PAT from outside to inside?

I'm looking for a way to do PAT from an outside to an inside interface, on a 2811 router running IOS 12.4.

I've checked the documentation and only found information for PAT from inside to outside, but it is not clearly said that we can't do it on the other side.

The "ip nat outside" command does not accept the "overload" keyword...

Is there a way to implement PAT this way or do I have to switch nat configuration (inside <-> outside)?

Thanks in advance for your help.


Jon Marshall Tue, 02/24/2009 - 02:38
Unfortunately I don't have a router to test with at the moment, but from memory I don't believe you can specify the "interface overload" with ip nat outside.

What you can do, though, is use a NAT pool, i.e.

access-list 101 permit ip any any

ip nat pool SNAT netmask

ip nat outside source list 101 pool SNAT

This should translate all incoming src addresses to - 10. If you just want to translate to 1 address make the NAT pool only have 1 address.


Hi Jon,

Thanks for your answer.

If I understand correctly, you propose a NAT solution, and not a PAT solution.

That means my pool must contain as many addresses as the number of source IPs to NAT. Is that right?

Regarding my needs, many people, from a customer company, with private addresses (not routable) need to reach a server in my company.

As the router is owned by my company and is used to protect it, the "inside" has been defined on our side and outside on customer's side.

But, as you said, the "overload" keyword is not available with "ip nat outside".

Does that mean I'll have to change all the nat configuration by switching inside to outside (and outside to inside)?

Thx in advance for your help.


Jon Marshall Tue, 02/24/2009 - 10:21
Apologies, after reading my original post I can see how it may have confused the issue. Yes, I am proposing a one-to-one NAT because, as you say, the overload keyword is not available. Interestingly, this type of thing is trivial to do with a PIX/ASA. I thought I had done this before on a router, but perhaps I am remembering incorrectly.

My point was that you can use any unused IP range (private IPs) to NAT the customer IPs to. As long as the IP range you select is routed back to the inside interface of your router when the server sends a packet back to the client, it should work fine.
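The one-to-one pool approach from the replies above, written out as an added configuration sketch that is not part of any poster's reply. All addresses and interface names are constructed placeholders, the ACL is narrowed from "permit ip any any" to the customer range and the one server, and the add-route keyword is assumed to be available on the IOS release in use.

```cisco
! Added example. Constructed values:
!   customer (outside) sources : 192.168.50.0/24
!   server on the inside       : 10.1.1.10
!   unused range for the pool  : 172.16.99.0/24
!
interface FastEthernet0/0
 description Inside - own company
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description Outside - customer
 ip address 192.168.50.1 255.255.255.0
 ip nat outside
!
! Translate only customer sources talking to the server,
! rather than every packet arriving on the outside interface.
access-list 101 permit ip 192.168.50.0 0.0.0.255 host 10.1.1.10
!
! No overload here: this is one-to-one dynamic NAT, so the pool needs
! one address per customer host that is translated at the same time.
ip nat pool SNAT 172.16.99.1 172.16.99.254 netmask 255.255.255.0
!
! add-route installs a host route for each translated (outside local)
! address so that return traffic from the server is routed toward the
! outside interface, where it is translated back.
ip nat outside source list 101 pool SNAT add-route
!
! Inside hosts must also route 172.16.99.0/24 to 10.1.1.1.
!
! Verify from exec mode:
!   show ip nat translations
!   show ip nat statistics
```

If the pool runs out, new customer hosts are not translated until existing entries time out, so size the pool against the number of concurrent clients.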


t4tauseef33 Tue, 03/03/2009 - 09:11
Hi, I require the same thing. Have you got any solution?

zenon_electronics Mon, 04/13/2009 - 22:51
Did you find a solution to your problem?

If you make a static PAT translation from inside to outside, it can be used from outside to inside too.

For example:

ip nat inside source static tcp (inside_interface) 80 interface (outside_interface) 80

That way, when you attempt to connect from the internet to the outside address of your router on port 80, you will be redirected to the inside address that you have defined.

The other thing is to specify which interface is inside and which is outside:

#int (inside)

ip nat inside

#int (outside)

ip nat outside

Hope I helped!


lamav Tue, 04/14/2009 - 04:41
You cannot PAT from outside to inside because of the NAT order of operations.

When a packet is received on a NAT inside interface, it will route before it NATs. So, when a packet has a destination address that matches the NAT inside interface address, the packet will be routed right there and die with no NAT translation.



Rupesh Kashyap Wed, 04/15/2009 - 01:11
You can NOT implement PAT from Outside to inside. Overload is made to translate only Inside traffic.

