NAT/PAT solution in Cisco 515e firewall

Feb 2nd, 2010

My internal IP address range is due to be changed from the 172.x.x.x net to the 10.x.x.x net in March, which is not enough time to migrate my systems and access. Is there a NAT/PAT solution in which requests to internal hosts can be translated to a 10.x.x.x host? I want to leave my internal network as 172.x.x.x, but I also want the outside world to contact my network as the 10.x.x.x network; at the same time, outside networks and hosts should be able to contact my network as 172.x.x.x as well as 10.x.x.x.


sachinraja Tue, 02/02/2010 - 13:48

Hello Raed

How is your WAN set up? Is there a router terminating the connection that then forwards the traffic to this firewall, or is the connection directly onto the firewall? If there is a router, then yes, you can forward the traffic onto NATted/PATed IP addresses (in case these are not overlapping anywhere on your network).

Make sure you document all traffic which enters and exits your network. In the case of desktops which would just have outbound connections, you can PAT the 172.x.x.x network to a 10.x.x.x IP address and route them across. This is the case ONLY when these PCs have just outbound connections. If you need to manage these PCs inbound directly on IP, then you would have issues with PAT. You should then do a one-to-one NAT, which can become a bit difficult, depending on the number of PCs on your network.

For servers and printers which would be accessed from outside (traffic both ways), you can define static one-to-one NAT rules. You can define a static with 172.x.x.x local and 10.x.x.x global, so that the server can go out to your WAN, and also traffic from outside can come in. It all depends on your network layout.

One big advantage of NATting this way is that your existing routing information stays, and you just need to add small static routes for your 10.x.x.x network on the external router. If you readdress the whole LAN, you might have to change routing both internal and external.

Hope this helps. All the best.


Kureli Sankar Tue, 02/02/2010 - 17:38

You would like the outside hosts to talk to the inside hosts using their 172.x.x.x as well as 10.x.x.x addresses? This may be possible only when you know which outside hosts or networks will try to address them as 172.x.x.x.

You can use NAT exemption if they need to be accessed using their real IPs, and you can do static 1-1 (172.x.x.x to 10.x.x.x) if they try to access them via the translated address.


nat (inside) 0 access-l no-nat

access-list no-nat permit ip

static (inside,outside) net

nat 0 with an ACL takes precedence and is bi-directional, just like the static.
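
A filled-in version of the exemption-plus-static approach described in the reply above, as an added example that is not part of the original thread, written in the pre-8.3 PIX syntax the thread uses. All addresses are constructed (172.16.10.2 as the real server, 10.10.10.2 as its mapped address, 192.168.50.0/24 as the outside network that keeps using the real address, 192.168.60.0/24 as one that uses the new address), and the ACL name outside_in and the TCP/443 service are assumptions.

```cisco
! Constructed addresses, see the lead-in. Replace with your own.

! 1. NAT exemption: traffic between the server and the known outside
!    network is not translated, so those peers keep reaching the server
!    on its real 172.x address. Exemption is matched before the static.
access-list no-nat permit ip host 172.16.10.2 192.168.50.0 255.255.255.0
nat (inside) 0 access-list no-nat

! 2. One-to-one static for everyone else: the server appears as 10.10.10.2.
!    Argument order is (real_if,mapped_if) mapped_ip real_ip.
static (inside,outside) 10.10.10.2 172.16.10.2 netmask 255.255.255.255

! 3. Neither statement permits inbound traffic by itself. The outside
!    interface ACL still has to allow it, and it should name only the
!    peers and ports that are actually needed (outside_in and TCP/443
!    are assumptions for this example).
!    Exempted peers address the real IP:
access-list outside_in permit tcp 192.168.50.0 255.255.255.0 host 172.16.10.2 eq 443
!    Translated peers address the mapped IP:
access-list outside_in permit tcp 192.168.60.0 255.255.255.0 host 10.10.10.2 eq 443
access-group outside_in in interface outside
```

Keeping the exemption ACL as narrow as the outside ACL matters here: any source/destination pair matched by no-nat bypasses the static, so a broad entry exposes the real 172.x addresses to more peers than intended.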


c1scouser Wed, 02/03/2010 - 08:11

I only have a few servers to communicate that way, and yes, there is a router behind the firewall handling the routing of the 10.x.x.x network.

I only want to make the change in my firewall, with the static one-to-one you mentioned, for example:

static(local global) 172.x.x.2 10.x.x.2 and that goes for each server. Is this all I need to add to my firewall to get this NAT in place?

Thank you

