Destination NAT

Unanswered Question
Jun 2nd, 2010


I trying to figure out how i can NAT the destination (DNAT?).

The idea is not to route the public ranges in the network, but to use only private range, this beside.

In this setup, the idea is that when the pc goest to, he arrives at

What's the best way to do this? Thanks !!!


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jennifer Halim Wed, 06/02/2010 - 05:38

Assuming that you have the following configured currently:

On the router interface --> ip nat inside

On the router interface --> ip nat outside

Then you would need to configure the following:

ip nat outside source static

Hope that helps.

Brononius Wed, 06/02/2010 - 05:49


Tried this, but isn't working. :$

I think it's because the routers isn't listening on this ip (

I've added it as a standby ip, so now it's listening. But also answering directly. So it's not being NAT or forwarded (?).

Jennifer Halim Wed, 06/02/2010 - 05:50

Please make sure that proxy arp is enabled on the router interface (

Brononius Wed, 06/02/2010 - 05:58

Shouldn't this be one by default? :$

I've issued the command (ip proxy-arp) on the interface VLAN2 which is, but doesn't change a lot...

i've got debugging on 'ip nat' and 'ip icmp'. But no entries when i try to ping the from the workstation.

Jennifer Halim Wed, 06/02/2010 - 06:01

What is the ARP entry on your PC for

Also, please share the output of "show ip nat translation"

Nathan Cole Wed, 06/02/2010 - 15:25

I am slightly confused about what you want, but you mean something different then

ip route


Do you want to not allow LAN users to access each other?

Brononius Wed, 06/02/2010 - 23:15

The idea is that the router is listening on a ip (in this case, and translate it to/as

This way, i don't need to have the network known in the network.

The idea is that the clients pc only can use addresses.

So if they want to reach, they need to go to

Maybe a bit of history?

Some compagnies don't allow public ip ranges (in our example in their network (must go by proxy or whatever).

And this way, we can solve the issue of communicating with external server without the need of advertising the public ranges in our network. Just a kind of virtual ip on the router, he translate it to the internet and that's it...

The router here isn't necessary the internet/core router. So a default route on the client isn't the solution. :$

Nathan Cole Thu, 06/03/2010 - 12:24


I guess for some reason I missed the "NAT" part. 

Thank you for the explination.  Always love new information.

Brononius Thu, 06/03/2010 - 00:22


Just dit a complete 'rebuild' of my setup, and now the ping is answering once i've got the nat in there (without a standby).

But i see that the NAT itself isn't done.

Ping from the router to the server


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/24/28 ms

The NAT table on the router

TestA#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
---   ---                     ---          

The configuration of the interface

interface Vlan1
ip address
ip nat outside
ip virtual-reassembly

interface Vlan2
ip address
ip nat inside
ip virtual-reassembly

The debugging on the router

TestA#sh debugging 
Generic IP:
  ICMP packet debugging is on
  IP NAT debugging is on

A ping from the client towards results in:

Jun  3 09:10:17.376 CEDT: ICMP: echo reply sent, src, dst
Jun  3 09:10:17.380 CEDT: ICMP: echo reply sent, src, dst
Jun  3 09:10:17.384 CEDT: ICMP: echo reply sent, src, dst
Jun  3 09:10:17.384 CEDT: ICMP: echo reply sent, src, dst
Jun  3 09:10:17.388 CEDT: ICMP: echo reply sent, src, dst

But as you can see in the debug, no natting is performed. :$

Brononius Thu, 06/03/2010 - 01:19

Okay, found it.

I needed to add a route for the towards the other network.

So once i've added

ip route vlan 1

And now it works...

Or if you see issues why not to do this....


This Discussion