Cisco Support Community
Community Member

NAT equivalents to IPTables

I am replacing a Linux router with a Cisco device. The Linux device provides NAT services, and I have successfully configured inbound access from public addresses to private addresses. However, the Linux router has an IPTables configuration, shown below, which I cannot replicate in Cisco:

-A POSTROUTING -s -d ! -j SNAT --to-source xx.yy.124.161 (sanitised public address)

I translated this as meaning "For packets with a source address of and a destination address outside the range, then translate the destination address to xx.yy.124.161".

On that basis, I created the following configuration:

ip access-list extended corenat1
 deny   ip host
 remark denies traffic source dest
 permit ip host any
 remark permits traffic source to any
ip nat pool natpool1 xx.yy.124.161 xx.yy.124.161 netmask
ip nat inside source list corenat1 pool natpool1

This was intended to identify the traffic to NAT (access-list corenat1), then create a NAT pool with one address in it, and finally NAT the identified traffic to the new address. It does not work, and I'm not seeing any translations occurring from these commands. The NAT router simply returns "unavailable" when pinging is attempted.

Am I doing something wrong, or is this just not possible?

Community Member

Can you see the following configuration:

access-list 101 deny ip host
access-list 101 permit ip host any
access-list 1 permit host

ip nat pool natpool1 xx.yy.124.161 xx.yy.124.161 netmask
ip nat inside source list 1 pool natpool1

interface Fa0/1
 ip nat outside
 ip access-group 101 out

Community Member

Hi Walter,

Thanks for the interest. Your suggestion will apply the access-group to the interface, and will manage packets going in/out of the interface. My access-list was to direct certain traffic to the NAT rules, not the interface, so that there was no permit/deny on the interface, but a selection of traffic to which NAT-ing was applied. Is my way of working possible?

Community Member

I think that you can use the access-group on the interface for the traffic input/output, and you can use access-list 1 for the traffic that you want to NAT.
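As an added example, not posted by anyone in this thread, here is a complete IOS configuration for the pattern the thread is about: an extended ACL that selects which inside traffic is translated (a "deny" entry in a NAT selection list exempts traffic from translation, it never drops a packet), a single-address pool, and the interface designations without which an "ip nat inside source" rule never produces translations. The only value taken from the thread is the public address xx.yy.124.161; the inside LAN 192.168.10.0/24, the excluded destination range 192.168.20.0/24, the interface names, the uplink address xx.yy.124.162 and the /29 netmask are constructed placeholders. Because the source is a whole subnet rather than one host, the example adds the "overload" keyword so every inside host can share the one public address.

```cisco
! Added example (constructed addresses except xx.yy.124.161 from the thread).
! Assumed topology: inside LAN 192.168.10.0/24 on Fa0/0, an internal range
! 192.168.20.0/24 that must be reached WITHOUT translation, Internet on Fa0/1.
!
! Intended equivalent of the Linux rule:
!   -A POSTROUTING -s 192.168.10.0/24 ! -d 192.168.20.0/24 -j SNAT --to-source xx.yy.124.161
!
! 1. Selection list. "deny" here means "do not translate"; nothing is dropped.
ip access-list extended CORENAT1
 remark exempt inside-to-inside traffic from translation
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 remark translate everything else sourced from the inside LAN
 permit ip 192.168.10.0 0.0.0.255 any
!
! 2. Pool holding a single public address. "overload" enables PAT so the
!    whole LAN can share it; without it only one inside host at a time
!    obtains a translation and the others fail.
ip nat pool NATPOOL1 xx.yy.124.161 xx.yy.124.161 netmask 255.255.255.248
ip nat inside source list CORENAT1 pool NATPOOL1 overload
!
! 3. The rule only acts on packets crossing from an "ip nat inside"
!    interface to an "ip nat outside" interface. No ip access-group is
!    required on either interface for translation to work.
interface FastEthernet0/0
 description inside LAN (constructed)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description public uplink (constructed address)
 ip address xx.yy.124.162 255.255.255.248
 ip nat outside
!
! Verification from exec mode:
!   show ip nat translations     -> one entry per translated flow
!   show ip nat statistics       -> lists inside/outside interfaces, hits/misses
```

Two points worth checking against the configurations posted above: a standard list such as access-list 1 matches on source only, so it cannot express the "destination outside the range" exclusion that the Linux rule carries, which is why the selection list is extended; and the access-group suggested for Fa0/1 is a separate packet filter whose permit/deny decisions have no bearing on which packets the NAT rule translates.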
