
Hiding Internet public addresses with NAT on IOS

Scott Aitken
Level 1

Hi all,


Is it possible to hide a lot (think Internet) of public IP addresses with NAT on an IOS device?  By hide I mean translate to the RFC1918 namespace.


The logical construct would be:

ip nat outside source...

but this isn't suited to many outside local IPs as you either need individual static mappings or a pool; neither being sufficient given the expansive namespace of public IPs.


If there is a solution can you please attach an example configuration?




3 Replies

Jon Marshall
Hall of Fame

You can certainly present public IPs as private IPs to internal clients if that is what you are asking. 


But it sounds like you are talking about the entire internet IP address space which is totally impractical. 


Perhaps you could clarify exactly what it is you are trying to achieve?



Hi Jon,


When you say it's possible, do you mean the way I've already described (and discounted)?  Or some other way?


What I'm trying to achieve is the hiding of a subset of the public address namespace using the private address namespace.  I understand that on a one-to-one mapping that is impractical, however with overloading, which I do not see possible with the outside source function, it would be reasonable to hide a lot of multiplexed connections (TCP, UDP) behind a number of private IPs (e.g. a 10.a.b.0/24 could support ≈16 million IPs, assuming each public IP made a single connection).


My understanding is that this is possible on ASAs.



So you mean hide any incoming public IPs behind a subset of private IPs. 


If so, you are correct about IOS (as far as I know): there is no overload from outside to inside, so if you want to do it dynamically you need a pool of private IPs equal in size to the number of public IPs.


And yes you can overload with an ASA.
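
The two approaches discussed in this thread, side by side, as an added example that is not part of any poster's reply: dynamic outside-source NAT on IOS with a one-to-one pool, and outside-to-inside dynamic PAT on an ASA. The addresses (203.0.113.0/24 as the public subset, 10.10.10.0/24 as the private range), the object, pool and interface names are constructed for illustration, and the ASA part assumes 8.3 or later NAT syntax.

```cisco
! ---------------------------------------------------------------
! IOS: dynamic outside-source NAT, one private IP per public host
! (no overload, so the pool must cover every concurrent outside
!  host that should be hidden)
! ---------------------------------------------------------------
! Constructed example: public hosts to hide
access-list 10 permit 203.0.113.0 0.0.0.255
!
! Constructed example: private addresses they are presented as
ip nat pool HIDE-POOL 10.10.10.1 10.10.10.254 prefix-length 24
!
! Translate the source of matching packets arriving from outside;
! add-route installs a route for the translated address so return
! traffic from inside hosts is sent back toward the outside interface
ip nat outside source list 10 pool HIDE-POOL add-route
!
interface GigabitEthernet0/0
 description Internet-facing (assumed name)
 ip nat outside
!
interface GigabitEthernet0/1
 description Internal LAN (assumed name)
 ip nat inside
!
! ---------------------------------------------------------------
! ASA 8.3+: dynamic PAT from outside to inside (overload)
! Many public sources share one private address, distinguished
! by translated source port
! ---------------------------------------------------------------
object network PUBLIC-SUBSET
 subnet 203.0.113.0 255.255.255.0
!
object network HIDE-ADDR
 host 10.10.10.1
!
! Sources in PUBLIC-SUBSET entering on "outside" appear to inside
! hosts as 10.10.10.1 with a translated source port
nat (outside,inside) source dynamic PUBLIC-SUBSET HIDE-ADDR
```

With either form, internal logs record the translated private address rather than the real public source, so the NAT device's translation logs are needed to attribute a connection to its original address.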


