Community Manager


Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco experts Aamer Akhter and Kevin Eckhardt Network Address Translation (NAT), which is designed for IP address simplification and conservation. NAT enables private IP networks that use unregistered IP addresses to connect to the Internet. Aamer Akhter is currently leading a team for testing Layer 3 VPNs and related technologies in a cross-Cisco effort. He is CCIE number 4543. Kevin Eckhardt has six years of experience working with IS-IS, OSPF, and BGP routing protocol performance and scalability. He is currently working as a technical marketing engineer in the areas of IP Routing and IP Services.


Remember to use the rating system to let Aamer and Kevin know if you have received an adequate response.


Aamer and Kevin might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 3, 2006. Visit this forum often to view responses to your questions and the questions of other community members.


Aamer or Kevin, not sure that this is the right forum for this, but it is NAT related. I have heard that NetFlow v5 has a difficulty with NAT-enabled interfaces, which was supposedly corrected in v9. The only documents I could find relating to the subject referred to 6500 series switches, which could not have NAT running on interfaces configured with full or interface-full flow masks. Can you verify if there is a NAT issue with the v5 version of NetFlow?

Hi jmentzer,

I am unfamiliar with a specific problem with v5 vs v9 NetFlow and any problems with NAT. v5 and v9 are for the most part export format changes.

The restrictions for the 6500 (and 7600) are related to the collection (and storage) of NetFlow data and the NAT translation table.

6500/7600 specific:

You must configure 'mls flow ip' with a mask shorter than full to prevent conflict with NAT. NAT uses the interface-full flow mask by default when configured as a feature. Once this is set, NetFlow with a full flow mask or longer will conflict with NAT's flow mask requirements. We must configure 'mls flow ip' to be source, destination, destination-source, or destination-source-interface. These are the only masks that will not conflict with NAT's flow mask.

Hope this clarifies,


I have a problem with NAT configuration on a Cisco router.

In my scenario I have one remote-access VPN and a second site-to-site VPN.

In my remote-access VPN I have configured an IP network, for example 192.x.x.x, but my partner wants my connection to come from another network/address, for example 172.30.x.x.

So I have to translate traffic from the remote VPN (addresses 192.x.x.x) to the 172.30.x.x network/addresses.


From inside to VPN it isn't a problem, but from VPN to VPN...

Traffic for the site-to-site VPN is configured like:

permit 172.30.x.x 172.28.x.x


I tried to configure it like this:

acl 100:

permit 192.x.x.x 172.28.x.x

ip nat pool vpn_traffic 172.30.x.1 172.30.x.127 netmask

ip nat outside source list 100 pool vpn_traffic add-route - but it is not working.


NAT table:

--- ---                ---                172.30.x.1     192.x.x.x


Is it possible to configure this on the router?

If yes, what am I doing wrong?