NAT before routing??? Confused

Oct 15th, 2007

I have a 2800 series router running c2801-advsecurityk9-mz.124-10.bin. This is the internet-facing router. We have an overload statement for internet users on the interface, and a static NAT for a server on the internet. If any of the internal networks over VPN, GRE, or T1 behind this router try to connect to the internal server IP address for whatever reason, the server then responds and the router sends that traffic out to the internet vs. taking the routing path back to the destination host on the internal networks. This doesn't make sense to me. What am I missing here?

Here is an example: if I try to telnet to TCP 3389 on the internal server IP address of from remote over the GRE tunnel using router source IP of , it puts it into the NAT table and out to the internet vs. taking the path back thru the GRE tunnel to the remote network. What am I missing?

r.lamesa#sho ip nat trans | inclu 3389
tcp ---

r.lamesa#sho ip route
Routing entry for
Known via "eigrp 600", distance 90, metric 235402496, type internal
Redistributing via eigrp 600
Last update from on Tunnel1, 14:41:02 ago
Routing Descriptor Blocks:
*, from, 14:41:02 ago, via Tunnel1
Route metric is 235402496, traffic share count is 1
Total delay is 9000100 microseconds, minimum bandwidth is 512 Kbit
Reliability 255/255, minimum MTU 1476 bytes
Loading 1/255, Hops 1


Edison Ortiz Mon, 10/15/2007 - 16:26

It's doing what it's told: you have an ip nat outside on Tunnel1. As packets exit that interface, they will be NAT'd according to the ip nat inside statement.

lamav Mon, 10/15/2007 - 17:36

Maybe I am misunderstanding what you are trying to say, since there is no accompanying diagram. But in the title of your post you mention an order of operations concern -- or so it seems.

When a packet is received on the INSIDE NAT interface of a router, it is routed first and then the NAT operation occurs.

On the other hand, when a packet is received on the OUTSIDE NAT interface, it is NAT'ed first and then routed. This is why you can do a PAT overload to an OUTSIDE interface only.

Did that help you?
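
Edison's and lamav's replies describe the same rule from two sides: a packet arriving on a NAT inside interface is routed first, and is then translated only if the interface it is about to leave through is a NAT outside interface (Tunnel1 included, since it carries ip nat outside); a packet arriving on a NAT outside interface is translated first and then routed. The Python model below is an added example, not code from the thread or from Cisco, that walks both paths over a constructed topology. The interface names, prefixes, addresses and ACL are assumptions; so is the usual remedy it shows, an ACL deny for site-to-site traffic in the ip nat inside source list (and, for the static entry, the same ACL applied through the route-map option), which the posters did not state.

```python
"""Toy model of the IOS NAT order of operations described in the thread.

Constructed example: the interface names, prefixes, addresses and ACL below
are assumptions, not the poster's configuration.
"""
import ipaddress
from dataclasses import dataclass

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address

# Interface -> NAT role.  Tunnel1 carries "ip nat outside", the detail the
# thread turns on: anything leaving it is eligible for inside->outside NAT.
NAT_ROLE = {
    "FastEthernet0/0": "inside",    # LAN holding the server
    "FastEthernet0/1": "outside",   # internet-facing interface
    "Tunnel1": "outside",           # GRE tunnel to the remote site
}

# Routing table (prefix -> egress interface); longest match wins.
ROUTES = {
    IPNet("10.0.0.0/24"): "FastEthernet0/0",
    IPNet("10.20.0.0/24"): "Tunnel1",          # remote site behind GRE
    IPNet("0.0.0.0/0"): "FastEthernet0/1",     # default route to the internet
}

OVERLOAD_GLOBAL = IPAddr("203.0.113.1")   # FastEthernet0/1 address (overload)
SERVER_LOCAL = IPAddr("10.0.0.10")
SERVER_GLOBAL = IPAddr("203.0.113.10")    # static NAT for the server

# "ip nat inside source list" ACL as (action, source net, destination net).
# NAT_ACL_ORIGINAL reproduces the poster's situation; NAT_ACL_FIXED adds a
# deny for site-to-site traffic so it is routed but never translated.
# Assumption: the static entry is gated by the same ACL via its route-map
# option; a plain static entry translates on every NAT outside interface.
NAT_ACL_ORIGINAL = [("permit", IPNet("10.0.0.0/8"), IPNet("0.0.0.0/0"))]
NAT_ACL_FIXED = [
    ("deny", IPNet("10.0.0.0/8"), IPNet("10.20.0.0/24")),
    ("permit", IPNet("10.0.0.0/8"), IPNet("0.0.0.0/0")),
]


@dataclass(frozen=True)
class Packet:
    src: IPAddr
    dst: IPAddr


def route(dst: IPAddr) -> str:
    """Longest-prefix-match lookup returning the egress interface."""
    matches = [net for net in ROUTES if dst in net]
    return ROUTES[max(matches, key=lambda net: net.prefixlen)]


def acl_permits(acl, pkt: Packet) -> bool:
    """First matching entry decides; no match is an implicit deny."""
    for action, src_net, dst_net in acl:
        if pkt.src in src_net and pkt.dst in dst_net:
            return action == "permit"
    return False


def forward(pkt: Packet, ingress: str, acl=None) -> tuple:
    """Return (egress interface, packet as it leaves the router)."""
    if NAT_ROLE[ingress] == "inside":
        # Inside -> outside: route FIRST, then translate the source only if
        # the chosen egress is a NAT outside interface and the ACL matches.
        egress = route(pkt.dst)
        if NAT_ROLE[egress] == "outside" and acl_permits(acl or [], pkt):
            new_src = SERVER_GLOBAL if pkt.src == SERVER_LOCAL else OVERLOAD_GLOBAL
            return egress, Packet(new_src, pkt.dst)
        return egress, pkt
    # Outside -> inside: translate the destination FIRST (only the static
    # entry is modelled here), then route on the translated address.
    if pkt.dst == SERVER_GLOBAL:
        pkt = Packet(pkt.src, SERVER_LOCAL)
    return route(pkt.dst), pkt


def server_reply_to_remote_site(acl):
    """Server answers a host at the GRE-connected site: (egress, source seen)."""
    egress, out = forward(Packet(SERVER_LOCAL, IPAddr("10.20.0.5")), "FastEthernet0/0", acl)
    return egress, str(out.src)


def lan_host_to_internet(acl):
    """A LAN host reaches an internet address: (egress, source seen)."""
    egress, out = forward(Packet(IPAddr("10.0.0.20"), IPAddr("198.51.100.7")), "FastEthernet0/0", acl)
    return egress, str(out.src)


def internet_to_server():
    """An internet client hits the server's global address: (egress, destination)."""
    egress, out = forward(Packet(IPAddr("198.51.100.7"), SERVER_GLOBAL), "FastEthernet0/1")
    return egress, str(out.dst)


if __name__ == "__main__":
    print("reply over tunnel, original ACL:", server_reply_to_remote_site(NAT_ACL_ORIGINAL))
    print("reply over tunnel, fixed ACL:   ", server_reply_to_remote_site(NAT_ACL_FIXED))
    print("LAN host to internet, fixed ACL:", lan_host_to_internet(NAT_ACL_FIXED))
    print("internet to server:             ", internet_to_server())
```

With the original ACL the server's reply is still routed correctly into Tunnel1, but because Tunnel1 is a NAT outside interface the source is rewritten to the static global address on the way out, which is the translation entry the poster saw. The deny entry stops the rewrite without touching routing, while internet-bound traffic is still overloaded and inbound traffic to the global address is still translated before the route lookup.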

KAROLY KOHEGYI Mon, 11/05/2007 - 03:08

Hi Edison!

I made a config based on the link below.

I use 12.4.1 and NAT was on one side only.

It was not working because the NAT entry was not created in the router when traffic arrived from outside. Based on your response (which was extremely helpful) I put the nat outside on the tunnel interface.

It is working now.

Please give a short description or a link which shows why the example config was wrong. What is the order of processing when I use crypto, NAT, and GRE?

Maybe the IOS behavior was changed?

Thanks in advance
