Cisco IOS NAT Port Forwarding

Hi Renee,

I cannot understand the last method of performing port forwarding using a different IP address. 192.168.23.200 is not configured on any interface on R2. Is it because R3 has a default route to R2? Please advise. Thank you.

Hello Leon

When configuring NAT, it is possible to specify that the outside IP address used for the translation is the actual IP address that is on the interface. In the lesson, this would be the 192.168.23.2 address on the Fa1/0 interface of R2.

However, it is possible to specify a different outside address for translation. This address doesn’t have to be configured on any particular interface, and it doesn’t even have to be on the same subnet as the IP address on the outside interface. You could, for example, have used the 10.10.10.10 outside address on the outside interface of R2 in this lesson.

This simply indicates to the NAT process the IP address translation that should take place when traversing the NAT router. NAT doesn’t care if the address is assigned to an interface or not. In essence, this means that:

  • When a packet with a source IP address of 192.168.12.1 traverses the NAT router, it will exit the outside interface with the source IP address field replaced with 10.10.10.10.
  • Similarly, when a packet arrives at the outside interface with a destination address of 10.10.10.10, the NAT process will replace that IP address in the destination field of the IP header with 192.168.12.1.

The only issue here is that you must make sure that the outside network, in this case the WAN, knows that the 10.10.10.10 address should be routed to the Fa1/0 interface. If there is no routing information that lets the “outside world” know that, then such a translation will never take place. This is why, typically, you would use the actual configured IP address of the outside interface or an address on the same subnet, so that you can make sure that traffic will be able to find that outside interface of your NAT router.

I hope this has been helpful!

Laz

1 Like

This may be a silly question, but in my networking career I have not had to deal with NAT a lot. Now I am having to deal with it, so I am trying to refresh my memory on it. If I have a firewall behind a router that is doing NAT, would I need to do some type of port forwarding so my firewall can create an IPsec tunnel to another site also doing NAT?

Here is a simple drawing to explain: FW-----RTR/NAT-----ISP-----RTR/NAT-----FW

Thank you for all the help,
Alan

Hello Alan

The scenario that you are describing requires that an IPsec tunnel traverse two NAT translations. In order for this to be successful, you must ensure that NAT-T (NAT Traversal) is supported on the devices in question. This Cisco documentation details the related features and configurations for IOS devices:

Similarly, you can find out more about this feature on Cisco ASA devices as well:

As you prepare your design, let us know how you are coming along!

I hope this has been helpful!

Laz
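What the NAT router in front of each firewall has to forward so that the IPsec peer behind it can bring a tunnel up, written out as IOS configuration. This is an added example, not the thread's own configuration and not taken from the Cisco documentation Laz refers to. Interface names, the firewall's address 192.168.1.10 and the LAN subnet are assumed; the same configuration would be mirrored on the far site's NAT router.

```cisco
! --- RTR/NAT in front of the local firewall: added example, addresses assumed ---
! Assumed: Gi0/1 is the LAN side with the firewall's outside interface at 192.168.1.10,
! Gi0/0 faces the ISP and carries the public address. Mirror this on the far site.
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0
 description ISP-facing, holds the public address
 ip nat outside
!
! IKE runs over UDP 500. Forwarding it lets the remote peer initiate the tunnel;
! the "interface" keyword binds the forward to whatever public address Gi0/0 has.
ip nat inside source static udp 192.168.1.10 500 interface GigabitEthernet0/0 500
!
! NAT-T: once the peers detect a NAT in the path, IKE and the ESP payload are
! carried in UDP 4500. ESP on its own (IP protocol 50) has no port numbers, so no
! static PAT entry can forward it; UDP 4500 is what lets the tunnel cross this box.
ip nat inside source static udp 192.168.1.10 4500 interface GigabitEthernet0/0 4500
!
! Caveat: a static PAT entry maps one inside host per public address and port, so a
! second IPsec endpoint on this LAN would need a second public address.
!
! If the endpoint behind the NAT is itself an IOS router, NAT-T is negotiated by
! default; the knob that controls it is:
! crypto ipsec nat-transparency udp-encapsulation
!
! Verification on an IOS endpoint once the tunnel is up: "show crypto ipsec sa"
! reports the SA with "Tunnel UDP-Encaps" when NAT-T is in use.
```

The two static entries are the whole of the port forwarding Alan asks about; everything else is ordinary NAT. If the firewall is the initiator and the remote side is the one behind NAT, the remote NAT router needs the same two entries pointing at its firewall.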

Laz,

Thank you for your response on this. Would you say that it is best practice to build your VPNs as close to the outside as possible to avoid any issues with NAT?

Alan

Hello Alan

Anything that simplifies configurations is considered best practice, because it makes it easier to implement as well as to troubleshoot when something goes wrong. So I would agree with you that building your VPNs as close to the outside as possible is a good guideline to follow. Of course, it’s not always possible, and you must weigh the pros and cons of each specific design consideration.

I hope this has been helpful!

Laz

I understand absolutely nothing about port forwarding, what is it really for? Certainly my question seems strange; please enlighten me on this.

Hello Berthol

I understand absolutely nothing about port forwarding, what is it really for; certainly my question seems to be weird please be sure to enlighten me on this

Let me try to explain. In order to understand port forwarding, you must first understand NAT. If you need a refresher on NAT, take a look at this lesson:

Imagine this setup here:

Imagine you have a web server as shown, with a private IP address on your enterprise network. R1 is performing NAT so that your internal network, which uses private addresses, can have direct access to the Internet with a public IP address.

This scenario delivers Internet access to internal hosts on your network. However, NAT on R1 will not allow any communication initiated from outside to reach any host inside your network, so H1 cannot reach the web server in any way.

Port forwarding enables this communication by configuring the R1 router to translate and forward any packets matching a particular IP address/TCP port combination. For example, we can configure port forwarding on R1 so that any packet with a destination address of 188.168.12.1 and a TCP port of 80 will be translated and forwarded to 10.10.10.2. That way, H1 will reach the web server successfully.

I hope this has been helpful!

Laz
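The static port forward discussed in the first reply of this thread (the outside address 192.168.23.200 that is on no interface, and the off-subnet 10.10.10.10 variant) and in the web-server example just above, written out as IOS configuration. This is an added example, not the lesson's or Laz's configuration: the interface names and R2's inside address are assumed, and the R3 route is the piece that makes the off-subnet variant reachable.

```cisco
! --- R2, the NAT router: added example, not the lesson's own configuration ---
! Assumed: Fa0/0 is the inside interface (192.168.12.0/24, inside host 192.168.12.1),
! Fa1/0 is the outside interface with 192.168.23.2/24 facing R3.
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 ip nat inside
!
interface FastEthernet1/0
 ip address 192.168.23.2 255.255.255.0
 ip nat outside
!
! Port forward: TCP 80 on outside address 192.168.23.200 -> 192.168.12.1:80.
! 192.168.23.200 is configured on no interface. It works because it lies inside
! Fa1/0's subnet: IOS installs an alias for a static NAT global address and answers
! R3's ARP requests for it (the no-alias keyword would turn that off).
! "extendable" lets further forwards (e.g. TCP 443) share the same outside address.
ip nat inside source static tcp 192.168.12.1 80 192.168.23.200 80 extendable
!
! Alternative (instead of the line above): an outside address off the Fa1/0 subnet.
! NAT does not care, but nothing answers ARP for it and R3 has no route to it, so
! R3 must be told where it lives (see below) or the translation never fires.
! ip nat inside source static tcp 192.168.12.1 80 10.10.10.10 80 extendable
!
! Same command with the addresses of the web-server example above (on R1 there):
! ip nat inside source static tcp 10.10.10.2 80 188.168.12.1 80 extendable
!
! --- R3, the "outside world": only needed for the off-subnet variant ---
ip route 10.10.10.10 255.255.255.255 192.168.23.2
!
! --- Verification on R2 ---
! show ip nat translations
!   Pro Inside global          Inside local         Outside local   Outside global
!   tcp 192.168.23.200:80      192.168.12.1:80      ---             ---
! show ip aliases         lists 192.168.23.200 as a NAT alias held by the router
! show ip nat statistics  "Hits" increments for every packet the entry translates
```

The translation entry appears in the table as soon as the static command is entered, whether or not anything can reach the outside address; the route (or the ARP alias) is what decides whether packets ever arrive to be translated, which is the point of Leon's question.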

Thank you for the explanation. If I understand correctly, right now, as I use the Internet to read this course, there is a NAT configured at my ISP so that I can reach you or you can reach me?

Hello Berthol

The example in my previous post had to do with port forwarding. Port forwarding is used when a host on the Internet needs to gain access to a resource (web server for example) that exists behind a NAT router.

In the example you are describing, where you are viewing the lessons on this site, port forwarding is not involved. The web server hosting these courses has a public IP address. Actually, it has several public IP addresses. Take a look at the output of the nslookup command I just issued on my PC:

C:\Users\user>nslookup www.networklessons.com
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    www.networklessons.com
Addresses:  50.19.62.128
          54.226.250.107
          52.20.153.59
          34.233.244.105
          3.221.59.106
          54.211.237.250

All of these addresses are public addresses. So when you communicate with the server, no port forwarding is necessary. However, you are most likely using NAT at your ISP in order to gain access to the Internet. Your situation looks more like this:

R1 is your ISP router, and it is performing NAT between your 10.10.10.0/24 private subnet and the public address assigned to your router. Once that translation happens, you can then freely communicate with the networklessons server, which is on the public Internet. So in this scenario, NAT takes place at R1, and no port forwarding is necessary.

I hope this has been helpful!

Laz

1 Like
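The plain outbound NAT Laz describes on R1, as an added example that is not from the thread or the lesson. Interface names and the public address (203.0.113.10, a documentation prefix standing in for the ISP-assigned address) are assumed, and the translation table shown in the comments is constructed to illustrate the behavior.

```cisco
! --- R1, the ISP-side NAT router in the diagram: added example, addresses assumed ---
! Inside: the 10.10.10.0/24 LAN. Outside: Fa0/1 with the public address.
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
!
! Which inside addresses are allowed to be translated.
access-list 1 permit 10.10.10.0 0.0.0.255
!
! Dynamic PAT ("overload"): every inside host shares the single public address and
! the router tells flows apart by source port. Entries are created only by traffic
! leaving through the inside interface; nothing from the outside can create one.
ip nat inside source list 1 interface FastEthernet0/1 overload
!
! Constructed table after 10.10.10.5 opens the site (show ip nat translations):
!   Pro Inside global        Inside local       Outside local        Outside global
!   tcp 203.0.113.10:50123   10.10.10.5:50123   50.19.62.128:443     50.19.62.128:443
! The entry exists because the inside host initiated the flow. A packet arriving
! from the Internet for 203.0.113.10 with no matching entry is dropped by R1, which
! is exactly the behavior a static port-forward entry is added to change.
```

Contrast this with the static entries earlier in the thread: a static translation is present permanently and in both directions, a dynamic one only for the lifetime of a connection the inside host started.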

Your explanation is very interesting. So tell me the advantage of using port forwarding, and a clear example from everyday life.

Hello Berthol

One very common application of port forwarding is for security cameras installed in small businesses or in residential settings. You have cameras on site that are connected to the internal network using private IP address ranges such as 192.168.1.0/24. You may also have a network video recorder (NVR) that collects the video from the cameras and stores it locally, and also controls the cameras themselves. This NVR is also within the local network on the same subnet.

Now you want to be able to view either live feeds of the cameras or recorded video from your mobile phone no matter where you are. That means that when you’re away from home or from the office, you want to be able to initiate communication from outside of the local network inward. If your home/office is using a NAT-enabled router, such as a DSL connection for example, then you must apply port forwarding to allow such communication.

I hope this has been helpful!

Laz