Query on NAT

Unanswered Question
Sep 17th, 2008


Can you advise what the problem is with this configuration? I am trying to NAT an external IP from the internet to another IP on the firewall.

Here's the configuration

access-list vpn permit ip host host

access-list nonat permit ip any any

nat (outside) 0 access-list nonat outside 0 0

nat (outside) 1 access-list vpn outside 0 0

global (inside) 1 netmask



Fernando_Meza Wed, 09/17/2008 - 15:26

Hi ..

I am not too sure what you are trying to achieve .. If you want to do a one-to-one mapping and allow inbound traffic from the internet, then you need something like this ..

static (inside,outside) netmask

access-list outside-in permit any host eq

access-group outside-in in interface outside


Global IP address: is the address you want the Internet users to connect to.

Local IP address: is the real address used on the server's NIC

The above lines will allow inbound access from the Internet to the Global IP address using the required ports.

I hope it helps .. please rate helpful posts

pokwan Wed, 09/17/2008 - 15:39


What you have is natting an outbound IP Address to another IP Address as it traverses from inside to outside.

What I wanted to do is to NAT an inbound IP (from the internet) to an internal IP address as the traffic comes in from the outside interface. Instead of using the actual IP, I want the IP to change to another IP as it traverses the network as permitted.



husycisco Thu, 09/18/2008 - 00:14

Hello Poh-Fun,

nat (outside) 0 access-list nonat outside 0 0

With the command above, you tell the router not to NAT any traffic as it traverses from outside to inside. It is "any" traffic, so your desired traffic will never ever reach the "nat (outside) 1 access-list vpn outside 0 0" and get translated. Remove the "nat (outside) 0 access-list nonat outside 0 0" command, and use a /32 subnet mask in the global statement.


global (inside) 1 netmask

pokwan Thu, 09/18/2008 - 17:40


Thanks very much for your reply. If I remove the statement nat (outside) 0 access-list nonat outside 0 0, other outside users will not be able to access the inside network.

Will it make a difference if I have

nat (outside) 0 outside in place of nat (outside) 0 access-list nonat outside ?



husycisco Fri, 09/19/2008 - 03:20


Hmm, try adding the following statement as the first line (!) of the nonat ACL

access-list nonat line 1 deny ip host host
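
The two replies above both rest on the order in which a PIX/FWSM (pre-8.3 style NAT) evaluates outside NAT for a packet arriving on the outside interface: NAT exemption (nat 0 access-list) is checked first, and only traffic it does not exempt goes on to policy NAT (nat 1 access-list) and its global pool. The small simulator below is an added example, not code from the original thread or from Cisco; it models that evaluation order with first-match ACLs and constructed documentation-range addresses (198.51.100.x for internet clients, 192.0.2.133 for the VPN target, 192.0.2.200 as the global address) so you can see why "permit ip any any" in nonat swallows the VPN flow, what removing nat 0 does to everyone else, and what the "deny ... line 1" fix is meant to achieve. Whether a "no-rule" outcome means the packet is dropped or passed untranslated depends on nat-control, which the thread does not show.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample addresses (RFC 5737 documentation ranges), not from the thread.
EXT_CLIENT   = "198.51.100.10"   # the external IP the poster wants translated
OTHER_CLIENT = "198.51.100.77"   # any other internet user
VPN_TARGET   = "192.0.2.133"     # inside host the vpn ACL matches on
INSIDE_SRV   = "192.0.2.50"      # some other inside server
GLOBAL_IP    = "192.0.2.200"     # global (inside) 1 GLOBAL_IP netmask 255.255.255.255


@dataclass(frozen=True)
class Ace:
    """One access-list entry: 'permit'/'deny' ip <src> <dst>, 'any' or a host."""
    action: str
    src: str
    dst: str

    def matches(self, src: str, dst: str) -> bool:
        return self.src in ("any", src) and self.dst in ("any", dst)


def acl_permits(acl: List[Ace], src: str, dst: str) -> bool:
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for ace in acl:
        if ace.matches(src, dst):
            return ace.action == "permit"
    return False


@dataclass
class OutsideNat:
    exempt_acl: Optional[List[Ace]]   # nat (outside) 0 access-list <exempt_acl> outside
    policy_acl: List[Ace]             # nat (outside) 1 access-list <policy_acl> outside
    global_ip: str                    # global (inside) 1 <global_ip> netmask 255.255.255.255


def translate_inbound(cfg: OutsideNat, src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Source address the inside network sees for an outside->inside packet.

    Order modelled: NAT exemption first, then policy NAT, else no matching rule.
    """
    if cfg.exempt_acl is not None and acl_permits(cfg.exempt_acl, src, dst):
        return ("exempt", src)                # identity: passes with its real IP
    if acl_permits(cfg.policy_acl, src, dst):
        return ("policy-nat", cfg.global_ip)  # translated to the global address
    return ("no-rule", None)                  # dropped or untranslated, per nat-control


VPN_ACL = [Ace("permit", "any", VPN_TARGET)]  # mirrors "permit ip any host <vpn>"


def run_scenarios() -> dict:
    """Three configurations discussed in the thread, evaluated on the same flows."""
    original = OutsideNat([Ace("permit", "any", "any")], VPN_ACL, GLOBAL_IP)
    no_nat0 = OutsideNat(None, VPN_ACL, GLOBAL_IP)
    deny_first = OutsideNat(
        [Ace("deny", EXT_CLIENT, VPN_TARGET), Ace("permit", "any", "any")],
        VPN_ACL, GLOBAL_IP)
    return {
        # nonat "permit ip any any" exempts the VPN flow before nat 1 is consulted
        "original/ext->vpn":     translate_inbound(original, EXT_CLIENT, VPN_TARGET),
        # without nat 0 the VPN flow translates, but everyone else has no rule
        "no_nat0/ext->vpn":      translate_inbound(no_nat0, EXT_CLIENT, VPN_TARGET),
        "no_nat0/other->srv":    translate_inbound(no_nat0, OTHER_CLIENT, INSIDE_SRV),
        # a specific deny at line 1 carves one flow out of the exemption
        "deny_first/ext->vpn":   translate_inbound(deny_first, EXT_CLIENT, VPN_TARGET),
        "deny_first/other->vpn": translate_inbound(deny_first, OTHER_CLIENT, VPN_TARGET),
        "deny_first/other->srv": translate_inbound(deny_first, OTHER_CLIENT, INSIDE_SRV),
    }


if __name__ == "__main__":
    for flow, (rule, seen_as) in run_scenarios().items():
        print(f"{flow:24s} {rule:11s} inside sees source {seen_as}")
```

The deny-first scenario is the intended behaviour of the line suggested above; the later reply in this thread reports that it did not work on the poster's FWSM, so treat the simulator as a statement of the rule ordering, not as proof that a given platform honours it.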

pokwan Sun, 09/21/2008 - 14:53


I have tried that before and it makes no difference. Removing the statement nat (outside) 0 ... for some reason worked once for some websites. So I removed the statement and re-entered it again and it didn't work at all... external users cannot access anything on the internal network except for the IP I have translated.

I have something similar on the PIX firewall (the above problem was on an FWSM) and it works. Here's the config

PIX# sh run | inc nat

nat (outside) 0 access-list nonat outside

nat (outside) 1 access-list vpn outside 0 0

PIX# sh run | inc global

global (inside) 1

PIX# sh access-list nonat

access-list nonat; 18 elements

access-list nonat line 1 permit ip any host 202.n.n.150 (hitcnt=53004045)

access-list nonat line 2 permit ip any host 202.n.n.152 (hitcnt=16913986)

access-list nonat line 3 permit ip any host 202.n.n.159 (hitcnt=2182759)

access-list nonat line 4 permit ip any host 202.n.n.160 (hitcnt=43935)

access-list nonat line 5 permit ip any host 202.n.n.161 (hitcnt=5868)

access-list nonat line 6 permit ip any host 202.n.n.163 (hitcnt=3024526)

access-list nonat line 7 permit ip any host 202.n.n.164 (hitcnt=16284)

access-list nonat line 8 permit ip any host 202.n.n.166 (hitcnt=348659)

access-list nonat line 9 permit ip any host 202.n.n.167 (hitcnt=9113)

access-list nonat line 10 permit ip any host 202.n.n.168 (hitcnt=3152444)

access-list nonat line 11 permit ip any host 202.n.n.169 (hitcnt=271793)

access-list nonat line 12 permit ip any host 202.n.n.171 (hitcnt=46280)

access-list nonat line 13 permit ip any host 202.n.n.172 (hitcnt=105019)

access-list nonat line 14 permit ip any host 202.n.n.174 (hitcnt=54859603)

access-list nonat line 15 permit ip any host 202.n.n.179 (hitcnt=0)

access-list nonat line 16 permit ip any host 202.n.n.180 (hitcnt=17722)

access-list nonat line 17 permit ip any host 202.n.n.170 (hitcnt=168883)

access-list nonat line 18 permit ip any host 202.n.n.156 (hitcnt=0)

PIX# sh access-list vpn

access-list vpn; 1 elements

access-list vpn line 1 permit ip any host 202.n.n.133 (hitcnt=264110)



husycisco Thu, 09/25/2008 - 17:25

I actually couldn't understand the external users part. Can you explain this a little more? Where is the firewall located?

pokwan Thu, 09/25/2008 - 19:55


This firewall is to protect the corp network from the internet. We have a client with an external IP that, when accessing the xxx application, comes in via the yyy link into our network. However, when they wanted to use VPN they directed this external IP to come in via our internet link. In other words, depending on the application, the external IP will come in from a different link.

We have a static route specifically to route this external IP to the yyy link, hence VPN will never work. My idea was to translate this external IP to another IP xxx when it comes into the firewall before traversing the network. With the natted IP xxx, we should not have to worry about the external IP being routed to yyy.



