Cisco Support Community
Community Member



I want to pass all my users out my internet pipe on the same NAT/PAT address.

At the moment I have all users behind a firewall which passes traffic to the perimeter router (the firewall's external IP is a private address & non-routable), so the router's external IP is the address I present to the internet.

I have implemented a PAT solution on the external interface and access to the internet is working, but I think I remember reading that PAT doesn't like streaming, VoIP etc. and this would match my problem - when I access some sites with streaming content it hangs.

Should I use a NAT solution instead, but rather than use a pool of addresses (which I don't have) just use the external interface's IP?

Thanks to anyone taking the time to reply.

PS - any links to configs are greatly appreciated.

Hope this finds you all well.

Community Member

Re: NAT or PAT

You can do both.

Define 2 access lists: the first would forward traffic to a NAT pool and the second would forward traffic to the PAT IP.

global (outside) 1 {public_Ip_start_range public_Ip_end_range }

global (outside) 2 {public_PAT_IP}

nat (inside) 1 access-list {acl_name-1}

nat (inside) 2 access-list {acl_name-2}

Hall of Fame Super Gold

Re: NAT or PAT


Perhaps there is some confusion about terminology. NAT is translation with a pool of addresses. When you do NAT with only a single address you have created PAT.

If you have only a single address then your alternative is to do PAT. If that is causing problems then perhaps you need to negotiate with your provider for additional address space.


The solution that you suggest is a PIX/ASA solution. But Michael has clearly stated in his original post that his firewall outside interface is using a private non-routable address and that he needs to do translation on his router.



Hall of Fame Super Gold

Re: NAT or PAT

Somehow my post got posted twice.



Community Member

Re: NAT or PAT


Many thanks for your reply, it's greatly appreciated.

I have 2 or 3 addresses currently available, but as this may change (I may have to allocate them to other perimeter devices) I opted for PAT.

Are you aware of any problems with PAT and streaming protocols or performance?

My perimeter kit is an HSRP 3845 cluster with 1Gb RAM connecting to an ISP router (3825).

Thanks for your time.

Community Member

Re: NAT or PAT

Streaming endpoints should reside on a VLAN different from that of data.

Perform NAT and create 2 pools: one for streaming applications, which has the same subnet mask as the Voice/Video VLAN, and the other can be static or dynamic PAT for data VLANs.

access-list 1 permit %Voice/Video VLANs

access-list 2 permit %Data VLAN

ip nat pool nourvoice y.10.10.1 y.10.10.254 netmask %mask

ip nat pool nourdata x.10.11.1 x.10.11.2 netmask %mask

ip nat inside source list 1 pool nourvoice

ip nat inside source list 2 pool nourdata overload

Community Member

Re: NAT or PAT

I have a 2811 and streaming works fine as long as you have the streaming protocols declared in your "ip inspect" list on the router. Assuming that you already have an "ip inspect" list on the outbound interface of your router, just add the streaming protocols you want to the list:

ip inspect name LIST_NAME PROTOCOL

for example

In global config:

ip inspect name mylist pcanywhere

ip inspect name mylist h323

Interface config mode for external router interface:

ip inspect mylist out

That's all it takes to set it up, though the inspect list is usually pretty long. Mine has nearly 40 protocols listed.
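
The thread's advice applied to the original question (PAT on the router's single external address, plus the inspect list from the reply above), as an added example that is not from any poster. The interface names, ACL number 10 and the 192.168.0.0/16 inside range are assumptions; `mylist` is the list name used in the reply above.

```cisco
! Added example with constructed values, not taken from any poster's router.
! Assumed: Gi0/0 faces the firewall, Gi0/1 faces the ISP, and traffic
! arriving from the firewall is sourced from 192.168.0.0/16.

! Sources eligible for translation
access-list 10 permit 192.168.0.0 0.0.255.255

! PAT every matching source onto the address of the external interface,
! so no address pool is needed
ip nat inside source list 10 interface GigabitEthernet0/1 overload

! Inspection list: generic TCP/UDP plus the protocols that negotiate
! extra media ports inside their control channel
ip inspect name mylist tcp
ip inspect name mylist udp
ip inspect name mylist h323
ip inspect name mylist rtsp

interface GigabitEthernet0/0
 ip nat inside
!
interface GigabitEthernet0/1
 ip nat outside
 ip inspect mylist out
!
! Verification from exec mode:
!   show ip nat translations
!   show ip nat statistics
!   show ip inspect sessions
```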
