NAT doesn't work. Packets go directly to the interface

Unanswered Question
Apr 13th, 2007

Very simple configuration, but it doesn't work.

I've configured a 2811 router to NAT packets from different hosts that arrive from interface fa 0/0.200 (subinterface for VLAN200) via static NAT.

Packets arrive from fa 0/0.200 but NAT doesn't create entries for some of them.

These packets go directly by routing. I can see these packets in the OUT access-list bound to the outbound interface.

I think that the root of the issue is a misconfiguration, but I couldn't find it.

Here is part of my config

---------------Static NAT---------------

ip nat inside source static tcp 3000 3000 extendable

ip nat inside source static tcp 3000 3000 extendable

ip nat inside source static tcp 3000 3000 extendable

------------------INBOUND INTERFACE-----------------

interface FastEthernet0/0.200


encapsulation dot1Q 200

ip address

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1200

ip ospf message-digest-key 200 md5 7 XXX

ip ospf network non-broadcast

no snmp trap link-status

no cdp enable


---------------OUTBOUND INTERFACE---------------

interface Vlan3


ip address X.X.X.Z

ip nat outside

ip virtual-reassembly

crypto map TO-REMOTE



ip route IPADDR 240 tag 333 name REMOTE-DEST

stephen.stack Sat, 04/14/2007 - 10:21


Is it possible for you to show the rest of your config? If the config you have given is your complete NAT config, then you are missing a fundamental component.

The commands 'ip nat inside source static tcp ...' only allow static nat's for external hosts getting access to servers 'inside' the NAT boundary.

You will need to specify the subnet range or ranges that need to be natted.


ip nat inside source list 1 interface vlan 3 overload


access-list 1 permit

If this does not work, again provide a complete config, expected subnet to be natted and destination/outbound port.



dbellaze Sat, 04/14/2007 - 19:26

This type of configuration is typically for an outside to inside communication. For example a server internally on your network that you would like accessible by an outside network.

You'll only see your NAT work in the following two scenarios.

1) A packet arrives on the interface marked nat outside with an IP packet destined to on TCP port 3000. The router will translate the destination IP header to and destination TCP port 3000.

2) A packet arrives on the interface marked nat inside with an IP packet sourced by and source TCP port 3000. The router will translate the source IP to and source TCP port to 3000.

This same behavior applies to your other two statements as well.

What are you trying to accomplish?
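
A simplified model of the two matching scenarios described in the post above, as an added example that is not part of the thread and not Cisco's implementation. The addresses are constructed (the thread's are elided) and the function names are hypothetical; it shows why a packet whose source port is not 3000 leaves untranslated and appears in the outbound access-list.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")
# Models one 'ip nat inside source static tcp <local> <lport> <global> <gport>'
StaticEntry = namedtuple("StaticEntry", "proto local lport glob gport")

# Constructed addresses (assumption, the thread's real ones are elided):
# 10.0.200.10 = inside local host, 192.0.2.10 = inside global address.
ENTRIES = [StaticEntry("tcp", "10.0.200.10", 3000, "192.0.2.10", 3000)]


def inside_to_outside(pkt, entries=ENTRIES):
    """Packet received on the 'ip nat inside' interface.

    Returns (packet, translated). Only protocol, source IP and source
    port are compared with the static entries.
    """
    for e in entries:
        if (pkt.proto, pkt.src, pkt.sport) == (e.proto, e.local, e.lport):
            return pkt._replace(src=e.glob, sport=e.gport), True
    # No matching entry and no dynamic rule: routed with its original source.
    return pkt, False


def outside_to_inside(pkt, entries=ENTRIES):
    """Packet received on the 'ip nat outside' interface.

    Returns (packet, translated). Only protocol, destination IP and
    destination port are compared with the static entries.
    """
    for e in entries:
        if (pkt.proto, pkt.dst, pkt.dport) == (e.proto, e.glob, e.gport):
            return pkt._replace(dst=e.local, dport=e.lport), True
    return pkt, False


if __name__ == "__main__":
    remote = "198.51.100.7"  # constructed remote peer
    samples = [
        ("reply sourced from port 3000", inside_to_outside,
         Packet("tcp", "10.0.200.10", 3000, remote, 40000)),
        ("new connection from ephemeral port", inside_to_outside,
         Packet("tcp", "10.0.200.10", 49152, remote, 3000)),
        ("inbound to published port", outside_to_inside,
         Packet("tcp", remote, 40000, "192.0.2.10", 3000)),
    ]
    for label, fn, pkt in samples:
        out, hit = fn(pkt)
        print(f"{label}: translated={hit} {out}")
```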


