IP NAT inside source vs IP NAT outside source

On Cisco IOS routers we can use the ip nat inside source and ip nat outside source commands. Most of us are familiar with the ip nat inside source command because we often use it to translate private IP addresses on our LAN to a public IP address we received from our ISP.

What about the ip nat outside source command? Does it work in the same way as ip nat inside source?

This is the difference between the two commands:

ip nat inside source:

  • Translates the source IP address of packets that travel from inside to outside.
  • Translates the destination IP address of packets that travel from outside to inside.

ip nat outside source:

  • Translates the source IP address of packets that travel from outside to inside.
  • Translates the destination IP address of packets that travel from inside to outside.

Configuration

Let’s look at these two commands in action. I use the following topology to demonstrate this:

[Figure: topology with R1, H1 and H2 used for NAT inside/outside source]

IP routing is disabled on H1 and H2; they use R1 as their default gateway.



Configurations


Want to take a look for yourself? Here you will find the startup configuration of each device.

H1

hostname H1 
! 
no ip routing 
! 
no ip cef 
! 
interface GigabitEthernet0/1 
 ip address 192.168.1.1 255.255.255.0 
! 
ip default-gateway 192.168.1.254 
! 
end

H2

hostname H2 
! 
no ip routing 
! 
no ip cef 
! 
interface GigabitEthernet0/1 
 ip address 192.168.2.2 255.255.255.0 
! 
ip default-gateway 192.168.2.254 
! 
end

R1

hostname R1 
! 
ip cef 
! 
interface GigabitEthernet0/1 
 ip address 192.168.1.254 255.255.255.0 
 ip nat inside 
 ip virtual-reassembly in 
! 
interface GigabitEthernet0/2 
 ip address 192.168.2.254 255.255.255.0 
 ip nat outside 
 ip virtual-reassembly in 
! 
end

Let’s enable NAT debugging on R1 so we can see everything in action:

R1#debug ip nat 
IP NAT debugging is on

IP NAT inside source

Let’s start with ip nat inside source, the command we are most familiar with. I’ll configure an entry that translates 192.168.1.1 to 192.168.2.200:

R1(config)#ip nat inside source static 192.168.1.1 192.168.2.200

Let’s send a ping from H1 to 192.168.2.2:

H1#ping 192.168.2.2 repeat 1 
Type escape sequence to abort. 
Sending 1, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds: 
! 
Success rate is 100 percent (1/1), round-trip min/avg/max = 4/4/4 ms

R1 produces the following debug output:

R1# 
NAT*: s=192.168.1.1->192.168.2.200, d=192.168.2.2 [3] 
NAT*: s=192.168.2.2, d=192.168.2.200->192.168.1.1 [3]
  • The source IP address 192.168.1.1 is translated to 192.168.2.200 when the IP packet travels from the inside to the outside.
  • The destination IP address 192.168.2.200 is translated to 192.168.1.1 when the return IP packet travels from the outside to inside.

We can also try a ping from H2. Let’s see what happens when we ping 192.168.2.200:

H2#ping 192.168.2.200 repeat 1 
Type escape sequence to abort. 
Sending 1, 100-byte ICMP Echos to 192.168.2.200, timeout is 2 seconds: 
! 
Success rate is 100 percent (1/1), round-trip min/avg/max = 5/5/5 ms

R1 produces the following debug output:

R1# 
NAT*: s=192.168.2.2, d=192.168.2.200->192.168.1.1 [8] 
NAT*: s=192.168.1.1->192.168.2.200, d=192.168.2.2 [8]
  • The destination IP address is translated from 192.168.2.200 to 192.168.1.1 when the IP packet travels from the outside to the inside.
  • The source IP address is translated from 192.168.1.1 to 192.168.2.200 when the return IP packet travels from the inside to the outside.

Can I ping the 192.168.1.1 IP address from H2? Let’s find out:

H2#ping 192.168.1.1 repeat 1 
Type escape sequence to abort. 
Sending 1, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds: 
! 
Success rate is 100 percent (1/1), round-trip min/avg/max = 6/6/6 ms

This is what we see on R1:

R1# 
NAT*: s=192.168.1.1->192.168.2.200, d=192.168.2.2 [6]

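Only one translation shows up. The echo request to 192.168.1.1 matches no translation entry, but the source IP address 192.168.1.1 of the reply is translated to 192.168.2.200 when it travels from the inside to the outside.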
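The translation rules listed at the start of this lesson can be written as a small Python model that reproduces the three debug outputs above (without the bracketed packet ID). This is an added example, not part of the original lesson and not Cisco code; it ignores routing, and the outside source entry (192.168.2.2 mapped to 192.168.1.200) is a constructed value for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

@dataclass(frozen=True)
class StaticNat:
    kind: str    # "inside" = ip nat inside source, "outside" = ip nat outside source
    before: str  # first address in the static command
    after: str   # second address in the static command

def translate(rule, pkt, direction):
    """Apply one static entry to a packet crossing R1.

    direction is "in2out" or "out2in". Returns (packet, debug line or None).
    """
    # Direction in which the rule rewrites the SOURCE address.
    forward = "in2out" if rule.kind == "inside" else "out2in"
    if direction == forward and pkt.src == rule.before:
        new = Packet(rule.after, pkt.dst)
        return new, f"NAT*: s={pkt.src}->{new.src}, d={pkt.dst}"
    # In the opposite direction the rule rewrites the DESTINATION address.
    if direction != forward and pkt.dst == rule.after:
        new = Packet(pkt.src, rule.before)
        return new, f"NAT*: s={pkt.src}, d={pkt.dst}->{new.dst}"
    return pkt, None  # no matching entry: forwarded untranslated

def ping(rule, src, dst, direction):
    """Echo request crosses R1 in `direction`, the reply in the other one."""
    back = "out2in" if direction == "in2out" else "in2out"
    request, line1 = translate(rule, Packet(src, dst), direction)
    # The target replies to the addresses it actually received.
    _, line2 = translate(rule, Packet(request.dst, request.src), back)
    return [line for line in (line1, line2) if line]

INSIDE = StaticNat("inside", "192.168.1.1", "192.168.2.200")  # entry from the lesson
# Constructed entry: H2 appears to the inside as 192.168.1.200.
OUTSIDE = StaticNat("outside", "192.168.2.2", "192.168.1.200")

if __name__ == "__main__":
    for rule, src, dst, way in [
        (INSIDE, "192.168.1.1", "192.168.2.2", "in2out"),    # H1 pings H2
        (INSIDE, "192.168.2.2", "192.168.2.200", "out2in"),  # H2 pings the mapped address
        (INSIDE, "192.168.2.2", "192.168.1.1", "out2in"),    # H2 pings H1's real address
        (OUTSIDE, "192.168.2.2", "192.168.1.1", "out2in"),   # H2 pings H1, outside source
    ]:
        print(src, "->", dst, ping(rule, src, dst, way))
```

The third case matches the last ping above: the request to 192.168.1.1 is forwarded untranslated, so the static entry by itself does not keep the outside from reaching H1's real address.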

IP NAT outside source

Let’s find out how the ip nat outside source command works. I’ll use the following command:

Content created by Rene Molenaar (CCIE #41726)


Forum Replies

  1. Hi Rene,

    Thanks for your great lesson. I have a question regarding …

    What is the use case of IP NAT OUTSIDE SOURCE? Normally we don’t use the command. Need to know production network scenario. Many thanks

    BR//ZAMAN

  2. Hello Mohammad

    This is an excellent question. Take a look at this post:


  3. Hi Rene

    For NAT, is it required for the router to have a route for the NATted IP?

    If I am doing inside NAT 10.10.10.10 → 20.20.20.20 on my R1, does my R1 require a route for 20.20.20.20?

    How will it handle the response traffic for 10.10.10.10 → 20.20.20.2? Will it check the route table first or NAT first?

  4. Hello Devaprem

    If you have a NAT translation between two addresses configured on a router, you don’t require any of those addresses to have a routing table entry in that specific router. These addresses are considered directly connected because they are associated with specific interfaces. For this reason, you don’t have to explicitly configure them for routing. However, other routers on the outside must have some routing information to be able to reach the 20.20.20.20 IP address but this is independent of NAT.

    In general, when a packet arrives on an interfa


  5. Thank you Laz, it clearly explains
