Nat Help

Unanswered Question
Apr 2nd, 2009

Hi Everyone,

This one might sound a little funny, but I am trying to find a solution to accomplish the opposite of a PAT. I think I need a reverse PAT?

I need a method of translating a single IP into multiple IPs.

one to many - not many to one.

I am not looking for port forwarding unless I am able to translate the source ports. I am looking for address translation from one IP to multiple IPs. For example,

Source - ip =

Destination - ip =

Potential pool: -

Source must be translated to pool when it reaches the destination on a per session basis, not per source basis.

Looking forward to your response.



Jon Marshall Thu, 04/02/2009 - 07:51


How are you defining sessions ?

If it is by TCP/UDP ports then you could do something along the lines of if port = 23 then use and if port = 25 then use but this would all need to be configured manually with individual nat statements/route-maps and even this would need thorough testing.

I don't know of a way to dynamically do it.


christopher.clayden Thu, 04/02/2009 - 08:04

Hi Jon,

Thanks for the reply. I would have to define sessions based on source port as opposed to the destination port.

I had the idea of static NAT as such for example:

source source port 1024 destination source port 1024.

Not sure if this is going to fly though.



Jon Marshall Thu, 04/02/2009 - 08:21


I was thinking of something like the following (would need testing)

access-list 101 permit tcp host eq 1026 host

access-list 102 permit tcp host eq 1027 host

route-map PNAT1 permit 10

match ip address 101

route-map PNAT2 permit 10

match ip address 102

ip nat inside source static route-map PNAT1

ip nat inside source static route-map PNAT2


but you can see this is an awful lot of config and you still need to manually add all the others.


lamav Thu, 04/02/2009 - 08:27


How could you be sure of what the source port will be?

1026, 1027....?

Jon Marshall Thu, 04/02/2009 - 08:33

Well that is a very good question and I'm being a bit dense (no need to point that out).

I guess you could use ranges which would cover 1024 - 65535 ie. map 1000 ports to one IP etc. but that wouldn't meet the requirement either.

Thanks for pointing out my stupidity :-) Rated
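
Added example, not part of the thread and not any poster's configuration: a Python sketch comparing the static port-range mapping considered above with a stateful per-session allocator, to show why the range scheme does not give a different source per session. The pool, VIP and destination addresses are constructed from documentation ranges, and `static_range_map`, `PerSessionNat` and `consecutive_repeats` are hypothetical names.

```python
import ipaddress
from itertools import cycle

# Constructed pool from the RFC 5737 documentation range (the thread's addresses are elided).
POOL = [ipaddress.ip_address(f"192.0.2.{n}") for n in range(10, 14)]
PORT_LO, PORT_HI = 1024, 65535


def static_range_map(src_port, pool=POOL):
    """Static scheme: split 1024-65535 into equal blocks, one block per pool address."""
    if not PORT_LO <= src_port <= PORT_HI:
        raise ValueError("source port outside the mapped range")
    block = (PORT_HI - PORT_LO + 1 + len(pool) - 1) // len(pool)  # ceiling division
    return pool[(src_port - PORT_LO) // block]


class PerSessionNat:
    """Stateful scheme: each new flow takes the next pool address; known flows keep theirs."""

    def __init__(self, pool=POOL):
        self._next = cycle(pool)
        self.table = {}  # (src_ip, src_port, dst_ip, dst_port) -> translated source

    def translate(self, flow):
        if flow not in self.table:
            self.table[flow] = next(self._next)
        return self.table[flow]


def consecutive_repeats(addresses):
    """Count back-to-back sessions that were given the same translated source."""
    return sum(a == b for a, b in zip(addresses, addresses[1:]))


# Constructed sessions: one VIP opening connections from sequential ephemeral ports.
VIP, DST = "198.51.100.5", "203.0.113.20"
FLOWS = [(VIP, port, DST, 443) for port in range(49152, 49160)]

if __name__ == "__main__":
    nat = PerSessionNat()
    for flow in FLOWS:
        print(flow[1], static_range_map(flow[1]), nat.translate(flow))
```

Sequential ephemeral ports fall into the same block, so the static mapping hands every one of these sessions the same address, while the stateful table rotates through the pool.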


lamav Thu, 04/02/2009 - 08:40

No stupidity, man...It is a confusing request and you were being creative...brainstorming :-)

Thanks for the rating...

lamav Thu, 04/02/2009 - 07:52

What are you trying to achieve?

Why do you want one source address to get NATed to a different IP every time it wants to reach a host on the remote network?

christopher.clayden Thu, 04/02/2009 - 08:01

Hi lamav,

Thank you for the reply. The source address is always originated from a VIP.

The destination requires a different source IP every time for authentication purposes.

Thanks again.


