Inside source static NAT translates destination instead...

Hello all,

You probably know the feeling when something works, but you don't know why it works, because it shouldn't.

Here's the example of the topology I am working with:


The case is the following:

Two loopback addresses, lo1 and lo2, on the CE router are being used for management purposes, including as SNMP monitoring source addresses for various monitoring servers, each accepting traffic only from one of the loopback addresses. host is used for management purposes, but it also acts as an SNMP monitoring server and only accepts traffic originated by lo2; however, lo1 is set as the snmp-server trap-source, so the following global statement exists in the configuration:

ip nat inside source static route-map SNMPLOGGING

Obviously, lo2 is configured with:

ip nat inside

The SNMPLOGGING route-map includes the routes to those SNMP servers accepting traffic only from lo2:

route-map SNMPLOGGING, permit, sequence 10
  Match clauses:
    ip address (access-lists): 199
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

Extended IP access list 199
    10 permit ip host host
    20 permit ip host host
    30 permit ip host host
    40 permit ip host host
    50 permit ip host host

Routes to the LAN subnet and lo2 are being advertised from the CE router to the PE router via BGP.

The problem is the following:
SSH to CE router lo2 ( doesn't work from . It seems like it's attempting to connect infinitely (via bash). I managed to fix it by adding an ip nat outside statement to Se0/0/0 of the CE router, but I just can't understand why it fixes the problem. I added it because I saw this in the debug output of the CE router while attempting to establish an SSH session from


008157: Dec 11 13:04:40: IP: s= (Serial0/0/0), d=, len 52, input feature <-- note that destination is, whilst I was connecting to
008158: Dec 11 13:04:40:     TCP src=42315, dst=22, seq=2610185189, ack=0, win=49640 SYN, CCE Input Classification(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

The only reason for that I could think of is the PE router doing destination NAT from to, but it doesn't! There's no NAT happening on the PE router at all.

So if someone could just explain to me why adding the ip nat outside statement to Se0/0/0 of the CE router helps get the SSH traffic going, it will definitely save me from a headache. I just don't see why NAT is happening here if the traffic is originated from, as the global NAT statement only specifies as the source address for translation...

Hall of Fame Guru

Re: Inside source static NAT translates destination instead...


I am slightly confused, as you seem to be saying that before you enabled "ip nat outside" on the s0/0/0 interface everything worked except for SSH, but I would have expected you to have had to configure that for anything to work?

In answer to your specific question -

I just don't see why NAT is happening here if the traffic is originated from, as the global NAT statement only specifies as the source address for translation...

The source and destination are relative to the interface they are coming in on. So when you configure a static NAT statement like this -

ip nat inside source static

this creates a permanent entry in the NAT table. What it means is -

1) any traffic from the inside where the source IP is will have the source IP translated to


2) any traffic from the outside where the destination IP is will have the destination IP changed to

note that inside and outside in the above are defined by the "ip nat ..." statements on your router. It has to work like this because you need to NAT the IP both ways.

Both dynamic and static NAT need to translate the addresses in both directions. The difference with a static NAT is that because it creates a permanent entry in the translation table the traffic can be initiated from either the inside or the outside. In your case it is being initiated from the outside.


A very common use of static NAT is for internet services, e.g. you have a web server on private addressing and you want it to be accessible from the internet. So using the example above, your web server has a real IP of but this is not routable on the internet, so you allocate the public IP of to it. So if a user on the internet connects to the web server it would look like -

src IP   ->  dst IP   (translated to

src IP (translated to -> dst IP

notice that this is exactly the behaviour you are seeing when you connect from the outside to your loopback interface.

Hope that makes sense.
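The two rules in the answer above (source rewritten inside-to-outside, destination rewritten outside-to-inside, interface roles deciding which rule applies) as an added model, not code from the thread. All addresses and interface names are constructed placeholders, since the real ones are not in the extract, and the route-map condition is deliberately left out.

```python
from dataclasses import dataclass

# Constructed placeholder addresses; the thread's real addresses are absent from the extract.
INSIDE_LOCAL = "10.0.0.2"        # real address of CE loopback lo2 (hypothetical)
INSIDE_GLOBAL = "198.51.100.2"   # address lo2 is statically translated to (hypothetical)
OUTSIDE_HOST = "203.0.113.5"     # management host opening SSH from the outside (hypothetical)

# Interface roles as set by "ip nat inside" / "ip nat outside"; None means no NAT role.
INTERFACE_ROLES = {"Loopback2": "inside", "Serial0/0/0": "outside", "GigabitEthernet0/0": None}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def translate(ingress_iface: str, pkt: Packet, roles=INTERFACE_ROLES) -> Packet:
    """Apply one permanent 'ip nat inside source static' entry to a packet.

    Rule 1: arriving on an inside interface with src == inside local -> src becomes inside global.
    Rule 2: arriving on an outside interface with dst == inside global -> dst becomes inside local.
    An interface with no NAT role never triggers translation (route-map handling omitted).
    """
    role = roles.get(ingress_iface)
    if role == "inside" and pkt.src == INSIDE_LOCAL:
        return Packet(INSIDE_GLOBAL, pkt.dst)
    if role == "outside" and pkt.dst == INSIDE_GLOBAL:
        return Packet(pkt.src, INSIDE_LOCAL)
    return pkt


def trace_ssh_session(roles=INTERFACE_ROLES):
    """Return (inbound, outbound) packets after translation for an SSH session started outside."""
    syn = translate("Serial0/0/0", Packet(OUTSIDE_HOST, INSIDE_GLOBAL), roles)
    # The reply from lo2 is sourced on the inside, so its source is translated back.
    syn_ack = translate("Loopback2", Packet(syn.dst, syn.src), roles)
    return syn, syn_ack


if __name__ == "__main__":
    inbound, outbound = trace_ssh_session()
    print(f"in : src {OUTSIDE_HOST} -> dst {INSIDE_GLOBAL} (translated to {inbound.dst})")
    print(f"out: src {INSIDE_LOCAL} (translated to {outbound.src}) -> dst {outbound.dst}")
    # With no NAT role on Serial0/0/0 the static entry is never applied to the inbound SYN.
    no_outside = dict(INTERFACE_ROLES, **{"Serial0/0/0": None})
    print(translate("Serial0/0/0", Packet(OUTSIDE_HOST, INSIDE_GLOBAL), no_outside))
```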

