Cisco Support Community

New Member

NAT and NVI NAT Virtual Interface Troubles


I've tried several different setups including a standard NAT configuration and have also tried to use NVI.

Here's what I have and would like to achieve:

- A Main Internal Network that has several hosts NATed to the external world (i.e. Mail Server, Web Server, etc)

- A Guest Network (i.e. Wireless Access) that restricts access to all the internal IP addresses on our main network, but allows access to our 'public services' (i.e. Mail Server, Web Server, etc)

- An additional internal network for a different workgroup that can access all hosts on the main network.

- VPN Access to the Internal Network

I first set this up using a traditional NAT configuration: 'ip nat inside' on the three internal networks, 'ip nat outside' on the external network, and several static NAT statements. Problems arose with this setup. On the guest network, users were unable to access the external IP addresses of our hosts. I needed to set up ACLs to allow traffic to the internal IP addresses. VPN users were also unable to access hosts that had static NAT set up at their internal IP addresses. NAT would kick into effect before the return packets were encrypted, and they would never reach their destination.

I have found NVIs and thought they would solve our problems. They have solved our guest network problem. Now hosts on the guest network can access the external IP addresses of our hosts. External users can still access the static NAT hosts. However, now users from the second internal network can no longer access the internal IP addresses of our mail and web servers. They can, however, access them at their external IP addresses.

What seems to be happening is that, with no concept of 'inside' and 'outside' networks, traffic from a machine at is sent to a host on our main network at That host at has a static NAT mapping that maps it to The host at gets the packet and responds to the machine at The router sees the packet from, performs a lookup, sees it has a mapping and forwards the packet on to with a source of This is of course not the host it expects it to come from. I would typically set up a route-map to prevent the static NAT statement from applying to internal <-> internal traffic; however, NVIs do not support route-maps.

Some sample configuration:

interface FastEthernet0
 description Internet Access
 ip address
 ip nat enable

interface FastEthernet1.11
 description Main Office Network
 encapsulation dot1Q 11
 ip address
 ip nat enable

interface FastEthernet1.13
 description Boot Hill Network
 encapsulation dot1Q 13
 ip address
 ip nat enable

interface FastEthernet1.15
 description Guest Network
 encapsulation dot1Q 15
 ip address
 ip access-group guestnet-in in
 ip nat enable

ip nat source list nat interface FastEthernet0
ip nat source static
ip nat source static

ip access-list extended guestnet-in
 deny ip any
 permit ip any any

ip access-list extended nat
 deny ip
 permit ip any

Simply enough, I want to prevent NAT from occurring on any 172.16/12 to 172.16/12 traffic except for traffic destined for the external IP addresses of the statically NATed hosts.



Hall of Fame Super Silver

Re: NAT and NVI NAT Virtual Interface Troubles

Hello James,

I would suggest using a route-map and then referencing the extended named ACL inside it:

ip nat source route-map NAT_select int f0 overload

route-map NAT_select permit 10
 match ip address nat

Hope to help
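Giuseppe's route-map approach written out in full, as an added example rather than configuration from either post; the addresses are constructed placeholders (172.16.1.x internal hosts, 203.0.113.x public), and the ACL body follows the exclusion James asks for at the end of his post. The route-map only conditions the dynamic overload rule; the ip nat source static entries stay unconditional, which, as James notes, is the part NVI does not let a route-map control.

```cisco
! Dynamic NAT/PAT for the internal networks, gated by a route-map
! instead of a bare access-list (Giuseppe's suggestion).
ip nat source route-map NAT_select interface FastEthernet0 overload

! Static mappings for the public services. Placeholder addresses:
! 172.16.1.10 / .20 are constructed internal hosts,
! 203.0.113.10 / .20 are constructed public addresses.
ip nat source static 172.16.1.10 203.0.113.10
ip nat source static 172.16.1.20 203.0.113.20

! Only packets permitted by ACL "nat" are translated by the overload rule;
! a deny in the ACL means the clause does not match and no PAT occurs.
route-map NAT_select permit 10
 match ip address nat

! Traffic between any two 172.16/12 addresses is excluded from the dynamic
! translation. Everything else sourced from 172.16/12, including flows to
! the 203.0.113.x public addresses of the static hosts, is translated.
ip access-list extended nat
 deny   ip 172.16.0.0 0.15.255.255 172.16.0.0 0.15.255.255
 permit ip 172.16.0.0 0.15.255.255 any
```

With this in place, 'show ip nat nvi translations' should list only the static entries and dynamic entries for flows leaving 172.16/12, with none for internal-to-internal traffic.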


New Member

Re: NAT and NVI NAT Virtual Interface Troubles

I was running into trouble just like this at my last company... I finally set up a firewall and let it do all of the NAT.
