NAT - how to change destination address and port?

franklaszlo Wed, 03/19/2008 - 07:30

Hi !

For instance :

ip nat inside source static tcp 80 8080 extendable



franklaszlo Wed, 03/19/2008 - 07:53

Sorry, I may not clearly understand your network setup, because it seems to me that your proxy server is on the same network as your hosts whose traffic you want to redirect, is it not ?

franklaszlo Wed, 03/19/2008 - 08:07

Well, as far as I know, this is not possible.

NAT always works between interfaces designated as inside and outside, and is able to translate between different networks.


franklaszlo Wed, 03/19/2008 - 08:39

So you want to redirect all traffic destined to specific ports but any ip address, to a specific ip address and a specific /squid/ port ?

First I thought PBR would help, but it will not change the destination IP.

What you want to do, is rather a proxy functionality, and I do not think a router would do that.

It is an interesting question and I am still thinking on it, but for now I do not have any idea.

alig.norbert Thu, 07/24/2008 - 09:03


Have you found a solution? I'm looking for the same workaround.



dhananjoy chowdhury Thu, 07/24/2008 - 09:40


What if we create subinterfaces on the inside interface ?

f0/0.1 - VLAN 10 - - your inside LAN

f0/0.2 - VLAN 20 - - NW in which your Squid proxy resides

dhananjoy chowdhury Thu, 07/24/2008 - 11:19

create subinterfaces on the inside interface....

f0/0.1 - VLAN 10 - - your inside LAN

f0/0.2 - VLAN 20 - - NW in which your Squid proxy resides

Configure the Squid proxy with 2 instances, one listening on port 80 and the other instance listening on port 443.

Now use a route map to forward port 80 requests to the Squid proxy on port 80

and forward port 443 requests to Squid on port 443

alig.norbert Thu, 07/24/2008 - 12:30


Can this Linux sample somehow be configured on an ASA or IOS router?

At least it should work for the squid-box. Route-map (port 80) -> squid (port 80) -> iptables -> squid (port 8080)


There is a specialized case of Destination NAT called redirection: it is a simple convenience which is exactly equivalent to doing DNAT to the address of the incoming interface.

## Send incoming port-80 web traffic to our squid (transparent) proxy
# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
        -j REDIRECT --to-port 8080
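The equivalence quoted in the last post, written out as an added example that is not part of the thread: the REDIRECT rule for the Squid box next to the DNAT rule it stands for. The interface name eth1, port 8080 and the address 192.0.2.1 are assumed sample values, and the script only prints the rules so they can be reviewed before anything is installed.

```shell
#!/bin/sh
# Added example, not from the thread. Prints iptables rules; installs nothing.
# Assumed values: eth1 faces the clients, Squid intercepts on port 8080.

# Accept only decimal TCP port numbers in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Accept only plain interface names (letters, digits, '.', '_', '-').
valid_iface() {
    case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# First IPv4 address of an interface; needs iproute2, not used by the demo below.
iface_addr() {
    ip -4 -o addr show dev "$1" | awk '{ split($4, a, "/"); print a[1]; exit }'
}

# REDIRECT form. Usage: redirect_rule IFACE DPORT PROXY_PORT
redirect_rule() {
    valid_iface "$1" && valid_port "$2" && valid_port "$3" || return 1
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j REDIRECT --to-ports %s\n' \
        "$1" "$2" "$3"
}

# Equivalent explicit DNAT to the incoming interface's own address.
# Usage: dnat_rule IFACE DPORT IFACE_ADDR PROXY_PORT
dnat_rule() {
    valid_iface "$1" && valid_port "$2" && valid_port "$4" || return 1
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$1" "$2" "$3" "$4"
}

# Demo with a constructed address; on a real box use "$(iface_addr eth1)".
redirect_rule eth1 80 8080
dnat_rule eth1 80 192.0.2.1 8080
```

Install only one of the two printed rules: both match the same packets, so the second would never be reached.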


