Understanding NAT address types

My first networking job was as an airman in the US Air Force. Having been deeply involved with early Internet development, the US military owns significant chunks of the IPv4 address space. As such, network address translation (NAT) is often unnecessary on DoD-owned networks. While this made for convenient design, it prevented me from gaining vital real-world experience with NAT until later on in my career.

When first studying NAT, I remember being most confused by the addressing terminology. An IP address as related to NAT falls into one of four categories, as seen in the output of show ip nat translations on IOS:

  • Inside global
  • Inside local
  • Outside local
  • Outside global

None of the explanations I read in books at the time settled well in my mind, until I was able to grasp a key concept: each address here has two attributes in play, location and perspective.

[Image: NAT_classes_chart.png]

Location is described by the first word in the tuple, either inside or outside. It refers to the "side" of the NAT boundary router on which the address logically exists. In a typical NAT deployment, inside addresses will usually (but not necessarily) be private (RFC 1918) addresses, and outside addresses will usually be globally routable (registered) IP addresses.

Perspective refers to the side of the NAT boundary from which the address is observed, either local or global. An address as seen by an inside host is observed locally; the same address as seen by an outside host is observed globally. The two perspectives of one address differ only when the NAT router rewrites that address as packets cross the boundary.

A practical example should help clarify this distinction. To begin with, consider a simple one-to-one static NAT mapping configured on R2 (no layer-four port translation is involved in this example; only the IP address of the inside host is rewritten).

[Image: NAT_boundary.png]

interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
ip nat inside source static 192.168.0.10 192.0.2.10

This static mapping creates a simple NAT translation rule:

R2# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 192.0.2.10         192.168.0.10       ---                ---

Note that only the first two address classes have entries. This is because no stateful session is being tracked yet, so only one host is involved: the inside host. The entry describes both the global and local perspectives of that single inside address; no outside host is known until traffic actually crosses the boundary.

To summarize:

  • Inside global: The address of the inside host as seen from the outside
  • Inside local: The address of the inside host as seen from the inside

If a TCP session is now opened between R1 and R3, a second, temporary NAT translation is created, this time with all four classes populated. The port numbers in the output below show the direction: R3 connects from an ephemeral port (32978) to Telnet, TCP port 23, on R1, addressing it by its inside global address 192.0.2.10. Because the mapping is static, such inbound connections are translated and delivered to the inside host whether or not it initiated anything, which is what makes one-to-one static NAT a way to publish a server, not an access control:

R2# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 192.0.2.10:23      192.168.0.10:23    10.0.0.2:32978     10.0.0.2:32978
--- 192.0.2.10         192.168.0.10       ---                ---

The meanings of the first two columns are the same as with our static entry; they describe the globally and locally significant addresses (now with ports) of the inside host. The last two columns give the locally and globally significant addresses of the outside host. The outside host's two addresses are identical because the outside (global) address is not translated as packets cross the NAT boundary; only the inside host's address is rewritten.
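The following Python toy model is an added example, not code from the original post and not Cisco IOS. It models R2's static mapping and shows how the four columns are filled: the static rule alone yields a row with only the inside host's two perspectives, and a tracked TCP session adds a row with all four, with the outside host's local and global addresses identical. The Packet and Translation classes, the session key, the untranslated-forwarding behaviour for unmapped inside hosts and the table layout are assumptions made for illustration; the addresses and ports are the ones from the post's configuration and output.

```python
"""Toy model of R2's one-to-one static NAT from the post.

Added example for illustration; it is not code from the original post and
not Cisco IOS. The Packet/Translation classes, the session key and the
table printer are assumptions. The addresses and ports are the ones the
post's configuration and 'show ip nat translations' output use.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"; only tcp/udp carry ports
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


@dataclass
class Translation:
    """One row of 'show ip nat translations': location x perspective."""
    proto: str
    inside_global: str           # inside host, as seen from the outside
    inside_local: str            # inside host, as seen from the inside
    outside_local: str = "---"   # outside host, as seen from the inside
    outside_global: str = "---"  # outside host, as seen from the outside


def _endpoint(addr: str, port: Optional[int]) -> str:
    return f"{addr}:{port}" if port is not None else addr


class StaticNat:
    """'ip nat inside source static <inside local> <inside global>', no port translation."""

    def __init__(self, inside_local: str, inside_global: str) -> None:
        self.inside_local = inside_local
        self.inside_global = inside_global
        # The static rule knows only the inside host, so only two columns are filled.
        self.static = Translation("---", inside_global, inside_local)
        # Dynamic per-session rows, keyed so both directions of a flow share one row.
        self.sessions: Dict[Tuple[str, Optional[int], str, Optional[int]], Translation] = {}

    def inside_to_outside(self, pkt: Packet) -> Packet:
        """Packet leaving via the 'ip nat inside' side: rewrite source, inside local -> inside global."""
        if pkt.src != self.inside_local:
            return pkt   # assumption: no dynamic pool, so unmapped inside hosts are forwarded untranslated
        self._track(pkt.proto, pkt.sport, pkt.dst, pkt.dport)
        return replace(pkt, src=self.inside_global)

    def outside_to_inside(self, pkt: Packet) -> Packet:
        """Packet arriving on the 'ip nat outside' side: rewrite destination, inside global -> inside local."""
        if pkt.dst != self.inside_global:
            return pkt
        self._track(pkt.proto, pkt.dport, pkt.src, pkt.sport)
        return replace(pkt, dst=self.inside_local)

    def _track(self, proto: str, inside_port: Optional[int],
               outside_addr: str, outside_port: Optional[int]) -> None:
        key = (proto, inside_port, outside_addr, outside_port)
        if key not in self.sessions:
            outside = _endpoint(outside_addr, outside_port)
            self.sessions[key] = Translation(
                proto,
                _endpoint(self.inside_global, inside_port),
                _endpoint(self.inside_local, inside_port),
                outside,   # outside local ...
                outside,   # ... equals outside global: the outside address is never rewritten here
            )

    def translations(self) -> List[Translation]:
        """Dynamic rows first, then the static rule, in the order the post's output shows them."""
        return list(self.sessions.values()) + [self.static]

    def show(self) -> str:
        """Render the table in the column layout of 'show ip nat translations'."""
        row = "{:<3} {:<18} {:<18} {:<18} {}"
        lines = [row.format("Pro", "Inside global", "Inside local", "Outside local", "Outside global")]
        for t in self.translations():
            lines.append(row.format(t.proto, t.inside_global, t.inside_local,
                                    t.outside_local, t.outside_global))
        return "\n".join(lines)


def demo() -> str:
    """Replay the post's scenario: R3 (10.0.0.2) opens a Telnet session to R1 via its mapped address."""
    r2 = StaticNat(inside_local="192.168.0.10", inside_global="192.0.2.10")
    # Constructed sample packets. SYN from R3's ephemeral port to TCP/23 on R1's inside global address:
    syn = Packet("tcp", "10.0.0.2", 32978, "192.0.2.10", 23)
    syn_in = r2.outside_to_inside(syn)            # delivered to 192.168.0.10:23
    # R1 answers from its inside local address; the reply leaves with 192.0.2.10 as its source.
    syn_ack = Packet("tcp", syn_in.dst, 23, syn_in.src, syn_in.sport)
    r2.inside_to_outside(syn_ack)
    return r2.show()


if __name__ == "__main__":
    print(demo())
```

Running the module prints a table with the same three rows as the post's second `show ip nat translations` output. The one design point worth noting is the session key: both the inbound SYN and the outbound reply map to the same (protocol, inside port, outside address, outside port) tuple, which is why a single row describes the flow from both perspectives rather than one row per direction.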

[Image: NAT_packet.png]

To review:

  • Inside global: The address of the inside host as seen from the outside
  • Inside local: The address of the inside host as seen from the inside
  • Outside local: The address of the outside host as seen from the inside
  • Outside global: The address of the outside host as seen from the outside

Original post: http://packetlife.net/blog/2010/jan/7/understanding-nat-address-types/