
PROBLEM WITH NAT on Router 1841

Hello Everyone!!!

I have a little problem configuring NAT on router 1841; this is the topology:

                    WAN (PUBLIC´S ADDRESS)   fast0/0        fast0/0/0                PUBLIC´S ADDRESS                        INSIDE (

ROUTER ====== X.X.X.X/30============= ROUTER ======== Z.Z.Z.Z/29 ============ SW 3560==============

  (ISP)      .253                                         .254 CLIENT  . 47                                                .48    

The connection with the ISP or Extranet is metro Ethernet, so the ISP gave two IP addresses to the client:

WAN (/30)

LAN (/29), which will be the public addresses to be used by the client if they need to publish any server on the network (like www). They do not have any device that could do the NAT, like an ASA or Linux server, so the router has to do the NAT, because the SW 3560 does not support this feature.

So... I did the following:

On router 1841:

inter fast 0/0

description WAN

no shut

inter fast 0/0.316

encapsulation dot1Q 316

ip address x.x.x.254

interface vlan 448

description LAN-ME

ip address Z.Z.Z.47

ip nat outside

no shut

inter fast 0/0/0

switchport mode access

switchport access vlan 448

no shut

I created a loopback interface to simulate the LAN connection (

Inter loopb 0

ip address

ip nat inside

ip access-list nat

permit ip any

deny ip any any

ip nat inside source list nat interface vlan 448 overload

ip route x.x.x.253


interface vlan 448

description LAN-ME

ip address Z.Z.Z.48

no shut

ip route Z.Z.Z.47

But if I try to ping from the IP address to any Internet server, the ping fails, but if I ping from vlan 228 the ping succeeds. I think that a route map could solve the problem.

Any idea???



With a setup like this, you will be living dangerously.

You will make life both easier and safer when you add a firewall (ASA5505) in between the router and the switch.

The public IP subnet can be on the router's inside interface. The ASA can do the NAT and secure your network.



Thanks lgijssel,

Unfortunately the customer does not have enough money to buy an ASA or any firewall.



Marwan ALshawi

Can you post a sample topology of what you are trying to do so we might help you here?

Of course marwanshawi,

Like this is the topology, as the public address does not match the pattern for safety.

Like I said before, the client has a metro Ethernet link that communicates with the Internet, but they do not have any firewall that can do the NAT, so the Internet router has to do that, because the core switch does not have the feature. The problem is that the router has two public IP addresses, so the config that I posted before does not work. I think that a route map could solve this problem.

What do you think?


Hi Katherine,

You are using a network mask instead of a wildcard mask for your access list.

And the subnet is not right.

It should be:

permit ip any
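The network mask versus wildcard mask point from the reply above, as an added example that is not part of the original thread: it applies the IOS ACL matching rule (wildcard bits set to 0 must match, bits set to 1 are ignored) to show which sources a NAT access list selects when a subnet mask is typed where the wildcard belongs. The 192.168.10.0/24 inside network and all sample addresses are constructed, because the thread's real addresses are masked.

```python
import ipaddress

FULL = 0xFFFFFFFF


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def netmask_to_wildcard(netmask: str) -> str:
    """Invert a subnet mask into the wildcard mask an IOS ACL entry expects."""
    return str(ipaddress.IPv4Address(to_int(netmask) ^ FULL))


def acl_matches(base: str, wildcard: str, addr: str) -> bool:
    """IOS rule: compare only the bits where the wildcard mask is 0."""
    care = to_int(wildcard) ^ FULL
    return (to_int(addr) & care) == (to_int(base) & care)


# Constructed sample values (assumptions, not taken from the thread).
BASE = "192.168.10.0"
NETMASK = "255.255.255.0"
WILDCARD = netmask_to_wildcard(NETMASK)  # 0.0.0.255


def compare(sources):
    """Map each source to (matches correct wildcard, matches mistyped netmask)."""
    return {
        src: (acl_matches(BASE, WILDCARD, src), acl_matches(BASE, NETMASK, src))
        for src in sources
    }


if __name__ == "__main__":
    samples = ["192.168.10.25", "192.168.11.25", "203.0.113.0", "10.9.8.0"]
    print(f"{'source':<15} wildcard {WILDCARD:<12} netmask {NETMASK}")
    for src, (good, bad) in compare(samples).items():
        print(f"{src:<15} {str(good):<21} {bad}")
```

With the subnet mask in the wildcard position, the entry ignores the first three octets and matches any source whose last octet is 0, so the intended inside hosts are never selected for translation while unrelated addresses are.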


hi kc,

you should perform NAT overload/PAT on the WAN and use the ip address secondary command instead of creating a loopback interface.


int f0/0

ip address

ip nat out

int f0/1

ip add secondary

ip add

ip nat in

ip nat inside source list nat int f0/0 over

for the 3560, you need to consider if this would be an L2 or L3 switch. having a point-to-point IP of .48 with your 1841 would waste IP space.

if you choose it to be L2, you would perform router-on-a-stick with the 1841. on the other hand, if it's L3, you would perform static and dynamic routing.

Can you please confirm the below first:

ISP/internet will send any traffic destined for and to the Router ISP and over to the Client router where you want to perform the NAT?

And you want to NAT some private servers' IPs to the IP range of from the LAN?

If this is right, can you change the IP address of the interface between the core switch and the client router to anything private?

Once you confirm the above, then we can work out a solution for your case.