
Open Subj:SNAT on CISCO ROUTER(change source IP)





I am opening the subject again because nobody answered my question. This time I attached a sample made in Packet Tracer with my problem.

So do not add routes on routers or change/add a gateway ...... use only NAT.

In Linux I did this using DNAT (PREROUTING) and SNAT (POSTROUTING); in IOS I cannot solve it, so please help me.

The objective: Access from URL with and from there redirect to web server and back. Just that.

If anybody thinks they can do that using a router (no Packet Tracer), I hope they show me how they did it.

I have a C850 router and it has NVI (NAT), so...give me a solution




Roberto Kippins

Hi, if I got this correct the web server is at on the LAN and you want to do a static NAT translation of for it to be accessed externally? If so, here is how the NAT mapping is done on the router:


ip nat inside source static tcp 80 8080

Do you see attached file? My router has this command ...

Hi, no, it says your file is incompatible with my Packet Tracer. It's been a long time since I used that; try GNS3, you will get better functionality since many features are limited on PT.

Thank you, I found the solution, Jon Marshall helped me. I use PT2.6.

You are right about GNS3, I will try it. But I think I need an IOS image for GNS3, do I?

Yes you do need an IOS image to work with GNS3 and unfortunately Cisco don't provide free IOS images to use in a lab.

So unless you have access to download IOS images from Cisco you can't really use GNS3.


Jon Marshall
Hall of Fame

so...give me a solution

I think the word you are looking for is "please".

Do you see attached file? 

Roberto is just trying to help in his free time and most of us don't use PT so posting a PT file is useless.

Okay, that said if it is just one router it should work without changing the source IP because of proxy arp.

However assuming you do want to change the source IP I checked your other post and you are almost there. The reason it doesn't work is because of the order of operations with IOS. So what happens is your NAT statement from the other post is doing what it is meant to do eg. -

ip nat outside source static

will translate to It's what happens when the packet is sent back to the router from the NVR device and there are two issues -

1) firstly don't use the router interface IP ie. because then the router thinks the packet is for it. So you need to pick an unused IP in the 192.168.9.x subnet

2) if you do that the next problem is IOS order of operation. From inside to outside routing is done before NAT. So what happens if you do this -

ip nat outside source static

is the router receives the return packet from your NVR device and the destination IP is It then does a route lookup and because the IP is from the same subnet as its inside interface it does not route it to the outside interface so the packet is dropped.

If your router supports the "add-route" option you can use that ie.

ip nat outside source static add-route

what this does is put a host specific route in the IP routing table for with the next hop IP of ie.

this means when the router does the route lookup for it sees the next hop IP as being reachable via the interface connected to the network  and so can then forward it and do the necessary NAT on the IP addresses.

If you don't have the "add-route" command you can try adding your own static route on the router to do the same thing and see if that works.


I read the first phrase of your comment and you are right.

I'm sorry, but when I opened this thread again I was hurried and angry, and I forgot "please", and you are right.

I'm really sorry..I swear!


I tried your solution and it works!..I'm happy...really happy!!!! :) because that problem was bugging me for a long time (1 month). I asked many people but nobody helped me.

I use Linux day by day and under Linux the problem is resolved very easily (DNAT/SNAT, 2 instructions using ROUTER INTERFACE, !!!..and that's all).

Under IOS the solution is very strange.

The router cannot NAT the packet if I use his! Why? I understand your explanation..but why? So.. every time I must reserve a free IP for that type of NAT?

Please :) can you explain in more detail about that thing. I finished CCNA (1 and 2) last month and I asked my tutor about the problem and he doesn't know about that type of solution. He told me... Try NVI! It will work

..thank you, thank you..and thank you again




No problem, I understand, sometimes I can post a response when I'm irritated and it can come across wrong.

Totally understand.

Okay you cannot use the router interface IP because you could never have a host specific route in the routing table that would override that because the router interface is directly connected.

So the IP routing table (on the IOS version I am using) has a route for and a host route for the actual router interface and both are directly connected.

You can't override a directly connected route with a static for the same prefix and subnet mask.

Which means you cannot add a route for pointing to the outside because the router already has a host specific route for this IP.

But you can add a more specific host route for any other unused IP on that subnet because the router only has a entry.

Remember the longest match always wins in the routing table.

So yes if the source device eg. your was different each time you would need another unused IP in the 192.168.9.x subnet per source device because it adds a host specific route for the 192.168.9.x IP back to the source device IP.

Note I assume this is just a lab because in production your clients would have default gateways.

It's also worth pointing out that it will work if your clients don't have gateways and you do not NAT the IP because of proxy arp running on the router (assuming it hasn't been turned off).

But only if both subnets ie. and are connected to the same router. If there were multiple routers between you would need the NAT solution again.

I just assumed this was an exercise so you wanted to NAT the 10.10.10.x IP as well.

Hope that makes sense and if you have any more queries please feel free to ask.
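
The routing behaviour explained in the reply above, as an added Python model that is not part of the original thread. All addresses are constructed lab values (the thread's real ones are not shown), and the three-field route table is a simplification of what a router holds.

```python
import ipaddress

# Constructed lab values (assumptions; the thread's real addresses are not shown).
ROUTER_IP = "192.168.9.1"     # router's inside interface
NAT_IP = "192.168.9.50"       # unused inside-subnet IP chosen for the NAT
OUTSIDE_HOST = "10.10.10.20"  # real source device on the outside

LOCAL = "consumed by the router itself"
STAYS = "stays on inside subnet, never translated"
FORWARDED = "routed to outside, then NAT applied"

def base_table():
    """Routes a router holds for its two directly connected interfaces."""
    net = ipaddress.ip_network
    return [(net("192.168.9.0/24"), "connected", "inside"),
            (net(ROUTER_IP + "/32"), "local", "inside"),
            (net("10.10.10.0/24"), "connected", "outside")]

def lookup(table, dst):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def add_host_route(table, ip, next_hop):
    """Model of the host route 'add-route' installs; refused if the
    same prefix is already connected/local (it cannot be overridden)."""
    prefix = ipaddress.ip_network(ip + "/32")
    if any(p == prefix and kind != "static" for p, kind, _ in table):
        return False
    via = lookup(table, next_hop)  # interface through which the next hop is reachable
    if via is None:
        return False
    table.append((prefix, "static", via[2]))
    return True

def return_packet_fate(table, dst):
    """Inside-to-outside: route lookup first, NAT only if it exits outside."""
    route = lookup(table, dst)
    if route is None:
        return "no route"
    if route[1] == "local":
        return LOCAL
    return FORWARDED if route[2] == "outside" else STAYS

if __name__ == "__main__":
    t = base_table()
    print("before host route:", return_packet_fate(t, NAT_IP))
    print("router IP override accepted:", add_host_route(t, ROUTER_IP, OUTSIDE_HOST))
    print("unused IP host route accepted:", add_host_route(t, NAT_IP, OUTSIDE_HOST))
    print("after host route:", return_packet_fate(t, NAT_IP))
```
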


Thanks for everything. I have a question (strange but not impossible :) )

If everybody from wants to have access (254 users) in what can I do if I don't have 254 free IPs? Or maybe someday a user wants to connect and I'm on vacation

In Linux when I made SNAT I can refer to the entire network. to access.

-A POSTROUTING -t nat -o eth0 -s -d (...etc) -j SNAT --to-source

(all out eth0- interface router with source subnet and destination server) will have source So access will have source without problem. One instruction for the entire subnet.




If everybody from wants to have access (254 users) in what can I do if I don't have 254 free IPs? Or maybe someday a user wants to connect and I'm on vacation

Well you could always make the subnet bigger by changing the subnet mask.

The thing is you are talking more about lab scenarios. You wouldn't set up your network like this in production so it really isn't an issue.

For a start your clients would have a default gateway of the router. And if they did then you could use a different subnet altogether for the NAT ie. it wouldn't have to be any more.

Cisco and Linux are different so being able to do one thing with one doesn't mean you can automatically do it with another.

What you are asking is more theoretical than anything you would actually setup and if you did set it up like that you should probably be rethinking the design.


Thank you very much, I understand your entire post. Thank you again :)