Cisco Support Community

New Member

NAT overload question


I have Cisco 1841 that is providing NAT overload (PAT) for a LAN.

I have 2 LANs using the same IP range. Basically one LAN has the servers and many users and the other LAN has just users.

What I have is the router doing NAT overload at this remote site, so all IPs are seen at one address and they can access servers etc. successfully.

Problem I have now is we need to connect to some of these PCs that are remote, but we only see them as one IP; what options do I have?


New Member

Re: NAT overload question

Hi there,

You have a couple of options, some more secure than others.

If it is a secure method you are using to connect (e.g. https / SSH / PPTP), then you can simply create a Static PAT (AKA Port Forwarding).

e.g. You can forward port 222 on the outside to port 22 on an internal server.

Like this:

ip nat inside source list 1 interface ATM1 overload

ip nat inside source static tcp 22 222

Now if you ssh to the external IP on port 222, you will get access to the internal server on port 22.

See here for more details:

Make sure that your access-lists lock access to the port down - you don't want the script-kiddies attacking your server.

If you aren't using secure methods, then I would strongly recommend using a VPN instead.

Please rate this post if you found it useful.
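The static PAT above, combined with the access-list lockdown the answer recommends, written out as an added example (not the poster's configuration). All addresses are constructed: 198.51.100.1 is the router's outside address, 10.0.0.20 the internal SSH server, 203.0.113.5 the one management host allowed in, and FastEthernet0/0 is assumed to be the outside interface.

```cisco
! Constructed example addresses: 198.51.100.1 = outside (global) address,
! 10.0.0.20 = internal SSH server, 203.0.113.5 = the only host allowed in.
ip access-list standard INSIDE-NETS
 permit 10.0.0.0 0.0.0.255
!
! Everyone inside shares the outside address (PAT) ...
ip nat inside source list INSIDE-NETS interface FastEthernet0/0 overload
! ... and outside port 222 is forwarded to port 22 on one server only.
ip nat inside source static tcp 10.0.0.20 22 198.51.100.1 222
!
! Inbound filter on the outside interface. The ACL is checked before the
! port forward is untranslated, so it matches the outside address/port.
! There is no stateful firewall in this base config, so replies to
! sessions opened from the inside must be permitted explicitly; anything
! not listed is dropped by the implicit deny at the end.
ip access-list extended OUTSIDE-IN
 remark management host only, to the forwarded SSH port
 permit tcp host 203.0.113.5 host 198.51.100.1 eq 222
 remark replies to sessions opened from the inside
 permit tcp any any established
 permit udp any eq domain any
 permit icmp any any echo-reply
 deny   ip any any log
!
interface FastEthernet0/0
 ip nat outside
 ip access-group OUTSIDE-IN in
```

The `deny ip any any log` line makes rejected attempts to the forwarded port visible in the router log, which is the cheapest way to see whether the port is being probed.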



Re: NAT overload question


I really liked your post. It was very informative and thoughtful.

Rated it...


New Member

Re: NAT overload question

Thanks Victor ;-)

Re: NAT overload question

You can set specific remote PCs with a specific NAT address. It should be in the same network as your PAT, just not that same address.

ip nat inside source list 2 interface serial0/0 overload

ip nat inside source static extendable

Hope that helps.

New Member

Re: NAT overload question

Couple of things: I have about 50-80 PCs; would I need to create a static IP for each PC? Also, what is the "extendable" command? I have not used this before.

You mention these commands should be added on the side of the PAT; looking at my config, would this be on FE0/1:

C1841#sh run
Building configuration...

Current configuration : 1752 bytes

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption

hostname C1841

logging buffered 8192 informational

no aaa new-model
ip cef

no ip dhcp use vrf connected

ip dhcp pool scope

 lease 0 2

ip domain name gb.vo.local

interface FastEthernet0/0
 description WAN Link to Servers Port
 ip address
 ip nat outside
 duplex auto
 speed auto

interface FastEthernet0/1
 description LAN Port
 ip address
 ip nat inside
 duplex auto
 speed auto

ip forward-protocol nd
ip route

ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool Mypool netmask
ip nat inside source list 100 pool Mypool overload

logging history informational
logging trap notifications
logging source-interface FastEthernet0/1


Re: NAT overload question

Your NAT pool is so we'll use an address in the same IP scheme, but one that is not in the pool.


ip nat inside source static

New Member

Re: NAT overload question

So I just make the PCs have static IPs on the remote network like and statically NAT this to, say, 101, 102, etc., and any PC not requiring a static IP will just use the pool?

So if the server side needs to get to they will via

This is a lot of work as there are a lot of PCs, but long term I guess changing their whole scope is the next step via DHCP maybe.

Re: NAT overload question

Yup, you got it. It's not very elegant, but it works. It probably makes more sense to put the work in and change the IP scheme.

New Member

Re: NAT overload question

Hi There,

I had assumed in my previous solution that you only had 1 Public IP address with which to work.

If you have more IPs, then there's a much simpler method of doing this than setting up 50-80 Static NAT translations.

First, you need a DNS server on the inside of this network that has entries for every device that you want to connect to. (If these are Windows servers then it's highly likely you already have this.)

Then you set up a Dynamic NAT pool (NOT overloaded).

Configure a Static NAT translation for your DNS server, so that you can perform DNS lookups against it from outside.

And that's it! All you have to do now is connect to your devices by their FQDN. The DNS response will be automatically NATed and you will be able to connect.



DNS Server -

(DNS Entries)

- A - =

- A - =

ServerA -

ServerB -

Router Config:

ip nat pool Mypool netmask

ip nat inside source list 100 pool Mypool

ip nat inside source static

ip nat translation timeout 32400

Now when you connect to

1) A DNS lookup runs against

2) The DNS Query hits the NAT router, and the destination IP is changed to

3) The DNS query hits your DNS server and a DNS response saying " =" is sent back.

4) The DNS response hits the NAT router, and:

4a) The Source IP is changed to

4b) The DNS Response is changed from " =" => " =" (Where the 192 address has been chosen from the NAT pool)

5) The DNS response gets back to your PC, and your Client software then connects to servera by its NATed address of

The NAT translation will remain active until it has not been used for 9 hours; then it will clear.
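The dynamic-pool-plus-DNS design from the steps above, written out as an added example with the lockdown a practitioner would add (this is not the poster's configuration). All addresses are constructed: the remote LAN is 192.168.1.0/24 with its DNS server at 192.168.1.10, the pool is 172.16.50.100-172.16.50.200 with the DNS server mapped to 172.16.50.10, and 10.10.10.5 is assumed to be the server-side host that connects to the PCs by SSH.

```cisco
! Constructed addresses: 192.168.1.0/24 = remote LAN, 192.168.1.10 = its DNS
! server, 172.16.50.x = what the server side sees, 10.10.10.5 = the
! server-side host that must reach the PCs (assumed to use SSH, port 22).
!
! 1. Dynamic pool, NOT overloaded: each inside host gets its own pool
!    address, so the pool needs at least as many addresses as there are
!    hosts active at the same time (101 here for 50-80 PCs plus servers);
!    when the pool is exhausted, further inside hosts cannot be translated.
ip nat pool Mypool 172.16.50.100 172.16.50.200 netmask 255.255.255.0
ip access-list standard NAT-INSIDE
 permit 192.168.1.0 0.0.0.255
ip nat inside source list NAT-INSIDE pool Mypool
!
! 2. Static 1:1 mapping for the DNS server, using an address in the same
!    subnet as the pool but outside its range, so it is never handed out.
ip nat inside source static 192.168.1.10 172.16.50.10
!
! 3. Keep a PC's pool address for 9 hours of idle time (32400 s), so the
!    address returned in the DNS answer stays valid while you connect.
ip nat translation timeout 32400
!
! 4. Only the server-side host may query the DNS server and reach the pool
!    addresses; everything else arriving from the WAN is dropped by the
!    implicit deny. No stateful firewall is configured here, so return
!    traffic for sessions started from the inside is permitted explicitly.
ip access-list extended WAN-IN
 permit udp host 10.10.10.5 host 172.16.50.10 eq domain
 permit tcp host 10.10.10.5 172.16.50.0 0.0.0.255 eq 22
 permit tcp any any established
 permit udp any eq domain any
 deny   ip any any log
!
interface FastEthernet0/0
 ip nat outside
 ip access-group WAN-IN in
interface FastEthernet0/1
 ip nat inside
```

`show ip nat translations` after a lookup from 10.10.10.5 shows the pool address the DNS ALG allocated for the PC named in the answer, which is the address the SSH session then lands on.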