Cisco has created some NAT terminology that explicitly refers to the IP addresses and/or ports involved in Network Address Translation (NAT).
While discussing the addresses involved in a NAT, using terms like “Source” and “Destination” is common. However, using such terms can create some ambiguity.
Specifically, the terms “Source” and “Destination” can create confusion in two cases:
The first case occurs when considering the response traffic — what was the Source in the initial traffic is now the Destination in the response traffic.
The second case occurs when considering the direction of traffic: inbound or outbound. Traffic that is inbound might need its Destination translated, but the response (outbound) traffic will need its Source untranslated. Or potentially the exact opposite.
Given the above, using a statement like “we will NAT the source” can result in uncertainty. Was it the source of the outbound traffic? Or the source of the inbound traffic?
Cisco Terminology
Cisco has designated some NAT terminology that explicitly references a set of addresses with no ambiguity, regardless of the direction of the traffic.
- Inside Local
- Inside Global
- Outside Local
- Outside Global
These four terms consist of two pairs of two words: Inside vs Outside, and Local vs Global. Each pair refers to a distinct property and is best defined in contrast to one another:
- Inside vs Outside refer to the physical location of the real owner of the address in question
- Local vs Global refer to the perspective you are viewing the address from, relative to the NAT device
These two pairs of terms combine into four possible designations that refer to the addresses involved in a network address translation with absolute certainty. The easiest way to explain each of these is to look at an example.
Below is an illustration of a Static NAT, with each IP address involved in the NAT labeled as one of the terms above.
The attributes 10.1.1.11:3333 refer to a host on the Inside network, and are what that host appears as when viewed from the Local perspective. Hence, this is the Inside Local address.
10.1.1.11:3333 will be translated to 73.8.2.11:3333, which still refers to a host that exists on the Inside network, but this time is what that host appears as when viewed from the Global perspective. Hence, this is the Inside Global address.
The attributes 82.6.4.2:80 refer to a host on the Outside network, and are what that host appears as when viewed from the Local perspective. Hence, this is the Outside Local address.
82.6.4.2:80 will be translated to 82.6.4.2:80, which still refers to a host that exists on the Outside network, but this time is what that host appears as when viewed from the Global perspective. Hence, this is the Outside Global address.
The astute among you will notice that the Outside Local attributes are identical to the Outside Global attributes. This is true only because in the particular NAT example above, we did not translate the Outside host’s address.
Generally, this will be the case – typically only the Inside host’s attributes will be translated. But if this were an example of a Twice NAT, then the Outside Local would be translated into a different Outside Global.
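As an added example (not code from the article), the small Python model below labels every ip:port of the Static NAT above with the four terms and applies the same entry to both the outbound request and the inbound reply. It also includes a constructed Twice NAT entry (the Outside Local value 192.168.99.2:80 is an assumption, not from the article) in which the Outside host's attributes are translated as well.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class NatEntry:
    """One NAT translation, with each ip:port labelled by Cisco's four terms."""
    inside_local: str
    inside_global: str
    outside_local: str
    outside_global: str

# The Static NAT from the article: only the Inside host's attributes change.
STATIC_NAT = NatEntry(inside_local="10.1.1.11:3333", inside_global="73.8.2.11:3333",
                      outside_local="82.6.4.2:80", outside_global="82.6.4.2:80")

# A constructed Twice NAT entry (not from the article): the Outside host is also
# translated, so Outside Local and Outside Global differ.
TWICE_NAT = NatEntry(inside_local="10.1.1.11:3333", inside_global="73.8.2.11:3333",
                     outside_local="192.168.99.2:80", outside_global="82.6.4.2:80")

def translate(entry, src, dst, outbound):
    """Apply the entry to a (src, dst) pair crossing the NAT device.

    Outbound (Inside -> Outside): the packet is about to be seen from the Global
    side, so Inside Local -> Inside Global and Outside Local -> Outside Global.
    Inbound (Outside -> Inside): the same mappings run in reverse, which is why
    the terms need no "source"/"destination" or direction qualifier.
    """
    if outbound:
        if (src, dst) != (entry.inside_local, entry.outside_local):
            raise ValueError(f"no translation for {src} -> {dst}")
        return entry.inside_global, entry.outside_global
    if (src, dst) != (entry.outside_global, entry.inside_global):
        raise ValueError(f"no translation for {src} -> {dst}")
    return entry.outside_local, entry.inside_local

def round_trip(entry):
    """Request from the Inside host, then the Outside host's reply, both NATed.

    Returns the four (src, dst) pairs seen: request on the Local side, request
    on the Global side, reply on the Global side, reply back on the Local side.
    """
    req_local = (entry.inside_local, entry.outside_local)
    req_global = translate(entry, *req_local, outbound=True)
    reply_global = (req_global[1], req_global[0])   # the Outside host swaps src/dst
    reply_local = translate(entry, *reply_global, outbound=False)
    return req_local, req_global, reply_global, reply_local

if __name__ == "__main__":
    stages = ("req local", "req global", "reply global", "reply local")
    for name, entry in (("static", STATIC_NAT), ("twice", TWICE_NAT)):
        for stage, (src, dst) in zip(stages, round_trip(entry)):
            print(f"{name:6} {stage:12} src={src:18} dst={dst}")
```

The Inside Global value is the one the Outside world sees, so it is the address that appears in an Outside host's logs, while the Inside host's own logs show the Inside Local value; the table above is what lets you correlate the two.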
The main benefit to using the terms above is they allow you to succinctly and explicitly refer to a set of attributes without having to specify the direction of the traffic or who initiated the traffic.
For example, which is easier to say?
10.1.1.11:3333 is the pre-translation source of the outbound traffic initiated by the Inside host, which will have its source translated to 73.8.2.11:3333 after it crosses the router, which will subsequently become the destination of the inbound response traffic sent from the Outside host.
–or–
10.1.1.11:3333 is the Inside Local address, 73.8.2.11:3333 is the Inside Global address.
Summary
To summarize, we discussed the following four terms that can be used to explicitly refer to a set of packet attributes that are involved in any Network Address Translation:
- Inside Local – a host that physically exists on the Inside network, as seen from the perspective of the Inside network
- Inside Global – a host that physically exists on the Inside network, as seen from the perspective of the Outside network
- Outside Local – a host that physically exists on the Outside network, as seen from the perspective of the Inside network
- Outside Global – a host that physically exists on the Outside network, as seen from the perspective of the Outside network
After self study, this part of NAT really concerned me and I was utterly confused. This simple article had my ahh-haa moment that I really needed. Thank you very much Ed.
Glad it helped, Matthew =). These terms confused me as well when I was first learning.
Your explanation is really good. Keep it up. I would like to ask one thing: which software do you use to create these gif animations? I really like these. Can you let me know the tool name?
Hi Dinesh. Glad you enjoyed the explanation. I use PowerPoint for the animations, recorded to MP4, then converted to GIF. =)
This must be the best explanation on the Internet of the confusing terms used by Cisco. Thank you!
I also find it easier to think about these terms in the following way:
Local == Private
Global == Public
Inside == Your network/devices
Outside == Not your network/devices
Thanks Alex ;).
The only thing I’d point out about your interpretation of the terms, is remember for NAT the translations don’t have to be Private to Public. They can be Private to Private, or Public to Public as well.
Cheers!
Can someone guide me regarding the IP address at different points, when there are two NATs, one at our side and one at the server's side on the Internet? Thank you.