NAT Concept

Unanswered Question
Nov 15th, 2007

Hi All

I would like to check whether my NAT config is going to work well. Also, I'm not sure if this config is Source NAT (or) Destination NAT.

If someone can shed some light on this, that will be appreciated. Hope my explanation below will be good enough to understand the network topology.

Here's the scenario:

The actual server IP range is

Customer is trying to access 2 web servers(, network-

Snapshot of the config is given below:

Router has 2 FE interfaces:

interface FastEthernet0/0

ip address

ip nat inside


interface FastEthernet0/1

ip address

ip nat outside

ip nat inside source static

ip nat inside source static


JORGE RODRIGUEZ Thu, 11/15/2007 - 19:23

Hi Beno,

You have as your "ip nat inside interface", meaning a segment in your inside network where your local servers reside, for network (not ), and as "ip nat outside", meaning the outside interface where the customer will be coming through for inbound connections to get to web servers on and 69. This will not work. What interface is routing network where your servers & 69 are? If you have an interface routing place "ip nat inside" statement in that interface and your current static NAT will work, along with an access list to permit inbound traffic.


access-list 101 permit ip host Custumer_IP log

access-list 101 permit ip host Custumer_IP log

apply acl to interface for

interface fe0/2

ip access-group 101 in



bjacob1976 Thu, 11/15/2007 - 19:52

Hi Jorge,

Thanks for your comments.

My config is working fine. But I should have explained a bit more of the network topology.


Router doing NAT is connected to a firewall which has 2 ports for these networks and in separate Vlans: servers range)

Both these networks can talk to each other.

Firewall has got a static route( pointing to Router's Fastethernet 0/0 []

Of course the Router has got a default route pointing to the VIP of network

Anyway thanks very much for your help


JORGE RODRIGUEZ Thu, 11/15/2007 - 21:19

Sorry Beno, I should have read your initial question carefully and/or asked about your topology, thinking you were dealing with a single device. That's what happens when reading fast.

On your initial question, your configuration is considered a source NAT.

I quote from a link

"Destination-based NATing uses route maps to determine which IP address each IP session is translated to based on routing reachability of the destination IP host. The dynamic translation command can now specify a route map to be processed instead of an access list. A route map allows the user to match any combination of access list, next-hop IP address, and output interface to determine which pool to use."

Example of destination NAT


Also, even though my previous post is useless because I was thinking that was a single device, I am obligated to correct something: the statement "ip access-group 101 in" should be applied on the interface with "ip nat outside".



