We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is Why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • [geot exclude_region="No Trial" ] Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career![/geot]
  • Full Access to our 541 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)


303 New Members signed up the last 30 days!


100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: , ,

Notable Replies

  1. Rene,

    Your scenario explains forwarding traffic to port 22 for SSH, but further down in your configuration example you are using port 25 for SMTP. Any reason for the change between the scenario and the example configuration??

  2. Hi Ralph,

    That was a typo, I just changed port 25 to 22. Thanks for letting me know!


  3. Hi Taslim,

    Hmm why would you want to do this? :slight_smile: We use PAT in this example so that someone on the Internet is able to connect to a public IP address on the outside so that we can reach our DMZ servers with private IP addresses.

    Our DMZ servers can reach the Internet by using "regular" NAT.


  4. Rene,

    Hi Rene... For some reason when trying to telnet from my outside router to my http server I keep getting error message "Connection refused by remote host" I was able to successfully ssh into my ssh server. Also I am able to telnet from ssh server to http server so I know the configuration is correct any idea ?

    Thanks in advance.

    interface GigabitEthernet0
    nameif DMZ
    security-level 50
    ip address
    interface GigabitEthernet1
    nameif OUTSIDE
    security-level 0
    ip address
    object network WEB_SERVER
    object network SSH_SERVER
    access-list DMZ_SERVERS extended permit tcp any host eq www
    access-list DMZ_SERVERS extended permit tcp any host eq ssh
    object network WEB_SERVER
    nat (DMZ,OUTSIDE) static interface service tcp www www
    object network SSH_SERVER
    nat (DMZ,OUTSIDE) static interface service tcp ssh ssh
    access-group DMZ_SERVERS in interface OUTSIDE
    class-map icmp
    match default-inspection-traffic
    policy-map icmp_policy
    class icmp
    inspect icmp
    inspect http
    service-policy icmp_policy global
  5. Thanks for the example. I have been working on a similar case for ip cameras. This is port forwarding for two services to one inside host.

    Part of the config works, part doesn't.

    Essentially, need port tcp 80 and port udp 37777 forwarded to the same inside host. The port 80 works, but only on the "inside", not on the outside, and packet tracer says my port 37777 is failing.

    object network CCTV-dvr                                                    
    object service 37777_udp                                                   
     service udp destination eq 37777
    access-list outside-to-inside extended permit tcp any4 host eq www                                                                        
    access-list outside-to-inside extended permit udp any4 host eq 37777
    nat (any,outside) source static CCTV-dvr interface service 37777_udp 37777_udp  
    object network CCTV-dvr                                                    
     nat (any,outside) static interface service tcp www www

Continue the discussion forum.networklessons.com

19 more replies