Cisco Support Community

New Member

NAT one-to-one-to-only-one


I'm trying to do the following, but can't find the way.

I have to configure a 1721 with one Serial and two Ethernets. Serial0 receives Internet traffic AND WAN traffic. One Ethernet is connected to the "internal" LAN and the other to the "unsecure" LAN.

A summarized configuration:

interface Serial0
 ip address
 ip nat outside
interface FastEthernet0
 description INSIDE LAN
 ip address
interface Ethernet0
 description UNSECURE LAN
 ip address
 ip nat inside
interface Loopback0
 description IP internet connections
 ip nat outside
 ip address x.x.x.113
interface Loopback1
 description IP for GRE-TUNNELS
 ip address
interface Tunnel1,2,3...

ip nat inside source list NAT interface Loopback0 overload
ip nat inside source static tcp 25 x.x.x.114 25 extendable
ip classless
ip route Serial0
ip access-list standard NAT


The customer needs the following:

- When the host connects to Internet host Z.Z.Z.1, this connection has to be NATed as coming from x.x.x.117.

- When Internet host Z.Z.Z.1 (but... only this host) connects to x.x.x.117 (all ports: TCP, UDP and ICMP), it has to be NATed through to the host.

- When the host goes to any other Internet host (web surfing, for example), it must not be specifically NATed as x.x.x.117, but instead NATed as a generic host (NATed as x.x.x.113).

The only thing I could find is something like this:

ip nat inside source static x.x.x.117

But then, ALL Internet traffic that goes to x.x.x.117 is NATed to the host, and all traffic from the host is NATed to x.x.x.117. Where do I say that this static NAT translation is only for/from Z.Z.Z.1?

I tried applying an access-list to Loopback0, but access-lists don't work on loopbacks.

Is there some workaround to do all this?

Thanks in advance!!

Hall of Fame Super Blue

Re: NAT one-to-one-to-only-one


What you need is policy NAT, i.e. you NAT from one address to another not just based on the source IP address but also on the destination IP address. You can do this with route-maps in your NAT statements.

Attached is a link to a white paper on NAT - there are some examples of using route-maps near the end.



New Member

Re: NAT one-to-one-to-only-one

Hello Jon,

Thanks for your fast reply, your idea put me on the road again :-)

I've created a new access-list to be NATed in the "general way":

ip access-list extended NEWNAT
 deny ip host host Z.Z.Z.1
 permit ip any

Then I changed this:

no ip nat inside source list NAT interface Loopback0 overload
ip nat inside source list NEWNAT interface Loopback0 overload

Now ALL the traffic from the host gets NATed, except for destination Z.Z.Z.1.

To do this, as you say:

access-list 188 permit ip host Z.Z.Z.1 host X.X.X.117
access-list 188 permit ip host host Z.Z.Z.1

route-map SPECIALNAT permit 10
 match ip address 188

no ip nat inside source static X.X.X.117
ip nat inside source static X.X.X.117 route-map SPECIALNAT extendable

The packets from the host to Z.Z.Z.1 are NATed as from X.X.X.117.

But ALL traffic to X.X.X.117 is statically NATed to the host :-(


interface Serial0
 ip access-group BADBOYS in

ip access-list extended BADBOYS
 permit ip host Z.Z.Z.1 host X.X.X.117
 deny ip any host X.X.X.117


Thanks for your guide,
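The two behaviours this thread turns on, the route-mapped static entry that only fires for host-to-Z.Z.Z.1 traffic (Jon's policy NAT answer) and the fact that the same static entry still catches every inbound packet for X.X.X.117 until an interface ACL narrows it, are easiest to see in a small simulation. The following Python is an added example written for this page, not IOS and not either poster's configuration. It models the ACLs and NAT rules exactly as posted, with constructed addresses standing in for the masked ones (the inside host, which the thread never shows, as 10.1.1.10; x.x.x.113 as 198.51.100.113; x.x.x.117 as 198.51.100.117; Z.Z.Z.1 as 203.0.113.1), and it assumes a trailing "permit ip any any" on BADBOYS so other inbound traffic is not swallowed by the implicit deny.

```python
"""Simulation of the policy-NAT behaviour discussed in this thread.

Added illustration, not IOS and not the poster's configuration.
Constructed addresses stand in for the masked ones in the thread.
"""
from dataclasses import dataclass

INSIDE_HOST = "10.1.1.10"        # constructed; the thread's "host"
OVERLOAD_IP = "198.51.100.113"   # Loopback0, generic PAT address (x.x.x.113)
SPECIAL_IP = "198.51.100.117"    # address used only toward Z.Z.Z.1 (x.x.x.117)
PARTNER = "203.0.113.1"          # Z.Z.Z.1
OTHER = "192.0.2.50"             # any other Internet host (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def acl_match(entries, pkt):
    """Extended ACL semantics: first matching entry decides; implicit deny at the end."""
    for action, src, dst in entries:
        if src in ("any", pkt.src) and dst in ("any", pkt.dst):
            return action == "permit"
    return False


# access-list 188, matched by route-map SPECIALNAT (both directions, as posted)
ACL_188 = [
    ("permit", PARTNER, SPECIAL_IP),
    ("permit", INSIDE_HOST, PARTNER),
]

# ip access-list extended NEWNAT: everything except host -> Z.Z.Z.1 uses the overload pool
ACL_NEWNAT = [
    ("deny", INSIDE_HOST, PARTNER),
    ("permit", "any", "any"),
]

# ip access-list extended BADBOYS, applied inbound on Serial0.  The trailing
# permit any/any is an assumption added here so that other inbound traffic
# (return traffic, WAN) is not dropped by the implicit deny.
ACL_BADBOYS = [
    ("permit", PARTNER, SPECIAL_IP),
    ("deny", "any", SPECIAL_IP),
    ("permit", "any", "any"),
]


def translate_outbound(pkt):
    """Inside -> outside: the route-mapped static entry is consulted first,
    then the dynamic overload rule.  Returns (translated packet, rule used)."""
    if pkt.src == INSIDE_HOST and acl_match(ACL_188, pkt):
        return Packet(SPECIAL_IP, pkt.dst), "static"
    if acl_match(ACL_NEWNAT, pkt):
        return Packet(OVERLOAD_IP, pkt.dst), "overload"
    return pkt, "none"


def translate_inbound(pkt, inbound_acl=None):
    """Outside -> inside on Serial0: the interface ACL runs first, then NAT.

    The static entry is bidirectional, so any packet addressed to x.x.x.117
    is un-translated to the inside host regardless of its source.  That is
    what the original poster observed; only the inbound ACL narrows it to
    Z.Z.Z.1.  Returns (translated packet or None, rule used)."""
    if inbound_acl is not None and not acl_match(inbound_acl, pkt):
        return None, "dropped"
    if pkt.dst == SPECIAL_IP:
        return Packet(pkt.src, INSIDE_HOST), "static"
    return pkt, "none"


if __name__ == "__main__":
    print(translate_outbound(Packet(INSIDE_HOST, PARTNER)))            # static, from .117
    print(translate_outbound(Packet(INSIDE_HOST, OTHER)))              # overload, from .113
    print(translate_inbound(Packet(OTHER, SPECIAL_IP)))                # reaches the host: the problem
    print(translate_inbound(Packet(OTHER, SPECIAL_IP), ACL_BADBOYS))   # dropped by the interface ACL
```

The ordering in `translate_inbound` mirrors IOS for outside-to-inside traffic: the inbound interface ACL is evaluated against the global (pre-translation) address, which is why BADBOYS refers to X.X.X.117 rather than the inside host.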

