ip nat outside destination

Dec 2nd, 2008


If I want to redirect TCP port 22 traffic from outside to inside, I would do this:

ip nat inside source static tcp IP_LAN 22 IP_WAN 22

Wouldn't it be more logical to use:

ip nat outside destination static tcp IP_WAN 22 IP_LAN 22

I know that the first command is basically equal to the second, but why doesn't Cisco have an "ip nat outside destination ..." command? Is there an explanation?

Thank you!

lejoe.thomas Tue, 12/02/2008 - 16:29

Hi Spinu,

I checked the Cisco NAT commands for IOS 12.4; I couldn't find anything regarding ip nat outside destination.

However, ip nat outside source list X:

translates the source IP of packets traveling from outside (an outside interface, ip nat outside) to inside (an inside interface).

translates the destination IP of packets traveling from inside to outside.



Spinu Viorel Wed, 12/03/2008 - 01:32

Hello Thomas,

Thank you for answering.

You are telling me something that I already read and understand, but my question was why you can't use ip nat outside destination, because I find it far easier to understand. Is there some explanation? Is it a security issue?

I find it more rational to think like this:

all packets that come to the router with a given source IP/port and destination IP/port are redirected to another host (an internal host in my case), regardless of the direction of the packet (inside-to-outside or outside-to-inside).

lejoe.thomas Wed, 12/03/2008 - 03:43


Things which might sound logical to you are perhaps not logical to others. The objective which you have mentioned can be achieved through other means in Cisco NAT. Most of us, including me would not think of it the way you have mentioned. I think it sort of varies from person to person.

As far as ip nat outside destination command is concerned, no such command is supported by the IOS simply because there are ways to achieve the same thing without that command.



steven-dunn Tue, 12/02/2008 - 19:19

It may have something to do with the process sequence. The ingress and egress process sequences are different. I think outbound is route then NAT, inbound is NAT then route.


Spinu Viorel Wed, 12/03/2008 - 01:38

Thank you for answering.

You are not so categorical. I need a firmer answer. NAT is very important to understand. I have read so many Cisco NAT docs, but I did not find this explanation. I know I'm asking too much, unless you are working at Cisco, but I find NAT on Cisco very hard and complicated to understand.

Laurent Aubert Sat, 12/06/2008 - 11:52


I know the terms can be confusing, but they refer to which source address we are talking about. A source address on one side is the destination address on the other side and vice versa, so with one command we cover both directions of traffic.

NAT definition:


- Case 1: Outside Global addresses are known by the inside world (Outside Global = Outside Local)

We need to translate the source IP address of any packets coming from the inside and the destination IP address of any packets coming from the Outside.

1a: Session initiated from the Inside only:

You need the ip nat inside source command. PAT is allowed (N-to-1 rule) because the initiation is always from the inside to the outside. The NAT table keeps track of each entry, so the router is able to translate the destination address of the packet received on the outside interface.

1b: Session initiated from the Outside or the Inside:

You need the ip nat inside source static command. The entries created by the previous command are all dynamic, so we need a permanent entry in this case with a 1:1 rule. Otherwise the router will not be able to match any dynamic NAT entry (the session is not initiated from the inside).

That's why you need to use ip nat inside source static tcp IP_LAN 22 IP_WAN 22 to redirect traffic destined to port 22 to a specific inside host.

- Case 2: Outside Global addresses are not known by the inside world (Outside Global addresses are different from Outside Local addresses)

In this case, it means we need translation rules between the Outside Global addresses and the Outside Local addresses.

We need to translate any destination IP addresses for packets coming from the inside and source IP addresses of any packets coming from the Outside.

Use rules explained in Case 1 if the Inside IP addresses are still not known by the Outside world.

2a: Session initiated from the Inside or Outside:

You need the ip nat outside source static command. You need a permanent NAT entry because you want to reach a specific host in the Outside. You can't use a pool in this case.


2b: Session initiated from the Outside:

You need the ip nat outside command. You can use a pool in this case because the initiation is coming from the Outside, so the router can create a NAT entry which matches the real Outside Global address to any Outside Local address.


Hope that helps
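To make the two answers above concrete (steven-dunn's point that an inside-to-outside packet is routed before translation while an outside-to-inside packet is translated before routing, and Laurent's point that one static entry covers both directions because the source on one side is the destination on the other), here is an added example that is not part of the original thread or of any Cisco software. It is a small Python model of a router with one inside and one outside interface, holding one "inside source static" entry (case 1b) and one "outside source static" entry (case 2a). All addresses, ports, interface names and the two IOS lines quoted in the docstring are constructed for illustration.

```python
"""Toy model of Cisco-style inside/outside static NAT (added example).

Addresses, ports and interface names are constructed for illustration and
mirror these hypothetical IOS lines:

  ip nat inside source static tcp 192.168.1.10 22 203.0.113.5 22
  ip nat outside source static 198.51.100.7 10.10.10.7 add-route
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class StaticEntry:
    """Permanent 1:1 translation between a 'local' and a 'global' address.

    Inside-source entry: local = inside local (LAN), global_ = inside global (WAN).
    Outside-source entry: local = outside local (what the LAN sees),
    global_ = outside global (the real outside address).
    Ports are optional; an address-only entry matches any port.
    """
    local: str
    global_: str
    lport: Optional[int] = None
    gport: Optional[int] = None

    def matches(self, addr: str, port: int, side: str) -> bool:
        want_addr = self.local if side == "local" else self.global_
        want_port = self.lport if side == "local" else self.gport
        return addr == want_addr and (want_port is None or port == want_port)

    def translate(self, port: int, to: str) -> tuple[str, int]:
        if to == "global":
            return self.global_, (self.gport if self.gport is not None else port)
        return self.local, (self.lport if self.lport is not None else port)


class NatRouter:
    def __init__(self, routes: dict[str, str]) -> None:
        self.routes = {ip_network(p): iface for p, iface in routes.items()}
        self.inside_source: list[StaticEntry] = []   # ip nat inside source static ...
        self.outside_source: list[StaticEntry] = []  # ip nat outside source static ...

    def route(self, dst: str) -> str:
        """Longest-prefix match over the routing table; raises if no route."""
        addr = ip_address(dst)
        hits = [(n.prefixlen, i) for n, i in self.routes.items() if addr in n]
        if not hits:
            raise LookupError(f"no route to {dst}")
        return max(hits)[1]

    @staticmethod
    def _apply(entries, addr, port, match_side, to_side):
        # First matching entry wins; no match leaves the address untouched.
        for e in entries:
            if e.matches(addr, port, match_side):
                return e.translate(port, to_side)
        return addr, port

    def inside_to_outside(self, pkt: Packet) -> tuple[str, Packet]:
        # Arrived on an inside interface: route first, then translate, so the
        # route lookup sees the outside *local* destination (hence 'add-route').
        egress = self.route(pkt.dst)
        src, sport = self._apply(self.inside_source, pkt.src, pkt.sport, "local", "global")
        dst, dport = self._apply(self.outside_source, pkt.dst, pkt.dport, "local", "global")
        return egress, Packet(src, sport, dst, dport)

    def outside_to_inside(self, pkt: Packet) -> tuple[str, Packet]:
        # Arrived on an outside interface: translate first, then route, so the
        # route lookup sees the inside *local* destination.
        dst, dport = self._apply(self.inside_source, pkt.dst, pkt.dport, "global", "local")
        src, sport = self._apply(self.outside_source, pkt.src, pkt.sport, "global", "local")
        egress = self.route(dst)
        return egress, Packet(src, sport, dst, dport)


def build_router() -> NatRouter:
    r = NatRouter({"192.168.1.0/24": "Gi0/0",  # inside LAN
                   "10.10.10.7/32": "Gi0/1",   # host route installed by 'add-route'
                   "0.0.0.0/0": "Gi0/1"})      # default toward the outside
    r.inside_source.append(StaticEntry("192.168.1.10", "203.0.113.5", 22, 22))  # case 1b
    r.outside_source.append(StaticEntry("10.10.10.7", "198.51.100.7"))          # case 2a
    return r


def ssh_round_trip() -> tuple[tuple[str, Packet], tuple[str, Packet]]:
    """SYN from the outside host to the forwarded port, then the inside reply."""
    r = build_router()
    syn = Packet("198.51.100.7", 40000, "203.0.113.5", 22)
    inbound = r.outside_to_inside(syn)
    reply = Packet(inbound[1].dst, inbound[1].dport, inbound[1].src, inbound[1].sport)
    outbound = r.inside_to_outside(reply)
    return inbound, outbound


if __name__ == "__main__":
    (egress_in, pkt_in), (egress_out, pkt_out) = ssh_round_trip()
    print("outside->inside:", egress_in, pkt_in)
    print("inside->outside:", egress_out, pkt_out)
```

The same two entries rewrite the destination of the inbound SYN and the source of the outbound reply (inside source), and the source of the SYN and the destination of the reply (outside source), which is why IOS never needed a separate "outside destination" command. The one-port rule is also visible: an outside packet to the WAN address on port 80 matches nothing and is not forwarded to the LAN host.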



