NAT and PAT – Part 4 (A New Perspective)

Many people are confused by Cisco’s NAT/PAT naming conventions, such as “inside local”, etc. Since a picture is worth a kiloword, I thought that perhaps a few diagrams might help.

Let’s say that our host H1 has IP address, an RFC 1918 private address. We want to cross the Internet to access host H2, which has the public IP address, as shown in Figure 1:


Because we can’t advertise RFC 1918 addresses to the public Internet, in order to make this work we’re going to perform PAT (overloading) on R1, our edge router. Let’s assume that our internal LAN, with address space, is connected to R1’s Ethernet 0 interface. We’ll be overloading on Serial 0, which has the IP address, in public space. To accomplish the translation, the commands would be:

  • R1(config)#access-list 1 permit
  • R1(config)#ip nat inside source list 1interface serial 0 overload
  • R1(config)#int e0
  • R1(config-if)#ip nat inside
  • R1(config-if)#int s0
  • R1(config-if)#ip nat outside

Figure 2 summarizes the situation at this point:


Inside and Outside: These refer to the physical location of the device whose address is being referenced. The physical locations were unambiguously defined by configuring the appropriate router interfaces with these commands:

  • ip nat inside
  • ip nat outside

In our example, R1 is doing the translation, with the “inside” interface attached to our LAN, and the “outside” interface on the WAN link to our service provider.

Key point: Because of the way we have configured R1’s interfaces, “inside” is defined to mean “located on our side of R1”, and “outside” means “located on the far side of R1”.

Local and Global: These refer to the perspective (viewpoint) from which the address is being observed, not where the device is located.

Key point: In our example, “local” is defined to mean “looking at it from our side of R1”, and “global” means “looking at it from the far side of R1”.

Yeah, yeah…but what about “inside local”? The key to the jargon is to realize that it describes what we’re looking at, and from where in that order. It’s location-perspective. In other words, “inside local” means that we’re looking at the address of an “inside” device (on our side of our router), from our “local” perspective (from our side of our router). Given the two locations (inside and outside), and the two perspectives (local and global), there are four possibilities:

  • Inside Local
  • Inside Global
  • Outside Local
  • Outside Global

We’ll discuss each of these in turn. Since humans can’t actually see the packets as they traverse the media, by “looking” we mean what we would “see” if we were to install protocol analyzers “locally” and “globally”, and examine the addresses within the packets’ IP headers. Since I can’t draw a protocol analyzer, in the diagrams I’ll use an “X-ray eyeball” that’s able to see the packet headers.

Inside Local: Viewing an “inside” device from the “local” perspective, as shown in Figure 3. This is how we see the IP address of H1 from our side of R1. In our example, the “inside local” address is, which is the actual address of H1.


Inside Global: Viewing an “inside” device from the “global” perspective, as shown in Figure 4. This is how the Internet sees the IP address of H1. In our example, the “inside global” address is, the translated address of H1.


Outside Local: Viewing an “outside” device from the “local” perspective, as shown in Figure 5. This is how H1 sees the IP address of H2. In our example, the “outside local” address is, which is not being translated.


Outside Global: Viewing an “outside” device from the “global” perspective, as shown in Figure 6. This is how the Internet sees the IP address of H2. In our example, the “outside global” address is, which is H2’s actual address.


Since in our example we’re not translating the destination address on the way out (nor the source address on the way back), the “outside local” and “outside global” addresses are identical. Figure 7 shows our current situation, including the four combinations of location and perspective, along with the corresponding addresses.


Key point: It’s possible that NAT/PAT is also being done on H2’s side, but there is no way we can tell that from our side. If so, they would have their own versions of inside/ outside and local/global that have nothing whatsoever to do with ours.

No matter what terms Cisco chose to use, it would boil down to the same location-perspective issue.  So it is what it is, and that’s “what we’re looking at, and from where.

And, yes, I still often put my fingers on the diagram and talk to myself when figuring this stuff out. “Inside global…so we’re talking about the inside stuff” while my left hand is pointing to the LAN…“from the global perspective” …my right hand is pointing to the Internet, and sliding from right to left to show the direction I’m looking.

By the way, although we used PAT (overloading) in our example, the “location-perspective” terms work the same way for static and dynamic NAT.

Author: Al Friebe

In this article

Join the Conversation


  1. Ryan Reply

    Thank you for this explanation. I have read countless articles as well as published books and have closed the page more confused. Your description of the NAT process really makes sense!

    Thank you!

  2. Ken Reply

    This is a great explanation compared to others.
    One thing in the final image, the IG arrow is pointing back to the host and not the router. That may confuse some.