Unanswered Question
Mar 4th, 2009

Hello guys,

I am trying to configure NAT for two subnets that I have. I have this command:

Router(config)# access-list 101 permit tcp y.y.y.y host x.x.x.x

Then I put the NAT outside in host x.x.x.x

Router(config)# int fa0/1

Router(config-if)# ip nat outside

Router(config)# ip nat outside source list 101 interface fa 0/1

But when I try to ping from any host in the y.y.y.y network, I can't.

Thanks for the tips.

dflores83 Wed, 03/04/2009 - 15:35

Sorry, the last was...

router(config)#ip nat outside source list 101 pool (name_of_pool)

adamclarkuk_2 Wed, 03/04/2009 - 15:38

Are you trying to do source NAT or destination NAT?

I think you want source NAT, which is

ip nat inside source list 101 interface fa 0/1 overload

Don't forget the overload keyword so that PAT is used.

You also need to apply the 'ip nat inside' command to the inside interface of your network for this to work.

Jon Marshall Wed, 03/04/2009 - 15:38


Could you be more specific as to what you are trying to do in terms of which are the source IP addresses, which are the destination addresses, etc.?


dflores83 Thu, 03/05/2009 - 11:19


I attach a diagram that can better explain the issue.

I want all the network to have access to server x.x.x.x for some services like HTTP and HTTPS.


Jon Marshall Thu, 03/05/2009 - 12:08



y.y.y.y network =

Interface on router that connects to y.y.y.y network = fa0/0

x.x.x.x =

Interface on router that connects to x.x.x.x = fa0/1 and its IP address is

access-list 101 permit tcp host eq 80

access-list 101 permit tcp host eq 443

int fa0/0

ip nat inside

int fa0/1

ip nat outside

ip nat inside source list 101 interface fa0/1 overload

The above config will change all the 192.168.5.x addresses to ie. the interface address of fa0/1.


Richard Burts Thu, 03/05/2009 - 15:05


There is another aspect of this issue. Your original post used an access list which had a statement that permitted tcp for certain source and destination. Jon's example here also uses permit tcp. That may be OK if what you really want to translate is tcp traffic. But if you do that you cannot test it with ping, as your original post describes. Ping is not tcp traffic and therefore will not test your translation.

If you want to test with ping then I suggest that your access list should permit ip rather than permit tcp.
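The point about ping and `permit tcp`, as an added example that is not part of the thread: a small Python model of extended-ACL matching (a subset of the IOS syntax: `any`, `host A`, `A wildcard`, optional `eq port`) showing which flows list 101 would select for translation. The 192.168.5.0/24 inside network is an assumption based on the 192.168.5.x addresses mentioned above, and 203.0.113.10 is a constructed stand-in for x.x.x.x.

```python
import ipaddress

def _addr(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base, wild = (int(ipaddress.IPv4Address(x)) for x in tokens[:2])
    return (base, wild), tokens[2:]

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    action, proto = t[2], t[3]
    src, rest = _addr(t[4:])
    dst, rest = _addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, port

def _ip_match(spec, ip):
    base, wild = spec
    # Wildcard bits set to 1 are "don't care".
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)

def acl_permits(acl_lines, proto, src, dst, dport=None):
    """First match wins; no match hits the implicit deny."""
    for action, a_proto, a_src, a_dst, a_port in map(parse_ace, acl_lines):
        if a_proto not in ("ip", proto) or (a_port is not None and a_port != dport):
            continue
        if not (_ip_match(a_src, src) and _ip_match(a_dst, dst)):
            continue
        return action == "permit"
    return False

# Constructed sample ACLs: 192.168.5.0/24 is assumed from the 192.168.5.x
# addresses in the thread; 203.0.113.10 is a placeholder for x.x.x.x.
TCP_ONLY = [
    "access-list 101 permit tcp 192.168.5.0 0.0.0.255 host 203.0.113.10 eq 80",
    "access-list 101 permit tcp 192.168.5.0 0.0.0.255 host 203.0.113.10 eq 443",
]
PERMIT_IP = ["access-list 101 permit ip 192.168.5.0 0.0.0.255 host 203.0.113.10"]

def selected_for_nat(acl):
    """Which test flows from one inside host the NAT rule would translate."""
    flows = {"http": ("tcp", 80), "https": ("tcp", 443), "ping": ("icmp", None)}
    return {n: acl_permits(acl, p, "192.168.5.20", "203.0.113.10", d)
            for n, (p, d) in flows.items()}
```

With the tcp-only list, a ping from an inside host falls through to the implicit deny and is never translated, so a failed ping says nothing about whether HTTP and HTTPS translation works.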



