Cisco Support Community

New Member

ACL doesn't match packets for NAT purpose

Hi, I cannot understand why ACL doesn't match packets from PCs or, but it matches

In Wireshark I see source when I run ping from However, it must be

By the way, I tried to set static NAT that worked fine, but it is not what I want.

interface FastEthernet0/0
 ip address
 ip nat outside
 duplex auto
 speed auto
interface FastEthernet0/1
 ip address
 ip nat inside
 duplex auto
 speed auto

ip nat pool pool1 netmask
ip nat inside source list 1 pool pool1 overload
access-list 1 permit log


Router#ping source

Router#sh ip nat tr
Pro Inside global      Inside local       Outside local      Outside global

Router#trace source

Type escape sequence to abort.
Tracing the route to

  1 0 msec 0 msec 4 msec
  2 0 msec 0 msec 4 msec




Cisco Employee

Try using a named standard access list instead.

Your example converted

ip nat inside source list nat-source pool pool1 overload
ip access-list standard nat-source

My output

Pro Inside global      Inside local       Outside local      Outside global


If you only want to use the interface address, consider the following instead:

   ip nat inside source list nat-source interface fa0/0

New Member

Thanks!


However, I managed to do this in this way:

ip nat pool pool213 prefix-length 30

ip nat inside source route-map isp1 pool pool213 overload

access-list 101 permit ip any

route-map isp1 permit 10
 match ip address 101
 match interface FastEthernet0/0


It is pretty weird, but thank god it works.

Hi,


I do agree with Dasthomp: the log keyword is not supported with a NAT ACL. If you revert to your original configuration and remove the log keyword at the end of ACL 1, you will be good to go.

Regards | Aref.

Cisco Employee

Last I checked, the use of the 'log' statement is not supported with NAT.
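
A configuration check for the condition the replies point to: an ACL entry ending in log while that ACL is referenced by ip nat inside source, either directly or through a route-map. This is an added example, not part of the thread; the sample configuration and its addresses are constructed, and the function name is hypothetical.

```python
# Constructed sample config; addresses are placeholders, not from the thread.
SAMPLE_CONFIG = """\
ip nat inside source list 1 pool pool1 overload
ip nat inside source route-map isp1 pool pool1 overload
access-list 1 permit 10.0.0.0 0.0.0.255 log
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 permit ip any any log
ip access-list standard nat-source
 permit 10.0.1.0 0.0.0.255
route-map isp1 permit 10
 match ip address 101
"""

def nat_acl_log_findings(config):
    """Return sorted (acl, entry) pairs: 'log' entries in ACLs that NAT references."""
    acls, rmap_acls = {}, {}
    nat_refs = {"list": set(), "route-map": set()}
    kind = name = None  # current indented section: "acl" or "rmap", and its name
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if line[0].isspace():  # child line of the current section
            if kind == "acl":
                acls[name].append(line.strip())
            elif kind == "rmap" and words[:3] == ["match", "ip", "address"]:
                rmap_acls[name].update(words[3:])
            continue
        kind = name = None
        if words[0] == "access-list" and len(words) > 2:  # numbered ACL entry
            acls.setdefault(words[1], []).append(" ".join(words[2:]))
        elif words[:2] == ["ip", "access-list"] and len(words) > 3:  # named ACL
            kind, name = "acl", words[3]
            acls.setdefault(name, [])
        elif words[0] == "route-map" and len(words) > 1:
            kind, name = "rmap", words[1]
            rmap_acls.setdefault(name, set())
        elif words[:4] == ["ip", "nat", "inside", "source"] and len(words) > 5:
            if words[4] in nat_refs:  # skips e.g. static translations
                nat_refs[words[4]].add(words[5])
    used = set(nat_refs["list"])
    for rmap in nat_refs["route-map"]:  # ACLs reached through a NAT route-map
        used |= rmap_acls.get(rmap, set())
    return sorted((a, e) for a in used for e in acls.get(a, [])
                  if e.split()[-1] in ("log", "log-input"))

if __name__ == "__main__":
    for acl, entry in nat_acl_log_findings(SAMPLE_CONFIG):
        print(f"ACL {acl} is referenced by NAT and uses log: {entry}")
```

ACL 102 in the sample also carries log but is not reported, because nothing in the NAT configuration references it.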