2 way nat?

This is the problem I have....

I have an access point that only has configuration settings available for IP address and subnet mask.   It does not allow me to set a default gateway.   As you would know this causes problem if I wish to administer this access point from a remote location on a different network.

I'm trying to take my router and perform some fancy NAT features to get this to work.   Yes I know it would be cheaper to go out and get a new access point.   But I thought it would be fun to see if this was possible.

Basically I need to take an available IP address on the outside interface.   And translate this to my access point then I need to take my source IP address and translate this to an inside ip address on my router.


attempt to connect from pc to access point:
translates to... <---

And then back... ---->

translates back to...

Note: That all IP address above are static except for   This IP address is dynamic and would changed based on the system being used to administer the access point.

I have enabled the following debug:
Router#show debug
Generic IP:
  ICMP packet debugging is on
  IP NAT debugging is on
  IP NAT detailed debugging is on

When I issue a ping from my pc this is what I get on the router:

Jun 17 08:29:07.225: NAT*: o: icmp (, 512) -> (, 512) [57742]    
Jun 17 08:29:07.225: NAT*: s=>, d= [57742]
Jun 17 08:29:07.225: NAT*: s=, d=> [57742]
Jun 17 08:29:07.229: ICMP: echo reply rcvd, src, dst

It seems that the translation one direction works fine.   And you even see the ping responding back from the access point.   BUT it seems like this not translating back over to the outside interface.

Here is a show ip nat tran

Pro Inside global      Inside local       Outside local      Outside global
---         ---                ---
--- ---                ---      

I have played around for this for some time hope someone else can help out...   Here is my full running config...

If I'm going at this all wrong please advise!  Thanks!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
memory-size iomem 25
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
ip audit po max-events 100
username cisco privilege 15 password 0 cisco
interface Loopback1
 no ip address
interface Ethernet0
 ip address
 ip nat inside
interface FastEthernet0
 ip address secondary
 ip address
 ip nat outside
 speed auto
interface Async1
 no ip address
 encapsulation slip
ip nat pool test2 netmask
ip nat pool wanip netmask
ip nat inside source list 100 pool wanip overload
ip nat inside source static
ip nat outside source list 101 pool test2 add-route
ip classless
no ip http server
no ip http secure-server
access-list 100 permit ip any any
access-list 101 permit ip any host
line con 0
line 1
 modem InOut
 modem autoconfigure discovery
 transport input all
 transport output pad udptn telnet rlogin ssh
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 login local
line vty 5 15
 login local

Open in new window

Who is Participating?

I have just taken the config you originally posted, and put it in a lab environment, and it works! It is correctly translating both the source and destnation address. I set up a router on the outside with IP and a router on the inside with IP and no default route.

Here is the response:-

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 200/277/416 ms

*Mar  1 00:15:12.559: ICMP: echo reply sent, src, dst
*Mar  1 00:15:12.855: ICMP: echo reply sent, src, dst
*Mar  1 00:15:13.127: ICMP: echo reply sent, src, dst
*Mar  1 00:15:13.415: ICMP: echo reply sent, src, dst
*Mar  1 00:15:13.583: ICMP: echo reply sent, src, dst

One thing that may cause some issues though is your wanip pool overlaps with the IP address you are statically natting the acces point to ( I would recommend changing the pool or just using the outside interfaces address for all dynaic nat translations.

Assuming you only use this router for this purpose and your Accesspoint administration page runs on (port 443), remove all "ip nat" lines and replace them with these:

ip nat inside source list 100 interface ethernet0 overload
ip nat inside source static tcp 443 interface ethernet0 443
GageDigitalAuthor Commented:
Not quite sure how this will work.   Seeing that the is on the same network as ethernet0.   So I will assume that you meant fa0.      

ip nat inside source static tcp 443 interface FastEthernet0 443

Then it would seem this would only perform a single directional nat and the access point would receive a packet from with a public source IP address and not an ip on the local network.

I will try and report back...
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

i sure do mean ethernet0 as this is your NATted interface on which the port 443 is forwarded to the device.
GageDigitalAuthor Commented:
I think I understand what you are doing now.   Instead of me using an ip address on my fa0 interface to access my access point I would attempt to access it via the AP's IP address it's self and have the router only nat the source IP address.

I did as you noted and this is the commands I used:
ip nat inside source list 100 interface ethernet0 overload
ip nat inside source static tcp 80 interface ethernet0 80

This seems like a good idea, but does not seem to work.    

By the way my AP admin page runs on
GageDigitalAuthor Commented:
Thanks for taking the time to test this out!   It seems that the problem lies in my router and/or ios version.  All research I have done states it should work.

Thanks again for working on this.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.