Static NAT and NAT order of operation

October 24, 2008 at 10:00 pm | Posted in IP Services, NAT
IEWB1 v5 Task 13.21

R4 ------------ R5 ------------- SW2

The objective is to have R4 be able to telnet SW2 using, and SW2 be able to telnet R4 using

Rack1R5#sh run | in interface|nat|ip route
interface Ethernet0/0
 ip nat inside
interface Serial0/1
 ip nat outside
ip nat inside source static
ip nat outside source static
ip route Serial0/1

The first NAT statement is straightforward. It is used so that the outside world can see SW2 VL58 with the IP of is Inside Local is Inside Global

We need to translate Inside traffic. As the direction is Inside to Outside, the IP addresses above are source IPs. That’s why we need “ip nat inside source static”.
The second NAT statement is less usual. It is used for the second task so that SW2 can telnet to R4 using is Outside Global is Outside Local

As the direction is from Outside to Inside, those IPs are source addresses. That’s why we need the “ip nat outside source” translation.

NAT order of operation:

As traffic arrives on an outside interface, it is NAT translated before being routed. Therefore, we do not need a static route for, because traffic from outside, destined for has the destination IP translated to which is already routable.

On the other hand, traffic arriving on an inside interface is routed before it is translated.
When R5 receives traffic from the local LAN heading to, it does not know that it needs to route it toward R4 unless we have the static host route configured, which overrides the connected route for the LAN subnet.

BTW, we do not need a static route for on SW2, because the above route is automatically advertised into RIP by R5, and SW2 will have it installed as a RIP route. Static routes pointing to an interface (instead of a next-hop IP address) are treated as directly connected routes by RIP.
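
The order of operation described above, as an added Python model that is not part of the original post. It covers only R5's forwarding decision; every address (198.51.100.0/24 for the LAN, 192.0.2.0/24 for the serial link) and every helper name is constructed for illustration.

```python
import ipaddress

# Constructed addressing for illustration; none of it comes from the original post.
INSIDE_IF, OUTSIDE_IF = "Ethernet0/0", "Serial0/1"
INSIDE_STATIC = {"198.51.100.8": "192.0.2.8"}   # SW2: inside local -> inside global
OUTSIDE_STATIC = {"192.0.2.4": "198.51.100.4"}  # R4: outside global -> outside local
CONNECTED = [("198.51.100.0/24", INSIDE_IF), ("192.0.2.0/24", OUTSIDE_IF)]
HOST_ROUTE = ("198.51.100.4/32", OUTSIDE_IF)    # static host route out Serial0/1


def invert(table):
    return {v: k for k, v in table.items()}


def lookup(routes, dst):
    """Longest-prefix match; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), i) for p, i in routes
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def forward(in_if, src, dst, routes):
    """Model R5's handling of one packet; returns (egress_if, src, dst)."""
    if in_if == OUTSIDE_IF:
        # Outside -> inside: translate first, then route on the translated destination.
        src = OUTSIDE_STATIC.get(src, src)
        dst = invert(INSIDE_STATIC).get(dst, dst)
        return lookup(routes, dst), src, dst
    # Inside -> outside: route first; NAT applies only if the egress is the outside interface.
    out_if = lookup(routes, dst)
    if out_if == OUTSIDE_IF:
        src = INSIDE_STATIC.get(src, src)
        dst = invert(OUTSIDE_STATIC).get(dst, dst)
    return out_if, src, dst


if __name__ == "__main__":
    print(forward(OUTSIDE_IF, "192.0.2.4", "192.0.2.8", CONNECTED))
    print(forward(INSIDE_IF, "198.51.100.8", "198.51.100.4", CONNECTED))
    print(forward(INSIDE_IF, "198.51.100.8", "198.51.100.4", CONNECTED + [HOST_ROUTE]))
```

Without the host route, the second call stays on the inside interface untranslated, because the connected /24 wins the lookup before NAT is ever considered.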

Rack1R5#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---      
---         ---                ---
R5#debug ip nat detailed
*Apr  7 02:55:54.571: NAT: i: icmp (, 9) -> (, 9) [61]    
*Apr  7 02:55:54.571: NAT: s=>, d= [61]
*Apr  7 02:55:54.571: NAT: s=, d=> [61]
*Apr  7 02:55:54.603: NAT*: o: icmp (, 9) -> (, 9) [61]
*Apr  7 02:55:54.603: NAT*: s=>, d= [61]
*Apr  7 02:55:54.603: NAT*: s=, d=> [61]
*Apr  7 02:55:54.607: NAT: i: icmp (, 9) -> (, 9) [62]    
*Apr  7 02:55:54.607: NAT: s=>, d= [62]
*Apr  7 02:55:54.607: NAT: s=, d=> [62]
*Apr  7 02:55:54.635: NAT*: o: icmp (, 9) -> (, 9) [62]
*Apr  7 02:55:54.635: NAT*: s=>, d= [62]
*Apr  7 02:55:54.635: NAT*: s=, d=> [62]

More info on Nat order of operation
