The TCP/IP Guide - IP NAT Bidirectional (Two-Way/Inbound) Operation

Please Whitelist This Site?

I know everyone hates ads. But please understand that I am providing premium content for free that takes hundreds of hours of time to research and write. I don't want to go to a pay-only model like some sites, but when more and more people block ads, I end up working for free. And I have a family to support, just like you. :)

If you like The TCP/IP Guide, please consider the download version. It's priced very economically and you can read all of it in a convenient format without ads.

If you want to use this site for free, I'd be grateful if you could add the site to the whitelist for Adblock. To do so, just open the Adblock menu and select "Disable on tcpipguide.com". Or go to the Tools menu and select "Adblock Plus Preferences...". Then click "Add Filter..." at the bottom, and add this string: "@@||tcpipguide.com^$document". Then just click OK.

Thanks for your understanding!

Sincerely, Charles Kozierok
Author and Publisher, The TCP/IP Guide

Once the inside global address of the device on the inside network is known by the outside device, the transaction can begin. Let's use the same example as in the previous topic, only we reverse it, so that outside device 204.51.16.12 is initiating a request (and is thus now the client) to inside device 10.0.0.207 (which is the server). Let's say that either static mapping or DNS has been used so that the outside device knows the inside global address of 10.0.0.207 is actually 194.54.21.6. Table 75 describes the transaction in detail; it is illustrated in Figure 113 as well.

**Table 75: Operation Of Bidirectional (Two-Way/Inbound) NAT**
Step #	Description	Datagram Type	Datagram Source Address	Datagram Destination Address
1	Outside Client Generates Request And Sends To NAT Router: Device 204.51.16.12 generates a request to the inside server. It uses the inside global address 194.54.21.6 as the destination. The datagram will be routed to the local router for that address, which is the NAT router that services the inside network where the server is located.	*Request* (from outside client to inside server)	204.51.16.12 (Outside Global)	194.54.21.6 (Inside Global)
2	NAT Router Translates Destination Address and Sends To Inside Server: The NAT router already has a mapping from the inside global address to the inside local address of the server. It replaces the 194.54.21.6 destination address with 10.0.0.207, and performs checksum recalculations and other work as necessary. The source address is not translated. The router then delivers the modified datagram to the inside server at 10.0.0.207.	*Request* (from outside client to inside server)	204.51.16.12 (Outside Local)	10.0.0.207 (Inside Local)

3	Inside Server Generates Response And Sends Back To NAT Router: The server at 10.0.0.207 generates a response, which it addresses to 204.51.16.12 since that was the source of the request to it. This is then routed to the server's NAT router.	*Response* (from inside server to outside client)	10.0.0.207 (Inside Local)	204.51.16.12 (Outside Local)
4	NAT Router Translates Source Address And Routes Datagram To Outside Client: The NAT router sees the private address 10.0.0.207 in the response and replaces it with 194.54.21.6. It then routes this back to the original client on the outside network.	*Response* (from inside server to outside client)	194.54.21.6 (Inside Global)	204.51.16.12 (Outside Global)

As you can see, once the outside device knows the inside device's inside global address, inbound NAT is very similar to outbound NAT. It just does the exact opposite translation. Instead of modifying the source address on the outbound request and the destination on the inbound response, the router changes the destination on the inbound request and the source on the outbound reply.