NAT port forwarding is typically used to allow remote hosts to connect to a host or server on our private LAN. A host on the outside (for example on the Internet) will connect to the outside IP address of a router that is configured for NAT. This NAT router will forward traffic to host on the inside. Here’s an example:
Above we have three routers, we’ll use these to demonstrate NAT port forwarding. Imagine R1 is a HTTP server on our LAN and R3 is some host on the Internet that wants to reach our HTTP server. R2 will make sure that the HTTP server is reachable on an IP address on the outside. Let’s take a look at the configuration…
First we will configure a static route on R1 so it knows how to reach the outside world:
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.12.2
Now we can worry about the NAT commands. Let’s configure the inside and outside interfaces:
R2(config)#interface FastEthernet 0/0 R2(config-if)#ip nat inside R2(config)#interface FastEthernet 1/0 R2(config-if)#ip nat outside
Now we can try some different NAT rules.
Port forwarding using the outside IP address
We will start with the most common scenario. When someone connects to TCP port 80 on the outside interface of R2 then it should be forwarded to R1. Here’s how to do it:
R2(config)#ip nat inside source static tcp 192.168.12.1 80 192.168.23.2 80 extendable
The NAT rule above is pretty straight forward. Whenever someone tries to connect on TCP port 80 with destination IP address 192.168.23.2 then it will be forwarded to 192.168.12.1. Let’s see if it works:
Can you please tell me why we use keyword extendable in nat forwarding, what will happens if we do not use that keyword?
You need extendable if you map an inside address to multiple outside IP addresses, like this:
Where 192.168.1.1 is the inside address and 220.127.116.11 / 18.104.22.168 are outside addresses. Cisco IOS will add the keyword automatically.
You also need it for port forwarding where you use the same inside and outside addresses for different port numbers:... Continue reading in our forum
Can we use maybe route map if we need open more ports for one IP address, what is very often case for CCTV.
No need for a route-map, you can repeat this command as often as you need:
ip nat inside source static tcp 192.168.12.1 80 192.168.23.2 80 extendable
Just change the ports required and that’s it.
What if I want to do static nat for multiple web servers. Let us say, we have 3 web servers with private IP address that i want to connect from a public IP. How can we do that as the port number is used once only?
Thank you for your support.