Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

source ip for outgoing traffic

Unanswered Question
Mar 15th, 2008
User Badges:


i have a 2821 hooked up to my isp and my lan. the isp interface is configured with a ip only routed inside the isp network. the inside ip is routed worldwide. now when i try to connect to a network outside the isp directly from the router the package get dropped at the isp border router.

can i tell the ios to use insides interface ip for source ip of outgoing connection? normaly you dont need that but i have a webvpn running on the box and no outside http servers are reachable because of that.

any hints, regards Martin

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Joseph W. Doherty Sat, 03/15/2008 - 08:17
User Badges:
  • Super Bronze, 10000 points or more

If you mean you want to do something like ping from the router itself, you can specify a different address or interface for the source IP.

If you mean you have devices behind your router, and their addresses aren't valid, you'll need to activate NAT.

m.hierling Sun, 03/16/2008 - 04:11
User Badges:

i want to initiate traffic from the router itself. not the networks behind the router, they are working well.

i know that i can choose the source address while using the ping command. but other traffic initiated by the router, in my case webvpn, should also have the inside ip as source addresse.

Basically it looks like this:

inet -> provider -[transfernet] -> my router -> my lan

My webvpn is running on inside interface, when a client connects from the internet and initiates a http connection to the internet my router uses the outside ip as source address. but the transfernetwork is only routed inside the provider backbone. so the packages get dropped at the edge. my lan networks are routed propper, also from the internet.


Joseph W. Doherty Sun, 03/16/2008 - 05:38
User Badges:
  • Super Bronze, 10000 points or more

Think I understand. Your problem is webvpn not permitting Internet traffic to work correctly to the remote client (bouncing off your internal network). I'm unfamiliar with webvpn, but its solution might be allowance of split tunneling from the remote host. However, I can see reasons for doing what you want, such as additional security to/from the Internet.

Again, unfamiliar with webvpn. If I've stated the problem correctly, and no one else responds on this forum, you might try a post in the VPN forum.



Some other traffic types, from the router, can be told to have a specified source address.


ip ftp source-interface


cisco24x7 Sun, 03/16/2008 - 06:17
User Badges:
  • Silver, 250 points or more

I think I can help with this. assuming

on your router, F0/0 is the ouside interface

and F0/1 is the inside interface. Here

we go:

int F0/1

ip address

ip nat inside

int F0/0

ip address

ip nat outside

ip nat inside source static tcp 80 interface FastEthernet0/0 80

ip nat inside source static tcp 443 interface FastEthernet0/0 443

Now Internet users will hit the outside

router IP and then router will translate

it into the internal IP.

Keep in mind that these things are designed

to work with hosts that sit behind the

router, NOT something that designs

to nat the outside ip of the router to

inside ip of the router, but you can

give that a try and see it its works for you.

CCIE Security

m.hierling Sun, 03/16/2008 - 08:18
User Badges:

thanks for pointing out the direction, but i didnt get it 100%. can we play this through with real values:

! Inside / officaly routed ip network

int gi 0/0

ip address

ip address secondary

! Outside / network to provider, only routed inside provider network

int gi 0/1

ip address

ip route

Webvpn is running on

Connections initiated from the router to outside should be rewritten to while leaving int gi0/1.


cisco24x7 Sun, 03/16/2008 - 08:29
User Badges:
  • Silver, 250 points or more

"Connections initiated from the router to outside should be rewritten to while leaving int gi0/1."

Who is the one initiating the connection first?

Must be some users over the internet right?

For example, user(s) come from hitting ip on port 80/443? is that a

a correct assumption?

If the router is the one initiates connection

first, then I don't think it is possible.

m.hierling Sun, 03/16/2008 - 08:50
User Badges:

A Client on the internet authenticates at webvpn running on 112.229. Requesting a website, the router gets the website from over his outside interface and delivers the page to the client on the internet. Some sort of proxy. The router is the client for the webserver, initiating the connection to the webserver, rewriting the http content and sends it to to the client.

the client ip has not to be modified, it is the routers ip address while getting the http content from the internet.



This Discussion