Cisco IOS NAT Port Forwarding

This topic is to discuss the following lesson:

Hi Rene

Can you please tell me why we use keyword extendable in nat forwarding, what will happens if we do not use that keyword?

Hi Boris,

You need extendable if you map an inside address to multiple outside IP addresses, like this:

ip nat inside source static 192.168.1.1 1.2.3.4 extendable
ip nat inside source static 192.168.1.1 5.6.7.8 extendable

Where 192.168.1.1 is the inside address and 1.2.3.4 / 5.6.7.8 are the outside addresses. Cisco IOS will add the keyword automatically.

You also need it for port forwarding where you use the same inside and outside addresses for different port numbers:

ip nat inside source static tcp 192.168.1.1 80 1.2.3.4 80 extendable
ip nat inside source static tcp 192.168.1.1 443 1.2.3.4 443 extendable
ip nat inside source static tcp 192.168.1.2 22 1.2.3.4 22 extendable

I believe IOS always adds it automatically for you so you can’t configure it without.

Rene


Hi Rene

Can we maybe use a route map if we need to open more ports for one IP address, which is very often the case for CCTV?

Regards

Hi Boris,

No need for a route-map, you can repeat this command as often as you need:

ip nat inside source static tcp 192.168.12.1 80 192.168.23.2 80 extendable

Just change the ports required and that’s it.

Rene


Hi,

What if I want to do static NAT for multiple web servers? Let us say we have 3 web servers with private IP addresses that I want to connect to from a public IP. How can we do that, as the port number can be used only once?

Thank you for your support.

Akram

Hi Akram,

If you only have one public IP then you will have to use different port numbers. For example, let’s say you have three webservers:

192.168.1.1:80
192.168.1.2:80
192.168.1.3:80

Each of them is listening on TCP port 80.

You could forward port 80 to 192.168.1.1:80, 81 to 192.168.1.2:80 and 82 to 192.168.1.3:80.

It doesn’t matter which ports you pick on the outside but it has to be a different port number.

Rene

According to what is said in the first paragraph : “A host on the outside (for example on the Internet) will connect to the outside IP address of a router that is configured for NAT. This NAT router will forward traffic to host on the inside.”

It seems more logical to me to type the command “ip nat outside source static tcp 192.168.23.2 80 192.168.12.1 80 extendable” ???


Hello Maodo

I can understand how it may seem more logical to type outside rather than inside. However, you must keep in mind that the keywords inside and outside refer to the interfaces designated as such. Remember that on the inside interface you should have a command like ip nat inside and a corresponding command ip nat outside on the outside interface.

So by stating ip nat inside source static tcp ... what you are saying is that all traffic originating from an outside interface towards an inside interface should be inspected and manipulated accordingly. Alternatively, if you used the command ip nat outside source static tcp ... you would be telling the router to inspect all packets originating on an inside interface towards an outside interface and manipulate accordingly.

I hope this has been helpful!

Laz

My question is: can we use the same port for multiple IP addresses when the outside interface is also the same?
For example, two servers on the same network need to be translated on the outside interface on the same port number:

LAN - Router - WAN

LAN
server 1 - 10.1.1.1/24
server-2 - 10.1.1.2/24

Router inside-NAT fa0/0 IP 10.1.1.254 /24
Router Outside-NAT fa0/1 IP 20.1.1.1

ip nat inside source static tcp 10.1.1.1 80 20.1.1.1 80
ip nat inside source static tcp 10.1.1.2 80 20.1.1.1 80

what is the work around for this solution

Thanks in Advance

Hello Naveed

It is not possible to have the same IP address and port pair on the outside correspond to two different internal servers. The pair must be unique for each translation. What you can do is have the following configuration:

ip nat inside source static tcp 10.1.1.1 80 20.1.1.1 80
ip nat inside source static tcp 10.1.1.2 80 20.1.1.1 8080

In this way, the external IP address/port pair is unique for each internal server. Otherwise there is no way to distinguish between the servers.

I hope this has been helpful!

Laz

Hi Molenaar, why do I see Fa1/0 in the image while the saved configuration has FastEthernet0/1? Could it be a typo?


Hi Mauricio,

That’s a typo, I just fixed it. Thanks for letting me know!

Rene

My Questions:

  1. Does R2 have to run a web server on port 80 for the example above?
  2. What happens if R2 runs a web server on port 80? Just curious.

Thao

Hello Thao

R2 is not running a web server. R2 will only translate the port being used on the outside IP address to the inside IP address. The actual web server that is being viewed by the client is on R1.

However, you bring up a very good point. If R2 does have a web server running on port 80, then the example will not work, because port 80 will be intercepted by the web server on R2 and will not be translated and transmitted to R1. In other words, R3, when connecting to 192.168.23.2:80 will see R2’s web server and not R1 as is desired. For this reason, port numbers should be assigned appropriately if you want both web servers to be accessible. For example, you can use port 8080 for the web server on R2 and 80 for the translated connection to R1.

I hope this has been helpful!

Laz

Testing static NAT and saw some behavior that confused me. In my setup, R5 is the router in the middle doing NAT. I am trying to telnet from R4 which is directly connected to R5 on 155.1.45.0/24 network to another router R8 which is also directly connected to R5 on the subnet 155.1.58.0/24.
In one configuration where I put R4 on the outside interface, telnet works but when I swapped the configuration so that R4 is on the inside interface, it didn’t work. R4 is going to do “telnet 155.1.45.44 8023” in both scenarios. The only place I am changing the configuration is R5.

Working configuration:

interface GigabitEthernet 0/0 (connected to R4)
 ip nat outside
! 
interface GigabitEthernet 0/1 (connected to R8)
 ip nat inside
! 
ip nat inside source static tcp 155.1.8.8 23 155.1.45.44 8023

Not working configuration:

interface GigabitEthernet 0/0
 ip nat inside
! 
interface GigabitEthernet 0/1
 ip nat outside
! 
ip nat inside source static tcp 155.1.45.44 8023 155.1.8.8 23 

Any ideas regarding this? I am able to telnet in one setup but the other I am not.

Edit: Never mind, in the other direction the translation would not be on the source but on the destination instead.


Hello Syed

You got it. 🙂 Thanks for sharing your solution.

Laz
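As an added illustration (not from this thread or from Cisco), the following Python model ties together Laz's rule that the outside IP:port pair must be unique per translation and Syed's note on direction: it parses static PAT lines in the format used above, refuses a second entry for an outside IP:port that is already taken, and shows that an "inside source" translation rewrites the destination of outside-to-inside packets and the source of inside-to-outside packets. The sample lines and the 203.0.113.9 client address are constructed.

```python
"""Toy model of IOS static PAT: parses 'ip nat inside source static tcp|udp ...' lines."""
import re

NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)(?: extendable)?$")

class StaticPat:
    """Translation table that, like IOS, refuses a reused outside (proto, ip, port) tuple."""

    def __init__(self):
        self.out_to_in = {}   # (proto, outside ip, port) -> (proto, inside ip, port): forwarding
        self.in_to_out = {}   # (proto, inside ip, port) -> (proto, outside ip, port): replies

    def add(self, line):
        """Install one static PAT line; return False where IOS would refuse the entry."""
        m = NAT_RE.match(line.strip())
        if not m:
            raise ValueError(f"not a static PAT line: {line!r}")
        proto, in_ip, in_port, out_ip, out_port = m.groups()
        inside, outside = (proto, in_ip, int(in_port)), (proto, out_ip, int(out_port))
        if outside in self.out_to_in:   # a second server behind the same outside ip:port
            return False
        self.out_to_in[outside] = inside
        self.in_to_out[inside] = outside
        return True

    def translate(self, direction, proto, src, dst):
        """Return the (src, dst) pairs after NAT: outside->inside rewrites dst, inside->outside rewrites src."""
        if direction == "outside_to_inside":
            hit = self.out_to_in.get((proto,) + dst)
            return (src, hit[1:]) if hit else None
        if direction == "inside_to_outside":
            hit = self.in_to_out.get((proto,) + src)
            return (hit[1:], dst) if hit else None
        raise ValueError(f"unknown direction {direction!r}")

def load_config(lines):
    """Apply the static PAT lines in order; return the table and the lines IOS would reject."""
    table, rejected = StaticPat(), []
    for line in lines:
        if line.strip().startswith("ip nat inside source static") and not table.add(line):
            rejected.append(line.strip())
    return table, rejected

SAMPLE = [  # constructed: the two lines from Naveed's question above, then Laz's corrected 8080 line
    "ip nat inside source static tcp 10.1.1.1 80 20.1.1.1 80",
    "ip nat inside source static tcp 10.1.1.2 80 20.1.1.1 80",
    "ip nat inside source static tcp 10.1.1.2 80 20.1.1.1 8080",
]
```

Running load_config(SAMPLE) reports the second line as rejected, and translate("outside_to_inside", "tcp", client, ("20.1.1.1", 8080)) returns the client unchanged with the destination rewritten to ("10.1.1.2", 80).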

Hi Rene, repeating the command is not really scalable, and moreover, what do we do if we have non-predictable port numbers?
Are those solutions still correct if we are just using the command ip nat enable on the interfaces?
Can you provide a solution for NAT port forwarding with a range of port numbers on IOS 15.7?
Best Regards,
Thierry

Hello Thierry

You are correct that such a command will allow you to specify only a single port. However, an alternative is to use this syntax:

ip nat inside source static 192.168.12.1 192.168.23.2 route-map MY_MAP extendable

This command references a route map. This can be defined like so:

route-map MY_MAP permit 10
match ip address 101

The route map in turn specifies an access list that indicates the required port range like so:

access-list 101 permit tcp host 192.168.12.1 range 10000 10500 any

The result is a NAT port forwarding configuration that gives you more flexibility to specify transport layer ports. You can add additional access lists to the route map if you want to specify a more complex range of ports.

When you use the ip nat enable command, you are essentially configuring the NAT Virtual Interface feature. This feature does not specify inside or outside interfaces, so this command would not work with such a configuration. You would have to replace it with something like this:

ip nat source static 192.168.12.1 192.168.23.2 route-map MY_MAP extendable

The rest of the config with the route map and the access list would remain the same. The difference here is that there is no inside keyword in the command. You can find out more about how to configure NAT Virtual Interface at the following lesson:

I hope this has been helpful!

Laz


Hi Laz,
Thanks for your useful insights as usual. 👍

B.R,
Thierry
