Configuring Cisco

ip nat outside



Overlapping IP address ranges between your own LAN and the local area network of a partner organization are a common issue that network administrators face in their daily jobs. The textbook solution for this issue is NAT.
This article skips the basic dynamic and static NAT configurations: dynamic NAT, which hides your internal IP address behind a public IP address so that you can reach outside resources, and static NAT, which makes internal resources available from the outside world. You can find tutorials for these types of configurations in the “Basic Configuration of Cisco Router” and “Basic Configuration of Cisco ASA” articles, as well as the “Using NAT” article.

Destination address substitution

Let us look at an example in which we need to create a fictional dummy IP address. The dummy address stands in for a real IP address that overlaps with something in your network, and traffic sent to it is redirected towards the real destination.

cisco ip nat outside – the actual IP address of the server that you need to gain access to – dummy IP address, that will redirect the user’s traffic to

In order to implement this scenario, you need to mark each of the router’s interfaces as belonging to either the inside or the outside network using the following commands:
conf t
interface FastEthernet X
ip nat inside
interface FastEthernet Y
ip nat outside

After you’ve done that, enter the command:
ip nat outside source static

After creating that NAT rule, you must add a static route for the dummy IP address, directing traffic towards the real server.
A) If the server is located on a network directly connected to one of the router’s interfaces, then use the server’s real IP address as the next hop:
ip route
B) If the server is located farther in the network behind some other router, use that device’s IP address as the next hop (x.x.x.x):
ip route x.x.x.x


Verifying NAT

Use the command sh ip nat translations in order to check the active translation rules for your IP addresses. Your output should look similar to this:
R-DELTACONFIG-1#sh ip nat translations
Pro    Inside global Inside local       Outside local    Outside global
---          ---          ---      
---          ---          ---      

Substituting source and destination IP addresses at the same time

The scenario described above does not prevent you from using “regular” NAT along with it. If you need to hide the real IP address of your workstation behind some “outside” IP, create regular translation rules, such as the ones used for dynamic NAT.
Let’s say the real IP address of our workstation is (source IP), and it needs to be hidden behind a dummy IP address of


Add the configuration lines for dynamic source address translation:
ip access-list extended ACL_NAT
permit ip host any
ip nat pool NAT netmask
ip nat inside source list ACL_NAT pool NAT

As a result of this configuration, the original packet from source IP of our workstation destined for will be converted into a packet with source and destination as it traverses our router.

Don’t forget to check the routes on all your network devices if you encounter problems with this configuration. All of your devices need to “know” not only the routes to your real IP addresses, but to the dummy ones, as well.
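
A complete configuration for the combined scenario above, written here as an added example and not taken from the original article. All addresses and interface numbers are constructed for illustration, and the example uses case B, where the server sits behind the partner's router.

```cisco
! Constructed addresses (assumptions, not from the original article):
!   our LAN                192.168.1.0/24   workstation 192.168.1.50
!   partner server (real)  192.168.1.10     overlaps with our LAN
!   dummy for the server   172.16.100.10    what our users connect to
!   dummy for workstation  172.16.200.50    what the partner sees
!   transit link           10.0.0.0/30      us 10.0.0.1, partner 10.0.0.2
!
interface FastEthernet0/0
 description LAN side
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description link to partner router
 ip address 10.0.0.1 255.255.255.252
 ip nat outside
!
! Destination substitution: real server address first, dummy address second.
ip nat outside source static 192.168.1.10 172.16.100.10
!
! Inside-to-outside traffic is routed before it is translated, so the
! dummy address needs a route that leaves through the outside interface.
ip route 172.16.100.10 255.255.255.255 10.0.0.2
!
! Source substitution for the workstation.
ip access-list extended ACL_NAT
 permit ip host 192.168.1.50 any
ip nat pool NAT 172.16.200.50 172.16.200.50 netmask 255.255.255.0
ip nat inside source list ACL_NAT pool NAT
!
! Packet as sent by the workstation:   192.168.1.50  -> 172.16.100.10
! Packet as it leaves FastEthernet0/1: 172.16.200.50 -> 192.168.1.10
! The partner router must route 172.16.200.50 back to 10.0.0.1,
! otherwise replies never reach the translating router.
```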


Don’t forget to save your configuration changes on all your devices with the command write or copy run start. Otherwise you will lose all your changes after the next reload.
Building configuration...
