Cisco Support Community
Community Member

Static NATs using the network parameter

If I want one-to-one static NATs which allow inbound traffic, will this work? I want to be able to ping, SSH, etc to by going to from the other side of the VPN.


ip nat inside source static network /24 route-map VPN_Somerset_NAT-rm reversible

route-map VPN_Somerset_NAT-rm permit 10

 match ip address VPN_Somerset_NAT-ACL


ip access-list extended VPN_Somerset_NAT-ACL

 permit ip



To translate the real address

To translate the real address to the mapped address when sends traffic to the network, the access-list and static commands are as follows:

hostname(config)# access-list TEST extended ip host

hostname(config)# static (inside,outside) access-list TEST


In this case, the second address is the destination address. However, the same configuration is used for hosts to originate a connection to the mapped address. For example, when a host on the network initiates a connection to, then the second address in the access list is the source address.

This access list should include only permit ACEs. You can optionally specify the real and destination ports in the access list using the eq operator. Policy NAT does not consider the inactive or time-range keywords; all ACEs are considered to be active for policy NAT configuration. See the "Policy NAT" section for more information.

If you specify a network for translation (for example,, then the ASA translates the .0 and .255 addresses. If you want to prevent access to these addresses, be sure to configure an access list to deny access.
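An added illustration of the point in the reply above, not code from the thread or from Cisco: a static network NAT keeps the host bits one-to-one, so the network and broadcast addresses of the mapped range are translated too and need explicit deny entries. The networks `10.1.1.0/24` and `192.0.2.0/24` and the ACL name `OUTSIDE_IN` are constructed sample values, and the deny entries assume an inbound ACL that matches on the mapped address.

```python
import ipaddress


def translate(addr, real_net, mapped_net):
    """Return the mapped address for `addr` under a static network NAT.

    Only the network prefix changes; the host bits are carried over as-is.
    """
    real = ipaddress.ip_network(real_net)
    mapped = ipaddress.ip_network(mapped_net)
    if real.prefixlen != mapped.prefixlen:
        raise ValueError("real and mapped networks need the same prefix length")
    ip = ipaddress.ip_address(addr)
    if ip not in real:
        raise ValueError(f"{ip} is not inside {real}")
    offset = int(ip) - int(real.network_address)
    return str(mapped.network_address + offset)


def edge_addresses(mapped_net):
    """Network and broadcast address of the mapped range (.0 and .255 for a /24)."""
    mapped = ipaddress.ip_network(mapped_net)
    return [str(mapped.network_address), str(mapped.broadcast_address)]


def deny_aces(acl_name, mapped_net):
    """Build ASA-style deny entries for the edge addresses of the mapped range.

    Assumption: the ACL is evaluated against the mapped (translated) address.
    """
    return [
        f"access-list {acl_name} extended deny ip any host {addr}"
        for addr in edge_addresses(mapped_net)
    ]


if __name__ == "__main__":
    REAL_NET = "10.1.1.0/24"      # constructed sample: real (inside) network
    MAPPED_NET = "192.0.2.0/24"   # constructed sample: mapped network (RFC 5737 range)

    # An ordinary host and the broadcast address are both translated.
    for host in ("10.1.1.25", "10.1.1.0", "10.1.1.255"):
        print(host, "->", translate(host, REAL_NET, MAPPED_NET))

    # Entries to place ahead of the permits in the inbound ACL.
    for ace in deny_aces("OUTSIDE_IN", MAPPED_NET):
        print(ace)
```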

Community Member

I'm on a router, not an ASA.

