Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Configuring policy-based static NAT, together with dynamic NAT, on SR520


I'm trying to combine dynamic and static NAT on an SR520.

My dynamic NAT is specified with:

ip nat inside source list 1 interface Dialer0 overload

access-list 1 permit

In addition to this I want to perform static NAT for a couple of selected internal hosts. I can do this:

ip nat inside source static

which works fine but means that the source address is translated to for all destination IPs. What I want is for the above static translation only to occur for a particular destination subnet.

To accomplish this I have tried:

ip nat inside source static route-map toOtherSite

route-map toOtherSite permit 10

match ip address 150

access-list 150 permit ip

But this does not appear to work. Instead it seems to render the host unable to progress through the NAT, whether the destination subnet is or not, and I can't work out what I'm doing wrong.

Any help gratefully received.

Many thanks, Ian.

Cisco Employee

Configuring policy-based static NAT, together with dynamic NAT,

Hi Ian,

You can just add some specific port detail for the applications you need to forward to you original config line:

ip nat source static interface Dialer0

Inside port number is what the local host is expecting to see, outside port number is what the remote client sends. Often these will both be the same, but you can use this to translate if you like (either to "hide" services on a non-standard port, or to differentiate between a common application running on multiple local clients).

For example:  ip nat source static tcp 80 interface Dialer0 8080.

You can add similar lines for all of the applications you need to allow in. (Don't forget to add permit rules on your inbound firewall configuration to allow the forwarded traffic in in the first place).



New Member

Re: Configuring policy-based static NAT, together with dynamic N


Many thanks for the reply. I had wondered about filtering by port but, unfortunately, it isn't really what we're trying to achieve. I may have to go down that sort of route if I can't get anything else to work, but in the first instance what I'm trying to understand is why the route-map argument isn't working.

I've noticed that what I said in my previous post wasn't quite correct. The situation is that the simple static NAT command:

ip nat inside source static

appears to work 'as advertised', whereas:

ip nat inside source static route-map toOtherSite

does not.

You might have thought that if the 'toOtherSite' route map just matches an access list of 'any source, any destination' the effect should be the same as the previous line (ie without the route-map argument). But it isn't - I've tried. Instead, the very presence of the route-map argument appears to filter out all traffic. The static entry:

Pro Inside global         Inside local          Outside local         Outside global

---             ---                   ---

is still present in the NAT translation table but it's as if it's no longer used. Pinging from the host generates dynamic NAT entries (courtesy of my dynamic NAT command line - see previous post) but they're not translated to

So, in practice, the effect of adding the route-map argument is exactly the same as removing the static NAT command altogether, and I'm finding that more than a little counter-intuitive, not to mention counter- what the documentation appears to be saying.

I have wondered whether this feature isn't supported on my hardware. The route-map option certainly pops up in the CLI interactive help but does this mean that it will work on my hardware? I've tried to find the answer to that on the web but failed.

As ever, any enlightenment gratefully received.

Cheers, Ian.

CreatePlease to create content