outside nat on router ---Urgent

Unanswered Question
Jun 15th, 2009

Hi Experts,

I have one global nat with IP 195.24.4.XX (i have some number of public IP's)

when i want configure outside nat to one private IP 10.246.6.XXX (SMTP server) with public IP 195.24.5.XX every time its going out through the global nated IP only

But i want the private IP 10.246.6.XXX should go through 195.24.5.XX only.

Can somebody help me please...



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Collin Clark Mon, 06/15/2009 - 09:57

Here's a working example-

<font size=2>ip nat inside source list 25 interface Vlan2 overload</p><p>ip nat inside source static extendable</p><p>access-list 25 permit any</p><p></p><p>Vlan1                YES manual up                    up      </p><p>Vlan2                   YES manual up                    up      </p><p>NVI0                       unassigned      NO  unset  up                    up      </p><p>Loopback0            YES manual up                    up </p><p></p><p>Router#ping source lo0</p><p></p><p>Type escape sequence to abort.</p><p>Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:</p><p>Packet sent with a source address of </p><p></p><p>*Sep  8 19:52:41.403: NAT: s=>, d= [50].</p><p>*Sep  8 19:52:43.403: NAT: s=>, d= [51].</p><p>

Capture from Workstation

<font size=2></p><p>No.     Time            Source                Destination           Protocol QoS Info</p><p>   8093 12:50:04.688002                ICMP     0   Echo (ping) request</p><p></p><p>Frame 8093 (114 bytes on wire, 114 bytes captured)</p><p>    Arrival Time: Jun 15, 2009 12:50:04.688002000</p><p>    [Time delta from previous captured frame: 0.000483000 seconds]</p><p>    [Time delta from previous displayed frame: 0.000483000 seconds]</p><p>    [Time since reference or first frame: 1.881112000 seconds]</p><p>    Frame Number: 8093</p><p>    Frame Length: 114 bytes</p><p>    Capture Length: 114 bytes</p><p>    [Frame is marked: False]</p><p>    [Protocols in frame: eth:ip:icmp:data]</p><p>    [Coloring Rule Name: ICMP]</p><p>    [Coloring Rule String: icmp]</p><p>Ethernet II, Src: Cisco_c9:8e:8c (00:1b:90:c9:8e:8c), Dst: HewlettP_4d:a6:0c (00:19:bb:4d:a6:0c)</p><p>    Destination: HewlettP_4d:a6:0c (00:19:bb:4d:a6:0c)</p><p>        Address: HewlettP_4d:a6:0c (00:19:bb:4d:a6:0c)</p><p>        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)</p><p>        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)</p><p>    Source: Cisco_c9:8e:8c (00:1b:90:c9:8e:8c)</p><p>        Address: Cisco_c9:8e:8c (00:1b:90:c9:8e:8c)</p><p>        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)</p><p>        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)</p><p>    Type: IP (0x0800)</p><p>Internet Protocol, Src: (, Dst: (</p><p>    Version: 4</p><p>    Header length: 20 bytes</p><p>    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)</p><p>        0000 00.. = Differentiated Services Codepoint: Default (0x00)</p><p>        .... ..0. = ECN-Capable Transport (ECT): 0</p><p>        .... ...0 = ECN-CE: 0</p><p>    Total Length: 100</p><p>    Identification: 0x0037 (55)</p><p>    Flags: 0x00</p><p>        0... = Reserved bit: Not set</p><p>        .0.. = Don't fragment: Not set</p><p>        ..0. = More fragments: Not set</p><p>    Fragment offset: 0</p><p>    Time to live: 255</p><p>    Protocol: ICMP (0x01)</p><p>    Header checksum: 0xa307 [correct]</p><p>        [Good: True]</p><p>        [Bad : False]</p><p>    Source: (</p><p>    Destination: (</p><p>Internet Control Message Protocol</p><p>    Type: 8 (Echo (ping) request)</p><p>    Code: 0 ()</p><p>    Checksum: 0xad9c [correct]</p><p>    Identifier: 0x000b</p><p>    Sequence number: 0 (0x0000)</p><p>    Data (72 bytes)</p><p></p><p>0000  00 00 00 00 42 6a 8e 38 ab cd ab cd ab cd ab cd   ....Bj.8........</p><p>0010  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................</p><p>0020  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................</p><p>0030  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................</p><p>0040  ab cd ab cd ab cd ab cd                           ........</p><p>        Data: 00000000426A8E38ABCDABCDABCDABCDABCDABCDABCDABCD...</p><p></p><p>
ilnaiduccna Mon, 06/15/2009 - 21:43

Hi Colin,


ip nat inside source list 25 interface Vlan2 overload

ip nat inside source static extendable

access-list 25 permit any

Vlan1 YES manual up up

Vlan2 YES manual up up

NVI0 unassigned NO unset up up

Loopback0 YES manual up up


As per you said, we have to create access-list eg: 25 first.

Can you give me idea how to create access-list for this task (please find the below private SMTP server IP and public IP)

My present task is the private SMTP server IP ( to nated with

And when packet from private SMTP server going to outisde it should go with nated IP only

We have one global nated IP and everytime whatever private nated IP going through this global nated IP only but in this scenario it should not be like that, it should go through only the particular nated IP (

Thanks in advance.



Collin Clark Tue, 06/16/2009 - 05:24

access-list 25 permit any

ip nat inside source list 25 interface [your outside interface]overload

ip nat inside source static extendable

That should do it.

ilnaiduccna Tue, 06/16/2009 - 20:16

Hi Collin,

Thanks for you reply.

As you said access-list 25, we no need to define any access-list before implement(eg: access-list 25)?

If we have to define access-list 25, please give me idea how to define for this particular scenario.

The private SMTP server IP:

The public IP for NAT:

Outside interface: Fa0/0

Inside interface: Fa0/1

Please help me....



Collin Clark Wed, 06/17/2009 - 05:40

The ACL tells NAT what IPs to translate. This owuld be your internal network. It looks like it would be

ilnaiduccna Thu, 06/18/2009 - 03:50

Hi Colin,

If it would works....then i think to define as like below

access-list 25 deny (global nated IP)

as whatever packet going out though th global nated IP

I think if we deny as like above statement then it will not have any option, only option is the real nated IP (

Please correct me if i am wrong.



Collin Clark Thu, 06/18/2009 - 05:24

Denying it isn't necessary (won't hurt anything either). Since there is a specific NAT configured for the host, the router will use that NAT'd IP instead of the global IP.

ilnaiduccna Thu, 06/18/2009 - 21:28

Hi Colin,

That is what my problem, the specific NAT configured for the host but the router was using global nated IP only instead of specific nated IP.



Collin Clark Fri, 06/19/2009 - 04:39

Check my earlier post. I posted a working config and a packet capture verifying it works. You must have your NAT configuration configured differently.


This Discussion