Cisco Support Community

New Member

2611 Router for Nat

Hello everyone, I'm playing with a 2611 router just for fun. I have gotten the router to do NAT, but I'm wondering if anyone has any solid & secure configuration files for setting up a router such as the 2611 to do NAT. I haven't completely gotten a grasp on access lists. For example, I could telnet to the router from the outside.




Re: 2611 Router for Nat

To remove access to the router via telnet, use the following:

access-list 1 deny any
line vty 0 4
 access-class 1 in

This would prevent anybody from accessing the router from the outside.

Now if you want to permit some IP addresses (say one IP address from the internet is allowed to telnet, while the rest are to be denied), then add a permit statement to the access list as follows:

access-list 1 permit host
access-list 1 deny any

The last statement of the above access list is not needed, because every access list has an implicit deny at the end.

Hope that helps in securing your router via telnet ....
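
The first-match and implicit-deny behaviour described in the reply above, as an added Python example that is not part of the thread and not Cisco code. It goes one step further and also reports any "line vty" range that has no inbound access-class. The sample config, its addresses and all function names are constructed for illustration, and the parser assumes "show running-config" layout with sub-commands indented.

```python
import ipaddress
import re

# Constructed sample in "show running-config" layout (sub-commands indented).
# 198.51.100.10 is a documentation address standing in for the one allowed host.
SAMPLE_CONFIG = """\
access-list 1 permit host 198.51.100.10
access-list 1 deny any
access-list 2 permit 192.168.1.0 0.0.0.255
line con 0
line vty 0 4
 access-class 1 in
line vty 5 15
 login
"""

ACL_LINE = re.compile(
    r"access-list (\d+) (permit|deny) (?:(any)|(?:host )?(\d[\d.]+)(?: (\d[\d.]+))?)")

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_standard_acls(config):
    """Return {number: [(action, address, wildcard), ...]} for standard ACLs 1-99."""
    acls = {}
    for line in config.splitlines():
        m = ACL_LINE.match(line.strip())
        if not m or not 1 <= int(m.group(1)) <= 99:
            continue  # not a complete standard ACL entry (e.g. address missing)
        number, action, is_any, addr, wild = m.groups()
        # "any" ignores every bit; "host" or a bare address ignores none.
        entry = (action, 0, 0xFFFFFFFF) if is_any else (action, _ip(addr), _ip(wild or "0.0.0.0"))
        acls.setdefault(number, []).append(entry)
    return acls

def acl_permits(entries, source):
    """First matching entry wins; if nothing matches, the implicit deny applies."""
    src = _ip(source)
    for action, addr, wild in entries:
        if ((src ^ addr) & ~wild & 0xFFFFFFFF) == 0:  # compare only non-wildcard bits
            return action == "permit"
    return False

def audit_vty(config):
    """Map each 'line vty' stanza to its inbound access-class number, or None."""
    found, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # a new top-level command ends the stanza
            current = line.strip() if line.startswith("line vty") else None
            if current:
                found[current] = None
        elif current and (m := re.match(r"\s+access-class (\S+) in\b", line)):
            found[current] = m.group(1)
    return found
```

A stanza that maps to None in the audit_vty result is a VTY range that accepts connections from any source address.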

New Member

Re: 2611 Router for Nat

Now, do I need to do any special access lists for the inside interface doing the NAT? Do I need access lists to block the non-routable networks, etc.?

Also could someone explain what the following lines do with the ***'s? These are the commands I added to my config of the router to get nat working, but I'm not really sure what they do.


interface Ethernet0/0
*** ip nat inside
ip address

interface Ethernet0/1
*** ip nat outside
ip address xx.xx.xx.xx

*** ip nat inside source list 1 interface Ethernet0/1 overload
*** access-list 1 permit


Re: 2611 Router for Nat

You can use access-lists to define which addresses on the inside interface/network will be translated with the permit and deny conditions. With the example that you have posted, you are permitting ONLY the network to be translated. So for example, the Ethernet0/0 ip add ( will be translated to the ip add of Ethernet0/1 (xx.xx.xx.xx) before going out Eth0/1. Similarly, for example, a host with an ip add of will use xx.xx.xx.xx as its outside ip address.

And with the "overload" command, which performs PAT (Port Address Translation), every host on the network will use the ip add of Eth0/1 as its outside address. Which means if all the 254 hosts are connecting to the outside, they will have the same translated ip addresses but the router will be able to differentiate them based on the port number that it has assigned each host.

"ip nat inside" indicates that the interface is connected to the inside network (the network subject to NAT translation).

"ip nat outside" indicates that the interface is connected to the outside network.

"ip nat inside source list 1 interface Ethernet0/1 overload" indicates that access-list 1 is the source inside network and will use interface Eth0/1's ip add as its outside address.

The following URL is a common example in using NAT:

Useful info: Every translation uses about 160 bytes of the router's DRAM memory.

Hope this helps.

New Member

Re: 2611 Router for Nat

Thanks for the info... How can I get a CCO account? Would this allow us to download the updates for our PIX 515 and VPN concentrator? (They were installed by an outside client before I started at the company.)