Can a 1811 NAT as 2 networks have same IP range

Aug 3rd, 2007


Our office in the US connects to us in the UK via Cisco 1811. One of our networks that needs to connect to them is however they have this range on one of their networks too. The Cisco 1811's IP is Can we somehow make all our traffic from and other subnets NAT to so the US only see all our traffic from that range?

Jon Marshall Fri, 08/03/2007 - 12:17


access-list 101 permit "uk office net" "subnet mask"

ip nat pool UKpool

ip nat inside source list 101 pool UKpool

Note that this will work for all subnets you access in the UK other than

If you need to access that subnet there is quite a bit more configuration.



whiteford Fri, 08/03/2007 - 12:30

What subnet do you mean? Basically anything on our network in the UK, for example we are on,, etc we go through Fast Ethernet 1 port on the 1811 for just need to connect to their range. They would like to just see our traffic from (NAT) if possible. That way none of our networks will be on similar subnet IP ranges just which we both don't have.

Jon Marshall Fri, 08/03/2007 - 13:01


access-list 101 permit any

ip nat pool UKpool

ip nat inside source list 101 pool UKpool

You will need to add to the 1811 inside interface

ip nat inside

and to the 1811 outside interface ie. the one that leads to the US office

ip nat outside



whiteford Fri, 08/03/2007 - 22:31

Let me get this straight in my head - sort of new to me.

1.) Anything we route to will NAT to a pool of IPs between and

2.) That way they will only need to add rules for the range and not the 100's of subnets we use? Is this because the FE1 inside port doesn't care what ranges are being sent to it?

3.) Can we permit more ranges to get to in the US rather than just

4.) They need to add the IP NAT inside and IP NAT outside, how do we do this, they have 2 firewalls connected for redundancy to ports FE2 and FE3?

I hope you can answer these questions, I will then talk to our US team. The only other idea I had was put our own firewall like a pix 515 or router between our LAN and their 1811 so we have some control.

Jon Marshall Fri, 08/03/2007 - 23:45


1) No. What the config I supplied does is to NAT your source IP addresses (whatever they are) to a pool of addresses -> 254 when those source addresses want to connect to in the US.

I thought this is what you wanted. Let me know if I have misunderstood.

2) You only need to route to 192.168.17.x from the US. They will not see any of your other subnets.

3) Yes, just add them into the access-list.

4) Okay not sure.

I think it would help if you could explain the exact topology between the UK office and the US office.

I thought the issue was

You have a number of subnets in the UK. You want to connect to the network in the US. You want to hide all your IP addresses behind a NAT pool. You want to take care of all the NAT at your end ie. the UK.

Please correct me if I have misunderstood.
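
Added example, not part of Jon Marshall's posts: the NAT configuration outlined above written out in full IOS syntax. The names `UKpool` and list 101, the 192.168.17.x pool and Fast Ethernet 1 as the inside port come from the thread; the US destination network, the pool's start address and netmask, the outside interface name and the `overload` keyword are assumptions, filled in with constructed values.

```cisco
! Constructed values (not from the thread):
!   10.20.30.0/24  stands in for the US network being reached
!   FastEthernet0  stands in for the interface facing the US office
!
! Select what gets translated: any UK source, but only when the
! destination is the US network. Traffic to other destinations is
! left untranslated.
access-list 101 permit ip any 10.20.30.0 0.0.0.255
!
! Addresses the US side will see as the source of all UK traffic.
! Start address and netmask are assumed.
ip nat pool UKpool 192.168.17.1 192.168.17.254 netmask 255.255.255.0
!
! Translate inside sources matched by list 101 to pool addresses.
! Without "overload" every active inside host holds one pool address,
! so a 254-address pool limits concurrent hosts to 254. "overload"
! (PAT) lets many hosts share pool addresses; it is an addition here,
! not part of the configuration posted in the thread.
ip nat inside source list 101 pool UKpool overload
!
interface FastEthernet1
 description UK LAN (inside)
 ip nat inside
!
! Assumed interface name. If the ports towards the US firewalls are
! switch ports, "ip nat outside" belongs on the routed or VLAN
! interface that carries their traffic instead.
interface FastEthernet0
 description Towards US office (outside)
 ip nat outside
!
! Checks after applying:
!   show access-lists 101        (hit counts on the match rule)
!   show ip nat translations     (inside local -> inside global pairs)
!   show ip nat statistics       (pool usage, misses)
```

With this in place the US side only needs a route and firewall rules for the pool range. A UK subnet that uses the same range as the US destination is still not covered, which is the case the first reply says needs more configuration.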


whiteford Sat, 08/04/2007 - 03:52

Sorry my explanations are not so good.

Basically the US want to make things simple on the 1811 as networks either side use the same range. They would like to see everything come from which is the range or VLAN on the 1811.

The inside port is fast ethernet 1 which is our LAN, then 2 ports which are fast ethernet 2 and 3 plug into 2 firewalls which have network cards with 2 ports, one for the inside which plugs into the 1811 and the other ports go onto the internet with public addresses, hope this helps.

whiteford Sat, 08/04/2007 - 06:50

If the US team don't want to change anything on their router, could I use my spare 1841 router? One port could be the inside and our LAN and the outside could be their 1811. Our 1841 would be Could we then NAT all traffic on the LAN port to be on an IP pool age and route to Then all the US will see is traffic from If so, what would my config be?


