Cisco Support Community

Questions about a particular NAT scenario

I have a router in a remote site that has a primary connection via MPLS and a backup connection via VPN to the hub site. The router at the remote site connects to the hub site router with both of these connections. The remote site has numerous connections on their local network that must be NATed on my side.

Each remote endpoint has a static one-to-one NAT translation.

For the VPN tunnel, the NAT is done on the hub site router on my side. On the MPLS link, the NAT translation is done on the remote side router.

The remote router MPLS interface is the NAT outside, the remote DMZ to the retailer is the NAT inside.

This particular retailer has asked that we PAT all communication from our side to the router DMZ interface.

Most of the communication is initiated from the hub side, but there will be some traffic sourced from the remote side in the retailer network.

This presents a couple of problems:

I cannot PAT and overload the DMZ interface on the remote side, because the DMZ interface is NAT inside and "Overload" cannot be applied to the NAT inside interface.

As mentioned, most of the source traffic is initiated from the hub side, from a single IP address, so I am wondering if I can do a one-to-one static NAT translation that will allow me to NAT my source IP address on the Outside (MPLS) interface to the DMZ interface (inside).

If this is possible, is it also possible to create the one-to-one NAT translation, apply NAT outside to the VPN public IP address interface, and create the same NAT through the VPN as well?


If those will not work, I am thinking perhaps a NAT on a stick with a loopback address on the remote side and do static one-to-one NAT on a stick.

Anyone have any thoughts on this?