Cisco Support Community
New Member

NAT Configuration Question

I have a NAT configuration issue which I can't seem to easily (more specifically cleanly) solve. I need to implement NAT at several customer locations due to IP overlap with other customer sites (we have no control over their IP space). Please consult the attached diagram. Hosts at customer sites A and B should be able to communicate with one another using their native (Local) IP addresses and NOT be NATed. When communicating with the server farm, they should be NATed according to the diagram. Is there a way to implement static NAT on a /24 subnet in conjunction with an access list to determine whether NAT is performed or not? If not, is there another way I can implement this? IP addresses need to be consistent; i.e. the first and third IPs in the subnet must ALWAYS be the first and third IPs in the subnet. A global pool that dynamically assigns IPs won't work. Right now all packets are being NATed upon egressing the router. Thanks in advance.

p.s. I am not actually using the cheeseball IPs depicted in the diagram. I used them in the drawing for you to easily identify Local from Global IPs (saving a little face here :)


Re: NAT Configuration Question

You should be able to provide a one-to-one NAT with /24 as long as the RouterX interfaces facing RouterA and RouterB are also /24.

Since you have RouterA coming in on one interface in RouterX and RouterB on another, respectively, your global translation from RouterB should be different from that of RouterA.

For RouterA allocate global NAT as

For RouterB allocate global NAT as ( NOT )

From RouterX to RouterA use static NAT as indicated in your post using

RouterX interface facing RouterA

Provide one-to-one static NAT for your servers on RouterX facing RouterA and for hosts coming from RouterA to the servers.

Working with customer RouterA


RouterX interface connection facing RouterA NAT specifications

Server1 IP NATed to

Server2 IP NATed to

Server3 IP NATed to

Server4 IP NATed to

ip nat inside source static

ip nat inside source static

ip nat inside source static

ip nat inside source static

Define inbound/outbound extended access lists and apply them on RouterX under the Customer_A interface connection.

Note: names in extended access lists are case sensitive; with names you can identify your customers based on the named access list.

ip access-list extended Customer_A_IN

permit tcp host host log

permit tcp host host log

permit tcp host host log

permit tcp host host log

ip access-list extended Customer_A_OUT

permit ip any any log

permit tcp any any log


Interface #

Description Connection to Customer_A_1.1.1.0/24

ip nat outside

ip access-group Customer_A_IN in

ip access-group Customer_A_OUT out

Interface #

Description Server Segment_3.3.3.1/24

ip nat inside


Iterate the above process using global NAT and create inbound/outbound extended access lists for Customer_B (RouterB).


show ip nat statistics ( shows one to one static nats )

show ip nat translations ( shows nated address )

show access-list Customer_A_IN ( shows hosts matches based on current traffic )


Please rate if this helps


New Member

Re: NAT Configuration Question

Thanks for the reply Jorge.

I actually figured out a better way to do it. I am going to implement DMVPN tunnels between the customer sites. The tunnel interfaces will not have NAT applied. The physical interfaces, used to pass traffic between the customer sites and the server farm, will have NAT applied. I will then apply distribute-lists to the BGP processes to filter out undesirable routes from the routing tables.


Re: NAT Configuration Question

Sounds like a good plan/solution.
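The requirement in the original question (one-to-one /24 translation that keeps each host's position in the subnet, applied only toward the server farm) and the reply's point that each customer needs its own global range can be checked on paper before touching the routers. The following is an added example, not part of any post in this thread and not router configuration; all subnets and the function names are constructed for illustration.

```python
import ipaddress as ipa

# Constructed addressing (assumption: not taken from the thread or its diagram).
SERVER_FARM = ipa.ip_network("198.51.100.0/24")
SITES = {  # site -> (local subnet, global subnet presented to the server farm)
    "A": (ipa.ip_network("10.1.1.0/24"), ipa.ip_network("192.0.2.0/24")),
    "B": (ipa.ip_network("10.1.2.0/24"), ipa.ip_network("203.0.113.0/24")),
}

def validate(sites):
    """Reject plans where prefix lengths differ or global ranges collide."""
    seen = []
    for name, (local, glob) in sites.items():
        if local.prefixlen != glob.prefixlen:
            raise ValueError(f"site {name}: local and global prefix lengths differ")
        for other_name, other in seen:
            if glob.overlaps(other):
                raise ValueError(f"site {name}: global range overlaps site {other_name}")
        seen.append((name, glob))

def translate_source(src, dst, sites=SITES, farm=SERVER_FARM):
    """Return the source address as it appears after the NAT decision."""
    src, dst = ipa.ip_address(src), ipa.ip_address(dst)
    for local, glob in sites.values():
        if src in local:
            if dst not in farm:
                return src  # site-to-site traffic keeps its native address
            offset = int(src) - int(local.network_address)
            return glob.network_address + offset  # host position is preserved
    return src  # not a known customer host: leave untouched

def untranslate_destination(dst, sites=SITES):
    """Reverse mapping for return traffic from the server farm."""
    dst = ipa.ip_address(dst)
    for local, glob in sites.values():
        if dst in glob:
            return local.network_address + (int(dst) - int(glob.network_address))
    return dst

if __name__ == "__main__":
    validate(SITES)
    print(translate_source("10.1.1.3", "198.51.100.10"))  # toward the server farm
    print(translate_source("10.1.1.3", "10.1.2.7"))       # site A to site B
```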
