Cisco Support Community

NAT on a Stick

Hi All

I'm trying to configure NAT on a Stick using a Cisco 881 router using Cisco Configuration Professional.  Based on the Cisco document "Network Address Translation on a Stick" (Document ID:6505) I ran into some questions.

1) The document states to use the Cisco Feature Navigator II to determine which IOS version I could use with this feature.  But I have no idea what feature exactly I have to look for in the Cisco Feature Navigator.  Could anybody please help me with this? Right now I'm using Version 12.4(24)T3.

2) As I mentioned above, I'm trying to use Cisco Configuration Professional (version 2.2).  As stated in the document I created a Loopback interface.  Following the document I should now designate the loopback interface as inside NAT interface.  However, trying to do this fails, because it is not possible to configure the loopback interface.  Instead of showing the select box with options inside/outside/<none> (as it is e.g. on VLAN interfaces) the select box is greyed out and states <NOT-SUPPORTED>.  Does anybody know why?  Is this because I'm using a wrong IOS version, is it a bug in Cisco Configuration Professional or something else I'm missing?

Thanks for your help.



Re: NAT on a Stick


If you would like to explain the scenario for what you're trying to accomplish with NAT on a Stick, I can help you configure it via CLI.

Or someone else could help you out with CCP.



Re: NAT on a Stick

Hi Frederico

Thanks a lot for your reply.

Could you tell me if the IOS version I'm using is capable of this functionality?

I will try to put something together (sketches, ...) to make it more clear  (see Attachment).

In addition a little description in words (as good as I could):

The clients in the remote location (networks ) should be able to talk to clients in the near location (network /24).  The remote clients are configured to use the gateway .  Data packets received on the gateway are routed directly to network or to the next gateway, except for traffic with destination address from network .  This traffic is rerouted to the Cisco 881 router with IP address .  Now I want this router to build a VPN tunnel to the near location ASA with IP address .

To do that, my idea was to create a virtual interface (loopback, NAT inside) on the Cisco 881 with IP address .  All traffic received on  - NAT outside - (should be traffic from network to only - routed to from gateway ) should then be routed using a route-map to .  Between inside and outside there should be a NAT for IP address to .  The VPN configuration is on the interface .  Here it should be rated as interesting traffic and cause the VPN tunnel to be created.

I'm not in the office anymore.  As soon as I'm back tomorrow I could paste my non-working configuration.  This may help you understand what I'm trying to do and maybe point out my error.

Thanks a lot.



Re: NAT on a Stick

Hi Federico

I updated the sketch attached to my previous reply slightly (corrected one error and added loopback0 interface).

Below you can see the configuration as it is right now (still not working).  I tested the VPN tunnel using Cisco Configuration Professional.  The VPN tunnel itself looks fine.  Must be something wrong with route and NAT.


version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname TEST
boot system flash c880data-universalk9-mz.124-24.T3.bin
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 $1$0KZ4$S65tv.EKwuTR3exlfKXsD/
no aaa new-model
crypto pki trustpoint TP-self-signed-1535404978
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1535404978
revocation-check none
rsakeypair TP-self-signed-1535404978
crypto pki certificate chain TP-self-signed-1535404978
certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31353335 34303439 3738301E 170D3130 30383236 30363439
  35305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 35333534
  30343937 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B55B 507D3DFD C2E028CF C6E2798D 70B4CDA7 E7CDB892 C2CD1580 3B8C1AB9
  EA5CB2D7 21024492 305A4AAC 05AB70C6 8F6DC00F 934A6FEB 6D19B46F E25AE0BD
  76350D93 B936CE8D 61589204 5DDE0161 E1322698 47ACBD61 39625970 FFA0549B
  2DC3AF65 3819BB39 16D249D1 C7E327E7 BCB511E7 642098CD 1CD0256C C938411D
  20A30203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 147A92AF 6814610C BB29B366 39542604 3621C07F
  46301D06 03551D0E 04160414 7A92AF68 14610CBB 29B36639 54260436 21C07F46
  300D0609 2A864886 F70D0101 04050003 81810014 1CF65E51 91F9CAD7 271E2690
  B725CDB9 F3F35E2D 7C6F08C0 B0069DA2 3EC548BB 7EB67516 6E3E1510 BE298ACA
  3F3C78E3 77D7DD38 06909174 DECD89D4 A8B39B1F 0073004D 3B135AB2 B8C2A2F8
  F30DB7DC 2E93387F 3ACD16E2 50BC3F54 183CDF5E 1FFAED90 DECF155E 7BC4EBD0
  7D02766A 3467C58A C88D976D 44F7CA84 0C81DD
ip source-route
ip cef
no ip domain lookup
ip domain name
no ipv6 cef
multilink bundle-name authenticated
username MCAdmin privilege 15 secret 5 $1$UFpt$D/6klqFSrp.f212e9UcU11
crypto isakmp policy 1
authentication pre-share
crypto isakmp key xxxxxxxxxxxxxxx address no-xauth
crypto ipsec transform-set VPN_Maschinen esp-des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to
set peer
set security-association idle-time 300
set transform-set VPN_Maschinen
match address 103
log config
interface Loopback0
ip address
ip nat inside
ip virtual-reassembly
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
no ip address
duplex auto
speed auto
interface Vlan1
description Machine Network$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address
no ip redirects
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1452
ip policy route-map NAT_VPN
no autostate
crypto map SDM_CMAP_1
ip forward-protocol nd
ip route permanent
ip route Loopback0 permanent
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static /24
access-list 23 permit
access-list 103 remark Interesting VPN Traffic
access-list 103 remark CCP_ACL Category=4
access-list 103 permit ip
access-list 110 remark Route Remote Support Traffic
access-list 110 remark CCP_ACL Category=1
access-list 110 permit ip
no cdp run

route-map NAT_VPN permit 10
match ip address 110
set ip next-hop
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
scheduler max-task-time 5000


What I found in the meantime is the following:

If I ping from client , the route-map works fine.  Also the NAT for IP address to looks OK.  Debugging with "debug ip nat" shows that IP is trying to reach (which is correct, because the VPN tunnel is initiating).  But IP address is NATed to , which is wrong.  So, something with my NAT (or maybe route) is wrong.

Best regards


Re: NAT on a Stick

One question that I have is if the IPsec tunnel goes over the Internet how could it be defined
between private IPs?
The 881 has a and the VPN peer (ASA)

Are these two addresses NATed in order to establish the tunnel?

The concept that you're trying to accomplish can be done, I just want to clarify the first things
first to understand.



Re: NAT on a Stick

Hi Federico

Sorry for the confusion.

For right now, I'm testing in our lab with private addresses only.  IP address is being translated (PAT) to interface IP .  In the end, the connection will run over the internet and for sure use public IP addresses.  The will be a public IP address as well as .  The will then be translated (PAT) to the public IP address as well.  Since both VPN endpoints support NAT-T this part worked fine from the beginning.

I could get the configuration I posted yesterday to work by changing the static NAT to not include the

What I tried first to NAT is:

ip nat inside source static /24 (see earlier posting)

Now I changed to:

ip nat inside source static /31

ip nat inside source static /32

ip nat inside source static /30

ip nat inside source static /29

ip nat inside source static /28

ip nat inside source static /27

ip nat inside source static /26

ip nat inside source static /25

This way it works fine.  Looks like IP address got NATed without having data packets travelling from the NAT inside to the NAT outside interface.  I didn't expect this.

Doing a dynamic NAT (including the IP address ) instead of the static NAT will also result in a working configuration.  Looks like in case of dynamic NAT the data packets really have to travel through the interfaces to get NATed.

ip nat pool NAT_Maschinen netmask type match-host
ip nat inside source list 20 pool NAT_Maschinen
access-list 20 deny
access-list 20 permit

Since I have to initiate client connection from both sides: -> ( ( ->

I guess I will have to go with static NAT and just exclude the interface IP from the NAT statement.  Is there a better way to do the exclude than what I did up to now (see config above)?  Maybe something analogous to the exclude I did for dynamic NAT?

Thanks a lot for your help.
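The eight static NAT statements in the post above (/32, /31, /30, ... /25) are the hand-built cover of a /24 with one host address removed. The following script, added here as an example and not code from the thread or from Cisco, computes that split for any prefix and excluded host, maps each inside sub-prefix to the outside sub-prefix at the same offset, and renders IOS `ip nat inside source static network local global /prefix` lines. Because the thread's addresses did not survive on the page, the inside network 10.0.0.0/24, outside network 192.168.100.0/24 and excluded interface address 10.0.0.1 are constructed for illustration.

```python
"""Split a statically NATed prefix around one excluded host (added example).

Addresses below are constructed; the thread's real addresses are not on the page.
"""
import ipaddress


def exclude_host(network: str, host: str) -> list:
    """Minimal set of prefixes covering `network` with `host` removed.

    Repeatedly halve the prefix: the half without the host is kept whole, the
    half containing the host is split again, until only the host's own /32 is
    left over. A /n prefix minus one host therefore yields (32 - n) prefixes,
    which for a /24 is the eight statements seen in the thread.
    """
    net = ipaddress.ip_network(network, strict=True)
    h = ipaddress.ip_address(host)
    if h not in net:
        raise ValueError(f"{host} is not inside {network}")
    kept = []
    current = net
    while current.prefixlen < net.max_prefixlen:
        lower, upper = current.subnets(prefixlen_diff=1)
        if h in lower:
            kept.append(upper)
            current = lower
        else:
            kept.append(lower)
            current = upper
    return sorted(kept)


def static_network_nat(inside: str, outside: str, exclude: str) -> list:
    """Render 'ip nat inside source static network' lines for the split.

    Each inside sub-prefix is mapped to the outside sub-prefix at the same
    offset, so the host-part of an address is preserved across the translation
    (10.0.0.x still becomes 192.168.100.x).
    """
    in_net = ipaddress.ip_network(inside)
    out_net = ipaddress.ip_network(outside)
    if in_net.prefixlen != out_net.prefixlen:
        raise ValueError("inside and outside prefixes must be the same size")
    lines = []
    for sub in exclude_host(inside, exclude):
        offset = int(sub.network_address) - int(in_net.network_address)
        global_addr = out_net.network_address + offset
        lines.append(
            "ip nat inside source static network "
            f"{sub.network_address} {global_addr} /{sub.prefixlen}"
        )
    return lines


def covers_exactly(network: str, host: str, prefixes) -> bool:
    """Check the split: every address of `network` except `host` is covered,
    nothing outside `network` is, and `host` appears in no prefix."""
    net = ipaddress.ip_network(network)
    h = ipaddress.ip_address(host)
    # collapse_addresses merges overlaps, so the summed size of the collapsed
    # list is the number of distinct addresses the prefixes cover.
    union_size = sum(p.num_addresses for p in ipaddress.collapse_addresses(prefixes))
    return (
        union_size == net.num_addresses - 1
        and all(p.subnet_of(net) for p in prefixes)
        and not any(h in p for p in prefixes)
    )


if __name__ == "__main__":
    # Constructed addresses: inside /24 behind the loopback, outside /24 on the
    # far side of the tunnel, router interface address excluded from the NAT.
    for line in static_network_nat("10.0.0.0/24", "192.168.100.0/24", "10.0.0.1"):
        print(line)
```

The `covers_exactly` check is what you would run before pasting the statements into the router: it catches a missing sub-prefix (a hole in the translation) and a stray one that still includes the interface address, which is exactly the symptom described earlier in the thread where the router's own address was translated.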

