IP NAT inside source vs IP NAT outside source

On Cisco IOS routers we can use the ip nat inside sourceand ip nat outside source commands. Most of us are familiar with the ip nat inside source command because we often use it to translate private IP addressses on our LAN to a public IP address we received from our ISP.

What about the ip nat outside source command? Does it work in the same way as ip nat inside source?

This is the difference between the two commands:

ip nat inside source:

• Translates the source IP address of packets that travel from inside to outside.
• Translates the destination IP address of packets that travel from outside to inside.

ip nat outside source:

• Translates the source IP address of packets that travel from outside to inside.
• Translates the destination IP address of packets that travel from inside to outside.

Configuration

Let’s look at these two commands in action. I use the following topology to demonstrate this:

IP routing is disabled on H1 and H2, they use R1 as their default gateway.

hostname H1 
! 
no ip routing 
! 
no ip cef 
! 
interface GigabitEthernet0/1 
 ip address 192.168.1.1 255.255.255.0 
! 
ip default-gateway 192.168.1.254 
! 
end

hostname H2 
! 
no ip routing 
! 
no ip cef 
! 
interface GigabitEthernet0/1 
 ip address 192.168.2.2 255.255.255.0 
! 
ip default-gateway 192.168.2.254 
! 
end

hostname R1 
! 
ip cef 
! 
interface GigabitEthernet0/1 
 ip address 192.168.1.254 255.255.255.0 
 ip nat inside 
 ip virtual-reassembly in 
! 
interface GigabitEthernet0/2 
 ip address 192.168.2.254 255.255.255.0 
 ip nat outside 
 ip virtual-reassembly in 
! 
end

Let’s enable NAT debugging on R1 so we can see everything in action:

R1#debug ip nat 
IP NAT debugging is on

IP NAT inside source

Let’s start with ip nat inside source, the command we are most familiar with. I’ll configure an entry that translates 192.168.1.1 to 192.168.2.200:

R1(config)#ip nat inside source static 192.168.1.1 192.168.2.200

Let’s send a ping from H1 to 192.168.2.2:

H1#ping 192.168.2.2 repeat 1 
Type escape sequence to abort. 
Sending 1, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds: 
! 
Success rate is 100 percent (1/1), round-trip min/avg/max = 4/4/4 ms

R1 produces the following debug output:

R1# 
NAT*: s=192.168.1.1->192.168.2.200, d=192.168.2.2 [3] 
NAT*: s=192.168.2.2, d=192.168.2.200->192.168.1.1 [3]

• The source IP address 192.168.1.1 is translated to 192.168.2.200 when the IP packet travels from the inside to the outside.
• The destination IP address 192.168.2.200 is translated to 192.168.1.1 when the return IP packet travels from the outside to inside.

We can also try a ping from H2. Let’s see what happens when we ping 192.168.2.200:

H2#ping 192.168.2.200 repeat 1 
Type escape sequence to abort. 
Sending 1, 100-byte ICMP Echos to 192.168.2.200, timeout is 2 seconds: 
! 
Success rate is 100 percent (1/1), round-trip min/avg/max = 5/5/5 ms

R1 produces the following debug output:

R1# 
NAT*: s=192.168.2.2, d=192.168.2.200->192.168.1.1 [8] 
NAT*: s=192.168.1.1->192.168.2.200, d=192.168.2.2 [8]

• The destination IP address is translated from 192.168.2.200 to 192.168.1.1 when the IP packet travels from the outside to the inside.
• The source IP address is translated from 192.168.1.1 to 192.168.2.200 when the return IP packet travels from the inside to the outside.

Can I ping the 192.168.1.1 IP address from H2? Let’s find out:

H2#ping 192.168.1.1 repeat 1 
Type escape sequence to abort. 
Sending 1, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds: 
! 
Success rate is 100 percent (1/1), round-trip min/avg/max = 6/6/6 ms

This is what we see on R1:

R1# 
NAT*: s=192.168.1.1->192.168.2.200, d=192.168.2.2 [6]

The source IP address 192.168.1.1 is translated to 192.168.2.00 when it travels from the inside to the outside.

IP NAT outside source

Let’s find out how the ip nat outside source command works. I’ll use the following command: