Cisco Support Community
Community Member

Cisco best practice...

We have a new internal network setup, with a few ip addresses assigned by our ISP.

Behind our Cisco 2800, we have a few webservers for which I have designated static NAT rules.

My question is, we also set up one dynamic nat rule for inside to outside with an address pool using some of the ISP given ips. Should we use this dynamic rule, or is there a better way?




Re: Cisco best practice...

Hi Will,

The dynamic pool for your outgoing interface traffic should be fine. However, you need to be careful how you define the dynamic nat translation. If you have more hosts behind your firewall than addresses in the pool, you will run out of addresses very quickly. Therefore, if that is the case, ensure you specify the 'overload' option when configuring the translation:

ip nat inside source list list1 pool NatPool1 overload

This will ensure that source port numbers are translated as well as source addresses, allowing you to support a larger number of hosts.

Hope that helps - pls rate the post if it does.



Community Member

Re: Cisco best practice...

Thanks for your prompt replies!

What about the dynamic nat translation timeouts? Should this be set to 0, 24 hours, or should I set it longer?




Re: Cisco best practice...

Hi William,

The default timeouts have been carefully chosen and, as you may have seen, they depend on the type of protocol associated with the translation.

Therefore, I would suggest that you just use the defaults. There are plenty of ports available (it is a 16-bit field, after all) so I can't imagine that you will run out of source ports anytime soon.

Hope that helps,


Re: Cisco best practice...


To make sure there are always enough translations for all user requests use NAT overload (i.e. PAT).

Config could look like this:

ip nat pool MyIPs netmask
ip nat inside source route-map NATmap pool MyIPs overload

interface Ethernet0
 ip address
 ip nat inside

interface Serial0
 ip address
 ip nat outside

The dynamic rule will be the best choice in case there are more internal hosts than official IPs.

Hope this helps! Please rate all posts.

Regards, Martin
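To make the point of the first reply and of Martin's post concrete (a plain dynamic pool hands out one public address per inside host and fails once the pool is used up, while 'overload'/PAT also translates source ports and so fits many hosts onto one address), here is a small Python model of a NAT translation table. It is an added example, not code from the thread or from IOS; it assumes a pool of constructed documentation addresses (203.0.113.x) and collapses the per-protocol default timers into a single idle timeout.

```python
from dataclasses import dataclass, field
from itertools import chain

# Constructed model of a dynamic NAT / PAT translation table (not IOS code).
# Assumptions: one idle timeout for every translation (IOS really uses
# per-protocol defaults), and ports 1024-65535 are usable for PAT.


@dataclass
class NatTable:
    pool: list          # public addresses handed out by the pool
    overload: bool      # True = PAT: translate source ports as well as addresses
    timeout: int        # idle seconds before a translation is reclaimed
    entries: dict = field(default_factory=dict)   # (src_ip, src_port) -> (pub_ip, pub_port, last_seen)

    def expire(self, now):
        """Reclaim translations idle longer than the timeout (what the timers are for)."""
        stale = [k for k, (_, _, seen) in self.entries.items() if now - seen > self.timeout]
        for k in stale:
            del self.entries[k]

    def translate(self, src_ip, src_port, now):
        """Return (public_ip, public_port) for an inside flow, or None if the pool is exhausted."""
        self.expire(now)
        key = (src_ip, src_port)
        if key in self.entries:                      # existing flow: refresh and reuse
            pub_ip, pub_port, _ = self.entries[key]
            self.entries[key] = (pub_ip, pub_port, now)
            return pub_ip, pub_port
        if self.overload:
            # PAT: keep the original port when free, otherwise take the next free port,
            # so one public address serves many inside hosts.
            in_use = {(ip, port) for ip, port, _ in self.entries.values()}
            for pub_ip in self.pool:
                for pub_port in chain([src_port], range(1024, 65536)):
                    if (pub_ip, pub_port) not in in_use:
                        self.entries[key] = (pub_ip, pub_port, now)
                        return pub_ip, pub_port
            return None                              # every address/port pair taken
        # Plain dynamic NAT: one public address per inside host, ports untouched.
        used = {e[0] for e in self.entries.values()}
        owned = next((e[0] for (ip, _), e in self.entries.items() if ip == src_ip), None)
        pub_ip = owned or next((ip for ip in self.pool if ip not in used), None)
        if pub_ip is None:
            return None                              # pool exhausted: the failure the thread warns about
        self.entries[key] = (pub_ip, src_port, now)
        return pub_ip, src_port
```

With a two-address pool and no overload, the third inside host gets no translation until an earlier one times out; with overload, three hosts share one address and a colliding source port is simply rewritten.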
