Cisco Support Community
NAT configuration


We are trying to configure a Cisco 1841 with basic NAT.

There is an inside pool, let's say 192.168.1.*, which gets translated to an outside pool of 64 IPs. Let's assume outside range is

The outside IPs must be distributed randomly to the inside IPs.

What I want to configure is NAT inside to outside. For now this works but the incoming connections from the outside pool get translated to inside, even when the connection originates from OUTSIDE.

I want to block incoming connections and allow only established.

How is this done?




Re: NAT configuration


If you have set up dynamic NAT, e.g.

ip nat pool TEST

ip nat inside source list 101 pool TEST

access-list 101 permit ip any

then a connection cannot be initiated from the outside UNLESS there is already a translation for that address in the nat translation table ie. is inside address. If hasn't connected out thru the router then you can't connect to it by using one of the pool addresses. But obviously if it has connected out there will be a NAT translation and therefore the NAT will work coming back as well.

Solutions -

1) Assuming no firewalling capabilities on router you could use the "established" keyword for TCP connections in an ACL applied to the outside interface in an inbound direction.

2) Reflexive ACLs - an improvement on 1)

3) Alternatively you could simply overload on the port numbers, i.e. instead of mapping one-to-one you map all your inside addresses to one single outside address. Still would allow connections to be initiated from outside but now you have to get the port details as well which is a lot less likely.
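
Options 1) and 2) from the reply above, written out as IOS configuration. This is an added example, not part of the original posts or any Cisco-supplied configuration. The outside interface FastEthernet0/1, ACL number 110 and the names OUTBOUND, INBOUND and MIRROR are assumptions; `any` is used throughout so nothing depends on the addresses missing from the thread.

```cisco
! Added example. Assumed: FastEthernet0/1 is the NAT outside interface;
! ACL number 110 and the names OUTBOUND, INBOUND, MIRROR are hypothetical.
!
! --- Option 1: "established" keyword (TCP only) ---
! Matches inbound TCP segments with ACK or RST set, so a bare SYN from
! outside is dropped. It keeps no state, and UDP/ICMP replies fall
! through to the deny.
access-list 110 permit tcp any any established
access-list 110 deny ip any any log
!
interface FastEthernet0/1
 ip nat outside
 ip access-group 110 in
!
! --- Option 2: reflexive ACL (use instead of option 1, not with it) ---
! Outbound traffic creates temporary mirror entries; inbound traffic is
! accepted only if it matches one of them.
ip access-list extended OUTBOUND
 permit tcp any any reflect MIRROR
 permit udp any any reflect MIRROR
 permit icmp any any reflect MIRROR
!
ip access-list extended INBOUND
 evaluate MIRROR
 deny ip any any log
!
interface FastEthernet0/1
 ip nat outside
 ip access-group INBOUND in
 ip access-group OUTBOUND out
```

The inbound ACL on the outside interface is evaluated before the outside-to-inside translation, so it filters packets addressed to pool addresses even when a translation already exists. `show access-lists` displays the hit counters and, for option 2, the temporary MIRROR entries.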

