static NAT query

Apr 12th, 2008

I have a query about the static NAT command.

If the command static (outside,inside) is entered, I believe this is a reverse of the static (inside,outside); in other words the source is changed to whatever is specified in the command.

On this basis the following commands would be incorrect for port forwarding:

static (inside,outside) mask

static (outside,inside) mask

I assume the above would cause an IP conflict, as would be both a host on the internal network and a NAT IP address present on the firewall.

This brings me to my question... how can you NAT your outbound email out on one address; i.e. the mail server internal address is and should be NAT'ed out to, but have any inbound email to forwarded to a different email server on

I am not sure how to do this using static NAT commands on Cisco, as it seems the static (inside,outside) command creates a one-to-one mapping only?

Please help

sundar.palaniappan Sat, 04/12/2008 - 17:05


I am afraid you can't set up NAT to translate two inside hosts to use the same global address for the same ports. I assume both inside hosts use SMTP, one inbound and one outbound.



pengfang Sun, 04/13/2008 - 13:20

Hi Mike,

static (outside,inside) is not simply a reverse of static (inside,outside). One of the most popular usages is to hide an internal private IP behind a public IP from the Internet, which is like your first command "static (inside,outside) mask".

Your second command is used in a rarer scenario:

You want to hide a destination IP from inside users by giving them the IP , so for traffic leaving the outside interface the destination IP will be translated from to

To answer your second question, it can be achieved by policy NAT/PAT. There could be multiple combinations; I give you two examples. The code has not been verified, please test it if you plan to put it in production.

1. static PAT + policy PAT

access-list smtp_outbound permit tcp host any eq smtp

nat (inside) 2 access-list smtp_outbound

global (outside) 2

static (inside,outside) tcp smtp smtp netmask

2. policy static PAT

access-list smtp_outbound permit tcp host any eq smtp

access-list smtp_inbound permit tcp host eq smtp any

static (inside,outside) access-list smtp_outbound

static (inside,outside) access-list smtp_inbound

mikedelafield Mon, 04/14/2008 - 00:14

Thanks, that's excellent.

I was certain this was achievable on my old Checkpoint box, by translating the destination...

Ah well.

mikedelafield Mon, 04/14/2008 - 03:44

I have just checked, and currently on our firewall (which I did not configure) we have the following two sets of static NAT statements:

static (inside,outside) netmask

static (outside,inside) netmask

This seems incorrect to me, as is an internal host which is NAT'ed outbound to

yet the static (outside,inside) command is also hiding to the internal network, as in the NAT translation the other way.

Surely this is incorrect and cannot work?

pengfang Mon, 04/14/2008 - 08:28

Hi , I believe it was wrong for the second "static", because it doesn't make sense when it comes together with the first "static".

Following is a summary of my understanding of the NAT behaviour of "static":

static (real_ifc,mapped_ifc) mapped_ip real_ip

Static NAT is a "bi-directional" NAT, which means traffic can be initiated from both sides of firewall with different security levels when NAT occurs.

1. Traffic ingress interface is "real_ifc", egress interface is "mapped_ifc"

Traffic entering "real_ifc" and leaving "mapped_ifc": source IP "real_ip" will be translated to "mapped_ip" (nat-src); the returned traffic entering "mapped_ifc" and leaving "real_ifc": destination IP "mapped_ip" will be translated to "real_ip" (nat-dst).

2. Traffic ingress interface is "mapped_ifc",egress interface is "real_ifc"

Traffic entering "mapped_ifc" and leaving "real_ifc": destination IP "mapped_ip" will be translated to "real_ip" (nat-dst); the returned traffic entering "real_ifc" and leaving "mapped_ifc": source IP "real_ip" will be translated to "mapped_ip" (nat-src).



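The two "static" cases pengfang summarises above, combined with the static PAT plus policy PAT approach from his example 1 (outbound SMTP from one inside host PAT'ed to the global address, inbound SMTP to that address forwarded to a different inside host), as an added Python model that is not part of this thread. The interface names, hosts, the ordering "first match wins, statics before nat/global" and the ephemeral source port are my assumptions, and every address is a constructed placeholder.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    in_ifc: str
    out_ifc: str
    src: str
    dst: str
    dport: int          # TCP destination port; 25 = smtp
    sport: int = 40000  # constructed ephemeral source port

@dataclass(frozen=True)
class Static:
    """static (real_ifc,mapped_ifc) [tcp] mapped_ip [port] real_ip [port] netmask ..."""
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    real_ip: str
    port: Optional[int] = None  # None: plain static NAT; set: static PAT

@dataclass(frozen=True)
class PolicyPat:
    """nat (real_ifc) N access-list X / global (mapped_ifc) N pat_ip; X = 'permit tcp host <src_host> any eq <dport>'."""
    real_ifc: str
    mapped_ifc: str
    src_host: str
    dport: int
    pat_ip: str

def apply_static(p: Packet, s: Static) -> Optional[Packet]:
    path = (p.in_ifc, p.out_ifc)
    # Case 1 of pengfang's summary: real -> mapped rewrites the source (nat-src).
    if path == (s.real_ifc, s.mapped_ifc) and p.src == s.real_ip and s.port in (None, p.sport):
        return replace(p, src=s.mapped_ip)
    # Case 2: mapped -> real rewrites the destination (nat-dst).
    if path == (s.mapped_ifc, s.real_ifc) and p.dst == s.mapped_ip and s.port in (None, p.dport):
        return replace(p, dst=s.real_ip)
    return None

def apply_policy_pat(p: Packet, r: PolicyPat) -> Optional[Packet]:
    # Policy PAT is one-way: only ACL-matched connections initiated on the real side.
    if (p.in_ifc, p.out_ifc) == (r.real_ifc, r.mapped_ifc) and p.src == r.src_host and p.dport == r.dport:
        return replace(p, src=r.pat_ip)
    return None

def translate(p: Packet, statics, policies) -> Packet:
    """First match wins; static entries are consulted before nat/global (assumption)."""
    hits = [t for s in statics if (t := apply_static(p, s))]
    hits += [t for r in policies if (t := apply_policy_pat(p, r))]
    return hits[0] if hits else p  # untranslated when nothing matches
```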