as seen from the perspective of the Outside network
    • Outside Local – a host that physically exists on the Outside network, as seen from the perspective of the Inside network
    • Outside Global – a host that physically exists on the Outside network, as seen from the perspective of the Outside network
    If you prefer a video walkthrough for these terms, check out this YouTube video.
    7 Comments

    After self study, this part of NAT really concerned me and I was utterly confused. This simple article had my ahh-haa moment that I really needed. Thank you very much Ed.

    Your explanation is really good. Keep it up. I would like to ask one thing: which software do you use to create these GIF animations? I really like these. Can you let me know the tool name?

    This must be the best explanation on the Internet of the confusing terms used by Cisco. Thank you!

    I also find it easier to think about these terms in the following way:
    Local == Private
    Global == Public
    Inside == Your network/devices
    Outside == Not your network/devices

    Can someone guide me regarding the IP address at different points, when there are two NATs, one at our side and one at the server's side on the internet? Thank you