Source Static & Source List

voiper_99
Level 1

Hi guys, I was just wondering what the difference is between the two. As far as I know, the only difference is that source list can be used to define a range of addresses (e.g. an entire subnet), whereas source static will only cover the specified IP address. Is this the only difference?

The reason I ask is that I have seen a config which uses both commands for the one IP address, e.g.:

ip nat inside source list NAT interface GigabitEthernet0/1 overload

ip nat inside source static tcp 10.11.11.1 8080 interface GigabitEthernet0/1 8080

ip access-list standard NAT_LIST

permit 10.11.11.1

Why is it necessary to put the IP as part of a list and a static assignment?

Thanks.


JORGE RODRIGUEZ
Level 10

Hi Will,

As you indicated, the two NAT statements have differences and specific purposes. The "ip nat inside source list NAT interface GigabitEthernet0/1 overload" creates dynamic NAT whereby inside source IP addresses will be translated using the outside Gig0/1 interface IP address. The "interface" is telling the router to use Gig0/1 as its global NAT address. Because your access list only permits 10.11.11.1, this will translate only this host using the Gig0/1 address for outbound connections; if the ACL was "permit 10.11.11.0" it would permit any inside host in the 10.11.11.0 subnet for outbound connections. Also, it is noted that your access-list name NAT_LIST does not match the name in your ip nat source list, "NAT", so I tend to believe the access list is not doing anything and the router is processing dynamic NAT for all your inside hosts to outside.

As for the "ip nat inside source static tcp 10.11.11.1 8080 interface GigabitEthernet0/1 8080", this is for inbound connections: TCP port 8080 redirection to host 10.11.11.1, using the GigabitEthernet0/1 interface as the global NAT outside address to inside host 10.11.11.1. I believe the format of this NAT statement could be used when there is only one public IP address, which in this case is the IP address of the GigabitEthernet0/1 interface as your outside interface, and you want to use this interface to redirect different TCP/UDP port traffic to specific inside hosts using just one global NAT address. You will also need an ACL permitting inbound traffic to host 10.11.11.1 from outside.

HTH

Jorge

Jorge Rodriguez
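The ACL name mismatch pointed out in the answer above is easy to miss by eye, so here is a small config audit as an added example (not code from the thread or from Cisco). It flags `ip nat inside source list` rules that reference an undefined ACL and lists the static port forwards that need an inbound ACL; the function name `audit_nat` and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample: the configuration quoted in the question.
SAMPLE_CONFIG = """\
ip nat inside source list NAT interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.11.11.1 8080 interface GigabitEthernet0/1 8080
ip access-list standard NAT_LIST
 permit 10.11.11.1
"""

NAT_LIST_RE = re.compile(r"^ip nat inside source list (\S+)")
NAMED_ACL_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
NUMBERED_ACL_RE = re.compile(r"^access-list (\d+) ")
STATIC_PAT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (?:interface )?(\S+) (\d+)")


def audit_nat(config: str) -> dict:
    """Find NAT rules pointing at undefined ACLs and list static port forwards."""
    referenced, defined, forwards = [], set(), []
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_LIST_RE.match(line):
            referenced.append(m.group(1))
        elif m := (NAMED_ACL_RE.match(line) or NUMBERED_ACL_RE.match(line)):
            defined.add(m.group(1))
        elif m := STATIC_PAT_RE.match(line):
            proto, local_ip, local_port, outside, global_port = m.groups()
            forwards.append((proto, local_ip, int(local_port),
                             outside, int(global_port)))
    # For each dangling reference, suggest defined ACLs with an overlapping
    # name (NAT vs NAT_LIST is the mismatch noted in the thread).
    dangling = {name: sorted(d for d in defined if name in d or d in name)
                for name in referenced if name not in defined}
    return {"dangling": dangling, "forwards": forwards}


if __name__ == "__main__":
    report = audit_nat(SAMPLE_CONFIG)
    for name, hints in report["dangling"].items():
        print(f"NAT rule references undefined ACL {name!r}; similar: {hints}")
    for proto, ip, lport, outside, gport in report["forwards"]:
        print(f"{proto}/{gport} on {outside} forwards to {ip}:{lport}; "
              "confirm an inbound ACL restricts who can reach it")
```
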

Ahh, I see, just as I thought. So source list is basically NAT, and source static is also NAT but with port forwarding too?

Yes, that is correct. Normally, if one has spare public IP addresses, if we assume this scenario, one would simply write several "ip nat inside source static local_IP global_ip" addresses and create an access list permitting traffic for specific ports, or have ACLs wide open for any TCP/UDP ports inbound.

Rgds

Jorge

Jorge Rodriguez

Excellent, thanks for the info.
