Question : NAT Question - "ip nat inside source (...)"

I'm at the stage of thoroughly understanding NAT. According to what I've been reading and practicing at work, "ip nat inside source" causes the (inside) source address to be replaced with the address specified further on in the command.

Now, let's imagine the scenario where I have to publish a web server behind NAT. I know this can be achieved with the command: "ip nat inside source static tcp <localip> 80 <globalip> 80 extendable"

My question is: how come this works? Let me explain first why I'm in doubt: usually, it is the client who makes the first "contact" with the server. So the client makes a request for port 80 (web). This packet/request arrives with the remote host's IP address in the source field. So the "localip" address wouldn't, by any chance, be one of the internal IP addresses in the destination network (where the server is located). Provided this is true, how does the router know how to translate the packet, since the router shouldn't be able to match it?

According to my understanding, this would rather be achieved by using the "ip nat inside destination (...)" command. However, that command is mainly used when load balancing of TCP services is to be achieved.

I hope my doubt is clear and that someone will be able to help me out with this. I'm just curious what I'm missing here. I'm studying for the CIT exam (I've chosen this one to be the first) and I would like to have this clear.


Cheers.

Answer : NAT Question - "ip nat inside source (...)"

You write:

"ip nat inside source" replaces the local SOURCE ADDRESS. So, when the packet comes from inside the network, the source address is indeed from one of the internal hosts. However, when the packet comes from the Internet to an internal server, the packet would be sourced with the remote network's IP address. Therefore, "inside source" wouldn't make much sense! In fact, the source address of that packet WILL NOT MATCH the NAT definition, since that address is not part of the internal network. See what I mean?

This is false.  What happens is this:

When the packet is sourced from the inside network and destined to the outside network, the SOURCE address is translated by the NAT rule.  On the other hand, when the packet is sourced from the outside network destined to the inside network, the DESTINATION address is translated by the NAT rule.

"ip nat inside source static"  would match BOTH traffic from inside-to-outside and outside-to-inside, except that in the former it translates the source address, and in the latter, it translates the destination address.  This behavior is necessary, or else the replies to the translated packets would never get back to the originating host!
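The two-direction behaviour described in the answer, as an added example in Python (this is not code from the original thread or from Cisco IOS; it is a small model of one static PAT entry written to illustrate the point). The entry models "ip nat inside source static tcp <localip> 80 <globalip> 80": traffic leaving the inside interface is matched on its source (inside local) address and has that source rewritten, while traffic arriving on the outside interface is matched on its destination (inside global) address and has that destination rewritten. All addresses and port numbers are constructed for the example (RFC 1918 and RFC 5737 ranges).

```python
"""Model of a Cisco-style static PAT entry to show that a single
"ip nat inside source static" rule is consulted in BOTH directions:
inside->outside rewrites the SOURCE, outside->inside rewrites the DESTINATION.
Constructed illustration, not router code; addresses are documentation/private ranges."""

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class StaticNatEntry:
    """One 'ip nat inside source static <proto> <localip> <lport> <globalip> <gport>' line."""
    proto: str
    inside_local_ip: str
    inside_local_port: int
    inside_global_ip: str
    inside_global_port: int


class Router:
    def __init__(self, entries):
        self.entries = list(entries)

    def inside_to_outside(self, pkt):
        # Packet came in on an "ip nat inside" interface and leaves via "ip nat outside":
        # match the SOURCE (inside local) and rewrite it to the inside global address/port.
        for e in self.entries:
            if (pkt.proto == e.proto and pkt.src_ip == e.inside_local_ip
                    and pkt.src_port == e.inside_local_port):
                return replace(pkt, src_ip=e.inside_global_ip, src_port=e.inside_global_port)
        return pkt  # no static entry: left unchanged in this model

    def outside_to_inside(self, pkt):
        # Packet came in on an "ip nat outside" interface: match the DESTINATION
        # (inside global) against the SAME entry and rewrite it to the inside local address/port.
        for e in self.entries:
            if (pkt.proto == e.proto and pkt.dst_ip == e.inside_global_ip
                    and pkt.dst_port == e.inside_global_port):
                return replace(pkt, dst_ip=e.inside_local_ip, dst_port=e.inside_local_port)
        return pkt


# Constructed entry: private web server 10.0.0.10:80 published as 203.0.113.5:80.
WEB_SERVER = StaticNatEntry("tcp", "10.0.0.10", 80, "203.0.113.5", 80)


def client_request_walkthrough():
    """Internet client 198.51.100.7 opens a connection to the published web server.
    Returns (SYN as seen by the server, SYN/ACK as seen by the client)."""
    router = Router([WEB_SERVER])
    # SYN from the Internet: source is the remote client, destination is the global address.
    syn = Packet("198.51.100.7", 51234, "203.0.113.5", 80)
    syn_inside = router.outside_to_inside(syn)
    # The server replies from its private address; on the way out the SOURCE is rewritten
    # back to the global address, so the client sees a consistent peer.
    syn_ack = Packet(syn_inside.dst_ip, syn_inside.dst_port, syn_inside.src_ip, syn_inside.src_port)
    syn_ack_outside = router.inside_to_outside(syn_ack)
    return syn_inside, syn_ack_outside


def unrelated_inbound_is_untouched():
    """An inbound packet to a port with no static entry (443 here) is not translated."""
    router = Router([WEB_SERVER])
    return router.outside_to_inside(Packet("198.51.100.7", 40000, "203.0.113.5", 443))


if __name__ == "__main__":
    for p in client_request_walkthrough():
        print(p)
    print(unrelated_inbound_is_untouched())
```

The point the model makes explicit is that the router never looks for the inside local address in the source field of an inbound packet; it looks for the inside global address in the destination field, which is why the entry matches the client's first SYN even though the client initiated the connection.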