2 way nat?

Posted on 2009-12-31
Last Modified: 2012-05-08
This is the problem I have....

I have an access point that only has configuration settings available for IP address and subnet mask.   It does not allow me to set a default gateway.   As you would know this causes problem if I wish to administer this access point from a remote location on a different network.

I'm trying to take my router and perform some fancy NAT features to get this to work.   Yes I know it would be cheaper to go out and get a new access point.   But I thought it would be fun to see if this was possible.

Basically I need to take an available IP address on the outside interface.   And translate this to my access point then I need to take my source IP address and translate this to an inside ip address on my router.


attempt to connect from pc to access point:
translates to... <---

And then back... ---->

translates back to...

Note: That all IP address above are static except for   This IP address is dynamic and would changed based on the system being used to administer the access point.

I have enabled the following debug:
Router#show debug
Generic IP:
  ICMP packet debugging is on
  IP NAT debugging is on
  IP NAT detailed debugging is on

When I issue a ping from my pc this is what I get on the router:

Jun 17 08:29:07.225: NAT*: o: icmp (, 512) -> (, 512) [57742]    
Jun 17 08:29:07.225: NAT*: s=>, d= [57742]
Jun 17 08:29:07.225: NAT*: s=, d=> [57742]
Jun 17 08:29:07.229: ICMP: echo reply rcvd, src, dst

It seems that the translation one direction works fine.   And you even see the ping responding back from the access point.   BUT it seems like this not translating back over to the outside interface.

Here is a show ip nat tran

Pro Inside global      Inside local       Outside local      Outside global
---         ---                ---
--- ---                ---      

I have played around for this for some time hope someone else can help out...   Here is my full running config...

If I'm going at this all wrong please advise!  Thanks!
version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption


hostname Router






memory-size iomem 25

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

no aaa new-model

ip subnet-zero




ip cef

ip audit po max-events 100



username cisco privilege 15 password 0 cisco







interface Loopback1

 no ip address


interface Ethernet0

 ip address

 ip nat inside



interface FastEthernet0

 ip address secondary

 ip address

 ip nat outside

 speed auto


interface Async1

 no ip address

 encapsulation slip


ip nat pool test2 netmask

ip nat pool wanip netmask

ip nat inside source list 100 pool wanip overload

ip nat inside source static

ip nat outside source list 101 pool test2 add-route

ip classless

no ip http server

no ip http secure-server



access-list 100 permit ip any any

access-list 101 permit ip any host




line con 0

line 1

 modem InOut

 modem autoconfigure discovery

 transport input all

 transport output pad udptn telnet rlogin ssh

 stopbits 1

 speed 115200

 flowcontrol hardware

line aux 0

line vty 0 4

 login local

line vty 5 15

 login local



Open in new window

Question by:GageDigital
    LVL 4

    Expert Comment

    Assuming you only use this router for this purpose and your Accesspoint administration page runs on (port 443), remove all "ip nat" lines and replace them with these:

    ip nat inside source list 100 interface ethernet0 overload
    ip nat inside source static tcp 443 interface ethernet0 443

    Author Comment

    Not quite sure how this will work.   Seeing that the is on the same network as ethernet0.   So I will assume that you meant fa0.      

    ip nat inside source static tcp 443 interface FastEthernet0 443

    Then it would seem this would only perform a single directional nat and the access point would receive a packet from with a public source IP address and not an ip on the local network.

    I will try and report back...
    LVL 4

    Expert Comment

    i sure do mean ethernet0 as this is your NATted interface on which the port 443 is forwarded to the device.

    Author Comment

    I think I understand what you are doing now.   Instead of me using an ip address on my fa0 interface to access my access point I would attempt to access it via the AP's IP address it's self and have the router only nat the source IP address.

    I did as you noted and this is the commands I used:
    ip nat inside source list 100 interface ethernet0 overload
    ip nat inside source static tcp 80 interface ethernet0 80

    This seems like a good idea, but does not seem to work.    

    By the way my AP admin page runs on
    LVL 10

    Accepted Solution


    I have just taken the config you originally posted, and put it in a lab environment, and it works! It is correctly translating both the source and destnation address. I set up a router on the outside with IP and a router on the inside with IP and no default route.

    Here is the response:-

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 200/277/416 ms

    *Mar  1 00:15:12.559: ICMP: echo reply sent, src, dst
    *Mar  1 00:15:12.855: ICMP: echo reply sent, src, dst
    *Mar  1 00:15:13.127: ICMP: echo reply sent, src, dst
    *Mar  1 00:15:13.415: ICMP: echo reply sent, src, dst
    *Mar  1 00:15:13.583: ICMP: echo reply sent, src, dst

    One thing that may cause some issues though is your wanip pool overlaps with the IP address you are statically natting the acces point to ( I would recommend changing the pool or just using the outside interfaces address for all dynaic nat translations.


    Author Closing Comment

    Thanks for taking the time to test this out!   It seems that the problem lies in my router and/or ios version.  All research I have done states it should work.

    Thanks again for working on this.

    Featured Post

    Top 6 Sources for Identifying Threat Actor TTPs

    Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

    Join & Write a Comment

    Hello , This is a short article on how would you go about enabling traceoptions on a Juniper router . Traceoptions are similar to Cisco debug commands but these traceoptions are implemented in Juniper networks router . The following demonstr…
    There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
    After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
    After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

    728 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    20 Experts available now in Live!

    Get 1:1 Help Now