Showing results for 
Search instead for 
Did you mean: 

Return Path for NAT'd Traffic (857 and 877)



I have a problem with the return path of NAT'd traffic on a Cisco 877W router. Here's the network setup:

  • gatekeeper1 ( is a Cisco 857
  • gatekeeper2 ( is a Cisco 857
  • gatekeeper3 ( is a Cisco 877W

The default route is on all devices, however there are some static route defined so that traffic to certain IP addresses bounce off to and use that Internet connection instead. This new connection is designed so that traffic aimed for a certain internal IP address ( comes via this third internet connection in order to take the load off of the main line. NAT is all configured and appears to be working when .251 is the default route but as soon as I set it back to .1, the traffic appears to come in but doesn't go out again. Here's what I mean:

gatekeeper3#sh ip nat tr

Pro Inside global Inside local Outside local Outside global

--- 82.x.y.10 --- ---

tcp 82.x.y.9:80 216.x.y.246:51653 216.x.y.246:51653

--- 82.x.y.9 --- ---

As you can see here, I'm trying to connect to port 80 on 82.x.y.10 (which is internally) from 216.x.y.246 and that NAT rule seems to allow the traffic as expected plus the firewall is set to allow all traffic for the time being whilst I debug this issue. The external machine tries making the connection, the router appears to allow it but the connection never establishes. My suspicion is that the returning traffic is going out of the 'wrong' connection. How can I set this up so that the returning traffic goes out of the correct path?

Thanks in advance for any help you can offer.

Regards, Ade.

1 Reply 1

Jon Marshall
VIP Community Legend VIP Community Legend
VIP Community Legend


I suspet you are right. The simple solution is to NAT the incoming source IPs (from the internet) to the .251 address so that the traffic is sent back to the correct router. However this isn't easy with an IOS router when you have ip nat outside on the WAN interface and ip nat inside on the LAN interface.

I'm not sure i have ever got it to work properly. Unfortunately my laptop with GNS3 on it at the moment is out of action so i can't test but you may want to have a go.

An alternative that may work (again would need testing) would be to use PBR on the router ie.

access-list 101 permit ip any

route-map PBR permit 10

match ip address 101

set ip next-hop


ip addresss

ip policy route-map PBR

the above would redirect traffic from to the router LAN interface. Couple of notes -

1) using PBR to send the traffic back out the interface it was received on - haven't tested this before but it should work

2) it assumes all traffic from shoud use the connection even traffic that originates from that server. You can be more specific with the acl and use tcp and port 80 to only send http traffic to the .251 router.

Apologies for not being able to give a definitive reply but this may help. Must get my GNS3 laptop fixed


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: