Skip to main content

Static NAT and PAT (port forwarding)

Static NAT and PAT (port forwarding)

NOTE: This particular config was done on a Cisco 877 ADSL / DSL router however its known to work on the Cisco 800 series routers in general including the Cisco 827 Cisco 837 Cisco 877W the Cisco 1720 Cisco 1721 Cisco 1750 series and the CIsco 1600 series


Right so you have setup your Cisco DSL (or you only have one IP address from your ISP) and you have setup your DynDNS so that you can connect to the router. But now you what’s next?

Well the usual next step, and probably the whole reason you did this in the first place is so that you can connect to the server from the outside world for a web server or a mail server. or some thing similar.

The basic principal is that the connection is made in from the dialer interface (the external address) and passed to the internal address on a matching port.

There is a limitation to this though, if you have two web servers both listing for traffic on port 80 but only one external address you are going to run into a problem you would have to change the port numbers that the server listens on for instance from 80 to 8080 on the second server.

However you can have multiple servers doing different things in the example below there are 2 servers one (10.0.0.2) is a mail and web server and the other is VPN box running pptp

ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
!


router# conf t
router (config)#ip nat inside source static tcp 10.0.0.2 25 interface dialer 1 25
router (config)#ip nat inside source static tcp 10.0.0.2 21 interface dialer 1 21
router (config)#ip nat inside source static tcp 10.0.0.2 443 interface dialer 1 443
router (config)#ip nat inside source static tcp 10.0.0.2 80 interface dialer 1 80
router (config)#ip nat inside source static tcp 10.0.0.2 110 interface dialer 1 110
router (config)#ip nat inside source static tcp 10.0.0.3 1723 interface dialer 1 1723
router (config)#ip nat inside source static udp 10.0.0.3 1723 interface dialer 1 1723
router (config)#exit
router #wr
Building configuration...





Once you have done this, you can easily test this by connecting from the outside to your mailserver

telnet my-test-thing.dyndns.org 25
Trying 200.200.200.200...
Connected to my-test-thing.dyndns.org.
Escape character is '^]'.
220 Mail Server Ready

The exact same thing can be used with a Static IP address some providers like to assign a /31 address which will leave you with one usable IP so instead of using "interface Dialer 1" you can use the static address

ip nat inside source static tcp 10.0.0.2 3389 196.200.200.5 3389 extendable
ip nat inside source static tcp 10.0.0.2 443 196.200.200.5 443 extendable
ip nat inside source static tcp 10.0.0.2 21 196.200.200.5 21 extendable

This will obviously not work for a dynamically assigned address for that you would have to use the first example

I hope this helps someone.

Comments

Unknown said…
Hi,

Thanks for this post, it was quite useful. I'm trying to set up a cisco 877 as well and I've some trouble with the redirection of my dialer interface to the web server from the LAN. From outside, everything work fine, but from inside, the redirection doesn't occur.

Here is my conf :


ip nat inside source list 10 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.3 80 interface Dialer1 80

(web server is 192.168.1.3)

When I'm accessing my web ip from outside throw http://downforeveryoneorjustme.com it show it works, but when I try locally (from the LAN) to open the IP given by the provider, the browser open the page of the cisco http server, so obsiously, the redirection is not done from the lan, but only for the web.

Would you have a suggestion to solve this matter.

Thanks a lot for your help,
Regards,
David

Popular posts from this blog

Setting up and Installing Rancid on FreeBSD for Cisco Products

Setting up and Installing Rancid on FreeBSD for Cisco Products What is Rancid? Rancid is an application that monitors a devices configuration including software and hardware. The configuration is then stored in a Concurrent Version System or CVS. Most of the time it is used to back up router, switch and firewall configurations, as well as notify you when a configuration has changed, i.e a firewall rule or a routers IP address or access list change. here is an example of the output =================================================================== retrieving revision 1.29 diff -u -4 -r1.29 mpls-jhb-pe1 @@ -288,9 +288,9 @@ ! interface Serial0/0 description Link to Client X bandwidth 2048 - ip address 192.168.1.244 255.255.255.254 + ip address 192.168.1.234 255.255.255.254 ip route-cache flow ip tcp header-compression iphc-format ip tcp compression-connections 256 ! ip ospf message-digest-key 1 md5 the - symbol represents what was removed the + symbol represents what was added The abo...

Tacacs+ Install and Config Guide

Tacacs+ Install and Config Guide What is TACACS As per wikipedia Terminal access controller access control system (TACACS) is a remote authentication protocol that is used to communicate with an authentication server commonly used in UNIX networks. TACACS allows a remote access server to communicate with an authentication server in order to determine if the user has access to the network. Installing Tacacs on FreeBSD This guide is intended to be a basic implementation of TACACS+, so although there are may features I am just going to document what I generally use. Please note that tac_plus is also available from Shrubbery Networks if you would like to install and configure on another platform. You may also want to check out my Rancid How-To Once again its in your ports directory. cd to /usr/ports/net/tac_plus4/ run a "make install clean" Once installed vi /usr/local/etc/rc.d/tac_plus.sh Then Change the following line from NO to YES tac_plus_enable=$ Save the file, then vi /e...

FreeBSD, Postfix, Mailscanner and Mailwatch Installation

Installing postfix, mailscanner and mailwatch on FreeBSD I have setup a number of servers using mailscanner and postfix to do antispam and antivirus checking. This particular example will show you how to set the server up as a mail gateway. i.e. all inbound and outbound mail will go via this server. You can also use the server as a pop3/imap4 server and doing so, does make life a little easier as you don't have to worry about the transport and relay_hosts files. At a later stage I will show that info too..... when I get a chance. This my seem strange but as there is quite a bit involved in installing and configuring I am splitting this into two How-To's this one, The install How-To and the configuration How-To First off its probably best to start on a new install of FreeBSD. Once you have done the initial portsnap fetch and portsnap extract Right here we go. Two things you might want to do is force your NIC to 100MB full duplex and install lsof Type in ifconfig and check if the...