NAT Redirection. Help!


Hi Net Pros,

My network looks like this:



Ok, here is the challenge. I have been assigned the IP address by my ISP. I'd like for people to connect to on port 443 on the WAN, and have traffic redirected to on the LAN. This should be easy, right? Also, I want host to only see traffic coming from and not the true host across the WAN.

It seems like this would be easy with static NAT, but I have not been able to accomplish this using a combination of NAT tricks. Thanks!

For example:

Internet Host: connects to me over the WAN.

SA: --> DA:

Then, the router takes the traffic and sends it to my host on the LAN. My host on the LAN sees:

SA: --> DA:

Is this possible? Thanks pros!

yagnesh_tel Mon, 08/31/2009 - 13:34

Hi Nick,

This configuration should work straight away unless you have an ACL applied.

ip nat inside source static tcp 443 443

interface f0/2

ip nat outside

interface f1/0

ip nat inside

Share your router configuration if you still find a problem.

I tried what you suggested, and traffic gets through. But the host on the LAN ip nat inside ( still sees traffic coming from the actual WAN host, and not the router.

So using my example, traffic is sent from an outside WAN host, to my router:

SA: --> DA:

And my inside host sees:

SA: --> DA:

I want my inside host to see traffic originating from the router instead of the actual source. So my inside host sees:

SA: --> DA:

I don't want my inside host to see the IP of whatever host is connecting to it across the WAN.

Thanks for the help!

yagnesh_tel Tue, 09/01/2009 - 10:22

Hi Nick,

I apologize for not reading your requirement completely. Assuming is the only host accessing your server- from the WAN, you may achieve this by creating a static NAT:

ip nat outside source static

Although conceptually I don't see an issue with this setup, I am not completely convinced, considering the same address- is being used for two different static entries.

yagnesh_tel Wed, 09/02/2009 - 05:21

In that case, use 'ip nat outside source list' command:

Match interesting traffic:

access-list 110 permit ip any -> to permit any IP address from the Internet.

ip nat outside source list 110 interface Fa2/0 overload

I am not quite sure that the overloading interface option works in the 'ip nat outside' command. If not, you can define a pool with just one IP address and attach that pool in the NAT statement.

ip nat pool WANACCESS netmask

ip nat outside source list 110 pool WANACCESS overload

I tried this, but the inside host is still seeing the IP of the actual outside host, and not the IP of the router. Here is my config:

interface FastEthernet1/0

ip address

ip nat inside

interface FastEthernet2/0

ip address

ip nat outside

ip nat pool WANACCESS netmask

ip nat inside source static tcp 443 443 extendable

ip nat outside source list 110 pool WANACCESS


access-list 110 permit ip any

On a host across the WAN (, I connect to, and it gets through to, but I don't want to see the traffic coming from - I want the inside host to believe the traffic is coming from Here is what I see in the inside host's debug ip packet:

*Mar 1 00:51:28.827: IP: tableid=0, s= (FastEthernet1/0), d= (FastEthernet1/0), routed via RIB

*Mar 1 00:51:28.831: IP: s= (FastEthernet1/0), d= (FastEthernet1/0), len 44, rcvd 3

*Mar 1 00:51:28.839: IP: tableid=0, s= (local), d= (FastEthernet1/0), routed via FIB

*Mar 1 00:51:28.843: IP: s= (local), d= (FastEthernet1/0), len 44, sending

I feel we're getting close! Thanks for the help so far!

Jon Marshall Thu, 09/03/2009 - 04:29


You can't do this because you cannot overload on an outside static statement, i.e. you can't NAT multiple outside addresses to one inside address on an IOS router. Funnily enough, this is a trivial thing to do on an ASA/PIX firewall!

If, however, you want to hide the Internet addresses, does it have to be behind the address?

If not what you can do is create a NAT pool using private addressing on the router. This NAT pool will have to be big enough to account for all concurrent connections to the server on port 443.

If you wanted to do this you would need to:

1) Keep your existing line -

ip nat inside source static tcp 443 443 extendable

2) Create a new NAT pool, e.g.

ip nat pool NPS netmask

3) Create an ACL to match the traffic

access-list 101 permit tcp any host eq 443

4) Add the NAT statement

ip nat outside source list 101 pool NPS

5) Add a static route for your NAT pool

ip route fa2/0

This route is needed because of the order of NAT/routing in IOS.

6) If you have internal routers they too will need to know where to route traffic from 172.16.5.x addresses back to, but from your example above it doesn't look like this is needed.

Note that the NAT pool I have used has only 254 usable addresses, but you can make it as big as you like. As I said, it needs to be big enough to cover all the concurrent connections from the Internet. For the NAT pool addressing you should use private addressing that doesn't conflict with your internal addressing.


yagnesh_tel Thu, 09/03/2009 - 04:52

One thing I noted is that even though the router accepts the command 'ip nat outside source list' with the overload option, you cannot see it once the command is in the running-config. Even the command reference doesn't mention the overload option. So that makes me think that the overloading option may not work in this command. (I have never experienced this, so someone else can correct me if I am wrong.) Considering this, you may need to create a NAT pool using some private IP range so it can create one-to-one NATting using the pool addresses.

Here is the example:

Be sure to select the address range for the NAT pool in such a way that it does not overlap with your existing IP scheme. Also, it should be large enough to accommodate all connections at once. You will need to provide routing for this NAT pool range on your inside host( One static route pointing towards the NAT router will be good enough for this.

I will see if I can lab up this issue.
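To make the two-stage translation in Jon's steps 1-5 and yagnesh's one-to-one pool suggestion concrete, here is an added model (written for this thread, not code from either poster and not a router): the "ip nat inside source static tcp" entry publishes the LAN server on the WAN address, and the "ip nat outside source list ... pool" entry hands each Internet source its own private pool address, so the server only ever sees pool addresses and the pool runs dry once every usable address is mapped. WAN, LAN and pool addresses are constructed documentation/private ranges, not the thread's.

```python
import ipaddress

# Constructed addresses for the model (the thread's real values are not shown).
WAN_IP = "203.0.113.10"         # assumed ISP-assigned address on Fa2/0
LAN_SERVER = "192.168.1.50"     # assumed inside host on Fa1/0
POOL = ipaddress.ip_network("172.16.5.0/24")  # 254 usable, as in Jon's example
PORT = 443


class NatRouter:
    """Models one inside-source static tcp/443 entry plus an outside-source
    list->pool entry that maps each outside host to one pool address."""

    def __init__(self):
        self.pool_free = [str(h) for h in POOL.hosts()]
        self.outside_to_pool = {}   # real Internet source -> pool address

    def inbound(self, sa, da, dport):
        """WAN -> LAN: return (sa, da) as the inside host sees them, or None."""
        if da != WAN_IP or dport != PORT:
            return None             # only tcp/443 on the WAN address is published
        if sa not in self.outside_to_pool:
            if not self.pool_free:
                return None         # one-to-one pool exhausted: no overload here
            self.outside_to_pool[sa] = self.pool_free.pop(0)
        # outside source rewritten to the pool address, destination to the server
        return (self.outside_to_pool[sa], LAN_SERVER)

    def outbound(self, sa, da):
        """LAN -> WAN reply to a pool address: undo both translations.
        The reply only reaches this code because the pool route (Jon's step 5)
        sends 172.16.5.0/24 back towards the NAT router."""
        real = {p: o for o, p in self.outside_to_pool.items()}.get(da)
        if sa != LAN_SERVER or real is None:
            return None             # no translation entry: reply is dropped
        return (WAN_IP, real)


def pool_capacity():
    """Concurrent outside hosts this pool can serve before new ones are dropped."""
    return len(list(POOL.hosts()))
```

Because the server's logs only ever show pool addresses, attributing a connection to its real Internet source requires the router's translation table (show ip nat translations) while the entry is still live.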

Jon Marshall Thu, 09/03/2009 - 04:55


On my version of IOS (12.4) I don't even get the option of overload when doing an "ip nat outside source list ..." statement.

"I will see if I can lab up this issue."

I have just labbed it up and it worked for me. I used the same approach as you, i.e. used a private address range for the NAT pool. See my previous post.


yagnesh_tel Thu, 09/03/2009 - 05:32

And the MVP (Most Valuable Participant) of NetPro goes to Jon :). Thanks for confirming my doubt. IOS won't give you an error while entering 'overload', so I was not able to perceive this issue at first glance.

Jon, thanks for your post and for clarifying!

Would it be possible to swap the inside and outside interfaces, and 1) overload any Internet IP and also 2) have the static NAT statement, but maybe change it to ip nat outside source static tcp....

I'm trying to figure out if there is a way to get all Internet traffic over to this inside host and make the traffic come to and from the router. I'm currently doing this with Linux and ip masquerade, and would love to replace it with this 1811.

Thanks again Jon and Yagnesh.

