Many people are confused by Cisco’s NAT/PAT naming conventions, such as “inside local”, etc. Since a picture is worth a kiloword, I thought that perhaps a few diagrams might help.
Let’s say that our host H1 has IP address 10.1.1.1/24, an RFC 1918 private address. We want to cross the Internet to access host H2, which has the public IP address 22.214.171.124, as shown in Figure 1:
Because we can’t advertise RFC 1918 addresses to the public Internet, in order to make this work we’re going to perform PAT (overloading) on R1, our edge router. Let’s assume that our internal LAN, with address space 10.1.1.0/24, is connected to R1’s Ethernet 0 interface. We’ll be overloading on Serial 0, which has the IP address 126.96.36.199, in public space. To accomplish the translation, the commands would be:
- R1(config)#access-list 1 permit 10.1.1.0 0.0.0.255
- R1(config)#ip nat inside source list 1interface serial 0 overload
- R1(config)#int e0
- R1(config-if)#ip nat inside
- R1(config-if)#int s0
- R1(config-if)#ip nat outside
Figure 2 summarizes the situation at this point:
Inside and Outside: These refer to the physical location of the device whose address is being referenced. The physical locations were unambiguously defined by configuring the appropriate router interfaces with these commands:
- ip nat inside
- ip nat outside
In our example, R1 is doing the translation, with the “inside” interface attached to our LAN, and the “outside” interface on the WAN link to our service provider.
Key point: Because of the way we have configured R1’s interfaces, “inside” is defined to mean “located on our side of R1”, and “outside” means “located on the far side of R1”.
Local and Global: These refer to the perspective (viewpoint) from which the address is being observed, not where the device is located.
Key point: In our example, “local” is defined to mean “looking at it from our side of R1”, and “global” means “looking at it from the far side of R1”.
Yeah, yeah…but what about “inside local”? The key to the jargon is to realize that it describes what we’re looking at, and from where in that order. It’s location-perspective. In other words, “inside local” means that we’re looking at the address of an “inside” device (on our side of our router), from our “local” perspective (from our side of our router). Given the two locations (inside and outside), and the two perspectives (local and global), there are four possibilities:
- Inside Local
- Inside Global
- Outside Local
- Outside Global
We’ll discuss each of these in turn. Since humans can’t actually see the packets as they traverse the media, by “looking” we mean what we would “see” if we were to install protocol analyzers “locally” and “globally”, and examine the addresses within the packets’ IP headers. Since I can’t draw a protocol analyzer, in the diagrams I’ll use an “X-ray eyeball” that’s able to see the packet headers.
Inside Local: Viewing an “inside” device from the “local” perspective, as shown in Figure 3. This is how we see the IP address of H1 from our side of R1. In our example, the “inside local” address is 10.1.1.1, which is the actual address of H1.
Inside Global: Viewing an “inside” device from the “global” perspective, as shown in Figure 4. This is how the Internet sees the IP address of H1. In our example, the “inside global” address is 188.8.131.52, the translated address of H1.
Outside Local: Viewing an “outside” device from the “local” perspective, as shown in Figure 5. This is how H1 sees the IP address of H2. In our example, the “outside local” address is 184.108.40.206, which is not being translated.
Outside Global: Viewing an “outside” device from the “global” perspective, as shown in Figure 6. This is how the Internet sees the IP address of H2. In our example, the “outside global” address is 220.127.116.11, which is H2’s actual address.
Since in our example we’re not translating the destination address on the way out (nor the source address on the way back), the “outside local” and “outside global” addresses are identical. Figure 7 shows our current situation, including the four combinations of location and perspective, along with the corresponding addresses.
Key point: It’s possible that NAT/PAT is also being done on H2’s side, but there is no way we can tell that from our side. If so, they would have their own versions of inside/ outside and local/global that have nothing whatsoever to do with ours.
No matter what terms Cisco chose to use, it would boil down to the same location-perspective issue. So it is what it is, and that’s “what we’re looking at, and from where”.
And, yes, I still often put my fingers on the diagram and talk to myself when figuring this stuff out. “Inside global…so we’re talking about the inside stuff” while my left hand is pointing to the LAN…“from the global perspective” …my right hand is pointing to the Internet, and sliding from right to left to show the direction I’m looking.
By the way, although we used PAT (overloading) in our example, the “location-perspective” terms work the same way for static and dynamic NAT.
Author: Al Friebe