Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Static NAT (in and out) and PAT on a Router

Static NAT and PAT

I need to have a customer network connected to my extranet.

I’m not in control of the customer network addressing. But need to configure a VPN connection.

I will supply the router that will also be the customer Firewall to the Internet (PAT).

(1) I need to be able to do PAT on traffic from internal hosts to the Internet.

(2) I need to hide (NAT) the customer network behind a network supplied by me (match-host), when they are accessing my extranet (through VPN).

(3) I need to be able to access hosts on the customer network, through the hiding (NAT) addresses from my extranet (through VPN).


The following configuration will solve (1) & (2), but I can not (3) reach the internal servers from my extranet, except if the internal host has made connection to the extranet, witch will create a translate entry in the NAT table.


Extranet is:

Internal net is:



interface Vlan1

ip address

ip nat inside


interface FastEthernet4

ip address

ip nat outside


access-list 175 deny

access-list 175 permit any

access-list 176 permit

ip nat pool FRO netmask type match-host

ip nat inside source list 175 interface FastEthernet4 overload

ip nat inside source route-map HIDE pool FRO reversible

route-map HIDE permit 10

match ip address 176


Re: Static NAT (in and out) and PAT on a Router

Create a NAT configuration in the router which also translates even your outside Global address(your extranet) into the inside Global(any private) address through the keyword "rotary".Only this rotary pool will provide the pool of inside global IP address for yopur outside Global IP addresses.

The following white paper will provide you with the required information,

CreatePlease to create content