
NAT inconsistency in Cisco material

15 years 11 months ago #28773 by SteveP
I understand the basics of NAT but I've come across an inconsistency in the official material and I'd like to resolve it.

If I'm sitting at a PC in an organisation, the IP address of my PC may be 192.168.123.123 and this is the Inside Local address. The NAT router of the organisation translates this to a registered address, which might be 83.56.23.94 and this is the Inside Global address.

If I access a site, let's say www.firewall.cx, this is converted to an IP address by DNS and my web browser sends data to, for instance, 74.200.84.4. If there's NAT at the far end (the Outside network), this address will be translated to a private address, say 172.20.4.56, and this is the physical server with which I am communicating, but this address is irrelevant to me.

The inconsistency:

Some of the material refers to 74.200.84.4 as the Outside Global address and 172.20.4.56 as the Outside Local address whilst other material refers to 74.200.84.4 as the Outside Local address and 172.20.4.56 as the Outside Global address. Which is correct?

As a novice, it would be logical if a Local address is that by which a host on a LAN refers to another host on the same LAN whilst a Global address is that by which a host refers to another host on a different LAN under the control of a different organisation. I don't know if this is correct though!
15 years 10 months ago #29012 by SteveP
Bump

I suppose that I waffled on a bit - so here it is in a nutshell:

If I'm on the Inside network and send traffic to a host on the Outside network and both networks have NAT routers at the edge of their respective networks, does my traffic to them have:

Inside Local
Inside Global
Outside Global
Outside Local

<OR>

Inside Local
Inside Global
Outside Local
Outside Global

IP addresses as it passes from me to them? Some of the official Cisco material says that the first is correct, whilst some says the latter.
15 years 10 months ago #29020 by S0lo
For your www.firewall.cx example, 74.200.84.4 is both the Outside local and the Outside global address. Yes, this might sound odd at the beginning but this is what I just got out from the CCNA academy material.

Inside and Outside refer to the physical location of the host/server.

Local means the IP address as it is seen by the inside network. Global means the IP address as it is seen by the outside/INTERNET (but not necessarily inside the outside network).

The private address 172.20.4.56 (of the example www.firewall.cx) has no naming!! Unless you look at the www.firewall.cx LAN as your inside LAN.

That's as far as I understand it. A quick look here might help: www.cisco.com/en/US/tech/tk648/tk361/tec...186a0080094837.shtml

www.cisco.com/en/US/tech/tk648/tk361/tec...186a0080094831.shtml

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
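
The naming in the answer above, worked through with the addresses from this thread. This is an added example, not part of any post and not Cisco code; it assumes a static one-to-one inside translation on each edge router, with no port translation and no outside-source translation. `NatRouter`, `names`, `trace`, `NEAR` and `FAR` are hypothetical names.

```python
from dataclasses import dataclass


@dataclass
class NatRouter:
    name: str
    inside_map: dict  # inside local -> inside global (static, one-to-one)

    def to_global(self, addr):
        """Translate a source address leaving this router's inside network."""
        return self.inside_map.get(addr, addr)

    def to_local(self, addr):
        """Translate a destination address arriving from the outside."""
        reverse = {g: l for l, g in self.inside_map.items()}
        return reverse.get(addr, addr)

    def names(self, inside_host, outside_host):
        """The four NAT names as THIS router sees one conversation.

        With no outside-source translation configured, the outside host
        looks the same from both sides, so outside local == outside global.
        """
        return {
            "inside local": inside_host,
            "inside global": self.to_global(inside_host),
            "outside local": outside_host,
            "outside global": outside_host,
        }


def trace(src, dst_public, near, far):
    """(segment, source, destination) of a request on each network segment."""
    src_global = near.to_global(src)
    return [
        ("near LAN", src, dst_public),
        ("internet", src_global, dst_public),
        ("far LAN", src_global, far.to_local(dst_public)),
    ]


# Addresses taken from the thread; the two routers are constructed for the example.
NEAR = NatRouter("PC-side edge router", {"192.168.123.123": "83.56.23.94"})
FAR = NatRouter("server-side edge router", {"172.20.4.56": "74.200.84.4"})

if __name__ == "__main__":
    print(NEAR.name, NEAR.names("192.168.123.123", "74.200.84.4"))
    print(FAR.name, FAR.names("172.20.4.56", "83.56.23.94"))
    for hop in trace("192.168.123.123", "74.200.84.4", NEAR, FAR):
        print(hop)
```

The names are always relative to one router: 172.20.4.56 only gets a name (inside local) in the far router's table, where 74.200.84.4 is that router's inside global.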
15 years 10 months ago #29025 by SteveP
Thanks S0lo - your comment "Nothing is as easy as it looks" is so true ... but very frustrating. I just wonder if things are made so complicated (and illogical) just to trip us all up!
15 years 10 months ago #29027 by S0lo
Oh, that comment :). Sometimes frustrating indeed!! This one might be a little more optimistic:

"Everything should be as simple as possible, but no simpler", Albert Einstein.

15 years 10 months ago #29035 by Smurf
I remember when I did my courses, it confused the hell out of me then and it still does :)

The link that S0lo has posted is quite good. What I understand from it is:

Local - Real/Private (pre-NAT'd address)
Global - NAT'd/Public IP (post-NAT'd address)

Inside - is as the traffic leaves (i.e. source/destination as traffic goes out)
Outside - is as the traffic arrives (i.e. source/destination as traffic is coming in)

But now I have just read it, it's confused me again, argh.....

lol

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.