Changes in NAT for firewall

We have a 2600 router with 2 serial interfaces and 1 ethernet interface which acts as a gateway for our local LAN. We have static routes specified for some internal servers with NAT and the router performs NAT for users on our local LAN. Administration has asked that we disable all static routes except to a new machine that will run Winroute as our firewall. None of us here are exactly Cisco experts and we are not exactly sure how to proceed. It seems that changing the configuration to only have one static route mapped to the firewall server would be enough? Would that pass through all traffic to just that server then? We are also not sure how to disable the NAT the router currently performs for our internal users.

Any advice or direction is appreciated.



Re: Changes in NAT for firewall

If I understand you correctly, it seems to me what you want to do is something like this:

Create one static NAT address for your firewall, you do that like this:

ip nat inside source static x.x.x.x y.y.y.y

with "x" being your private address and "y" being the public

Then, if you want other machines on the LAN to access the net you will want to create a NAT pool rather than static address translation. I don't know if Winroute will handle the NATing of those addresses, but it may. If that's the case, create your dynamic NAT pool on the firewall. If it doesn't do that, you can create a dynamic pool on the router, or use overload so that internal hosts can still get to the net. Then, you will want to create and apply access-lists to allow/deny the traffic you want to make it to the firewall from the outside, and the type of traffic you want coming from the firewall to pass through to the net. Although you can find out detailed information on access lists at, has a couple of easy to use tutorials for people who aren't "Cisco experts" that explain basic access list theory. That should do it. Good luck.
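The variant of the reply's advice where Winroute does the NAT for the LAN, written out as an IOS configuration. This is an added example, not from the thread; all addresses, the interface names and the old NAT rule (list 1) are placeholders that must be matched against the router's own running-config.

```cisco
! Added example, not part of the original thread. Placeholder addressing:
!   LAN 192.168.1.0/24, firewall host 192.168.1.10, public block 203.0.113.0/30
!   and 203.0.113.10 for the firewall's public address.
!
! 1. Stop the router translating internal users. The line removed here must be
!    copied exactly from 'show running-config' (list number / pool name vary).
no ip nat inside source list 1 interface Serial0/0 overload
clear ip nat translation *
!
! 2. One static translation only: the firewall's private <-> public address.
ip nat inside source static 192.168.1.10 203.0.113.10
!
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
!
! 3. Inbound filter on the outside interface. IOS evaluates this ACL before the
!    outside->inside translation, so it must name the PUBLIC firewall address.
ip access-list extended OUTSIDE-IN
 ! nothing arriving from the Internet may carry a LAN source address
 deny   ip 192.168.1.0 0.0.0.255 any log
 ! replies to sessions opened by the firewall (and the LAN clients behind it);
 ! 'established' is stateless (checks ACK/RST only), 'ip inspect' (CBAC) is
 ! the stateful alternative if the IOS image supports it
 permit tcp any host 203.0.113.10 established
 permit udp any eq domain host 203.0.113.10
 ! only the services deliberately published through the firewall
 permit tcp any host 203.0.113.10 eq www
 permit tcp any host 203.0.113.10 eq smtp
 ! everything else is dropped and logged for review
 deny   ip any any log
!
! Checks: 'show ip nat translations' should list only the 203.0.113.10 entry;
! 'show access-lists OUTSIDE-IN' shows per-line hit counts.
```

Because a static translation exposes every port of 192.168.1.10, the ACL is what limits what reaches the firewall host, so the permit lines should list only the services it is meant to offer.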