NAT Configurations 345
The following conditions dictate the use of NAT translation:
· Only on interfaces that are declared inside or outside can packets be translated.
· Only traffic from an outside to an inside (or vice versa) is translated.
· Packets received on an outside interface destined for an outside interface are not translated.
· Packets received on an inside interface destined for an inside interface are not translated.
The definition of inside and outside can be arbitrary. The S0 interface can be declared an inside
interface with E0 as the outside interface; the ip nat inside command is simply changed to
ip nat outside. The question then would be, why? The answer is that keeping the declarations of
inside and outside consistent with the way the terms are used in the address definitions makes it
easier to declare the interfaces correctly.
A key concept to keep in mind is that only traffic from an inside to an outside (or vice versa) is
translated. A packet that is inbound to an inside interface and that has as a routed destination an
outside interface is a candidate for translation. The command
ip nat inside source list 1 pool simple-nat-pool
then states that if the source address is on list 1, the declared pool should be
used. The selection of inside versus outside and source versus destination is up to the
administrator. The following examples use inside and outside in relation to the owned network,
which is the preferred methodology.
Static NAT Configuration
It is possible, and sometimes desirable, to configure NAT statically. A classic example of this
configuration would be a resource on the inside of a network that must be accessed from the
outside world at a specific location. In this situation, the advertised location of the resource is
propagated to the world through DNS, and the inside resource must always carry in the outside
world the same translated address and always be reachable at the same Inside Global address.
Static translation is done using the following command:
ip nat inside source static 10.0.0.1 108.77.2.1
This command says the following:
ip nat, if the packet is inbound to a NAT inside interface destined for a NAT outside
interface, always (statically) changes the address 10.0.0.1 to the address 108.77.2.1.
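The translation conditions and the static entry above can be modeled in a few lines of Python. This is an added example, not code from the original text: the interface E1, the contents of list 1, and the pool addresses are constructed, and consulting the static entry before the pool is a modeling choice.

```python
import ipaddress

# Roles set with "ip nat inside" / "ip nat outside". E1 is an assumed
# second inside interface, added to show the inside-to-inside case.
ROLES = {"E0": "inside", "E1": "inside", "S0": "outside"}

# From the page: ip nat inside source static 10.0.0.1 108.77.2.1
STATIC = {"10.0.0.1": "108.77.2.1"}

# Constructed stand-ins for access list 1 and simple-nat-pool.
LIST_1 = ipaddress.ip_network("10.0.0.0/24")
POOL = ["108.77.2.10", "108.77.2.11"]


class NatTable:
    def __init__(self):
        self.dynamic = {}        # inside local -> inside global
        self.free = list(POOL)   # pool addresses not yet handed out

    def translate_source(self, src, in_if, out_if):
        """Source address after translation, or None if no pool address is left."""
        # Only inside -> outside traffic is a candidate for translation.
        if (ROLES.get(in_if), ROLES.get(out_if)) != ("inside", "outside"):
            return src
        # The static entry always yields the same Inside Global address.
        if src in STATIC:
            return STATIC[src]
        # Dynamic translation applies only to sources matched by list 1.
        if ipaddress.ip_address(src) not in LIST_1:
            return src
        if src not in self.dynamic:
            if not self.free:
                return None      # this model treats exhaustion as a drop
            self.dynamic[src] = self.free.pop(0)
        return self.dynamic[src]

    def translate_destination(self, dst, in_if, out_if):
        """Map an Inside Global destination back for outside -> inside traffic."""
        if (ROLES.get(in_if), ROLES.get(out_if)) != ("outside", "inside"):
            return dst
        reverse = {glob: loc for loc, glob in {**self.dynamic, **STATIC}.items()}
        return reverse.get(dst, dst)


if __name__ == "__main__":
    nat = NatTable()
    for src in ("10.0.0.1", "10.0.0.5", "192.168.1.9"):
        print(src, "->", nat.translate_source(src, "E0", "S0"))
```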
If a group of requestors is being translated using a pool and one of the internal devices is
a resource (10.0.0.1), the configuration from Example 11-1 is changed to that shown in
Example 11-2.