Multiple Connections with NAT

Unanswered Question
Jul 8th, 2009

I have an issue after attempting to use the same configuration as the one used in the following example.

The load balance seems to work fine.

However I am attempting to forward ports back into various locations. These do not work so well.

I have something like the following.

ip nat inside source static tcp 25 25 extendable

ip nat inside source static tcp 25 25 extendable

When I telnet to port 25 from outside the network, only one of these will work at any one time, not both.

There are also more port forwards to other computers, and these appear to randomly work / not work. I believe the issue is that the packets are being sent back out the wrong interfaces. Does anyone have any suggestions to get around this?

Mistralol Wed, 07/08/2009 - 03:55

This can be ignored. I have solved it by using source based policy routing.

gnich Thu, 07/16/2009 - 03:19

Hi Mistralol,

I've got the same problem. How did you fix it?


Mistralol Thu, 07/16/2009 - 03:26

The fix I have is not fully working. It still has issues.

Pretty much the Cisco seems to have the same issues, as do most other routers, when trying to do this. It leaks packets out the wrong WAN interfaces, e.g. a packet comes in Dialer1 but goes out Dialer2.

So you create 2 route-maps, e.g.

route-map Redirect permit 10
match ip address 152
set interface Dialer1

route-map Redirect permit 11
match ip address 153
set interface Vlan2

on the inside interface, matching the source IPs after the NAT and redirecting them out the correct interface.


access-list 153 permit ip host any

where is the ISP IP address.

This however only partially works, as things still seem to get stuck in a cache, so it still leaks packets, just not too many.

gnich Thu, 07/16/2009 - 03:29

Thanks Mistralol,

I'll give it a go.


bflseanny Sat, 07/18/2009 - 04:08

What if, instead of using two different ip nat inside statements with two different external IPs, you create a single external address in your NAT statement?

I assume from your post that you have two interfaces with IPs of and . Could you create a NAT statement like this:

ip nat inside source static tcp 25 25

I think what this would do is forward any traffic for SMTP to the address. Upon replying, this inside host's traffic would be translated back to

So, no matter which outside interface the reply goes out of, it would send the traffic with a destination address of

You don't have to use IPs associated with a physical interface in NAT. You just have to own the IP that you are using in the NAT translation, and routers would need to know how to get to that IP ( in this case).

I think what is happening in your case is that if you telnet to , it is hitting that interface, but the reply can be translated with an address, and this just won't work because the host is expecting a response from

Let me know your thoughts.

Mistralol Mon, 07/20/2009 - 00:32

Unfortunately that won't work, as the 2 external addresses are with different ISPs which have rogue packet filters, and both ISPs only provide a single IP address each.

The ip nat inside statements are using the hard-coded IPs; otherwise you cannot create them on both external interfaces, as IOS will say that it is already in use.

Or an easier way to trigger the problem:

From a remote host, telnet to external IP1; the connection will work. Then telnet to external IP2; the connection will not work.

Disconnect / clear the router cache.

Telnet to external IP2 and the connection will work. But the connection to external IP1 will now not work.

This is 100% reproducible ;)
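A small model of the failure bflseanny describes above and of the two-IP test in this post, added here as an illustration (it is not code from the thread and not how IOS is implemented): reply translation is keyed either on the inside host and port alone, so the first matching static entry wins, or on the full connection plus the interface it arrived on. The addresses and interface names are constructed placeholders.

```python
"""Toy model: one inside host's port 25 is forwarded from two public
addresses, one per WAN interface. The remote end only accepts a reply that
comes back from the address it connected to, on the WAN link it used."""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")
# Constructed addresses (RFC 5737 documentation ranges), not from the thread.
INSIDE_HOST = "192.168.1.10"
STATIC_NAT = [  # (outside interface, inside-global address, inside-local address, port)
    ("Dialer1", "203.0.113.1", INSIDE_HOST, 25),
    ("Dialer2", "198.51.100.1", INSIDE_HOST, 25),
]

class Router:
    def __init__(self, track_connections):
        self.track = track_connections
        self.conns = {}  # (remote, rport, local, lport) -> (ingress iface, global addr)

    def inbound(self, iface, pkt):
        """Outside-to-inside: rewrite the destination to the inside host."""
        for nat_iface, glob, local, port in STATIC_NAT:
            if (nat_iface, glob, port) == (iface, pkt.dst, pkt.dport):
                self.conns[(pkt.src, pkt.sport, local, port)] = (iface, glob)
                return Packet(pkt.src, pkt.sport, local, port)
        return None  # no mapping on this interface: dropped

    def outbound(self, pkt):
        """Inside-to-outside reply: choose source address and egress interface."""
        if self.track:  # per-connection state: the reply mirrors the inbound path
            iface, glob = self.conns[(pkt.dst, pkt.dport, pkt.src, pkt.sport)]
            return iface, Packet(glob, pkt.sport, pkt.dst, pkt.dport)
        # Naive: the first static entry for (local, port) wins regardless of
        # where the connection arrived, giving "only one works at a time".
        for nat_iface, glob, local, port in STATIC_NAT:
            if (local, port) == (pkt.src, pkt.sport):
                return nat_iface, Packet(glob, pkt.sport, pkt.dst, pkt.dport)
        raise LookupError("no translation for reply")

def smtp_probe(router, iface, public_ip, remote="192.0.2.50", sport=40000):
    """The thread's test: connect to one public IP on 25 and check the reply."""
    inside = router.inbound(iface, Packet(remote, sport, public_ip, 25))
    if inside is None:
        return False
    reply = Packet(inside.dst, inside.dport, inside.src, inside.sport)
    out_iface, translated = router.outbound(reply)
    # Accepted only if it returns from the dialled address on the same link;
    # otherwise it has leaked out the other WAN interface and is discarded.
    return out_iface == iface and translated.src == public_ip

def results(track_connections):
    """Probe both public addresses; returns {public_ip: reachable}."""
    r = Router(track_connections)
    return {glob: smtp_probe(r, iface, glob) for iface, glob, _, _ in STATIC_NAT}
```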

k.hariharan1 Mon, 07/20/2009 - 02:30

Your router configuration seems to be correct.

My only concern about your config is that you have enabled per-port CEF load sharing; can you disable that one and try again.

no ip cef load-sharing algorithm include-ports


Hariharan k

Mistralol Mon, 07/20/2009 - 02:31

It's more stable with it on than off, which would seem correct since the routing cache is both per port and host instead of just by host.
