Wednesday, May 7, 2008

Static NAT and PAT (port forwarding)

Static NAT and PAT (port forwarding)

NOTE: This particular config was done on a Cisco 877 ADSL / DSL router however its known to work on the Cisco 800 series routers in general including the Cisco 827 Cisco 837 Cisco 877W the Cisco 1720 Cisco 1721 Cisco 1750 series and the CIsco 1600 series


Right so you have setup your Cisco DSL (or you only have one IP address from your ISP) and you have setup your DynDNS so that you can connect to the router. But now you what’s next?

Well the usual next step, and probably the whole reason you did this in the first place is so that you can connect to the server from the outside world for a web server or a mail server. or some thing similar.

The basic principal is that the connection is made in from the dialer interface (the external address) and passed to the internal address on a matching port.

There is a limitation to this though, if you have two web servers both listing for traffic on port 80 but only one external address you are going to run into a problem you would have to change the port numbers that the server listens on for instance from 80 to 8080 on the second server.

However you can have multiple servers doing different things in the example below there are 2 servers one (10.0.0.2) is a mail and web server and the other is VPN box running pptp

ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
!


router# conf t
router (config)#ip nat inside source static tcp 10.0.0.2 25 interface dialer 1 25
router (config)#ip nat inside source static tcp 10.0.0.2 21 interface dialer 1 21
router (config)#ip nat inside source static tcp 10.0.0.2 443 interface dialer 1 443
router (config)#ip nat inside source static tcp 10.0.0.2 80 interface dialer 1 80
router (config)#ip nat inside source static tcp 10.0.0.2 110 interface dialer 1 110
router (config)#ip nat inside source static tcp 10.0.0.3 1723 interface dialer 1 1723
router (config)#ip nat inside source static udp 10.0.0.3 1723 interface dialer 1 1723
router (config)#exit
router #wr
Building configuration...





Once you have done this, you can easily test this by connecting from the outside to your mailserver

telnet my-test-thing.dyndns.org 25
Trying 200.200.200.200...
Connected to my-test-thing.dyndns.org.
Escape character is '^]'.
220 Mail Server Ready

The exact same thing can be used with a Static IP address some providers like to assign a /31 address which will leave you with one usable IP so instead of using "interface Dialer 1" you can use the static address

ip nat inside source static tcp 10.0.0.2 3389 196.200.200.5 3389 extendable
ip nat inside source static tcp 10.0.0.2 443 196.200.200.5 443 extendable
ip nat inside source static tcp 10.0.0.2 21 196.200.200.5 21 extendable

This will obviously not work for a dynamically assigned address for that you would have to use the first example

I hope this helps someone.

1 comment:

David said...

Hi,

Thanks for this post, it was quite useful. I'm trying to set up a cisco 877 as well and I've some trouble with the redirection of my dialer interface to the web server from the LAN. From outside, everything work fine, but from inside, the redirection doesn't occur.

Here is my conf :


ip nat inside source list 10 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.3 80 interface Dialer1 80

(web server is 192.168.1.3)

When I'm accessing my web ip from outside throw http://downforeveryoneorjustme.com it show it works, but when I try locally (from the LAN) to open the IP given by the provider, the browser open the page of the cisco http server, so obsiously, the redirection is not done from the lan, but only for the web.

Would you have a suggestion to solve this matter.

Thanks a lot for your help,
Regards,
David

Joe's Store