Erik Dekkers

NAT - rewrite source address

Hi folks,

I'm stuck with some NAT issues. I've got an 800-series router which connects to the internet via a PPP connection (dialer0).

On the inside the router has as IP address, the outside is negotiated with the ISP

My mailserver has the ip address of but with default gateway of (primary internet connection).

If I use plain NAT (ip nat inside source static tcp 25 interface Dialer0 80) the packets arriving on the mailserver do have a public IP address as source address.

Would it be possible to rewrite those packets (source address) so they have as source address? This way the mailserver won't send the replies to its default gateway but back to the Cisco router.

Thanks in advance,


Erik Dekkers

Wilk van der Sande

Jon Marshall
VIP Community Legend


This is a very easy thing to do on an ASA/pix but IOS is different. The trouble is there is no interface overload option on the "ip nat outside source" option. It gets worse. You can use a pool of addresses to translate the outside addresses to but there is no overload option with this pool so you need to have an IP per outside IP connecting.

In addition, presumably your negotiated address is the same each time, otherwise how would the mail server be reachable?

So you can either -

1) use PBR on the device to send it back out to This depends on whether your device supports PBR?

2) Use a big enough network in your pool to account for all possible simultaneous connections to your mail server. Note this pool does not have to have a physical interface on the router; by configuring the pool the router will respond to it. So on the device -

access-list 101 permit tcp any host eq 25

ip nat pool MAIL netmask  <-- note this will only allow 254 simultaneous connections to your mail server. If you need more use a bigger subnet.

ip nat outside source list 101 pool MAIL add-route

There may be another way to do it with NAT but I don't know of it.
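
A fuller version of the configuration sketched in the post above, written out as an added example; it is not from Jon's post and not the original poster's running config. Every address in it is assumed: LAN 192.168.0.0/24 with the primary (Juniper) gateway at .254, the Cisco 800 at .253 on Vlan1 (the usual LAN interface on that platform), the mail server at .10, and a pool of unused LAN addresses .100 to .199. Dialer0 is the interface named in the thread; the access-list number and pool name are Jon's.

```cisco
! Added example, not from the thread. All addresses are assumed:
!   LAN          192.168.0.0/24, primary gateway (Juniper) at .254
!   Cisco 800    192.168.0.253 on Vlan1, PPP to the ISP on Dialer0
!   mail server  192.168.0.10, default gateway .254
!   NAT pool     192.168.0.100-192.168.0.199, addresses not used by any host
!
interface Vlan1
 ip address 192.168.0.253 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip nat outside
!
! Inside static NAT: SMTP arriving on the negotiated Dialer0 address is sent
! to the mail server (port 25 on both sides).
ip nat inside source static tcp 192.168.0.10 25 interface Dialer0 25
!
! Outside source NAT: for SMTP arriving on the outside interface, rewrite the
! SOURCE address to one taken from the MAIL pool. There is no overload keyword
! here, so each outside host holds one pool address while its translation lives.
! add-route installs a route for each translated outside-local address, so the
! mail server's reply to a pool address is routed back out through Dialer0.
access-list 101 permit tcp any any eq 25
ip nat pool MAIL 192.168.0.100 192.168.0.199 netmask 255.255.255.0
ip nat outside source list 101 pool MAIL add-route
```

Two points to check on the box. First, the pool is carved out of the LAN subnet on purpose: the mail server only sends replies back via the Cisco if the pool addresses look local to it and the router answers ARP for them, which is what "the router will respond to it" relies on; confirm with `show ip alias` that the pool addresses are listed, and with `show ip nat translations` that an inbound SMTP session shows both the inside static entry and an outside entry with a pool address. Second, because there is no overload, the pool size is a limit on simultaneous sending hosts rather than on TCP connections, so size it for the number of distinct remote mail servers you expect at once, and keep those addresses out of DHCP scope so no host on the LAN ever collides with a translation. This only covers inbound mail on the secondary link; outbound mail from the server still leaves through its default gateway.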



Hi Jon,

Sadly the isn't a Cisco but a Juniper. However, PBR should be possible with that device.

I see there's no simple 1-to-1 solution for IOS, unfortunately. I will dig deeper into this and will let you know.

I really need a 'simple' solution for it without using things like PBR on the default gateway.

Thank you very much for your reply on this!


Erik Dekkers

Marwan ALshawi

The ip nat you have will not translate the source address from the internet; it will translate the mail server IP to the Internet interface IP.

Also connection to port 80 will be translated into your mail server as 25

Why do you want to translate the IP coming from the Internet? It's better to leave it with the original source IP (public) and the mail server will already send the reply to its default gateway!!


@marwanshawi: sorry, the port 80 was a typo, that should be 25 of course.

The reason I would like to translate the source address is because of this:

The is used as secondary internet connection ( is the primary). If my primary internet connection goes down (WAN error or router failure) I can use my secondary connection to receive mail. But, when the source address of a packet is public, my mailserver would send the reply to the default gateway (0.254) instead of the Cisco (0.253). But when I do a rewrite of the source address the reply would be sent to the Cisco.

I'm sure this should be possible, but I'm not sure IOS (advanced security) supports it.


Erik Dekkers


It is possible with the config I gave and it will work. But I can understand why you want a "simpler" 1-to-1 method. Like I say, with a firewall like the ASA/pix it is easy to do.

I wouldn't have thought there were that many simultaneous connections to your mail server?

I do understand your frustration that something so simple should not be possible. I am not a fan of NAT on IOS because it always seems that every time I want to do something there is a limitation and you have to use a workaround.


Marwan ALshawi

In this case just follow the suggested config by Jon; it is almost the only way,

unless you can add some redundancy between your default gateways in the network.


I know it is not elegant or simple, but if the 800 router is only used for receiving email, the Ethernet interface can be defined as outside and by PBR traffic incoming from the internet can be sent to a loopback classified as inside. Do an initial round of NAT and then send it out to the mail server with a further round of NAT, and this time overload would be available ....

Just watch the size of the NAT table and the CPU overhead; I believe that the 800 can only process-switch PBR and cannot use fast switching or CEF for it.

If you use that router for additional tasks it becomes more difficult.


This might work but needs to be labbed.