Cisco Support Community

New Member

NAT on a Stick

First an apology as I think this has been covered a few times. However I am having trouble getting it to work for me.

I wish to allow an internal subnet access to a webserver using its FQDN (Public IP).

The webserver is pinholed through NAT.

All the posts I can find point to the Cisco NAT on a Stick examples.

I can access the webserver via the private IP but need to access the webserver via the public IP.

I don't want to set up a hosts file on each machine or create an internal DNS zone to support the clients.

Please could somebody point me in the right direction of a working config.

Internal Subnet:

IP of Webserver:

Public IP:

Current NAT line: ip nat inside source static tcp 80 80 extendable

Thanks in advance


Re: NAT on a Stick


The easiest way to make this work is to route the public IP server packets to your ISP who will send them back. Then your normal NAT will work.

Is the .123 server address part of the subnet on your external interface? If not, this should be easy. If it is, you will need policy based routing to set the next hop address of the ISP router.

Can you post your config?

NAT on a stick uses policy based routing to send packets to a loopback interface that is set as NAT outside. It has the disadvantage of always using process switching.


New Member

Re: NAT on a Stick


Please find attached an edited config,

The .123 is my public IP (not actually the IP) assigned by my ISP.

.122 is my ADSL modem attached via ethernet

Hope this helps,

Please contact me for more info if needed.

Thanks Again

Re: NAT on a Stick

I see a crypto map applied to the outside interface.

Can you try removing this?


New Member

Re: NAT on a Stick


The config is edited and I forgot to remove that line, please ignore it.


Re: NAT on a Stick

Are you sure that the DNS/LM host solution can't be used?

You are using a single address for both the outside interface and the global NAT address for dynamic and static NAT. With this setup I don't think you will ever get PBR and/or NAT on a stick to work. The only NAT on a stick example I could find was for a totally different scenario.

Here is an example of someone accomplishing what you want to do, but they are using separate addresses for the server NAT and dynamic NAT that are not part of the connected subnet.

Good Luck, Dave

New Member

Re: NAT on a Stick

Hi Dave,

Thanks again for your response.

Unfortunately the DNS/LM workaround doesn't work well as the devices cache the internal IP of the webserver, so when the devices are removed from the company LAN and connect to a 3rd party connection/roaming they fail to connect.

Explaining to the users they have to reboot the devices when they arrive/leave the office is a solution but I know they'll say "We didn't have to reboot before the new router was installed!!!!"

Trying to explain to our client why their old $100 router will do the trick and a Cisco won't is a task in itself!!!

I appreciate this type of configuration is odd but after doing lots of digging I'm not the only person with this problem, however nobody seems to have a solution.

I'll keep plodding and post if I find anything.


New Member

Re: NAT on a Stick

If you set up an internal DNS server couldn't you set the TTL to some ridiculously low number so by the time the client made it to a remote location the cached entry would have expired and require another DNS lookup?