877: Port Static NAT with normal Static NAT

Unanswered Question
Jul 22nd, 2009


With a Cisco 877 Router I want to make a setup in which the outside address is translated when using port forwarding to the inside address.

The port forwarding is working like it should, but I don't know if it's possible to combine this with the NAT of the outside address. I guess it should have some 'Static NAT' on the outside (ip nat outside source ...) but this has to be combined with an access-list which is already used in combination with the "ip nat inside source"-command...

Can this be done, preferably for specific port translations?

At the moment the port forwarding is made with the following commands:

ip nat inside source static tcp 8234 interface Dialer1 8234
ip nat inside source static udp 8234 interface Dialer1 8234
ip nat inside source static tcp 4321 interface Dialer1 4321
ip nat inside source static tcp 4421 interface Dialer1 4421

Can I establish that for 4321 & 4421 the 'server' receives the address of the router (or one of the NAT pool), and on the other server it may be the original external address (but if this isn't possible, translation may always be done...)?

I hope the question is clear enough, so anyone can help me...



Collin Clark Wed, 07/22/2009 - 07:23


I just labbed this quickly to make sure I was going to answer correctly. Per your config above, both servers above will use an IP from the NAT pool you have configured. Only when there is a full NAT will it use the source IP of that NAT statement.

Hope that helps.

Alain Cloet Wed, 07/22/2009 - 23:01

Hi Collin,

Thanks for the reply, but actually I didn't define a pool yet. I'm not sure what inside or outside is in this matter. For the port mapping I must use the 'nat inside' command (as I translate an inside port); but for the pooling I guess it has to be 'nat outside'. But I don't know for sure how to trigger and combine this...

The zone security the router applied itself also makes this look confusing to me. Should I make a simple access rule for this, which is then made more strict by the port mapping or the zone security?

Collin Clark Thu, 07/23/2009 - 05:19

You'll be source NATing your addresses (inside), so your pool will look something like this-

ip nat inside source list 50 interface Dialer0 overload

Then configure the ACL. It should include your internal network(s) that you want NAT'd.

access-list 50 permit

Alain Cloet Thu, 07/23/2009 - 05:49

I have a line

ip nat inside source list 101 interface Dialer1 overload

and the access-list behind is:

access-list 101 permit ip any

but this is from inside to outside; and the outside address isn't translated with this.

Would this require an extra line

access-list 101 permit ip any

And wouldn't this open everything then? Or is this where the zone security applies?

However, I'm not able to test this before Monday, so this is based on the current settings & experience, and the problems I think of...


Collin Clark Thu, 07/23/2009 - 05:52

I don't think we're on the same page. I'm confused by this statement: "and the outside address isn't translated with this." Can you explain this in a little more detail?

Alain Cloet Thu, 07/23/2009 - 06:06

The line means I would like to have the outside address translated, so the server behind the 'published port' sees the address of the router, i.s.o. the address of the external client.

The real reason is that the router isn't the default gateway for this specific server, so when an unknown address connects (not manually defined in its routing table), the server tries to use its default gateway.


An internet client xx.xx.xx.xx connects to the external address of the router yy.yy.yy.yy port 4321

At the moment the router passes this request to port 4321, and sees that the request is coming from xx.xx.xx.xx

If the server knows the address xx.xx.xx.xx is behind the router, it'll answer correctly; if it doesn't know it, it'll try to reply via its default gateway.

So I want to achieve that the server would see the address of the router (in this case; or one defined in a pool so I can make this routable), so the replies also go back to the router (and to the original client).

Collin Clark Thu, 07/23/2009 - 06:12

Gotcha. Are you having a production problem with this? It should never go to the default gateway; it should go to the router where the connection was established.

Alain Cloet Thu, 07/23/2009 - 06:22

I think this is normal behaviour for any device that it won't route back if the IP address isn't defined in that path...

(If it would just use the MAC address it might work, but this doesn't seem to be the case, and still, ARP data isn't kept forever.)

Maybe it's more that the server drops the connection because it doesn't expect the address at that network card (oops... writing this reminds me that I didn't mention that the default gateway is on another NIC), so it's considered spoofing...

Collin Clark Thu, 07/23/2009 - 06:32

As long as the 2nd NIC on the server and the NAT router are on the same IP subnet, it will work. When a packet goes to the server (and comes from the router) after translation, the source IP will be the router, the source MAC will also be the router. Return traffic for that TCP session will go back to the router and the router will then translate it back to the outside address. To the server, it looks like it's communicating with some machine on the local network.

Alain Cloet Mon, 07/27/2009 - 23:53


Sorry I didn't come back to this earlier, but what you're writing is not the case with my current config, and is exactly the problem I have.

The external address isn't translated; it's the inside port that is translated with such a config. And I would like to combine them... (internal port translation, and external IP translation)
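The two translation steps the thread is arguing about, modelled as an added example (constructed here, not part of the thread and not a Cisco configuration): the router's port forward rewrites the destination, the optional outside-source translation rewrites the source, and the server's own routing table decides which NIC the reply leaves by. Addresses are documentation placeholders standing in for xx.xx.xx.xx and yy.yy.yy.yy, and the server is assumed to have a static route for the NAT pool subnet via the router, as the poster suggests.

```python
"""Constructed model of the thread's scenario: a port forward on the router, a server
whose default gateway is on another NIC, and the effect of translating the outside source."""
from ipaddress import ip_address, ip_network

CLIENT, ROUTER_WAN, ROUTER_LAN = "198.51.100.7", "203.0.113.9", "192.168.1.1"
SERVER, POOL_ADDR = "192.168.1.10", "192.168.250.1"   # placeholder addresses
PORT_FORWARDS = {("tcp", 4321): (SERVER, 4321), ("tcp", 4421): (SERVER, 4421)}
TRANSLATIONS = {}   # (proto, inside local ip, port, outside local ip) -> outside global ip

def router_outside_to_inside(pkt, translate_source):
    """Outside-to-inside NAT: the static entry rewrites the destination (port forward);
    with outside-source translation enabled the source is rewritten to a pool address."""
    fwd = PORT_FORWARDS.get((pkt["proto"], pkt["dport"]))
    if fwd is None or pkt["dst"] != ROUTER_WAN:
        return None                                     # no static entry: not forwarded
    out = dict(pkt, dst=fwd[0], dport=fwd[1])
    if translate_source:
        out["src"] = POOL_ADDR
    TRANSLATIONS[(pkt["proto"], fwd[0], fwd[1], out["src"])] = pkt["src"]
    return out

def router_inside_to_outside(pkt):
    """Reverse both translations for the reply; None if no entry matches."""
    key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"])
    if key not in TRANSLATIONS:
        return None
    return dict(pkt, src=ROUTER_WAN, dst=TRANSLATIONS[key])

# Server routing table: nic1 faces the NAT router, nic2 carries the default route.
SERVER_ROUTES = [(ip_network("192.168.1.0/24"), "nic1"),
                 (ip_network("192.168.250.0/24"), "nic1"),   # static route for the pool
                 (ip_network("0.0.0.0/0"), "nic2")]

def server_egress_nic(dst):
    """Longest-prefix match, i.e. the server's own routing decision for the reply."""
    return max((r for r in SERVER_ROUTES if ip_address(dst) in r[0]),
               key=lambda r: r[0].prefixlen)[1]

def simulate(translate_source):
    """Return (source address the server sees, reply as seen by the client or None)."""
    req = {"proto": "tcp", "src": CLIENT, "sport": 51000, "dst": ROUTER_WAN, "dport": 4321}
    at_server = router_outside_to_inside(req, translate_source)
    reply = {"proto": "tcp", "src": at_server["dst"], "sport": at_server["dport"],
             "dst": at_server["src"], "dport": at_server["sport"]}
    if server_egress_nic(reply["dst"]) != "nic1":
        return at_server["src"], None      # reply left via nic2; the router never saw it
    return at_server["src"], router_inside_to_outside(reply)
```

With the port forward alone the server sees the client's real address, routes the reply out the other NIC, and the client gets nothing; with the source translated to a pool address the reply returns through the router, which restores both addresses. A real outside-source pool is one-to-one, so its size bounds the number of concurrent outside clients.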



