destination IP translation between 2 inside interface

Unanswered Question
Jul 16th, 2010

Hi, I just got a C800 series router running on a static Internet IP at the WAN port and having 2 VLANs as inside interfaces. Port forwarding has been defined from the Internet to the application so that Internet users can access the application. Due to the application limitation, the client program has been hardened with the public IP to access the server. Is there any way that the user can access the server through the public IP even though they're connected to the internal network? Currently, the user cannot access the server once they are back at the office unless they reconfigure the client software back to the private IP. You will probably have a better view by referring to the details below.




application server IP:

application client software harden with TCP port 9090 to access from Internet

Port forwarding: TCP port 9090 to TCP port 9090 (allow user to access thru Internet)

The user has to manually reconfigure the client software from to once he is connected to VLAN 20.

I'm wondering, is it possible to use ip nat inside destination just to translate the destination IP back to the private IP for the traffic from VLAN 20 to VLAN 10?

hope that someone can help me... thanks.

manish arora Fri, 07/16/2010 - 11:57

Check for errors on your device. I think the user is not able to access the public IP because of hairpinning.

Can you please check the logs for IP spoof denied messages or errors?

Please post the port redirection NAT statement, as I did this on a Cisco ASA, never on a router, so I need to see it.



edmand.hon Fri, 07/16/2010 - 20:33

Hi, you may refer to the attachment for the overview diagram. Below is the configuration. I see nothing in the router log. Is there any way to translate the destination IP for inside-to-inside traffic? Hope that you can help me, as every time the user is back at the office they need to harden the client software to the private IP in order to work at the office. Thanks.



interface FastEthernet4
 description SDSL Link
 ip address
 ip access-group DENY_ROGUE_ATTACK in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto

interface Vlan10
 description Server Farm Segment
 ip address
 ip pim sparse-mode
 ip nat inside

interface Vlan20
 description User Segment
 ip address
 ip pim sparse-mode
 ip nat inside

ip route FastEthernet4

ip nat inside source list 80 interface FastEthernet4 overload

ip nat inside source static tcp 9090 9090 extendable

access-list 80 remark Inside NAT Subnet
access-list 80 permit
access-list 80 permit

stanleyb Fri, 07/16/2010 - 23:35


It appears that your best bet may be using DNS. Do you have an internal DNS server? Can your client be configured to use an FQDN instead of an IP? If the answer is yes to both, then:

1. Register your public IP address (request with your ISP) with a unique FQDN (ex.

2. Add the new name into your internal DNS server records

3. Replace client's configuration from or to

Clients will now respond consistently the same way and you don't have to change anything, whether they work from home or the office. Keep in mind that if in the future you want to add more apps, then you may need more public IP addresses/FQDN registrations.

Let me know if that solution works for you,


stanleyb Fri, 07/16/2010 - 23:59


In case you don't have a DNS server and your DHCP server assigns the router's interface for both gateway and DNS, you can use your router as a DNS server to add an FQDN for  resolution. Here are the commands:

ip dns server
ip host

That's it,


More details:

edmand.hon Sat, 07/17/2010 - 00:11

Hi stan,

Currently, the user is running DHCP and I have configured the DHCP setting to push the ISP public DNS server to their laptop. If I use this method, I need to change the DHCP setting so that it pushes the VLAN interface IP as their DNS server, while the router will become the relay?

stanleyb Sat, 07/17/2010 - 01:18


In that case:

1. nslookup your public IP

2. If it resolves, use that name as []

3. If not, request your ISP to associate your public IP address to an unique FQDN (ex.

4. Reconfigure the DHCP server to assign primary DNS=, secondary and tertiary=Public DNS servers

5. Add the following commands to your router:

ip dns server
ip domain lookup
ip name-server server-address1 [server-address2  ... server-address6]    <<<  don't add your local dns ip address here

6. Replace client's configuration from or to:

In case of, resolves by public dns to fqdn:

C:\Documents and Settings\Stanley>nslookup


The question is, can the client be configured to use an FQDN instead of an IP? If yes, (per above example) pointing to: "" should now work from both home and office.


stanleyb Sat, 07/17/2010 - 01:39

Just to answer your question directly.

"is it possible to use ip nat inside destination just to translate destination IP back to private ip for the traffic from VLAN 20 to VLAN 10?"

Not with the router. As an example, if your server is Linux, internally NATing on it, coupled with a static route on your router, should do. However, Cisco can't static NAT internal to internal (to my knowledge), hence I recommended the DNS solution, which works every time. Also see:






ip nat inside source

· Translates the source of IP packets that are traveling inside to outside.

· Translates the destination of the IP packets that are traveling outside to inside.

ip nat outside source

· Translates the source of the IP packets that are traveling outside to inside.

· Translates the destination of the IP packets that are traveling inside to outside.
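
An added illustration, not part of the thread or of any poster's configuration: a simplified Python model of the `ip nat inside source` direction rules quoted in the post above and of the split-DNS approach recommended earlier in the thread. The addresses and the name `app.example.com` are constructed placeholders, and the model covers only destination rewriting for TCP 9090.

```python
from dataclasses import dataclass, replace

# Constructed addresses (documentation / RFC 1918 ranges), not from the thread.
PUBLIC_IP, SERVER_IP = "203.0.113.10", "10.0.10.5"
APP_NAME = "app.example.com"  # hypothetical FQDN configured in the client

# NAT role of each interface, as in the posted configuration.
NAT_ROLE = {"FastEthernet4": "outside", "Vlan10": "inside", "Vlan20": "inside"}
# Models: ip nat inside source static tcp <SERVER_IP> 9090 <PUBLIC_IP> 9090
STATIC_TCP = {(PUBLIC_IP, 9090): (SERVER_IP, 9090)}


@dataclass(frozen=True)
class Packet:
    in_if: str   # interface the packet arrives on
    dst: str
    dport: int


def route(pkt: Packet) -> str:
    """Rewrite the destination only for packets arriving on a NAT outside interface."""
    if NAT_ROLE[pkt.in_if] == "outside" and (pkt.dst, pkt.dport) in STATIC_TCP:
        ip, port = STATIC_TCP[(pkt.dst, pkt.dport)]
        pkt = replace(pkt, dst=ip, dport=port)
    if pkt.dst == SERVER_IP:
        return "forwarded to server on Vlan10"
    if pkt.dst == PUBLIC_IP:
        return "untranslated, addressed to the router itself"
    return "routed by normal lookup"


def resolve(name: str, in_if: str) -> str:
    """Split DNS: the router's host table answers inside clients, public DNS the rest."""
    router_hosts = {APP_NAME: SERVER_IP}   # models: ip host <name> <SERVER_IP>
    public_dns = {APP_NAME: PUBLIC_IP}     # record registered for the public address
    table = router_hosts if NAT_ROLE[in_if] == "inside" else public_dns
    return table[name]


def connect(name_or_ip: str, in_if: str) -> str:
    """Client behaviour: resolve the name if one is configured, then send to TCP 9090."""
    dst = resolve(name_or_ip, in_if) if name_or_ip == APP_NAME else name_or_ip
    return route(Packet(in_if, dst, 9090))


if __name__ == "__main__":
    for target, in_if in [(PUBLIC_IP, "FastEthernet4"), (PUBLIC_IP, "Vlan20"),
                          (APP_NAME, "Vlan20"), (APP_NAME, "FastEthernet4")]:
        print(f"{target:16} via {in_if:13} -> {connect(target, in_if)}")
```

The second flow is the office case from the original question: the packet enters on an inside interface, so the static entry never rewrites its destination, while the same client pointed at the name reaches the server directly.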

edmand.hon Sat, 07/17/2010 - 01:55

Hi Stan,

   Thanks for your great help. Let me try; probably enabling the DNS server on the router with a static hostname that redirects to the private IP will be sufficient. Thank you very much for your great idea.

