Cisco Support Community
Community Member

NAT over WAN

In a general question, is it possible to have a remote LAN connected by a Point-to-Point where only half or some of the LAN's IP addresses are translated and the others are sent without translation?

This question arises from the need to have my IP phones addresses NOT translated or translated into the correct subnet of the Nortel phone server.

Please provide any information

Config outputs pending

Thank you

Hall of Fame Super Bronze

Re: NAT over WAN

Yes, by implementing ACLs that include only the subnet you want to NAT, with the other subnet on the deny statement.

Something like:

access-list 101 deny ip [nonat subnet]
access-list 101 permit ip [nat subnet]
ip nat inside source list 101 interface #### overload

Community Member

Re: NAT over WAN

Thank you for the quick response.

My follow-up question then becomes:

Is it possible to translate private IP to private IP?

For example: NATed to

with an ACL filtering out those that are destination public and those that remain private destination to my phone server?

Also, does NAT have to be in place on both routers?

It seems to me that NAT really only needs to be on the "hub" router.

Forgive the simple questions, new to some of the gory details.

Thank you for the info


Hall of Fame Super Bronze

Re: NAT over WAN

Yes, you can translate from private to private but the IP has to be routeable to the other end.

NAT does not need to be in place on both routers. The remote router needs to know about the translated network in order to route it back.

For instance, if you NAT to, you need to have a static or dynamic route pointing back to the originating router.
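
The selective, private-to-private translation and return route described in this thread, as an added example that is not part of the original posts. All subnets, the pool name, the next-hop address and the interface names are constructed for illustration.

```cisco
! --- Translating router (constructed addresses and interface names) ---
! Phone subnet 10.1.20.0/24 is exempt from NAT.
! Data subnet 10.1.10.0/24 is translated into the private range 172.16.50.0/24.
!
! In an ACL referenced by NAT, "deny" means "do not translate".
! Denied packets are still routed with their original source address.
access-list 101 deny   ip 10.1.20.0 0.0.0.255 any
access-list 101 permit ip 10.1.10.0 0.0.0.255 any
!
ip nat pool DATA-POOL 172.16.50.1 172.16.50.254 netmask 255.255.255.0
ip nat inside source list 101 pool DATA-POOL overload
!
interface GigabitEthernet0/0
 description Data LAN (assumed)
 ip nat inside
!
interface GigabitEthernet0/1
 description Phone LAN (assumed), marked inside but never matched by list 101
 ip nat inside
!
interface Serial0/0/0
 description Point-to-point link to the other router (assumed)
 ip nat outside
!
! --- Router at the other end of the point-to-point link ---
! No NAT here. It only needs routes back to the translated range and to the
! untranslated phone subnet. 192.168.255.2 is the assumed address of the
! translating router on the point-to-point link.
ip route 172.16.50.0 255.255.255.0 192.168.255.2
ip route 10.1.20.0 255.255.255.0 192.168.255.2
!
! --- Checks on the translating router ---
! show access-lists 101        (hit counters on the deny and permit lines)
! show ip nat translations     (entries should exist only for 10.1.10.x sources)
```

If phone traffic ever appears in `show ip nat translations`, the deny line is not matching, so check the wildcard mask and the order of the ACL entries first.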

Re: NAT over WAN

Just a tip:

The best device to use for these kinds of requirements is a PIX Firewall box, as it enhances the chances of having full control of the traffic pattern.


Wilson Samuel

Community Member

Re: NAT over WAN

Thank you Wilson,

Would a PIX Firewall box be necessary on a stub network? The remote router has one connection out the Point to Point line to my main "hub" router. I was planning to use the security features in the software build I have and had not thought an additional piece of equipment would be necessary.

Also, this remote router will be handling a lot of VoIP traffic, and I have no information on the degradation of traffic or signal through an additional box.

Any information that you could provide would be great

Thank you both

