Twice (double) NAT on Cisco router

When different companies must be connected, it’s a common request that each company wants the other one to present itself with a specific subnet. And usually companies don’t agree about IP ranges. A Twice NAT configuration (also called double NAT) can help a lot.

In this scenario, the two companies want to be interconnected with an MPLS network for a couple of services:

  • CompanyA server ( must reach CompanyB webserver (
  • CompanyA is responsible (pays) for the connectivity
  • Because of IP address allocations:
    • CompanyA wants CompanyB to present itself as
    • CompanyA wants to place the ISP’s router on
    • CompanyB wants CompanyA to present itself as
    • CompanyB wants to place the ISP’s router on

Twice NAT topology

The following table describes who NATs what:

Source Site | Source  | Source IP | SNAT@CPB | Destination Site | Destination | Destination IP | DNAT@CPB | Port | Service
CompanyA    | ServerA |           |          | CompanyB         | ServerB     |                |          | 80   | http

In other words:

  • ServerA calls ServerB using
  • CPEB translates the packets so that ServerA’s source is and ServerB’s destination is

Why is that useful?

In many companies I can see internal routing tables messed up, including external IP addresses, without caring too much about it. It’s obvious that:

  • sooner or later you cannot interconnect companies because of overlapping IP addresses
  • you cannot interconnect companies that force a specific IP address on you as a source

Relevant Configuration

The following paragraphs show relevant configurations only.

CompanyA router:

The CompanyA router wants to reach CompanyB using, so a route must be configured:

ip route

CPEA router:

Because CompanyA is providing connectivity, the whole MPLS must know where CompanyA is. So a default gateway could be a good choice:

ip route
router ospf 1
 default-information originate

CPEB router:

CPEB must know where CompanyB is:

ip route

If ServerA calls ServerB, the CPEB router can see a packet from to In this case the packet is flowing from the outside interface to the inside one. Following the NAT Order of Operation, the packet is routed before the translation (NAT). But (I guess) because the CPEB doesn’t know where is, the NAT translation cannot be completed. CPEB must also announce the network called from CompanyA (

ip route Null0
ip prefix-list STATIC-TO-OSPF permit
route-map STATIC-TO-OSPF permit 10
 match ip address prefix-list STATIC-TO-OSPF
router ospf 1
 redistribute static subnets route-map STATIC-TO-OSPF

The interface facing the customer is configured as inside, the one facing the MPLS is the outside:

interface Ethernet0/0
 ip address
 ip nat outside
interface Ethernet0/1
 ip address
 ip nat inside

Finally we want to:

  • expose the outside ServerA ( using
  • expose the inside ServerB ( using

ip nat outside source static
ip nat inside source static

CompanyB router:

The CompanyB router wants to reach CompanyA using, so a route must be configured:

ip route


Just ping or start a connection from ServerA to ServerB using (

CPEB#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---      
---         ---                ---

The outside global address (translated into outside local) calls the inside global address (translated to inside local).
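
The double translation summarised above, modelled as an added Python example (not part of the original article and not Cisco code): the two dictionaries stand in for CPEB's `ip nat outside source static` and `ip nat inside source static` entries. All addresses, and the `TwiceNat`, `Packet` and `build_cpeb` names, are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address

# Constructed addresses for illustration; none of them come from the article.
SERVER_A_REAL = ip_address("10.1.1.10")    # outside global
SERVER_A_AT_B = ip_address("172.16.2.10")  # outside local (ServerA as CompanyB sees it)
SERVER_B_REAL = ip_address("10.2.2.20")    # inside local
SERVER_B_AT_A = ip_address("172.16.1.20")  # inside global (ServerB as CompanyA sees it)


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


class TwiceNat:
    """Address rewriting done by two static entries on one router (CPEB here)."""

    def __init__(self):
        self.outside = {}  # outside global -> outside local
        self.inside = {}   # inside local   -> inside global

    def outside_source_static(self, global_ip, local_ip):
        # Mirrors: ip nat outside source static <global-ip> <local-ip>
        self.outside[global_ip] = local_ip

    def inside_source_static(self, local_ip, global_ip):
        # Mirrors: ip nat inside source static <local-ip> <global-ip>
        self.inside[local_ip] = global_ip

    def outside_to_inside(self, pkt):
        # Source: outside global -> outside local; destination: inside global -> inside local.
        to_local = {g: l for l, g in self.inside.items()}
        return Packet(self.outside.get(pkt.src, pkt.src), to_local.get(pkt.dst, pkt.dst))

    def inside_to_outside(self, pkt):
        # Replies: source inside local -> inside global; destination outside local -> outside global.
        to_global = {l: g for g, l in self.outside.items()}
        return Packet(self.inside.get(pkt.src, pkt.src), to_global.get(pkt.dst, pkt.dst))


def build_cpeb():
    nat = TwiceNat()
    nat.outside_source_static(SERVER_A_REAL, SERVER_A_AT_B)
    nat.inside_source_static(SERVER_B_REAL, SERVER_B_AT_A)
    return nat


if __name__ == "__main__":
    cpeb = build_cpeb()
    request = cpeb.outside_to_inside(Packet(SERVER_A_REAL, SERVER_B_AT_A))
    print("request seen by ServerB:", request)
    print("reply seen by ServerA:  ", cpeb.inside_to_outside(Packet(request.dst, request.src)))
```

In this model a source with no outside static entry still has its destination rewritten, so ServerB would see that sender's untranslated address.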