How to know the public IP address is actually NAT'ed

Posted on 2012-09-07
Last Modified: 2012-09-10
I'm going to establish a VPN connection with a public IP address on the destination.
However, how can I test to ensure that the destination public IP address is not actually NAT'ed?

Question by:peteryau
    LVL 24

    Expert Comment

    Not sure what you are asking...public IP's are not NAT'd that I know of, can you explain what you are asking a bit more?
    LVL 25

    Expert Comment

    If I follow what you are asking then I would be surprised if the Public address was NOT NAT'd to a private (internal) address at the firewall of the receiving location.

    I have to agree with smckeown777 that more information, better explanation is needed.

    Author Comment

    It happened in a case before that even though the ISP assigned a public IP address, the Cisco VPN router could not establish a VPN connection because the real IP detected was not the public IP address assigned.
    So I want to test if the public IP address is NAT'd (or is a real public IP address).
    LVL 24

    Expert Comment

    Ok I think I know what you are asking...some ISP's allocate public addresses but a different public address for the router

    In this case I've no way to determine (that I know of) if the address is NAT'd, but can you ask the other side if they've got their router set up correctly?

    To make this work they need a NAT rule mapping the public IP to the private, without this nothing will work correctly...

    Course the other way to know is does your VPN connection work? If not then they haven't the rules setup on their end...

    Author Comment

    Does it mean that if IPsec works in the VPN connection test, then I don't need to worry about the bad experience I encountered before?
    LVL 24

    Expert Comment

    Em...well if the VPN connects and you obtain IP/connection then yes you are ok...least I think you are...unless I've missed something
    LVL 6

    Expert Comment

    typically when you configure a VPN such as that, you would only configure the public/NAT IP on the crypto map and then the NAT rule handles the rest in the background.

    at least on a Cisco ASA that's the way it works, you configure your host IP object with its real/internal IP and then specify its NATed IP. Then when building the IPSEC tunnel you just specify the public address in your crypto map.

    if your private IP isn't part of your tunnel configuration then it wouldn't be exposed to the peer. generally speaking, if you want to test the NAT itself you can just go to or similar from the host in question and see if it returns your dedicated NAT IP or the overload address.

    Author Comment

    I can establish an IPsec VPN connection using a Draytek router on each side. I don't know if it means I can do it using a Cisco VPN router on both sides again?
    I have checked using on a workstation behind the destination router (NAT) and it shows the fixed IP address of the public address of the destination router. Does it mean OK?
    LVL 24

    Accepted Solution

    If you can connect the VPN with one router there's no reason a different router will not work...that I know of

    As for the NAT check that test isn't going to work, since a workstation on the destination network will ALWAYS show the destination router's public IP - since the majority of pc's behind a router are using the basic NAT translation - i.e. they all use the router's public IP as their public IP

    Need more details on what is on the destination end to put this to bed...

    I'll explain as best I can
    Some ISP's allocate a block of public IP's to a customer - one of the IP's is allocated to the router and the others to servers behind the router
    Let's say you got - for example

    Router is

    Now 99% of pc's/laptops/servers behind the router use the default NAT rule - which basically says everyone on the inside uses the router's public IP for access to internet
    In the cases where you need a server to have a separate public IP (one of the other IP's from your block) in order to make it work you need a static NAT rule on the router saying

    2nd Public IP - internal private IP -

    Without this NAT rule the server behind the router will default to use the existing NAT rule and when you browse from it to it will report the router's public

    If you've added the proper static NAT rule, when you browse to whatismyip it will now report the actual public IP you expect

    So in those cases that's where you can determine if a public IP is actually being allocated/used correctly

    But I don't think any of this applies to you since you've already established the vpn circuit, so the only issue may be the difference between a Cisco and the Draytek

    Or...the destination router's public IP (which showed up from whatismyip - is this the actual public IP you are trying to connect to?)
    If it is then you are good to go...
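
The comparison described in the accepted answer (the address an external "what is my IP" page reports versus the address you expect), as an added Python example that is not part of the original thread. It also covers the asker's earlier case, where the router's own WAN address differs from the public IP the ISP assigned. The function names and result labels are hypothetical, the addresses are constructed from documentation ranges, and the externally observed address is passed in by hand rather than fetched.

```python
import ipaddress

# RFC 1918 private ranges plus the RFC 6598 carrier-grade NAT shared range.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def is_non_public(ip):
    """True if ip can only reach the internet through some NAT device."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_PUBLIC)

def check_router_wan(wan_ip, observed_ip):
    """Router view: WAN interface address vs. what an outside service sees."""
    if ipaddress.ip_address(wan_ip) == ipaddress.ip_address(observed_ip):
        return "direct"        # the router itself holds the public address
    if is_non_public(wan_ip):
        return "upstream-nat"  # ISP translates in front of the router
    return "mismatch"          # both public but different: check with the ISP

def check_host_nat(local_ip, observed_ip, router_public_ip, dedicated_ip=None):
    """Host view: which rule on the router translated this host's traffic."""
    seen = ipaddress.ip_address(observed_ip)
    if ipaddress.ip_address(local_ip) == seen:
        return "no-nat"
    if dedicated_ip and seen == ipaddress.ip_address(dedicated_ip):
        return "static-nat"    # static rule maps the 2nd public IP to this host
    if seen == ipaddress.ip_address(router_public_ip):
        return "overload"      # default rule: everyone shares the router's IP
    return "unexpected"

if __name__ == "__main__":
    # Constructed addresses from the documentation ranges (RFC 5737).
    router_ip, server_ip = "203.0.113.10", "203.0.113.11"
    print(check_router_wan("203.0.113.10", router_ip))
    print(check_router_wan("100.64.5.20", router_ip))
    print(check_host_nat("192.168.1.50", router_ip, router_ip, server_ip))
    print(check_host_nat("192.168.1.50", server_ip, router_ip, server_ip))
```

For a VPN endpoint the router view is the one that matters: a result other than "direct" means the peer will see a different address from the one configured on the router's WAN interface.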
