Cisco IOS NAT Port Forwarding

Hi Renee,

I cannot understand the last method of performing port forwarding using a different IP address. 192.168.23.200 is not configured on any interface on R2. Is it because R3 has a default route to R2? Please advise. Thank you.

Hello Leon

When configuring NAT, it is possible to specify that the outside IP address used for the translation is the actual IP address that is on the interface. In the lesson, this would be the 192.168.23.2 address on the Fa1/0 interface of R2.

However, it is possible to specify a different outside address for translation. This address doesn’t have to be configured on any particular interface, and it doesn’t even have to be on the same subnet as the IP address on the outside interface. You could, for example, have used the 10.10.10.10 outside address on the outside interface of R2 in this lesson.

This simply indicates to the NAT process the IP address translation that should take place when traversing the NAT router. NAT doesn’t care if the address is assigned to an interface or not. In essence, this means that:

  • When a packet with a source IP address of 192.168.12.1 traverses the NAT router, it will exit the outside interface with the source IP address field replaced with 10.10.10.10.
  • Similarly, when a packet arrives at the outside interface with a destination address of 10.10.10.10, the NAT process will replace that IP address in the destination field of the IP header with 192.168.12.1.

The only issue here is that you must make sure that the outside network, in this case the WAN, knows that the 10.10.10.10 address should be routed to the Fa1/0 interface. If there is no routing information that lets the “outside world” know that, then the packets for such a translation will never arrive and the translation will never take place. This is why, typically, you would use the actual configured IP address of the outside interface or an address on the same subnet, so that you can make sure that traffic will be able to find that outside interface of your NAT router.

I hope this has been helpful!

Laz

1 Like
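As an added example (not part of the lesson or of the reply above), here is what the two R2 options look like in IOS. The only address taken from the thread is 192.168.23.2 on Fa1/0; the inside host 192.168.12.1 and the 10.10.10.10 inside-global address follow the reply, and the inside interface name and address (Fa0/0, 192.168.12.2/24) are assumed:

```cisco
! R2 -- added example, not the lesson's configuration.
! Assumed: inside interface Fa0/0 with 192.168.12.2/24; inside host 192.168.12.1 (R1).
interface FastEthernet0/0
 description Inside (towards R1)
 ip address 192.168.12.2 255.255.255.0
 ip nat inside
!
interface FastEthernet1/0
 description Outside (towards R3)
 ip address 192.168.23.2 255.255.255.0
 ip nat outside
!
! Option A: one-to-one static NAT. 10.10.10.10 is not on any interface and not even
! in the 192.168.23.0/24 outside subnet. Every port of 192.168.12.1 becomes reachable.
ip nat inside source static 192.168.12.1 10.10.10.10
!
! Option B (instead of A): port forwarding. Only TCP/80 is mapped; nothing else on
! 192.168.12.1 is exposed. "extendable" lets several such lines share one global address.
! ip nat inside source static tcp 192.168.12.1 80 10.10.10.10 80 extendable
!
! R3 -- the "outside world" must route 10.10.10.10 towards R2's Fa1/0. In the lesson
! a default route to R2 already does this; on a real WAN you need a specific route
! (or to advertise the prefix):
! ip route 10.10.10.10 255.255.255.255 192.168.23.2
!
! Verify on R2:
! show ip nat translations   -> the static entry 10.10.10.10 <-> 192.168.12.1
! debug ip nat               -> s=192.168.12.1->10.10.10.10 on packets leaving Fa1/0
```

R2 itself does not need a route to 10.10.10.10: for packets arriving on the outside interface the outside-to-inside translation happens before routing. If you instead pick an unused address inside 192.168.23.0/24 (the “same subnet” choice in the reply), IOS also answers ARP for it on Fa1/0, which is why that choice works without any extra routing; the `no-alias` keyword on the static entry switches that off. Option A makes the whole host reachable from the outside, so prefer option B, or add an inbound ACL on Fa1/0; that ACL is evaluated before the outside-to-inside translation, so it must name the global address 10.10.10.10, not 192.168.12.1.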

This may be a silly question, but in my networking career I have not had to deal with NAT a lot. Now I am having to deal with it, so I am trying to refresh my memory on it. If I have a firewall behind a router that is doing NAT, would I need to do some type of port forwarding so my firewall can create an IPsec tunnel to another site that is also doing NAT?

Here is a simple drawing to explain: FW-----RTR/NAT-----ISP-----RTR/NAT-----FW

Thank you for all the help,
Alan

Hello Alan

The scenario that you are describing requires that an IPSec tunnel traverse two NAT translations. In order for this to be successful, you must ensure that NAT-T or NAT-Traversal is supported on the devices in question. This Cisco documentation details the related features and configurations for IOS devices:

Similarly, you can find out more about this feature on Cisco ASA devices as well:

As you prepare your design, let us know how you are coming along!

I hope this has been helpful!

Laz
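To make the NAT-T requirement concrete, here is an added example (not Laz's configuration and not a real site's) of the NAT router on one side of Alan's FW-----RTR/NAT-----ISP drawing, written as an IOS router. All addresses are assumed and taken from the RFC 5737 documentation ranges; the firewall is assumed to sit at 10.0.0.2 behind the router and the remote site's public address is assumed to be 198.51.100.5:

```cisco
! RTR/NAT -- added example. Assumed: firewall at 10.0.0.2, router public address
! 203.0.113.10, remote VPN site's public address 198.51.100.5.
interface GigabitEthernet0/0
 description Inside, towards the firewall
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Outside, towards the ISP
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
!
! Ordinary outbound PAT for the rest of the site.
ip access-list standard NAT-INSIDE
 permit 10.0.0.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overload
!
! The two UDP ports IPsec needs when a peer sits behind NAT:
!   500  = IKE (ISAKMP)
!   4500 = NAT-T, which carries IKE and ESP inside UDP once NAT is detected
! Plain ESP (IP protocol 50) has no port numbers, so it cannot be forwarded with a
! port-forwarding entry; that is exactly why both peers must support NAT-T.
ip nat inside source static udp 10.0.0.2 500 203.0.113.10 500 extendable
ip nat inside source static udp 10.0.0.2 4500 203.0.113.10 4500 extendable
!
! If the VPN endpoint were itself an IOS router, these are the knobs involved:
!   crypto ipsec nat-transparency udp-encapsulation   (on by default; "no ..." disables NAT-T)
!   crypto isakmp nat keepalive 20                    (keeps the NAT entry alive while idle)
!
! Verify on this router:
!   show ip nat translations | include 4500
! Verify on an IOS VPN endpoint:
!   show crypto isakmp sa detail    -> capability "N" means NAT-traversal was negotiated
```

Strictly, the static entries are only needed on the side that must accept IKE initiated from outside; a peer that always initiates can live with the overload entry, but forwarding 500 and 4500 on both sides lets either end rekey or re-establish. Restrict the forwarded ports to the known peer with an inbound ACL on Gi0/1 (`permit udp host 198.51.100.5 host 203.0.113.10 eq isakmp` and `... eq non500-isakmp`), remembering that a stateless inbound ACL also has to admit the return traffic of the overload translation.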

Laz,

Thank you for your response on this. Would you say that it is best practice to build your VPNs as close to the outside as possible to avoid any issues with NAT?

Alan

1 Like

Hello Alan

Anything that simplifies configurations is considered best practice because it makes it easier to implement, as well as to troubleshoot when something goes wrong. So I would agree with you, that building your VPNs as close to the outside as possible is a good guideline to follow. Of course, it’s not always possible, and you must weigh the pros and cons of each specific design consideration.

I hope this has been helpful!

Laz

I understand absolutely nothing about port forwarding. What is it really for? My question certainly seems weird, but please enlighten me on this.

Hello Berthol

I understand absolutely nothing about port forwarding. What is it really for? My question certainly seems weird, but please enlighten me on this.

Let me try to explain. In order to understand port forwarding, you must first understand NAT. If you need a refresher on NAT, take a look at this lesson:

Imagine this setup here:

Imagine you have a web server as shown, with a private IP address found on your enterprise network. R1 is performing NAT so that your internal network which uses private addresses, can have direct access to the Internet with a public IP address.

This scenario delivers Internet access to internal hosts on your network. However, NAT on R1 will not allow any communication initiated from outside to reach any host inside your network. So H1 cannot reach the Web server in any way.

Port forwarding enables this communication by configuring the R1 router to translate and forward any packets matching a particular IP address/TCP port combination. For example, we can configure port forwarding on R1 so that any packet with a destination address of 188.168.12.1 and a TCP port of 80 will be translated and forwarded to 10.10.10.2. That way, H1 will reach the Web server successfully.

I hope this has been helpful!

Laz
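Here is what the R1 scenario above looks like as an added IOS configuration (not from the original reply). The addresses 188.168.12.1 and 10.10.10.2 come from the reply; the interface names, R1's inside address 10.10.10.1 and the ACL names are assumed:

```cisco
! R1 -- added example. Inside LAN 10.10.10.0/24 with the web server at 10.10.10.2;
! public address 188.168.12.1 on the outside interface (interface names assumed).
interface FastEthernet0/0
 description Inside LAN
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description Internet
 ip address 188.168.12.1 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
!
! 1) Outbound: every inside host shares 188.168.12.1 (PAT/overload). This is the
!    "Internet access" half; it creates translations only for inside-initiated flows,
!    which is why H1 cannot reach the web server with this rule alone.
ip access-list standard INSIDE-HOSTS
 permit 10.10.10.0 0.0.0.255
ip nat inside source list INSIDE-HOSTS interface FastEthernet0/1 overload
!
! 2) Inbound: port forwarding. Packets to 188.168.12.1:80 are rewritten to
!    10.10.10.2:80 and forwarded. Static entries take precedence over dynamic ones,
!    so TCP/80 is carved out of the shared address; "extendable" is needed because
!    the same global address is also used by the overload rule.
ip nat inside source static tcp 10.10.10.2 80 188.168.12.1 80 extendable
!
! 3) Filter on the outside interface. The ACL is checked before the outside-to-inside
!    translation, so it must name the public address, not 10.10.10.2.
!    - H1 (and anyone) to the web server
!    - replies to inside-initiated TCP sessions
!    - DNS replies for inside hosts
!    - ping replies
ip access-list extended OUTSIDE-IN
 permit tcp any host 188.168.12.1 eq 80
 permit tcp any host 188.168.12.1 established
 permit udp any eq domain host 188.168.12.1 gt 1023
 permit icmp any host 188.168.12.1 echo-reply
 deny ip any any log
!
! Verify:
! show ip nat translations   -> tcp 188.168.12.1:80 10.10.10.2:80 --- --- (the static entry)
! show ip nat statistics     -> hits/misses and which interfaces are inside/outside
```

The stateless ACL is the minimum for this topology; on a production edge use Zone-Based Firewall instead of admitting return traffic with `established`. The port-forward line exposes only TCP/80 of 10.10.10.2, so anything else listening on that server stays unreachable from outside, which is the advantage of port forwarding over a one-to-one static NAT of the whole host.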

Thank you for the explanation. If I understand correctly, I currently use the Internet to read this course, so is there a NAT configured at my ISP?

Hello Berthol

The example in my previous post had to do with port forwarding. Port forwarding is used when a host on the Internet needs to gain access to a resource (web server for example) that exists behind a NAT router.

In the example you are describing, where you are viewing the lessons on this site, port forwarding is not involved. The web server hosting these courses has a public IP address. Actually, it has several public IP addresses. Take a look at the output of the nslookup command I just issued on my PC:

C:\Users\user>nslookup www.networklessons.com
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    www.networklessons.com
Addresses:  50.19.62.128
          54.226.250.107
          52.20.153.59
          34.233.244.105
          3.221.59.106
          54.211.237.250

All of these addresses are public addresses. So when you communicate with the server, no port forwarding is necessary. However, you are most likely using NAT at your ISP in order to gain access to the Internet. Your situation looks more like this:

R1 is your ISP router and it is performing NAT between our 10.10.10.0/24 private subnet and the public address assigned to your router. Once that translation happens, you can then freely communicate with the networklessons server, which is on the public Internet. So in this scenario, NAT takes place at R1, and no port forwarding is necessary.

I hope this has been helpful!

Laz

1 Like

Your explanation is very interesting. Then tell me the advantage of using port forwarding, and a clear example from daily life.

Hello Berthol

One very common application of port forwarding is for security cameras installed in small businesses or in residential settings. You have cameras on site that are connected to the internal network using private IP address ranges such as 192.168.1.0/24. You may also have a network video recorder (NVR) that collects the video from the cameras and stores it locally, and also controls the cameras themselves. This NVR is also within the local network on the same subnet.

Now you want to be able to view either live feeds of the cameras or recorded video from your mobile phone no matter where you are. That means that when you’re away from home or from the office, you want to be able to initiate communication from outside of the local network inward. If your home/office is using a NAT-enabled router, such as a DSL connection for example, then you must apply port forwarding to allow such communication.

I hope this has been helpful!

Laz

1 Like

And in this case, on what equipment is the port forwarding done: on my phone or on the ISP router (box)? If it is the ISP box, and we are not allowed to make any configuration inside it, how do I access the cameras from outside with, for example, my phone? I hope that my question is well posed; a good explanation will make me happy.

Hello Takam

Port forwarding must be applied on a router that performs NAT. If you have a setup where you have cameras internally on your network and you want to access them from the Internet, the port forwarding must be applied on the device at your network edge. Typically, this would be a DSL modem/router or a cable modem/router or some other routing device that the ISP will provide for you.

Now the policies of how much control you have over the configuration of that device depend upon the ISP. Some ISPs let you access that device’s management interface to configure port forwarding. Others may not. If you don’t have control over that edge device, then you should speak with your ISP and let them know what you want to achieve, and they’ll tell you how to do it.

Typically, the edge device involved is not a Cisco device, so you wouldn’t apply port forwarding in the same way as in the lesson using the CLI. Most often, these devices have a web interface where you can configure port forwarding and a whole series of other features.

I hope this has been helpful!

Laz

Hello, since you only talk about the web server on the router, how can the router become a web server? Please enlighten me. I hope my question is not badly worded or silly.

Hello Takam

A router has a built-in web-server that can be enabled or disabled. This web server is used for several purposes, primarily to obtain a web interface GUI for the router to configure it and/or to view statistical and monitoring information about the device. Of course, the actual features that you are able to configure and see from that web interface depend upon the platform and the IOS version that you are using.

To enable the web server, you use one of the following commands in global configuration mode:

ip http server
ip http secure-server

The first command enables the web server using HTTP while the second enables it using HTTPS. Once this is done, you can then enter the IP address of the device (the address of any interface by default) and view the web page. An example of what it looks like can be seen below:

[image: web interface on a Cisco 2650XM]

or

[image: web interface on an ASR 1000 router]

depending upon the platform and IOS. The first image is from a Cisco 2650XM switch while the second is from an ASR 1000 router.

Best practice dictates that you should disable the web server due to the fact that it can be exploited for attacks. This can be done using the following commands:

no ip http server
no ip http secure-server

So to summarize, it’s not that the router itself can become a web server, but it can run a web service so that an admin can log in and use the web interface that is made available on the device. For more information about these and related commands, take a look at the following Cisco command reference links:

I hope this has been helpful!

Laz
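If the web interface has to stay on, the commands in the reply above can be combined with a few others so that it is HTTPS-only, reachable from management hosts only, and authenticated against local accounts. This is an added example rather than part of the original reply; the management subnet, the ACL number and the user name are assumed:

```cisco
! Added example: hardened IOS HTTP(S) server.
! Assumed: management subnet 10.10.10.0/24, local admin account "netadmin"
! (replace <strong-secret> with a real one).
!
! 1) Never plaintext HTTP; HTTPS only.
no ip http server
ip http secure-server
!
! 2) Authenticate with local accounts (or AAA) instead of the enable password.
username netadmin privilege 15 secret <strong-secret>
ip http authentication local
!
! 3) Only management hosts may connect (the access class covers HTTP and HTTPS).
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 deny any log
ip http access-class 10
!
! 4) Keep the footprint small: few connections, short idle sessions.
ip http max-connections 2
ip http timeout-policy idle 120 life 3600 requests 100
!
! Verify (status, port, access class and authentication method are shown):
! show ip http server status
! show ip http server secure status
!
! And if nobody needs the GUI, the advice in the reply is still the best one:
! no ip http server
! no ip http secure-server
```

`ip http access-class` filters by source address before authentication, so a scan from outside the management subnet never reaches the login. The secure server presents a self-signed certificate unless `ip http secure-trustpoint` points it at one issued by your CA, so verify the certificate fingerprint out of band the first time you connect.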

Please, I need your help. I am in a big hospital and I have just arrived; to my surprise their architecture is very messy, and I would like you to suggest an architecture that is easy to deploy, taking into account the equipment they have on site: a MikroTik router, a Cisco 1900 router (to which the ISP is connected), two Layer 3 switches and three servers, in particular the domain server (a few PCs are in the domain). Outside the data center we also have other Layer 2 switches, to which the PCs and the printers are connected, but also the analog telephones.

Offer me a roadmap to follow in order to convince management of the feasibility of the project, without major risk to the current operation, and where to start.

Hello Takam

Using just the devices you mentioned, we’re looking at a quick solution that won’t offer redundancy but will offer functionality for the network. I would suggest doing something like this:

Use one of the Layer 3 switches as your main switch where routing will take place, use the second Layer 3 switch as your server switch, and keep your Layer 2 switches delivering network services to the PCs and the printers. Some configuration suggestions include:

  1. Set up the 1900 router to operate as a NAT router so that your internal networks can reach the Internet, and you can also do port forwarding if necessary.
  2. Employ routing at the Layer 3 switch so that you can separate the users (PCs) from the servers
  3. The servers should also be placed on their own subnet.

Now I don’t know what other needs you may have, so I can’t suggest anything more specific beyond this. However, you did mention analog phones. Analog phones should not take part in this at all, since they would not be connected to any switch. Unless you meant VoIP phones? If so, those would connect to the switch.

Now one issue that comes up is if you make changes to the network, either topologically or in configurations, you will have to have some downtime. To minimize the downtime, but also to do your proof of concept, I would suggest you create your topology in an emulator like GNS3 or Cisco VIRL/CML. That way you can work out any problems in your simulation beforehand, and you will also have your configs ready to copy and paste into the real devices, minimizing downtime.

I would suggest you also take a look at this lesson for more insight in network design:

Let us know how you get along!

I hope this has been helpful!

Laz
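To show what steps 1 to 3 of the suggestion look like on the boxes the hospital already has, here is an added example (not a configuration from the thread). VLAN numbers, subnets, the 1900's interface names and the domain controller's address 10.10.20.10 are all assumed:

```cisco
! --- Layer 3 switch used as the core (steps 2 and 3) ---
ip routing
!
vlan 10
 name USERS
vlan 20
 name SERVERS
vlan 99
 name TRANSIT-TO-1900
!
! One routed SVI per subnet: users and servers are separated and must cross the
! switch (and its ACL) to reach each other.
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group USERS-TO-SERVERS in
!
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
!
interface Vlan99
 ip address 10.10.99.2 255.255.255.252
!
! Users may reach the domain controller, nothing else in the server subnet, and
! anything outside it (Internet via the 1900). Tighten to specific ports later,
! once the domain's port list is known.
ip access-list extended USERS-TO-SERVERS
 permit ip 10.10.10.0 0.0.0.255 host 10.10.20.10
 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log
 permit ip 10.10.10.0 0.0.0.255 any
!
ip route 0.0.0.0 0.0.0.0 10.10.99.1
!
! --- Cisco 1900 as the NAT edge (step 1) ---
interface GigabitEthernet0/1
 description Towards the core switch
 ip address 10.10.99.1 255.255.255.252
 ip nat inside
!
interface GigabitEthernet0/0
 description ISP (address and default route as provided by the ISP)
 ip nat outside
!
ip route 10.10.0.0 255.255.0.0 10.10.99.2
ip access-list standard INSIDE-NETS
 permit 10.10.0.0 0.0.255.255
ip nat inside source list INSIDE-NETS interface GigabitEthernet0/0 overload
```

The second Layer 3 switch can simply carry VLAN 20 as the access switch for the servers, and the existing Layer 2 switches carry VLAN 10 for the PCs and printers; the 1900 still needs its ISP-facing address and a default route towards the ISP, and any port forwarding from step 1 is added on it later. Building exactly this in GNS3 or CML first, as suggested above, lets you test the ACL against the domain's real traffic before touching production.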

Thank you very much.
I’ll come back to you later.

1 Like