Double Nat (inside and Outside)

Hi everyone,


Server has no default gateway assigned to it and can only reach to same subnet via ARP.


My question is , is it possible to do double nat on the test router so the traffic is changed to one dummy ip , then again NAT it an IP in the server range so the server can respond?

I'm taking Gi1/0 & 0/1 as outside and Gi0/0 as Inside (Something like this):

ip nat outside source static (10.251.242.x or

ip nat inside source staic


So if we target , router dos double nat and finds the destination.


is such thing possible?








  • Hi,

       it's not possible to do a double NAT of the source or the destination, unless you hairpin the traffic to the router, which is not recommended. You can NAT both the source and the destination, but you cannot NAT the source twice with a regular setup. Traffic has to flow inside-outside or outside-inside and you NAT once; afterwards through routing you send the packet  out and back in the router (you need both a dedicated physical loop and at least one VRF configured); packet enters rhe router again and you do NAT again. 

     But based on what it seems to me you want to achieve, i don't undersatnd whay you need to double NAT. Explain better what you're tyng to achieve, so we may end up with a better solution.

      Btw, this is  more a security topic, than RS.



  • ssg14ssg14 ✭✭

    Thanks Cristian for your reply,


    The issue is while the server doesn't have a default GW configured , I cannot route to the server whiel the Server doesn;t have a GW configured. This is why I need to NAT to an IP in the server range first then push it to the Server subnet. So the server respond to a local subnet IP.

    I cannot directly nat to an IP in subnet while I'll lose the destination , I'm thinking that I require NAT twice but don;t know how [:(]


    If the flow is 10.251.242.x  ------> and the server has no GW configured , what's the best way to approach it?



    Thanks Mate

  • Hi,

      Ok, so the server doesnot have a default gateway, which means is more than enough to do only one NAT, of the and into an IP address from subnet where the server resides which is; if you want connections to be initiated both ways, you need static NAT, otherwise PAT is good enough.



  • Reference this INE blog post for details on being able to talk to a host without a gateway/routing configured, while the source is on a diff subnet:


    Note that the example shown in the blog post will not work exactly as described  on newer versions of code. Instead of manually additing the route:

    ip route
    You can do the following:
    ip nat outside source static add-route

    You can also get away with adding the route manually, but you would need to add the following keyword  
    to the nat statement (only if you add the route manually)
    ip nat outside source static no-alias 

    Hope this helps!
  • ssg14ssg14 ✭✭

    Thanks alot mate , will give it a try today

Sign In or Register to comment.