Cisco Support Community

New Member

NAT before routing??? Confused

I have a 2800 series router running c2801-advsecurityk9-mz.124-10.bin. This is the internet facing router. We have an overload statement for internet users on the interface, and a static nat for a server on the internet. If any of the internal networks over VPN, GRE, or T1 behind this router try to connect to the internal server IP address for whatever reason the server then responds and the router sends that traffic out to the internet vs taking the routing path back to the destination host on the internal networks???? This doesn't make sense to me. What am I missing here?

Here is an example: if I try to telnet to TCP 3389 to the internal server IP address of from remote over GRE tunnel using router source IP of it puts it into the NAT table and out to the internet vs taking the path back thru the GRE tunnel to the remote network. What am I missing?

r.lamesa#sho ip nat trans | inclu 3389



tcp ---


r.lamesa#sho ip route

Routing entry for

Known via "eigrp 600", distance 90, metric 235402496, type internal

Redistributing via eigrp 600

Last update from on Tunnel1, 14:41:02 ago

Routing Descriptor Blocks:

*, from, 14:41:02 ago, via Tunnel1

Route metric is 235402496, traffic share count is 1

Total delay is 9000100 microseconds, minimum bandwidth is 512 Kbit

Reliability 255/255, minimum MTU 1476 bytes

Loading 1/255, Hops 1


Hall of Fame Super Bronze

Re: NAT before routing??? Confused

It's doing what's told, you have an ip nat outside on Tunnel1. As packets exit that interface, they will be NAT'd according to the ip nat inside statement.


Re: NAT before routing??? Confused

Maybe I am misunderstanding what you are trying to say, since there is no accompanying diagram. But in the title of your post you mention an order of operations concern -- or so it seems like that.

When a packet is received on the INSIDE NAT interface of a router, it is routed first and then the NAT operation occurs.

On the other hand, when a packet is received on the OUTSIDE NAT interface, it is NAT'ed first and then routed. This is why you can do a PAT overload to an OUTSIDE interface only.

Did that help you?
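
A simplified Python model of the order of operations described in the two replies above, added here as an illustration and not part of the original thread or of IOS. All addresses, routes and the interface names Fa0/0 and Serial0 are constructed lab values (only Tunnel1 appears in the thread); PAT, ACLs and crypto are ignored.

```python
import ipaddress

# Constructed lab values (not from the thread): one static NAT and three routes.
STATIC_NAT = {"10.1.1.10": "203.0.113.10"}        # inside local -> inside global
GLOBAL_TO_LOCAL = {g: l for l, g in STATIC_NAT.items()}
ROUTES = [("10.1.1.0/24", "Fa0/0"), ("10.2.0.0/16", "Tunnel1"), ("0.0.0.0/0", "Serial0")]

def route(dst):
    """Longest-prefix match on the destination address."""
    nets = [(ipaddress.ip_network(p), ifc) for p, ifc in ROUTES]
    matches = [(n, ifc) for n, ifc in nets if ipaddress.ip_address(dst) in n]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def forward(src, dst, in_if, nat_role):
    """Return (egress interface, src, dst) after the router handles a packet.

    nat_role maps interface name -> "inside" / "outside"; absent means no NAT.
    """
    if nat_role.get(in_if) == "outside":
        # Outside -> inside: translate the destination first, then route.
        dst = GLOBAL_TO_LOCAL.get(dst, dst)
    out_if = route(dst)
    if nat_role.get(in_if) == "inside" and nat_role.get(out_if) == "outside":
        # Inside -> outside: route first, then translate the source.
        src = STATIC_NAT.get(src, src)
    return out_if, src, dst

def demo():
    tunnel_outside = {"Fa0/0": "inside", "Serial0": "outside", "Tunnel1": "outside"}
    tunnel_plain = {"Fa0/0": "inside", "Serial0": "outside"}
    return {
        # Server reply to a remote host reached over the GRE tunnel.
        "reply, Tunnel1 is nat outside": forward("10.1.1.10", "10.2.0.5", "Fa0/0", tunnel_outside),
        "reply, Tunnel1 has no NAT role": forward("10.1.1.10", "10.2.0.5", "Fa0/0", tunnel_plain),
        # Internet client connecting to the server's global address.
        "inbound from internet": forward("198.51.100.7", "203.0.113.10", "Serial0", tunnel_plain),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In the first case the reply leaves Tunnel1 with its source rewritten to the global address, so the remote host sees a reply from an address it never contacted.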

New Member

Re: NAT before routing??? Confused

Hi Edison!

I made a config based on the link below

I use 12.4.1 and NAT was on one side only.

It was not working because the NAT entry was not created in the router when traffic arrived from outside. Based on your response (which was extremely helpful) I put the nat outside on the tunnel interface.

It is working now.

Please give a short description or link which shows why the example config was wrong. What is the order of processing when I use crypto, NAT, GRE?

Maybe the IOS behavior was changed?

Thanks in advance