



When configuring Static and Dynamic NAT, I've always used an ACL to block off the statically used IP address from initiating dynamic NAT. I've been doing this because I was told this is best practice; however, I really don't know the reasoning behind it! Could someone point out some of the cons of NOT using an ACL to block off the statically assigned address? I've configured the same setup without the ACL and the routers seem to be running fine so far! Any input would be appreciated. (I've done a copy and paste from one of Cisco's docs here as well.)

Thanks in advance for your time

ip nat pool test netmask
ip nat inside source list 7 pool test
ip nat inside source static
interface e 0
 ip address
 ip nat inside
interface s 0
 ip address
 ip nat outside
access-list 7 deny host
access-list 7 permit

Note: ACL 7 (access-list 7) in the above configuration denies the inside local address, which is used in the static nat command. This will prevent packets sourced from the inside local address,, from being able to generate NAT dynamically. This is necessary because the inside local address of is already being used for static NAT. This practice should always be used when configuring static and dynamic NAT simultaneously.




I have also configured the router without the ACL for static NAT assignments and it works well, just as in your case. The only CONS I see about preventing static assignment from trying to get a dynamic assignment would be more statements and maybe more processing on the router CPU, although this may be negligible.

Just my 2 cents


There is no use for the static if you don't deny it in the ACL for the dynamic NAT, since it will then use the same dynamic address(es) to translate to the outside.

This is also needed for traffic initiated from the outside NAT interface to be able to connect to the NAT address and thus be NATted to the inside address.

see also:
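
An added example, not part of the thread or of Cisco's documentation: a Python check that parses an IOS configuration and reports static NAT inside-local hosts that the dynamic NAT ACL still permits, which is the overlap the quoted note says to exclude. The sample addresses are constructed, the function names are hypothetical, and the parser assumes standard numbered ACLs only.

```python
import ipaddress
import re

# Constructed sample config; addresses are illustrative, not from the thread.
SAMPLE = """\
ip nat pool test 172.16.131.2 172.16.131.10 netmask 255.255.255.0
ip nat inside source list 7 pool test
ip nat inside source static 10.10.10.1 172.16.131.1
ip nat inside source static 10.10.10.5 172.16.131.11
access-list 7 deny host 10.10.10.1
access-list 7 permit 10.10.10.0 0.0.0.255
"""

def parse_acl_entry(action, words):
    """Return (action, base, wildcard) for a standard ACL entry, as integers."""
    if words[0] == "any":
        return action, 0, 0xFFFFFFFF
    if words[0] == "host":
        return action, int(ipaddress.IPv4Address(words[1])), 0
    wildcard = int(ipaddress.IPv4Address(words[1])) if len(words) > 1 else 0
    return action, int(ipaddress.IPv4Address(words[0])), wildcard

def acl_permits(entries, addr):
    """First match wins; a standard ACL ends with an implicit deny."""
    ip = int(ipaddress.IPv4Address(addr))
    for action, base, wildcard in entries:
        if (ip | wildcard) == (base | wildcard):
            return action == "permit"
    return False

def overlapping_statics(config):
    """List (host, acl) pairs where a static inside-local host is still
    permitted by an ACL that feeds dynamic NAT."""
    acls, dynamic_lists, statics = {}, [], []
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"access-list (\d+) (permit|deny) (.+)", line):
            entry = parse_acl_entry(m.group(2), m.group(3).split())
            acls.setdefault(m.group(1), []).append(entry)
        elif m := re.match(r"ip nat inside source list (\S+) pool", line):
            dynamic_lists.append(m.group(1))
        elif m := re.match(r"ip nat inside source static (\d+(?:\.\d+){3}) ", line):
            statics.append(m.group(1))
    return [(host, acl) for host in statics for acl in dynamic_lists
            if acl_permits(acls.get(acl, []), host)]

if __name__ == "__main__":
    for host, acl in overlapping_statics(SAMPLE):
        print(f"static host {host} is also permitted by dynamic NAT ACL {acl}")
```

In the sample, 10.10.10.1 is excluded by the deny entry, while 10.10.10.5 has a static entry but is still matched by the permit line.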
