Cisco Support Community

ip nat outside on zone-based FW (877)


If I look through many web pages on the subject, it should be possible to combine NAT outside and NAT inside.  However, whichever way I try it, it doesn't work...

There are various reasons which can cause this:

* The router really doesn't support it (it's a Cisco 877 with IOS C870 Version 12.4(15)T7)

* I didn't configure it correctly... which is the most likely case, because I have difficulties really understanding the zone-based firewall it's using... Maybe the fact that it's using the zone-based FW doesn't work correctly for the translation... (the zone-based FW was set up by the web access to the router)

I give the snippets of the config which I think are important:


ip port-map user-pm-udp6565 port udp 6565

class-map type inspect match-all sdm-nat-user-protocol--6-2
  match access-group 199

policy-map type inspect sdm-pol-NATOutsideToInside-2
  class type inspect sdm-nat-user-protocol--6-2
    pass log

zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
   service-policy type inspect sdm-pol-NATOutsideToInside-2

ip nat pool poolExt netmask
ip nat inside source static tcp 6565 interface Dialer1 6565
ip nat inside source static udp 6565 interface Dialer1 6565
ip nat outside source list 199 pool poolExt add-route

access-list 199 permit tcp any host eq 6565
access-list 199 permit udp any host eq 6565


In this Dialer1 is defined as "ip nat outside" and Vlan1 as "ip nat inside".

The port translation works correctly, it makes the connection to, but with the outside address, which I wanted to be translated to some address in the range - 220...

Can someone see why the external address (on port 6565) isn't translated by this code?  It is using access-list 199, because it doesn't pass the router when I remove the lines.


