Cisco 831 Source and Destination NAT

Unanswered Question
Jan 27th, 2008

I've got a problem dealing with Cisco-NAT.

I've a device which is reachable on the IP, with no route set. For some reason I can't change this setting nor set a route.

I've tried to set up a Cisco 831 with source- and destination-NAT, so the SA gets translated to the pool and the DA to

The WAN Net of the Cisco is

The Cisco is configured as follows:

interface Ethernet0
 description "LAN"
 ip address
 ip nat inside

interface Ethernet1
 description "WAN"
 ip address
 ip nat outside

ip route

ip nat pool apipa-pool netmask
ip nat inside source static
ip nat outside source list 1 pool apipa-pool

access-list 1 permit
access-list 1 remark "The Network where the clients reside"

When I now start telnet on my Host, it just hangs:

xxx@host:~> telnet


On the target device, the debugging looks like the following lines:

01/23/2008-15:04:02:IP-FILTER: I:PROTO 6 (TCP) pkt from
01/23/2008-15:04:02:IP-FILTER: to accepted, SYN Flag
01/23/2008-15:04:02:IP-FILTER: O:PROTO 6 (TCP) pkt from
01/23/2008-15:04:02:IP-FILTER: to accepted, SYN/ACK Fls

So the packets are sent correctly and get answered.

Debugging on the Cisco 831 looks like this:

fritz#debug ip nat detailed
IP NAT detailed debugging is on
fritz#debug ip packet detail
IP packet debugging is on (detailed)
*Mar 1 11:21:32.019: NAT*: o: tcp (, 1993) -> (, 23) [4363]
*Mar 1 11:21:32.019: NAT*: o: tcp (, 1993) -> (, 23) [4363]
*Mar 1 11:21:32.019: NAT*: s=>, d= [4363] <===== OK!
*Mar 1 11:21:32.019: NAT*: s=, d=> [4363] <===== OK!
*Mar 1 11:21:32.019: NAT: installing alias for address
*Mar 1 11:21:32.027: IP: tableid=0, s= (Ethernet0), d= (Ethernet0), routed via RIB
*Mar 1 11:21:32.031: IP: s= (Ethernet0), d= (Ethernet0), len 44, rcvd 3
*Mar 1 11:21:32.031: TCP src=23, dst=1993, seq=1298156341, ack=1465516680, win=4096 ACK SYN
*Mar 1 11:21:32.031: IP: tableid=0, s= (local), d= (Ethernet0), routed via FIB
*Mar 1 11:21:32.035: IP: s= (local), d= (Ethernet0), len 40, sending
*Mar 1 11:21:32.035: TCP src=1993, dst=23, seq=1465516680, ack=0, win=0 RST

NAT Table:

fritz#show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- --- ---
--- --- ---

I don't know what's wrong. It looks like the answers are not noticed at all on the Cisco router, and don't get routed or NATted. Why not?

IOS is c831-k9o3sy6-mz.124-18.bin.

Any help is greatly appreciated.



Edison Ortiz Sun, 01/27/2008 - 16:08

What do you mean by "no route set" on device

Do you mean you are unable to set a default gateway to Because you need to in order for this device to know that to get to the internet, packets must go to

What you are experiencing is a network with Windows machines and no DHCP available. When a machine boots up and DHCP is unavailable, it automatically addresses itself in the subnet.

You need to create a DHCP server on that LAN and change the IP address on the router's LAN interface.

If it's a small LAN, go with a class C address such as On the router LAN interface, assign and create a DHCP scope for that subnet. Make sure the default gateway on that scope is set to

Change the NAT pool on the router and then you should be able to connect to the internet, it's that simple.




Jens Bretschneider Mon, 01/28/2008 - 02:19

I can't change the IP on that device and I can't add a route or a default gateway on that device.

It is NOT a Windows PC. I know that a Windows PC uses APIPA addresses too when no DHCP is available, but that's not the point here.

Edison Ortiz Mon, 01/28/2008 - 06:45

The point is, you don't get routed nor natted from the host.

The host does not have a default gateway.

You are unable to set a default gateway because the IP addressing scheme used does not allow you to do that.

Did you force the IP address on those devices or were they automatically self-assigned? I'm assuming it's self-assigned due to the inability to set a default gateway.

If you are unable to set the default gateway, how is the host supposed to know to use your router as the exit point of your network?

Makes sense?



Jens Bretschneider Mon, 01/28/2008 - 06:53

Did you really read my first message?

The Cisco has an IP pool in the same 169.254.x.x subnet and should renumber the SA to this pool, so no gateway is needed.

