static NAT with two outside interfaces

Dec 19th, 2007

I have a router which performs NAT on two outside interfaces with load balancing, and I had a task to allow inbound connections to be forwarded to a specific host inside on a well-known port.

Here is an example:

interface Fas0/0
 ip nat outside
interface Fas0/1
 ip nat outside
interface Vlan1
 ip nat inside

ip nat inside source route-map rm_isp1 pool pool_isp1
ip nat inside source route-map rm_isp2 pool pool_isp2


All worked fine.

Then I tried to add static NAT:

ip nat inside source static tcp 25 interface Fas0/0 25

ip nat inside source static tcp 25 interface Fas0/1 25

As a result, only the last static NAT line appeared in the config.

The solution was to use the interfaces' IPs instead of names. That helped, but isn't that a bug?

sergey.klusov Tue, 12/25/2007 - 22:14

That didn't work. Load balancing makes the packets coming back exit interfaces based on load balancing, not the state table.

a.velitsky Wed, 07/27/2011 - 22:37

And what about this config?

ip nat inside source static tcp 25 25 extendable

ip nat inside source static tcp 25 25 extendable

lgijssel Thu, 07/28/2011 - 04:24

You will not be able to make this work in such a way that it provides full redundancy.

The router has no means to decide to which interface a packet from must be sent.

The required setup for redundancy is more complex:

You need to host your own range of public IP addresses and peer with at least two providers.

Amit Aneja Sat, 07/30/2011 - 14:37

In this scenario, we are trying to access a mail server located at from outside and we have two outside IPs, let's say, and

With CEF Enabled

Packet comes in to Fa0/0 interface with Source IP 66.x.x.x and Destination IP Our NAT rule translates this to Packet goes to The return packet goes to the LAN interface first and the routing rule is determined *before* the packet is

Packet source IP at this point is and destination is 66.x.x.x. Now, based on CEF, it will go out via Fa0/0 or Fa0/1, irrespective of the way it came in. Because of this, with CEF enabled this will not work. CEF is per-destination.

So, let's say somebody on outside tried to access this server using, then he would expect a reply from which may or may not be true as the traffic could be Nat'd to or

If it gets reply packet from, it should work.

If it gets it from, it will simply drop it as it never sent a packet to

With CEF and Fast Switching Disabled

Same steps as above, only that the packet is sent to the process level to be routed. At this point, the packets will be sent out in a round robin fashion. One packet will go out via the Fa0/0 and the other via the Fa0/0. This will have a constant 50% packet loss and is also not a viable solution.

So, what you are trying to achieve is not possible on a Cisco router.


Amit Aneja
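
An added illustration, not part of the thread or any poster's code: a small Python model of the return-path behaviour described in the post above, for checking the "all or nothing per client" and "constant 50% loss" outcomes. The addresses are constructed documentation-range values, and the CRC32 link choice is only a stand-in for the router's per-destination hash, not Cisco's algorithm.

```python
"""Toy model of the dual-ISP static NAT return-path problem (added example)."""
import zlib

# Constructed sample values (documentation ranges), not taken from the thread.
LINKS = {"Fa0/0": "192.0.2.1", "Fa0/1": "198.51.100.1"}  # interface -> public IP
NAMES = sorted(LINKS)


def per_destination_egress(client_ip):
    """One exit link per destination address. CRC32 is an assumed stand-in
    for the router's real per-destination hash."""
    return NAMES[zlib.crc32(client_ip.encode()) % len(NAMES)]


def per_packet_egress(seq):
    """Process switching as the post describes it: strict round robin."""
    return NAMES[seq % len(NAMES)]


def delivered(ingress, egress):
    """Per the post, the client accepts a reply only from the public address
    it connected to, i.e. when the reply leaves on the ingress link."""
    return LINKS[ingress] == LINKS[egress]


def simulate(client_ip, ingress, packets, mode):
    """Return the fraction of reply packets the client accepts."""
    accepted = 0
    for seq in range(packets):
        if mode == "per-destination":
            egress = per_destination_egress(client_ip)
        else:
            egress = per_packet_egress(seq)
        accepted += delivered(ingress, egress)
    return accepted / packets


if __name__ == "__main__":
    for client in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
        for ingress in NAMES:
            for mode in ("per-destination", "per-packet"):
                rate = simulate(client, ingress, 100, mode)
                print(f"{client} via {ingress} {mode}: {rate:.0%} delivered")
```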

