Cisco IOS NAT Port Forwarding

Hello Naveed

It is not possible to have the same IP address and Port pair on the outside to correspond to two different internal servers. The pair must be unique for each translation. What you can do is have the following configuration:

ip nat inside source static tcp 10.1.1.1 80 20.1.1.1 80
ip nat inside source static tcp 10.1.1.2 80 20.1.1.1 8080

In this way, the external IP address/port pair is unique for each internal server. Otherwise there is no way to distinguish between the servers.

I hope this has been helpful!

Laz
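The uniqueness rule above, as an added example that is not part of the thread and not Cisco's code: a small Python model that parses `ip nat inside source static tcp` lines, flags a reused outside IP:port pair, and applies one entry in both directions (destination rewrite for packets arriving from the outside, source rewrite for the matching replies leaving the inside). The two entries are the ones from the post; the third conflicting entry and the 203.0.113.5 client address are constructed for the demo.

```python
import re
from dataclasses import dataclass

# Added example, not code from the thread or from Cisco IOS. It models the
# static PAT entries from the post above: the outside (ip, port) pair must be
# unique, and one entry rewrites the destination on outside->inside packets
# and the source on the matching inside->outside replies.

NAT_LINE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)$"
)

# Constructed sample: the two entries from the post, then a third entry that
# reuses 20.1.1.1:80 and must be rejected.
GOOD_CONFIG = """
ip nat inside source static tcp 10.1.1.1 80 20.1.1.1 80
ip nat inside source static tcp 10.1.1.2 80 20.1.1.1 8080
"""
BAD_CONFIG = GOOD_CONFIG + "ip nat inside source static tcp 10.1.1.3 80 20.1.1.1 80\n"


@dataclass(frozen=True)
class StaticEntry:
    proto: str
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int


def parse_static_nat(config: str) -> list:
    """Parse 'ip nat inside source static <proto> <in-ip> <in-port> <out-ip> <out-port>' lines."""
    entries = []
    for line in config.splitlines():
        m = NAT_LINE.match(line.strip())
        if m:
            proto, in_ip, in_port, out_ip, out_port = m.groups()
            entries.append(StaticEntry(proto, in_ip, int(in_port), out_ip, int(out_port)))
    return entries


def duplicate_outside_pairs(entries) -> list:
    """Return every (proto, outside_ip, outside_port) key that appears more than once.
    A non-empty result means the router could not tell the inside servers apart."""
    seen, dups = set(), []
    for e in entries:
        key = (e.proto, e.outside_ip, e.outside_port)
        if key in seen:
            dups.append(key)
        seen.add(key)
    return dups


def translate(entries, direction: str, packet: tuple) -> tuple:
    """packet is (proto, src_ip, src_port, dst_ip, dst_port).

    'outside->inside': a packet arriving on the outside interface whose
    destination equals an entry's outside pair gets that destination replaced
    by the inside pair.
    'inside->outside': a packet from the inside whose source equals an entry's
    inside pair gets that source replaced by the outside pair.
    Anything else is returned untouched (it is routed without translation)."""
    proto, src_ip, src_port, dst_ip, dst_port = packet
    for e in entries:
        if e.proto != proto:
            continue
        if direction == "outside->inside" and (dst_ip, dst_port) == (e.outside_ip, e.outside_port):
            return (proto, src_ip, src_port, e.inside_ip, e.inside_port)
        if direction == "inside->outside" and (src_ip, src_port) == (e.inside_ip, e.inside_port):
            return (proto, e.outside_ip, e.outside_port, dst_ip, dst_port)
    return packet


if __name__ == "__main__":
    entries = parse_static_nat(GOOD_CONFIG)
    print("duplicates in good config:", duplicate_outside_pairs(entries))
    print("duplicates in bad config:", duplicate_outside_pairs(parse_static_nat(BAD_CONFIG)))
    # 203.0.113.5 is a constructed client on the outside.
    request = ("tcp", "203.0.113.5", 40000, "20.1.1.1", 8080)
    inside = translate(entries, "outside->inside", request)
    print("request becomes:", inside)
    reply = ("tcp", inside[3], inside[4], inside[1], inside[2])
    print("reply becomes:", translate(entries, "inside->outside", reply))
```

Running the script shows the bad config reporting `("tcp", "20.1.1.1", 80)` as a duplicate, and a request to 20.1.1.1:8080 landing on 10.1.1.2:80 with its reply carrying 20.1.1.1:8080 back out, which is the behaviour the entry pair above is meant to give.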

Hi Molenaar, why do I see Fa1/0 in the image while the saved configuration has FastEthernet0/1? Could it be a typo?


Hi Mauricio,

That’s a typo, I just fixed it. Thanks for letting me know!

Rene

My Questions:

  1. Does R2 have to run a web server on port 80 for the example above?
  2. What happens if R2 runs a web server on port 80? Just curious.

Thao

Hello Thao

R2 is not running a web server. R2 will only translate the port being used on the outside IP address to the inside IP address. The actual web server that is being viewed by the client is on R1.

However, you bring up a very good point. If R2 does have a web server running on port 80, then the example will not work, because port 80 will be intercepted by the web server on R2 and will not be translated and transmitted to R1. In other words, R3, when connecting to 192.168.23.2:80, will see R2’s web server and not R1’s, as is desired. For this reason, port numbers should be assigned appropriately if you want both web servers to be accessible. For example, you can use port 8080 for the web server on R2 and 80 for the translated connection to R1.

I hope this has been helpful!

Laz

Testing static NAT and saw some behavior that confused me. In my setup, R5 is the router in the middle doing NAT. I am trying to telnet from R4 which is directly connected to R5 on 155.1.45.0/24 network to another router R8 which is also directly connected to R5 on the subnet 155.1.58.0/24.
In one configuration where I put R4 on the outside interface, telnet works but when I swapped the configuration so that R4 is on the inside interface, it didn’t work. R4 is going to do “telnet 155.1.45.44 8023” in both scenarios. The only place I am changing the configuration is R5.

Working configuration:

interface GigabitEthernet 0/0
 description connected to R4
 ip nat outside
!
interface GigabitEthernet 0/1
 description connected to R8
 ip nat inside
!
ip nat inside source static tcp 155.1.8.8 23 155.1.45.44 8023

Not working configuration:

interface GigabitEthernet 0/0
 ip nat inside
!
interface GigabitEthernet 0/1
 ip nat outside
!
ip nat inside source static tcp 155.1.45.44 8023 155.1.8.8 23

Any ideas regarding this? I am able to telnet in one setup but the other I am not.

Edit: Never mind. In the other direction the translation would be on the destination, not the source.


Hello Syed

You got it. :slight_smile: Thanks for sharing your solution.

Laz

Hi Rene, repeating the command is not really scalable, and moreover, what do we do if we have non-predictable port numbers?
Is this solution still correct if we are using just the command ip nat enable on the interfaces?
Can you provide a solution for NAT port forwarding with a range of port numbers on IOS 15.7?
Best Regards,
Thierry

Hello Thierry

You are correct that such a command will allow you to specify only a single port. However, an alternative is to use this syntax:

ip nat inside source static 192.168.12.1 192.168.23.2 route-map MY_MAP extendable

This command references a route map. This can be defined like so:

route-map MY_MAP permit 10
match ip address 101

The route map in turn specifies an access list that indicates the required port range like so:

access-list 101 permit tcp host 192.168.12.1 range 10000 10500 any

The result is a NAT port forwarding configuration that gives you more flexibility to specify transport layer ports. You can add additional access lists to the route map if you want to specify a more complex range of ports.

When you use the ip nat enable command, you are essentially configuring the NAT Virtual Interface feature. This feature does not specify inside or outside interfaces, so this command would not work with such a configuration. You would have to replace it with something like this:

ip nat source static 192.168.12.1 192.168.23.2 route-map MY_MAP extendable

The rest of the config with the route map and the access list would remain the same. The difference here is that there is no inside keyword in the command. You can find out more about how to configure NAT Virtual Interface at the following lesson:

I hope this has been helpful!

Laz
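The route-map form above, as an added example that is not part of the thread and not Cisco's code: a Python parser for the `ip nat ... source static ... route-map ... extendable` statement, the `route-map` / `match ip address` lines and the `access-list ... range` line, which then decides whether an inside-originated packet qualifies for translation. It also accepts the NAT Virtual Interface form without the `inside` keyword, so both variants from the post are checked against the same packets. Two simplifications are assumed here: the route map is evaluated on the inside-to-outside direction only, and the port is preserved because the NAT statement names no port. The sample configs and packets are constructed from the addresses in the post.

```python
import re

# Added example, not code from the thread or from Cisco IOS. It parses the
# route-map/ACL form of the static entry shown above and decides whether an
# inside-originated packet qualifies for translation. Assumed simplification:
# the route map is evaluated on the inside->outside direction only, and the
# port is preserved because the NAT statement names no port.

ACL_LINE = re.compile(r"^access-list (\d+) permit (tcp|udp) host (\S+) range (\d+) (\d+) any$")
RM_LINE = re.compile(r"^route-map (\S+) permit (\d+)$")
MATCH_LINE = re.compile(r"^match ip address (\d+)$")
NAT_LINE = re.compile(r"^ip nat (?:inside )?source static (\S+) (\S+) route-map (\S+) extendable$")

# Constructed sample configs: the classic inside/outside form from the post,
# and the NAT Virtual Interface form that drops the 'inside' keyword.
CFG_INSIDE = """
ip nat inside source static 192.168.12.1 192.168.23.2 route-map MY_MAP extendable
route-map MY_MAP permit 10
 match ip address 101
access-list 101 permit tcp host 192.168.12.1 range 10000 10500 any
"""
CFG_NVI = CFG_INSIDE.replace("ip nat inside source", "ip nat source")


def parse_config(text: str):
    """Return (acls, route_maps, nat_entries).
    acls: {id: [(proto, host, low_port, high_port)]}
    route_maps: {name: [acl_id, ...]}  (one ACL per 'match ip address' line)
    nat_entries: [(inside_ip, outside_ip, route_map_name)]"""
    acls, route_maps, nat_entries = {}, {}, []
    current_rm = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := ACL_LINE.match(line):
            acl_id, proto, host, lo, hi = m.groups()
            acls.setdefault(acl_id, []).append((proto, host, int(lo), int(hi)))
            current_rm = None
        elif m := RM_LINE.match(line):
            current_rm = m.group(1)
            route_maps.setdefault(current_rm, [])
        elif (m := MATCH_LINE.match(line)) and current_rm is not None:
            route_maps[current_rm].append(m.group(1))
        elif m := NAT_LINE.match(line):
            nat_entries.append(m.groups())
            current_rm = None
    return acls, route_maps, nat_entries


def acl_permits(acls, acl_id, packet) -> bool:
    """True if any line of the numbered ACL matches the packet's protocol,
    source host and source port range."""
    proto, src_ip, src_port, _dst_ip, _dst_port = packet
    return any(
        proto == a_proto and src_ip == host and lo <= src_port <= hi
        for a_proto, host, lo, hi in acls.get(acl_id, [])
    )


def route_map_permits(acls, route_maps, name, packet) -> bool:
    """A permit sequence matches when one of its referenced ACLs permits the packet."""
    return any(acl_permits(acls, acl_id, packet) for acl_id in route_maps.get(name, []))


def translate_outbound(config_text: str, packet: tuple) -> tuple:
    """Rewrite the source IP of an inside->outside packet when a static entry's
    inside address matches and its route map permits; otherwise return it unchanged."""
    acls, route_maps, nat_entries = parse_config(config_text)
    proto, src_ip, src_port, dst_ip, dst_port = packet
    for inside_ip, outside_ip, rm_name in nat_entries:
        if src_ip == inside_ip and route_map_permits(acls, route_maps, rm_name, packet):
            return (proto, outside_ip, src_port, dst_ip, dst_port)
    return packet


if __name__ == "__main__":
    in_range = ("tcp", "192.168.12.1", 10250, "192.168.23.3", 23)
    out_of_range = ("tcp", "192.168.12.1", 9999, "192.168.23.3", 23)
    for name, cfg in (("inside/outside", CFG_INSIDE), ("NVI", CFG_NVI)):
        print(name, "port 10250 ->", translate_outbound(cfg, in_range))
        print(name, "port 9999  ->", translate_outbound(cfg, out_of_range))
```

A source port inside 10000-10500 is translated to 192.168.23.2 under both config forms; port 9999 and any UDP packet fall outside the ACL and are left untouched, which is the check to run when a range-based entry does not seem to take effect.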


Hi Laz,
Thanks for your useful insights as usual. :+1:

B.R,
Thierry


Hi Rene,

I cannot understand the last method of performing port forwarding using different IP address. 192.168.23.200 is not configured on any interface on R2. Is it because R3 has a default route to R2? Please advise. Thank you.

Hello Leon

When configuring NAT, it is possible to specify that the outside IP address used for the translation is the actual IP address that is on the interface. In the lesson, this would be the 192.168.23.2 address on the Fa1/0 interface of R2.

However, it is possible to specify a different outside address for translation. This address doesn’t have to be configured on any particular interface, and it doesn’t even have to be on the same subnet as the IP address on the outside interface. You could, for example, have used the 10.10.10.10 outside address on the outside interface of R2 in this lesson.

This simply indicates to the NAT process the IP address translation that should take place when traversing the NAT router. NAT doesn’t care if the address is assigned to an interface or not. In essence, this means that:

  • When a packet with a source IP address of 192.168.12.1 traverses the NAT router, it will exit the outside interface with the source IP address field replaced with 10.10.10.10.
  • Similarly, when a packet arrives at the outside interface with a destination address of 10.10.10.10, the NAT process will replace that IP address in the destination field of the IP header with 192.168.12.1.

The only issue here is that you must make sure that the outside network, in this case, the WAN, knows that the 10.10.10.10 address should be routed to the Fa1/0 interface. If there is no routing information that lets the “outside world” know that, then packets for such a translation will never take place. This is why typically, you would use the actual configured IP address of the outside interface or an address on the same subnet so that you can make sure that traffic will be able to find that outside interface of your NAT router.

I hope this has been helpful!

Laz


This may be a silly question, but in my networking career I have not had to deal with NAT a lot. Now I am having to deal with it, so I am trying to refresh my memory on it. If I have a firewall behind a router that is doing NAT, would I need to do some type of port forwarding so my firewall can create an IPSEC tunnel to another site also doing NAT?

Here is a simple drawing to explain: FW-----RTR/NAT-----ISP-----RTR/NAT-----FW

Thank you for all the help,
Alan

Hello Alan

The scenario that you are describing requires that an IPSec tunnel traverse two NAT translations. In order for this to be successful, you must ensure that NAT-T or NAT-Traversal is supported on the devices in question. This Cisco documentation details the related features and configurations for IOS devices:

Similarly, you can find out more about this feature on Cisco ASA devices as well:

As you prepare your design, let us know how you are coming along!

I hope this has been helpful!

Laz

Laz,

Thank you for your response on this. Would you say that it is best practice to build your VPNs as close to the outside as possible to avoid any issues with NAT?

Alan


Hello Alan

Anything that simplifies configurations is considered best practice because it makes it easier to implement, as well as to troubleshoot when something goes wrong. So I would agree with you, that building your VPNs as close to the outside as possible is a good guideline to follow. Of course, it’s not always possible, and you must weigh the pros and cons of each specific design consideration.

I hope this has been helpful!

Laz

I understand absolutely nothing about port forwarding. What is it really for? Certainly my question seems weird, but please enlighten me on this.

Hello Berthol

I understand absolutely nothing about port forwarding. What is it really for? Certainly my question seems weird, but please enlighten me on this.

Let me try to explain. In order to understand port forwarding, you must first understand NAT. If you need a refresher on NAT, take a look at this lesson:

Imagine this setup here:

Imagine you have a web server as shown, with a private IP address on your enterprise network. R1 is performing NAT so that your internal network, which uses private addresses, can have direct access to the Internet with a public IP address.

This scenario delivers Internet access to internal hosts on your network. However, NAT on R1 will not allow any communication initiated from outside to reach any host inside your network. So H1 cannot reach the Web server in any way.

Port forwarding enables this communication by configuring the R1 router to translate and forward any packets matching a particular IP address/TCP port combination. For example, we can configure port forwarding on R1 so that any packet with a destination address of 188.168.12.1 and a TCP port of 80 will be translated and forwarded to 10.10.10.2. That way, H1 will reach the Web server successfully.

I hope this has been helpful!

Laz

Thank you for the explanation. If I understand correctly, I am using the Internet to read this course, so is there a NAT configured at my ISP?

Hello Berthol

The example in my previous post had to do with port forwarding. Port forwarding is used when a host on the Internet needs to gain access to a resource (web server for example) that exists behind a NAT router.

In the example you are describing, where you are viewing the lessons on this site, port forwarding is not involved. The web server hosting these courses has a public IP address. Actually, it has several public IP addresses. Take a look at the output of the nslookup command I just issued on my PC:

C:\Users\user>nslookup www.networklessons.com
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    www.networklessons.com
Addresses:  50.19.62.128
          54.226.250.107
          52.20.153.59
          34.233.244.105
          3.221.59.106
          54.211.237.250

All of these addresses are public addresses. So when you communicate with the server, no port forwarding is necessary. However, you are most likely using NAT at your ISP in order to gain access to the Internet. Your situation looks more like this:

R1 is your ISP router and it is performing NAT between our 10.10.10.0/24 private subnet and the public address assigned to your router. Once that translation happens, you can then freely communicate with the networklessons server, which is on the public Internet. So in this scenario, NAT takes place at R1, and no port forwarding is necessary.

I hope this has been helpful!

Laz
