'ip nat enable' and VRFs

Unanswered Question
Nov 26th, 2007
User Badges:

Hi all,

I'm the sysadmin for a medium sized international enterprise and we have just rolled out a new network which, amongst other components, uses a Cisco 2821 router at our head office and various Cisco 878s at our branch offices connecting via MPLS to the head office server.

At the head office site, we have various servers that are accessed via the external IP of the head office connection and then port-forwarded to the various servers.

The head office network range is and an example of a branch office network is .

The Cisco 2821 has 2 Gigabit ports and 8 FastEthernet ports (all FE ports are part of VLAN 1)

We have the internet connected to GE 0/0, the MPLS connected to GE 0/1 and the local network ( connected to VLAN 1.

I have defined GE 0/0 as 'ip nat outside' and GE 0/1 and VLAN 1 as 'ip nat inside'.

I have then enabled PAT for certain ips/ports. For example, assuming our external IP is, and our internal SMTP server is on, I have added nat/pat rules such as 'ip nat inside source static tcp 25 25 extendable'.

This, as expected, allows me to access the SMTP server from anywhere on the internet via the external IP of the Cisco 2821.

Unfortunately, what does not work, is accessing the external IP/port from the internal network. This means that a request from either the head office network (, or from any branch office (for example, to the external ip/port does not work.

Can this be rectified by using 'ip nat enable' in addition to 'ip nat outside'? or are the two solutions incompatible?

The use of 'ip nat enable' seems not to be as fully documented as the rest of the nat commands so I'm fairly confused as to how compatible it is with other nat commands.

Thanks and regards,

Mike Hughes.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
aghaznavi Mon, 12/03/2007 - 13:41
User Badges:
  • Silver, 250 points or more

Could you paste your running configuration on your head office router?


This Discussion