Question about Cisco Static-PAT

Hi Guys,

I'm confused about the static-pat.

I have a very simple setup.

Non-cisco IPsec endpoint ( ----- (Cisco Router) ---Non-cisco IPsec endpoint (


interface GigabitEthernet0/0
 ip address
 ip nat outside

interface GigabitEthernet0/1
 ip address
 ip nat inside

ip nat inside source static udp 500 interface GigabitEthernet0/0 501


Can someone help me to understand the NAT statement. I thought this would change the Dst port from 500 to 501; however, in my debug I found my src port has been changed to 501.


Jul 30 02:00:45.363: NAT*: i: udp (, 500) -> (, 500) [10690]
Jul 30 02:00:45.363: NAT*: i: udp (, 500) -> (, 500) [10690]
Jul 30 02:00:45.363: NAT*: UDP s=500->501, d=500
Jul 30 02:00:45.363: NAT*: s=>, d= [10690]

  • The NAT translation table will have a single inside global address mapped to many inside local addresses.  Inside local source port numbers could be all identical.  Translating these ports to something is a necessity.

    For example, the following was done on Cisco IOS 12.4(15)T using dynamic PAT.

    R1_GW1#show ip nat translation

    Pro Inside global      Inside local       Outside local      Outside global


    Two inside local entries use the same inside local UDP port number.  The inside global address is identical.  The inside global source port numbers must be changed to get separate entries for return traffic.

    For static PAT, at the CLI you determine what this port translation will be.  That is my understanding.

    Hey experts chime in.  RB
  • Hi Randy,

    Thanks for your answer; however, I'm not talking about the dynamic PAT (overload).

    Below is from the Cisco doc:


    ip nat inside source static tcp 8080 80

    !--- Static NAT command that states any packet received in the inside
    !--- interface with a source IP address of is
    !--- translated to


    Note that the configuration description for the static NAT command
    indicates any packet received in the inside interface with a source address of is translated to This also implies that any
    packet received on the outside interface with a destination address of has the destination translated to


    ip nat inside source static tcp 80 80 extendable

    !--- This statement performs the static address translation for the Web server.
    !--- With this statement, users that try to reach port 80 (www) are
    !--- automatically redirected to port 80 (www). In this case
    !--- it is the Web server.


    So I think the 8080 and 80 are talking about the Dst port.
  • Right you are.  You've answered your question./cheers


  • Haha... no, my debug output shows the src port has been changed.

  • Interesting.  I must be misreading the debug.  My understanding of PAT is that source ports are to be translated.   Static PAT is just a predetermination of what that port translation will be.  What does show ip nat translation reveal?

  • It looks normal. I'm out of office and cannot share it right now. Will post when I go back next week.

    thanks !

  • nyx01. The output is correct. Let me explain using a different example. Imagine you had this line of config instead.

    ip nat inside source static

    It means that when the internal IP tries to reach ANY IP address, the router will re-map the source IP to before sending the traffic to the destination.


    So now let's change that line of code to include port info too.

    ip nat inside source static udp 2002 50002

    This means that when host initiates a connection to any IP
    using the port 2002, the router will re-map the source IP to and port to 50002. FYI the ports here are source ports, but only when the traffic is initiated from the internal IP and sent to a random destination (these turn into destination ports when traffic comes from the other direction. I will explain this below).


    So let's do these examples again for traffic actually initiated from the web this time. Let's assume we have rolled back to the config below.

    ip nat inside source static

    It means that if someone on the web from ANY ip address wants to reach your internal host, that they would have to go to right? It doesn't mean that only the IP can reach It means that anyone from any IP who wants to connect to must connect to, and then the router re-maps the traffic towards

    So let's continue this example to include port information, as shown below.

    ip nat inside source static udp 2002 50002

    Assume someone from any IP wants to connect to your internal host on port 2002, they must actually go to on port 50002. And THEN the router re-maps the traffic to reach the internal host on port 2002. In this scenario the port information is for destination ports.


    The reason why people always assume the ports in the NAT config are always destination ports is because 99% of the time you create static NAT or PAT rules so that external traffic can arrive towards an internal host. In this case the ports are always destination ports.


    I hope this clears up your confusion.
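
The direction-dependent behaviour SG4RB0 describes (2002/50002), together with the s=500->501 rewrite in the original debug, modelled as an added example; this is not code from the thread or from Cisco IOS, and the addresses 192.0.2.10, 203.0.113.1 and 198.51.100.20 are constructed documentation values standing in for the ones stripped from the posts.

```python
# Added model of one IOS static PAT entry (constructed addresses, not from the thread).
from dataclasses import dataclass

@dataclass(frozen=True)
class StaticPat:
    # ip nat inside source static <proto> <local_ip> <local_port> <global_ip> <global_port>
    proto: str
    local_ip: str
    local_port: int
    global_ip: str      # with "interface Gi0/0" this is that interface's address
    global_port: int

@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def translate(entry: StaticPat, pkt: Packet, received_on: str) -> Packet:
    """Apply the entry to a packet received on the 'inside' or 'outside' NAT interface."""
    if pkt.proto != entry.proto:
        return pkt
    if received_on == "inside":
        # Inside -> outside: the configured ports match and rewrite the SOURCE socket.
        if (pkt.src_ip, pkt.src_port) == (entry.local_ip, entry.local_port):
            return Packet(pkt.proto, entry.global_ip, entry.global_port, pkt.dst_ip, pkt.dst_port)
    elif received_on == "outside":
        # Outside -> inside: the same ports match and rewrite the DESTINATION socket.
        if (pkt.dst_ip, pkt.dst_port) == (entry.global_ip, entry.global_port):
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, entry.local_ip, entry.local_port)
    return pkt

def ike_case() -> dict:
    """The thread's entry: udp <inside host> 500 -> <Gi0/0 address> 501, from both directions."""
    entry = StaticPat("udp", "192.0.2.10", 500, "203.0.113.1", 501)
    peer = "198.51.100.20"
    # Inside IPsec endpoint initiates IKE: src 500 -> 501, dst stays 500 (as in the debug).
    out = translate(entry, Packet("udp", "192.0.2.10", 500, peer, 500), "inside")
    # The peer's reply arrives at 203.0.113.1:501 and is mapped back to 192.0.2.10:500.
    back = translate(entry, Packet("udp", peer, 500, "203.0.113.1", 501), "outside")
    # A peer that targets port 500 of the global address does not match the entry at all.
    miss = translate(entry, Packet("udp", peer, 500, "203.0.113.1", 500), "outside")
    return {"out": out, "back": back, "miss": miss}
```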

  • Hi SG4RB0,

    Thanks for your explanation! It makes sense to me and matches my test output.

    Just wonder if you can provide me any official doc as I may need it for a report.

    And I didn't find any similar explanation from Cisco; even Cisco Press - Comparing, Designing and Deploying VPNs says static PAT is used for VPNs to initiate IKE from outside to inside.
    Thanks!!!

  • Hi All,

    thank you for posting and fine explanation.//cheers

  • Well I don't know any official documents for it currently. I learned it when running into problems for customers years ago. I will try and find something official for you though.

  • Hi sg4rb0,


    Thank you bro !



  • Hey, I couldn't find anything about the PAT port direction. The only thing I could find was Cisco talking about PAT from the initiation of connections from the internet (which technically 99% of the traffic would be initiated from anyway if you were to create a rule like this).  See the link below.



  • Thanks again. I saw some similar docs.

    I will follow up if I get a chance to open a TAC ticket or talk to Cisco guys.


  • By thinking about the reason NAT was invented, in order to NAT RFC1918 addresses and get Internet access, it means NAT was designed to do source NAT, not destination NAT (although nowadays you can do both); however, if you have a static NAT/PAT entry, because traffic can be initiated both ways, the traffic flow will actually determine whether the router does source NAT or destination NAT.

    The command "ip nat inside source static tcp 8080 80", read left to right, says that as you receive IPv4 traffic on your inside NAT interface, do a source NAT of type static for TCP port 8080 to TCP port 80; by swapping the traffic direction, the command states that as you receive traffic inbound on your outside NAT interface, do a destination NAT of type static for TCP port 80 to TCP port 8080.
