
Traffic redirect using NAT?

I am seeking ideas for setting up a traffic redirect solution in a routed environment (no firewall involved).

The requirement is that the customer wants us to set up a virtual IP to give out to an outside vendor. There are two servers sitting behind the VIP serving traffic. Please note this is NOT a load balancing deployment because only one server is up at a time. The development team wants the freedom of switching between servers without the outside vendor's awareness. The interesting part here is that the two servers are on different IP subnets in a routed environment. Is it possible to configure NAT where outside IP and inside IP are neither on a router's interface? If not, how can I accomplish this? Thanks in advance.





If I am understanding your requirements correctly, then the answer to "Is it possible to configure NAT where outside IP and inside IP are neither on a router's interface" is yes. As long as the VIP you are using traverses the device doing the NAT then you just add your NAT statement. An example using NVI :-


Router "outside Address"

Router "inside Address"

So, does not exist on any router and I translate that address to which also does not exist on any router.

Config of router doing NAT


interface FastEthernet0/0

ip address

ip nat enable

duplex full

interface FastEthernet1/0

ip address

ip nat enable

duplex full

speed 100

ip route

ip route

ip route

ip nat source static


ping from an outside device :-


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:


Success rate is 100 percent (5/5), round-trip min/avg/max = 64/117/196 ms

Output of NVI translation :-

R1#sh ip nat nvi translations

Pro Source global Source local Destin local Destin global

--- --- ---


I think that is what you are after, if not sorry :-s

Thank you very much for your in-depth explanation. The NVI solution is a lot easier than traditional NAT. Can you tell me when I should use NVI instead of legacy NAT when IOS supports both?

You are very welcome, that is what this forum is all about right.

So, in my opinion, both methods have their place but unless you do not know for sure which way the traffic will flow through the router (it can happen) and need to force the inside outside translation, then use NVI. People seem to struggle with inside/outside and if it will be source NAT or destination NAT based on the flow of traffic through the domains. I have attached a very useful NAT link below that describes the order of operation. I have used NVI very successfully within VRFs and the global routing table on a single device where inside/outside failed me due to the fact that the inside and outside interfaces were not in the same VRF; NVI does not care. Because NVI has no knowledge of inside or outside, a statement such as ip nat source static x.x.x.x x.x.x.x could match if the source came from interface 1 or interface 2. This is not the case with inside / outside domains.

So, in a nutshell, if your IOS supports it and you do not need to force a unidirectional translation, then use NVI.

Useful NAT links

NAT Order of operation link

How NAT works

Don't forget to rate links and mark as complete if you're happy ;-)
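The two replies above (the NVI example and the NVI versus inside/outside comparison), written out as an added configuration sketch that is not part of the original posts. Every address below is constructed from documentation and private ranges, and the interface roles and next hops are assumptions; only the commands `ip nat enable`, `ip nat source static` and `sh ip nat nvi translations` appear in the thread.

```cisco
! Constructed addressing (assumptions, not from the thread):
!   VIP handed to the vendor : 203.0.113.10   (configured on no router interface)
!   Server A                 : 192.0.2.10     (behind next hop 10.0.1.2)
!   Server B                 : 198.51.100.10  (different subnet, same next hop)
! Upstream routing must deliver 203.0.113.10 to this router, because the
! VIP has to traverse the device doing the NAT.
!
! ---- Form 1: NVI (no inside/outside roles) ----
interface FastEthernet0/0
 description toward vendor (assumed role)
 ip address 10.0.0.1 255.255.255.252
 ip nat enable
!
interface FastEthernet1/0
 description toward servers (assumed role)
 ip address 10.0.1.1 255.255.255.252
 ip nat enable
!
ip route 192.0.2.0 255.255.255.0 10.0.1.2
ip route 198.51.100.0 255.255.255.0 10.0.1.2
!
! VIP maps to server A
ip nat source static 192.0.2.10 203.0.113.10
!
! Cut over to server B without the vendor changing anything:
! remove the old static entry, then add the new one.
no ip nat source static 192.0.2.10 203.0.113.10
ip nat source static 198.51.100.10 203.0.113.10
!
! Verify from exec mode with: sh ip nat nvi translations
!
! ---- Form 2: legacy inside/outside, same mapping ----
! Use one form or the other on a given interface, not both.
! interface FastEthernet0/0
!  ip nat outside
! interface FastEthernet1/0
!  ip nat inside
! ip nat inside source static 192.0.2.10 203.0.113.10
```

In the NVI form the static entry applies on any interface with `ip nat enable`, whichever direction the flow arrives from; in the legacy form it applies only to flows crossing between the inside and outside interfaces.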

Hi adamclarkuk,

I have an additional question here. What if the translated IP and the IP being translated (VIP) were in the same subnet? Using the example you gave above, can I make the VIP be NAT'ed to I know it is a very rare case but a lot of times the user wants a VIP from the same network as the real server. Of course the traffic is coming from outside, through the NAT router.

Hi Jack

Absolutely and that will work with both NVI and inside/outside domains.
