Cisco Support Community
Community Member

2-way NAT? Is it possible?

I'm in a situation where I need the following:

1. I need the IP address for a remote system to appear to me as an address range I assign (doing it today, no problems). This allows me to connect to multiple overlapping address ranges (i.e. 5 customers, each with networks)

2. At the same time, I need the remote system to see my IP address as part of its local subnet. The goal here is to remove the need to place routes on the remote system in order to get back to my subnet.

I don't think it's possible to make these two solutions work at the same time, but wanted to ask.



Re: 2-way NAT? Is it possible?

When a packet is traversing inside to outside, a NAT router checks its routing table for a route to the outside address before it continues to translate the packet. Therefore, it is important that the NAT router has a valid route for the outside network. The route to the destination network must be known through an interface that is defined as NAT outside in the router configuration. It is also important to note that the return packets are translated before they are routed. Therefore, the NAT router must also have a valid route for the Inside local address in its routing table.
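The order of operations described in the reply above, as a small Python model. This is an added example, not part of the original post and not Cisco code; the interface names, addresses (RFC 1918 / RFC 5737 ranges) and function names are constructed assumptions, and the model is simplified to static translations only.

```python
import ipaddress

# Constructed static translations; none of these addresses come from the thread.
INSIDE_STATIC = {"10.1.1.10": "192.0.2.10"}        # inside local -> inside global
OUTSIDE_STATIC = {"198.51.100.20": "172.16.1.20"}  # outside global -> outside local

def lookup(routes, dst):
    """Longest-prefix match; returns the egress interface name or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def inside_to_outside(src, dst, routes, nat_outside_ifaces):
    """Inside to outside: the route lookup happens BEFORE translation."""
    # Step 1: route on the destination as the inside host sees it (outside local).
    egress = lookup(routes, dst)
    if egress is None:
        return ("drop", "no route to outside local address")
    # NAT only applies when routing selected an interface marked NAT outside.
    if egress not in nat_outside_ifaces:
        return ("forward-untranslated", egress, src, dst)
    # Step 2: translate source (local -> global) and destination (local -> global).
    outside_local_to_global = {v: k for k, v in OUTSIDE_STATIC.items()}
    return ("forward", egress, INSIDE_STATIC.get(src, src),
            outside_local_to_global.get(dst, dst))

def outside_to_inside(src, dst, routes):
    """Outside to inside: translation happens BEFORE the route lookup."""
    # Step 1: translate source (global -> local) and destination (global -> local).
    inside_global_to_local = {v: k for k, v in INSIDE_STATIC.items()}
    new_src = OUTSIDE_STATIC.get(src, src)
    new_dst = inside_global_to_local.get(dst, dst)
    # Step 2: route on the translated destination, i.e. the inside local address.
    egress = lookup(routes, new_dst)
    if egress is None:
        return ("drop", "no route to inside local address")
    return ("forward", egress, new_src, new_dst)
```

Removing the route for the outside local prefix, or pointing it at an interface that is not NAT outside, shows the two failure modes the reply warns about: the packet is dropped or leaves untranslated.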

Community Member

Re: 2-way NAT? Is it possible?

Thanks. I actually have some output to help explain my problem now.

In this example:

1. is my local host

2. is the remote host I need to reach

3. is the NAT'd address of the remote host (as it appears to me)

4. is an address I'm using to NAT my local host to the remote network.

and here we go:

*Mar 9 12:52:58.889: NAT*: s=>, d= [7086]

*Mar 9 12:52:58.889: NAT*: s=, d=> [7086]

*Mar 9 12:52:58.893: ICMP: echo reply rcvd, src, dst

So my local host is being NAT'd to, as it should. Then my destination IP is NAT'd to from to, as it should. We can see the reply from to Great! Ok, where's my NAT to get the traffic back to

I know the NAT order of operations is probably killing this (TAC even said that was the likely culprit), so I tried to get around that by putting a policy route on the remote router's LAN interface so it would set the next-hop of all traffic destined for to a loopback IP. The loopback is an "outside" NAT interface. I was hoping that it would route to the loopback, NAT, and then send it on its way, but alas I was mistaken.

Hope I haven't muddied the waters too much.

