Outside --> Inside NAT question

Unanswered Question
Nov 12th, 2008


I have 3 public subnets. I have a situation that is going to require me to NAT 2 public subnets, and not NAT 1.

Of these 2 that will need to be natted, I need to statically NAT a complete subnet to inside addresses.

Int fa0/0

ip address

ip address sec

ip address sec

I've NEVER set up complete pools to be translated before, but I've done one-to-one before. The interesting thing with this is that this router will have a public address on the inside interface because it connects to a public facing switch. It has to nat to the subnet if it's coming from or because the router only knows of the subnet on its inside interface.

What lines do I need to get this to work? Do I need a NAT pool, or do those only affect outbound traffic?


ip nat outside source static

ip nat outside source static




Jon Marshall Wed, 11/12/2008 - 09:59


NAT is bi-directional so

ip nat inside source static

would mean that traffic coming from inbound would translate to and traffic going out from would translate to


John Blakley Wed, 11/12/2008 - 10:03

So, I wouldn't need to create a pool for the subnets that I own for this to work? This is part of what we were talking about yesterday.

In the statement:

ip nat outside source static

isn't the first host the source, and the second the destination really?


Jon Marshall Wed, 11/12/2008 - 10:10

ip nat outside ... is used when you want to present an outside address as an inside address. Inside/outside in this context are purely to do with which interfaces you designate as inside/outside.

But that's not really what you are trying to do. You just want to make sure that inside address of 1.1.1.x are translated to addresses of 3.3.3.x.

What we do need to sort out is you keep mentioning pools but the examples you are giving are one-to-one mappings.


John Blakley Wed, 11/12/2008 - 10:17

We have 3 public blocks of IPs from 3 different ISPs. I need to provide a way for people from outside to get to our web servers, mail servers, etc.

The addresses that are on the public interface are routable addresses. The reason that I keep going back to "ip nat outside" is because I'd be expecting traffic coming from the public interface in.

I have one to one mappings because I looked in the fatpipe today, and I noticed that we're doing one-to-one from the other two subnets to the "private" subnet. (It's not a private IP, just on the inside interface.)

So, all translations need to be done from and to a public address on the subnet.

Thanks Jon!


Jon Marshall Wed, 11/12/2008 - 10:23


I admit NAT is a bit confusing in terms of inside/outside. If you have the time some day we can go through it in detail. But suffice to say if you want to present an internal address to the outside then "ip nat inside source static" is the way to go.
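A minimal IOS configuration for the one-to-one mapping Jon describes, added here as an example and not taken from the thread; the interface names, masks and the 1.1.1.x / 3.3.3.x hosts are constructed placeholders:

```cisco
! Constructed example, not from the thread: inside segment 1.1.1.0/24,
! outside (ISP-facing) segment 3.3.3.0/24, interface names assumed.
!
interface FastEthernet0/0
 description Inside - carries the 1.1.1.x addresses the servers actually use
 ip address 1.1.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description Outside - ISP-facing, where 3.3.3.x must be presented
 ip address 3.3.3.1 255.255.255.0
 ip nat outside
!
! One-to-one static mappings (inside local -> inside global).
! Each entry is bidirectional: packets from 1.1.1.10 leaving fa0/1 get
! source 3.3.3.10, and packets arriving on fa0/1 addressed to 3.3.3.10
! get destination 1.1.1.10. No NAT pool is involved.
ip nat inside source static 1.1.1.10 3.3.3.10
ip nat inside source static 1.1.1.20 3.3.3.20
!
! Equivalent for a whole /24 in one line (static network translation),
! used instead of per-host entries when every host maps 1:1:
! ip nat inside source static network 1.1.1.0 3.3.3.0 /24
!
! A public block that must not be translated simply has no
! "ip nat ..." entry; its traffic is forwarded unchanged.
```

Verify with `show ip nat translations`, where a static entry is listed permanently rather than only while a flow is active, and `show ip nat statistics`, which confirms which interfaces are marked inside and outside.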


