NAT with two outside interfaces

If you are connected to two ISPs and looking to use NAT, you might have discovered that with the “ip nat inside source” command you can only specify one outgoing interface. Since you have two outgoing interfaces, you’ll need to use a route-map to get this working. I will show you how to do this using the following topology:

[Figure: NAT Two Outside Interfaces]

Above we have a ‘host’ router that will be our client on the internal network. NAT is of course our NAT/PAT router and on the right we have two ISPs.


Let’s configure the host first:

Host(config)#no ip routing 
Host(config)#ip default-gateway

First I will disable ip routing so it becomes an ordinary host device. We’ll configure the NAT router as the default gateway. Now we can configure the NAT router:

NAT(config)#ip route
NAT(config)#ip route

I will create two equal static routes, one for ISP1 and another one for ISP2. This allows us to do load balancing.

To make your default routes reliable, I highly recommend configuring object tracking and IP SLA.

These two static routes will allow us to perform load-balancing:

NAT#show ip route static 
S* [1/0] via
               [1/0] via

With our routing operational, we can continue to configure NAT. First I’ll configure the correct inside and outside interfaces:

NAT(config)#interface fastEthernet 0/0
NAT(config-if)#ip nat inside

NAT(config)#interface fastEthernet 0/1
NAT(config-if)#ip nat outside            

NAT(config)#interface fastEthernet 1/0
NAT(config-if)#ip nat outside

The next step is to configure an access-list to determine which hosts should be NATed. I’ll make sure that the entire will be translated:
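
A complete route-map based configuration for this topology, as an added example that is not the lesson's own configuration. The inside subnet and ISP next-hop addresses are constructed placeholders, the route-map names ISP1 and ISP2 are illustrative, and `match interface` is the assumed way of tying each NAT rule to its egress interface.

```cisco
! Added example; all addresses are constructed placeholders, not the lesson's.
! Assumed: inside LAN 192.168.1.0/24, ISP1 next hop 192.0.2.1,
! ISP2 next hop 198.51.100.1. Interface roles follow the lesson.
!
interface FastEthernet0/0
 ip nat inside
interface FastEthernet0/1
 ip nat outside
interface FastEthernet1/0
 ip nat outside
!
! Two equal-cost default routes, one per ISP
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Which inside hosts are eligible for translation
access-list 1 permit 192.168.1.0 0.0.0.255
!
! One route-map per ISP: same source match, different egress interface
route-map ISP1 permit 10
 match ip address 1
 match interface FastEthernet0/1
!
route-map ISP2 permit 10
 match ip address 1
 match interface FastEthernet1/0
!
! One overload (PAT) rule per outside interface, each bound to its route-map
ip nat inside source route-map ISP1 interface FastEthernet0/1 overload
ip nat inside source route-map ISP2 interface FastEthernet1/0 overload
!
! Verify from exec mode:
!  show ip nat translations
!  show route-map
```

Both rules match the same source addresses, so the routing decision selects the rule: a packet is translated to the address of whichever outside interface it was routed to.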

  • Content created by Rene Molenaar (CCIE #41726)

536 Sign Ups in the last 30 days

100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: , ,

Forum Replies

  1. Hi Rene,
    In the NAT inside source process, routing is processed first, then NAT.
    In the example I think we do not need the route map, because every packet that passes through the interface will be translated. The following will work.
    Please correct me if wrong.

    NAT(config)#ip nat inside source list 1  int fa 0/1 overload  
    NAT(config)#ip nat inside source list 1  int fa 1/0 overload 

  2. Hello Mahmoud!

    Your logic makes sense, however, it wouldn’t work as it should. If you insert the second command you have above, the first one will be overwritten. You require a route map in order to determine: which addresses will be NATed, which outside interface these addresses will be routed from and which NAT translation will occur.

    For a proper NAT load balancing configuration with optimized edge routing, take a look at this Cisco support document:

    I hope this has been helpful!


  3. Hi Laz,
    Yes, it's clear, and thanks for the explanation.


  4. Hi there, I have a question: what should I do if I have subinterfaces (VLANs) on the inside site and there is no IP address for the physical interface, just the default gateway for each VLAN? Thank you very much for the answer. That picture with subinterfaces (sh ip int brief) is from SoDR1. Thank you for any help :-).

  5. Hi guys,

    I really don't get it. Depending on where I ping from and the ping message that I get, the packet goes over one route or another. Is this right, or did I do something wrong?

    NAT inside & Route map config

    ip nat inside source route-map ISP1 interface Ethernet0/1 overload
    ip nat inside source route-map ISP2 interface Ethernet0/2 overload
    ip route
    ip route
    access-list 1 permit
    route-map ISP2 permit 10
     match ip address 1
     set interface Ethernet0/2
    route-map ISP1 permit 10