Source Static & Source List

Answered Question
Oct 21st, 2007

Hi guys, I was just wondering what is the difference between the two. As far as I know, the only difference is that source list can be used to define a range of addresses (e.g. an entire subnet) whereas source static will only cover the specified IP address. Is this the only difference?

The reason why I ask is because I have seen a config which uses both commands for the one IP address. E.g.

ip nat inside source list NAT interface GigabitEthernet0/1 overload

ip nat inside source static tcp 10.11.11.1 8080 interface GigabitEthernet0/1 8080

ip access-list standard NAT_LIST

permit 10.11.11.1

Why is it necessary to put the IP as part of a list and a static assignment?

Thanks.

JORGE RODRIGUEZ Sun, 10/21/2007 - 19:23

Hi Will,

As you indicated, the two NAT statements have differences and specific purposes. The “ip nat inside source list NAT interface GigabitEthernet0/1 overload” creates dynamic NAT whereby inside source IP addresses will be translated using the outside gig0/1 interface IP address. The “interface” is telling the router to use Gig0/1 as its global NAT address. Because your access list only permits 10.11.11.1, this will translate only this host using the gig0/1 address for outbound connections; if the ACL was “permit 10.11.11.0” it would permit any inside host in the 10.11.11.0 subnet for outbound connections. Also, it is noted that your access-list name NAT_LIST does not match the name in your ip nat source list, “NAT”, so I tend to believe the access list is not doing anything and the router is processing dynamic NAT for all your inside hosts to outside.

As for the "ip nat inside source static tcp 10.11.11.1 8080 interface GigabitEthernet0/1 8080", this is for inbound connections: TCP port 8080 redirection to host 10.11.11.1, using the GigabitEthernet0/1 interface as the global NAT outside address to inside host 10.11.11.1. I believe the format of this NAT statement could be used when there is only one public IP address, which in this case is the IP address of the GigabitEthernet0/1 interface as your outside interface, and you want to use this interface to redirect different TCP/UDP port traffic to specific inside hosts using just one global NAT address. You will also need an ACL permitting inbound traffic to host 10.11.11.1 from outside.

HTH

Jorge

voiper_99 Sun, 10/21/2007 - 19:37

Ahh, I see, just as I thought. So source list is basically NAT and source static is also NAT but with port forwarding too?

Correct Answer
JORGE RODRIGUEZ Sun, 10/21/2007 - 20:33

Yes, that is correct. Normally, if one has spare public IP addresses, if we assume this scenario, one would simply write several "ip nat inside source static local_IP global_ip" addresses and create an access list permitting traffic for specific ports, or have ACLs wide open for any TCP/UDP ports inbound.

Rgds

Jorge
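
A static check for the ACL name mismatch pointed out in the first reply, which also lists the static port forwards that need a matching inbound ACL. This is an added example, not part of the thread; the function name audit_nat is hypothetical and the sample config is constructed from the lines quoted in the question.

```python
import re

# Constructed sample: the config lines quoted in the question.
SAMPLE_CONFIG = """\
ip nat inside source list NAT interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.11.11.1 8080 interface GigabitEthernet0/1 8080
ip access-list standard NAT_LIST
 permit 10.11.11.1
"""

# ACL name or number referenced by a dynamic NAT/PAT rule.
NAT_LIST_RE = re.compile(r"^ip nat inside source list (\S+) ", re.M)
# Static port forward: protocol, inside host and port, global side and port.
NAT_STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (?:interface )?(\S+) (\d+)",
    re.M,
)
NAMED_ACL_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)", re.M)
NUMBERED_ACL_RE = re.compile(r"^access-list (\d+) ", re.M)


def audit_nat(config):
    """Report NAT rules that name an ACL the config never defines,
    ACLs no NAT rule references, and every static port forward."""
    defined = set(NAMED_ACL_RE.findall(config)) | set(NUMBERED_ACL_RE.findall(config))
    referenced = set(NAT_LIST_RE.findall(config))
    forwards = [
        (proto, host, int(lport), outside, int(gport))
        for proto, host, lport, outside, gport in NAT_STATIC_RE.findall(config)
    ]
    return {
        # Names used by "source list" with no matching access-list definition.
        "undefined_acl_refs": sorted(referenced - defined),
        # Defined ACLs no NAT rule points at (they may still be used elsewhere).
        "acls_not_used_by_nat": sorted(defined - referenced),
        # Inside hosts reachable from outside; each needs a reviewed inbound ACL.
        "port_forwards": forwards,
    }


if __name__ == "__main__":
    for key, value in audit_nat(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```
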
