NAT port forwarding is typically used to allow remote hosts to connect to a host or server on our private LAN. A host on the outside (for example on the Internet) will connect to the outside IP address of a router that is configured for NAT. This NAT router will forward traffic to a host on the inside. Here’s an example:
Above we have three routers, we’ll use these to demonstrate NAT port forwarding. Imagine R1 is an HTTP server on our LAN and R3 is some host on the Internet that wants to reach our HTTP server. R2 will make sure that the HTTP server is reachable on an IP address on the outside. Let’s take a look at the configuration…
Configuration
First we will configure a static route on R1 so it knows how to reach the outside world:
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.12.2
Now we can worry about the NAT commands. Let’s configure the inside and outside interfaces:
R2(config)#interface FastEthernet 0/0
R2(config-if)#ip nat inside
R2(config)#interface FastEthernet 1/0
R2(config-if)#ip nat outside
Now we can try some different NAT rules.
Port forwarding using the outside IP address
We will start with the most common scenario. When someone connects to TCP port 80 on the outside interface of R2 then it should be forwarded to R1. Here’s how to do it:
R2(config)#ip nat inside source static tcp 192.168.12.1 80 192.168.23.2 80 extendable
The NAT rule above is pretty straightforward. Whenever someone tries to connect to TCP port 80 with destination IP address 192.168.23.2, the connection will be forwarded to 192.168.12.1. Let’s see if it works:
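Separately from the lesson's own test, here is an added example that is not part of the original lesson: a small Python audit that reads static port-forwarding rules like the one above out of an IOS configuration and lists which inside services they expose to the outside. The sample configuration is constructed from the lesson's commands plus one hypothetical Telnet forward, and the `RISKY` port list is an assumed policy, not something Cisco IOS defines.

```python
import re

# Constructed sample: the lesson's commands plus one hypothetical Telnet forward
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip nat inside
interface FastEthernet1/0
 ip nat outside
ip nat inside source static tcp 192.168.12.1 80 192.168.23.2 80 extendable
ip nat inside source static tcp 192.168.12.1 23 192.168.23.2 8023 extendable
"""

# ip nat inside source static {tcp|udp} local-ip local-port
#     {global-ip | interface NAME} global-port [extendable]
RULE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) "
    r"((?:interface )?\S+) (\d+)(?: extendable)?$"
)
# Assumed policy list: inside services that should not face the outside
RISKY = {21: "ftp", 23: "telnet", 161: "snmp", 3389: "rdp"}


def parse_port_forwards(config):
    """Return (proto, inside_ip, inside_port, outside, outside_port) tuples."""
    rules = []
    for line in config.splitlines():
        m = RULE.match(line.strip())
        if m:
            proto, lip, lport, gip, gport = m.groups()
            rules.append((proto, lip, int(lport), gip, int(gport)))
    return rules


def audit(config):
    """List every exposed service and flag risky inside ports."""
    findings = []
    rules = parse_port_forwards(config)
    if rules and not re.search(r"^\s*ip nat outside\s*$", config, re.M):
        findings.append("no interface is marked 'ip nat outside'")
    for proto, lip, lport, gip, gport in rules:
        findings.append(f"exposed {proto} {gip}:{gport} -> {lip}:{lport}")
        # Key on the inside port: remapping the outside port hides nothing
        if lport in RISKY:
            findings.append(f"risky: {RISKY[lport]} on {lip} reachable "
                            f"via outside port {gport}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

The audit expects configuration text as it appears in a saved or running configuration, without the `R2(config)#` prompts.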
Hi Rene
Can you please tell me why we use the keyword extendable in NAT forwarding, and what will happen if we do not use that keyword?
Hi Boris,
You need extendable if you map an inside address to multiple outside IP addresses, like this:
Where 192.168.1.1 is the inside address and 1.2.3.5 / 5.6.7.8 are outside addresses. Cisco IOS will add the keyword automatically.
You also need it for port forwarding where you use the same inside and outside addresses for different port numbers:
Hi Rene
Can we maybe use a route map if we need to open more ports for one IP address, which is very often the case for CCTV?
Regards
Hi Molenaar, why do I see Fa1/0 in the image while in the saved configuration we have FastEthernet0/1? Could it be a typo?
I was testing static NAT and saw some behavior that confused me. In my setup, R5 is the router in the middle doing NAT. I am trying to telnet from R4, which is directly connected to R5 on the 155.1.45.0/24 network, to another router R8, which is also directly connected to R5 on the subnet 155.1.58.0/24.
In one configuration where I put R4 on the outside interface, telnet works but when I swapped the configuration so that R4 is on the inside interface, it didn’t work. R4 is going to do “telnet 155.1.45.44 8023” in both scenarios. The only place I am changing the configuratio