
How to Configure Port Forwarding on Cisco Router (With Examples)

Edited By Harris Andrea

Imagine the following situation: you are a network engineer and your boss or a customer wants you to build a cheap and easy solution to host a publicly accessible server (such as a web server, email server, VPN server, etc.) using only a regular Cisco router.

[Figure: network diagram of Cisco router with port NAT]

In most network designs, you will see that the usual and “proper” way to protect publicly accessible servers is to place them behind a network firewall such as Cisco ASA, Fortigate, Checkpoint, Palo Alto etc.

In this article however we will discuss and explain how to achieve the above requirement using port forwarding with a Cisco router.

This option suits low-budget networks, remote offices, or SMB networks that do not have strict security requirements.

Port Forwarding is a feature that can be used to provide access from the Internet to internal servers in a Local Network.

Port Forwarding is based on static NAT whereby the public IP address assigned to the outside WAN interface of the router is translated to an internal private IP address and port assigned to an internal server.

Let’s see the following basic network diagram to understand our scenario better. The following is also the most common topology found in real-world networks.


Network Scenario 1

[Figure: NAT forwarding traffic to a single server]

As shown in the diagram above, we have a LAN network (192.168.1.0/24) with several user computers and also a Web Server.

I know that the above is not a good practice in terms of security because you should avoid placing a publicly-accessible server inside your internal LAN network. However, for the sake of explaining port forwarding, let’s assume we have the above setup.

We want to allow access from the Internet towards the Web Server (192.168.1.10) at port 80.

I know again that this is not a good practice, because regular HTTP at port 80 is not encrypted and you should always use HTTPS at port 443.

For the sake of simplicity though let’s assume we have a Web Server listening at port 80.

Another requirement is to configure PAT (NAT overload or Port Address Translation) to allow outgoing traffic from the LAN network towards the Internet.

So, the router will have two different NAT types:

  1. NAT Overload (PAT) for translating all source IPs (192.168.1.x) for Outgoing traffic using the public WAN IP (50.50.50.1) assigned to Interface Ge0/0 of the router.
  2. Port Forwarding which will translate the destination IP and port 80 of Incoming traffic from the Internet into the private IP and port 80 of the Web Server. This means that incoming traffic hitting 50.50.50.1 at port 80 will be translated to destination IP 192.168.1.10 at port 80 (which is the Web Server address).

Let’s see how to configure the above.

Port Forwarding Configuration 1

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface gigabitEthernet 0/0
R1(config-if)#ip address 50.50.50.1 255.255.255.0
R1(config-if)#ip nat outside   <– Configure the WAN as NAT outside interface
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#

R1(config)#interface gigabitEthernet 0/1
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#ip nat inside <– Configure the LAN as NAT inside interface
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#

R1(config)#ip route 0.0.0.0 0.0.0.0 50.50.50.2  <– Configure default route

R1(config)#access-list 1 permit 192.168.1.0 0.0.0.255 <– Configure ACL to be used for PAT

R1(config)#ip nat inside source list 1 interface GigabitEthernet0/0 overload <– Configure PAT (NAT overload)

R1(config)#ip nat inside source static tcp 192.168.1.10 80 50.50.50.1 80 <– Configure Port Forwarding

R1(config)#end
R1#wr

NOTE:

The command which configures port forwarding has the following format:

ip nat inside source static { tcp | udp } local-ip local-port global-ip global-port [extendable]

So, from the configuration example above, the global-ip (WAN IP) 50.50.50.1 and port 80 will be translated to local-ip 192.168.1.10 port 80.

Verification

Let’s verify the port forwarding by observing the NAT translations table:

R1#show ip nat translations

Pro  Inside global      Inside local       Outside local      Outside global
tcp  50.50.50.1:80      192.168.1.10:80    ---                ---
tcp  50.50.50.1:80      192.168.1.10:80    60.60.60.2:1026    60.60.60.2:1026

The NAT table above shows that the Global IP 50.50.50.1 port 80 is mapped (translated) to Inside local 192.168.1.10:80.

Also, the table above shows that an Internet host (60.60.60.2), shown as Outside global, has already accessed the Web server and created a NAT entry in the table.

Network Scenario 2

Let’s now see a slightly different topology using port forwarding:

[Figure: two internal servers, Web and SMTP]

In the network above, we have two internal servers that need to be accessible from the Internet: the Web Server (192.168.1.10) from the previous example and a new SMTP Server (192.168.1.11).

We will configure port forwarding on the Cisco router so that traffic hitting the public IP 50.50.50.1 at port 80 will be forwarded to the Web server and traffic hitting the WAN IP at port 25 (for SMTP) will be forwarded to the SMTP server.

Port Forwarding Configuration 2

The initial configuration of IP addresses, PAT, etc. is the same as in the previous example. Let’s only see how to configure Port Forwarding for the two internal servers.

R1(config)#ip nat inside source static tcp 192.168.1.10 80 50.50.50.1 80 <– Port Forwarding for Web Server

R1(config)#ip nat inside source static tcp 192.168.1.11 25 50.50.50.1 25 <– Port Forwarding for SMTP Server

Verification

Let’s verify the port forwarding again by observing the NAT translations table:

R1#show ip nat translations

Pro  Inside global      Inside local       Outside local      Outside global
tcp  50.50.50.1:25      192.168.1.11:25    ---                ---
tcp  50.50.50.1:25      192.168.1.11:25    65.12.60.10:1028   65.12.60.10:1028
tcp  50.50.50.1:80      192.168.1.10:80    ---                ---
tcp  50.50.50.1:80      192.168.1.10:80    60.60.60.2:1026    60.60.60.2:1026

As shown in the output above, we have NAT entries for 50.50.50.1 port 25 translated to 192.168.1.11 port 25.

Also, address 50.50.50.1 port 80 is translated to 192.168.1.10 port 80.

Other Configuration Options

Another configuration option with port forwarding is to forward an external port to a different internal port on the server.

R1(config)#ip nat inside source static tcp 192.168.1.10 80 50.50.50.1 8080

The above shows that traffic hitting the public IP 50.50.50.1 at port 8080 will be translated to the private IP 192.168.1.10 at port 80.

Another option would be to have two different public ports forwarded to two different ports on the same internal server:

R1(config)#ip nat inside source static tcp 192.168.1.10 80 50.50.50.1 80
R1(config)#ip nat inside source static tcp 192.168.1.10 22 50.50.50.1 22

The option above is useful when the same internal server (192.168.1.10) runs two different services, e.g. a Web server (port 80) and an SSH server (port 22).
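To make the two translation types concrete, here is a small Python model of what R1 does in Scenario 1, Scenario 2 and the different-external-port option above. It is an added example, not code from this article or from Cisco IOS: PAT rewrites the source of outbound LAN packets to the WAN IP (keeping the original source port when it is free, otherwise picking another one), static entries rewrite the destination of inbound packets, and the resulting table is printed in the layout of show ip nat translations. The addresses and ports come from the article; the LAN hosts 192.168.1.50/.51, the destination 70.70.70.7 and the 2222 -> 22 SSH forward are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src: Endpoint
    dst: Endpoint


@dataclass
class Translation:
    """One row of 'show ip nat translations'; outside columns are empty for static rows."""
    proto: str
    inside_global: Endpoint
    inside_local: Endpoint
    outside_local: Optional[Endpoint] = None
    outside_global: Optional[Endpoint] = None


class NatRouter:
    """Toy model of R1: PAT (overload) on the WAN interface for sources matching
    access-list 1, plus static port forwards. Added illustration, not IOS code."""

    def __init__(self, wan_ip: str, pat_acl: str, pat_port_start: int = 1024) -> None:
        self.wan_ip = wan_ip                          # address of the 'ip nat outside' interface
        self.pat_net = ipaddress.ip_network(pat_acl)  # 'access-list 1 permit ...'
        self.pat_port_start = pat_port_start
        self.static: Dict[Tuple[str, int], Endpoint] = {}  # (proto, global port) -> local
        self.table: List[Translation] = []

    def add_port_forward(self, proto: str, local: Endpoint, global_port: int) -> None:
        """ip nat inside source static {tcp|udp} local-ip local-port <wan-ip> global-port"""
        key = (proto, global_port)
        if key in self.static:
            raise ValueError(f"{proto}/{global_port} on {self.wan_ip} is already forwarded")
        self.static[key] = local
        self.table.append(Translation(proto, (self.wan_ip, global_port), local))

    def inside_to_outside(self, pkt: Packet) -> Optional[Packet]:
        """PAT: a LAN source permitted by the ACL is rewritten to the WAN IP. The
        original source port is kept when free on the WAN IP, else a new one is picked."""
        if ipaddress.ip_address(pkt.src[0]) not in self.pat_net:
            return None  # not matched by access-list 1: no translation
        for t in self.table:  # an existing session keeps its translation
            if (t.proto, t.inside_local, t.outside_global) == (pkt.proto, pkt.src, pkt.dst):
                return Packet(pkt.proto, t.inside_global, pkt.dst)
        used = {t.inside_global[1] for t in self.table if t.proto == pkt.proto}
        gport = pkt.src[1]
        if gport in used:
            gport = self.pat_port_start
            while gport in used:
                gport += 1
        t = Translation(pkt.proto, (self.wan_ip, gport), pkt.src, pkt.dst, pkt.dst)
        self.table.append(t)
        return Packet(pkt.proto, t.inside_global, pkt.dst)

    def outside_to_inside(self, pkt: Packet) -> Optional[Packet]:
        """Port forwarding: destination <wan-ip>:global-port becomes local-ip:local-port.
        Anything without a static mapping has no translation and is not reachable."""
        local = self.static.get((pkt.proto, pkt.dst[1])) if pkt.dst[0] == self.wan_ip else None
        if local is None:
            return None
        self.table.append(Translation(pkt.proto, pkt.dst, local, pkt.src, pkt.src))
        return Packet(pkt.proto, pkt.src, local)

    def clear_translations(self) -> None:
        """'clear ip nat translation *': dynamic rows go, static mappings stay."""
        self.table = [t for t in self.table if t.outside_global is None]

    def show_translations(self) -> str:
        def ep(e: Optional[Endpoint]) -> str:
            return f"{e[0]}:{e[1]}" if e else "---"
        rows = [f"{'Pro':<4}{'Inside global':<19}{'Inside local':<19}{'Outside local':<19}Outside global"]
        for t in sorted(self.table, key=lambda t: (t.inside_global[1], t.outside_global or ("", 0))):
            rows.append(f"{t.proto:<4}{ep(t.inside_global):<19}{ep(t.inside_local):<19}"
                        f"{ep(t.outside_local):<19}{ep(t.outside_global)}")
        return "\n".join(rows)


def build_r1() -> NatRouter:
    """R1 as configured in the article, plus a constructed 2222 -> 22 SSH forward."""
    r1 = NatRouter("50.50.50.1", "192.168.1.0/24")
    r1.add_port_forward("tcp", ("192.168.1.10", 80), 80)    # Web server
    r1.add_port_forward("tcp", ("192.168.1.11", 25), 25)    # SMTP server
    r1.add_port_forward("tcp", ("192.168.1.10", 22), 2222)  # SSH on a non-standard external port
    return r1


if __name__ == "__main__":
    r1 = build_r1()
    # constructed sample traffic: two inbound sessions and two outbound ones
    r1.outside_to_inside(Packet("tcp", ("60.60.60.2", 1026), ("50.50.50.1", 80)))
    r1.outside_to_inside(Packet("tcp", ("65.12.60.10", 1028), ("50.50.50.1", 25)))
    r1.inside_to_outside(Packet("tcp", ("192.168.1.50", 40000), ("70.70.70.7", 443)))
    r1.inside_to_outside(Packet("tcp", ("192.168.1.51", 40000), ("70.70.70.7", 443)))
    print(r1.show_translations())
```

Two details worth noticing when you run it: an inbound packet to 50.50.50.1:22 is dropped because only 2222 is forwarded, and the second outbound host reusing source port 40000 gets a fresh WAN port (1024) because the first session already holds 40000, which is what "overload" means in practice.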

Clearing the NAT Translations Table

If you want to clear the NAT translations table, then use the following:

R1#clear ip nat translation *

Security Considerations

Use Network Firewall Instead of Router

As mentioned in this article, there are several security issues to consider. First, it is strongly recommended to place an actual network firewall in front of publicly exposed servers (such as a Web Server, SMTP server, etc.).

A network firewall performs stateful inspection of traffic, whereas a normal router performs no inspection at all. Moreover, the firewall enforces security rules that allow only the required traffic to pass (e.g. ports 80, 443 and 25 and nothing else).

A normal router (as in our examples above) allows all traffic to pass, which poses security risks. We can configure an Access Control List on the router to permit only the required traffic. See the example config below:

ip access-list extended ALLOW_TRUSTED
permit tcp host 60.60.60.1 any eq 25
deny ip any any

Then apply this ACL to the WAN interface in the inbound direction.
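The effect of such an ACL is easy to misjudge, so here is an added Python audit helper (not the article's or Cisco's code) that parses the port-forwarding lines and the extended ACL and reports, for a few sample sources, which forwarded services a new connection can reach. It evaluates the ACL against the global address and port, because an inbound ACL on the outside interface is checked before outside-to-inside NAT. Applied to ALLOW_TRUSTED above, it shows that only 60.60.60.1 reaches SMTP and that the web forward is closed entirely. It also checks return traffic of the LAN's outbound PAT sessions, which arrives inbound on the same interface: a plain deny ip any any drops it too. The second ACL variant is an assumption of mine that adds the IOS established keyword for that traffic; it is a stateless check (any TCP packet with ACK or RST set matches), which is exactly why the article prefers a stateful firewall. The ACL is applied with ip access-group ALLOW_TRUSTED in under the WAN interface. Only the ACL syntax used here (ip/tcp/udp, any, host, wildcard masks, eq ports, established) is supported.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
PORT_NAMES = {"www": 80, "smtp": 25, "domain": 53, "ftp": 21, "telnet": 23}


@dataclass(frozen=True)
class AclEntry:
    action: str                 # permit / deny
    proto: str                  # ip / tcp / udp
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]
    established: bool = False   # matches only packets of an existing TCP session


@dataclass(frozen=True)
class Forward:
    proto: str
    local: Tuple[str, int]
    glob: Tuple[str, int]


def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    wc = int(ipaddress.ip_address(tok[i + 1]))  # wildcard mask -> prefix length
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {tok[i + 1]} not supported")
    return ipaddress.ip_network(f"{tok[i]}/{33 - (wc + 1).bit_length()}", strict=False), i + 2


def _parse_port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text: str) -> List[AclEntry]:
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0].isdigit():          # sequence number from 'show run'
            tok = tok[1:]
        if not tok or tok[0] not in ("permit", "deny"):
            continue                          # header line, remark or blank
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        entries.append(AclEntry(tok[0], tok[1], src, sport, dst, dport, "established" in tok[i:]))
    entries.append(AclEntry("deny", "ip", ANY, None, ANY, None))  # implicit deny at the end
    return entries


def parse_forwards(text: str) -> List[Forward]:
    """ip nat inside source static {tcp|udp} local-ip local-port global-ip global-port"""
    fwds = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 10 and tok[:5] == ["ip", "nat", "inside", "source", "static"] and tok[5] in ("tcp", "udp"):
            fwds.append(Forward(tok[5], (tok[6], int(tok[7])), (tok[8], int(tok[9]))))
    return fwds


def decision(acl: List[AclEntry], proto: str, src_ip: str, dst: Tuple[str, int],
             established: bool = False) -> str:
    """First matching entry wins, as on the router. A new client connection has an
    ephemeral source port, so entries keyed on a source port are not considered."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst[0])
    for e in acl:
        if e.proto not in ("ip", proto) or s not in e.src or d not in e.dst:
            continue
        if e.src_port is not None or (e.dst_port is not None and e.dst_port != dst[1]):
            continue
        if e.established and not established:
            continue
        return e.action
    return "deny"


def audit(acl_text: str, nat_text: str, sources: List[str]) -> Dict[Tuple[str, str], str]:
    """Map (service 'global-ip:port/proto', source ip) -> permit/deny for a new connection."""
    acl, fwds = parse_acl(acl_text), parse_forwards(nat_text)
    return {(f"{f.glob[0]}:{f.glob[1]}/{f.proto}", s): decision(acl, f.proto, s, f.glob)
            for f in fwds for s in sources}


# constructed sample config: the article's two port forwards and its ALLOW_TRUSTED ACL
NAT_CONFIG = """
ip nat inside source static tcp 192.168.1.10 80 50.50.50.1 80
ip nat inside source static tcp 192.168.1.11 25 50.50.50.1 25
"""
ACL_ARTICLE = """
ip access-list extended ALLOW_TRUSTED
 permit tcp host 60.60.60.1 any eq 25
 deny ip any any
"""
# assumed variant: same intent, plus return traffic of outbound PAT sessions (stateless check)
ACL_WITH_RETURN = """
ip access-list extended ALLOW_TRUSTED
 permit tcp host 60.60.60.1 host 50.50.50.1 eq 25
 permit tcp any host 50.50.50.1 established
 deny ip any any
"""

if __name__ == "__main__":
    for (svc, src), verdict in audit(ACL_ARTICLE, NAT_CONFIG, ["60.60.60.1", "60.60.60.2"]).items():
        print(f"{src:>12} -> {svc:<20} {verdict}")
    for name, text in (("ACL_ARTICLE", ACL_ARTICLE), ("ACL_WITH_RETURN", ACL_WITH_RETURN)):
        print(name, "return traffic of an outbound session:",
              decision(parse_acl(text), "tcp", "70.70.70.7", ("50.50.50.1", 40000), established=True))
```

Run it before and after changing an ACL: every forwarded service that shows "permit" for an untrusted source is exposed, and every one that shows "deny" for all sources is a forward you can remove from the configuration rather than leave in place unused.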

Use Non-Standard External Ports for Sensitive Services

For services like SSH, RDP, or database access, avoid using the default ports in port forwarding. Use an uncommon external port to reduce exposure to automated scans and attacks.

For example, attackers know that Linux servers on the Internet listen on port 22 by default to allow SSH access over the Internet.

Therefore, they build automated scanning tools that look for open port 22 across ranges of public IP addresses and then launch login attempts (such as brute-force or password spraying) to gain access to the server.

A good security practice is to use a non-standard external port (e.g. port 2222 for SSH instead of 22) so that automated scanning tools looking for port 22 will not find it.

Example:

ip nat inside source static tcp 192.168.1.10 22 50.50.50.1 2222

Then we should tell our external users to connect to port 2222 which will be port-forwarded to internal port 22 on our internal server.


About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. Vincent Marshall Sr says

    February 23, 2021 at 12:07 am

    Thanks Harris. Nice tutorial.

  2. Ochira Paul says

    February 23, 2021 at 5:45 am

    Great network scenario

  3. Harris Andrea says

    February 23, 2021 at 8:13 am

    Thanks a lot Vincent. I’m glad you liked it.

    Harris

  4. Harris Andrea says

    February 23, 2021 at 8:14 am

    Thanks Paul, I appreciate your feedback.

    Harris

  5. Sylvain JEANNEAUX says

    February 24, 2021 at 11:00 am

    Thanks a lot Harris, for all the information, tips and tricks you give!

    Applause from France

    Sylvain

  6. Harris Andrea says

    February 24, 2021 at 11:56 am

    Thanks Sylvain for commenting on this and for the feedback.

    Have a nice day

    Harris

  7. Cna says

    July 9, 2021 at 2:28 am

    What if an internal client wants to access the webserver using the public IP address?

  8. Harris Andrea says

    July 9, 2021 at 1:24 pm

    You need to see DNS Doctoring for this:

    https://community.cisco.com/t5/networking-documents/dns-doctoring-on-routers/ta-p/3113728

  9. wamique ali says

    May 16, 2022 at 5:56 pm

    Hi Harris,
    Can you suggest one of your books simplifying the configuration for switches, routers and firewalls?

  10. Harris Andrea says

    May 17, 2022 at 6:31 am

    Hello, the CCNA 200-301 lab guide book (https://www.networkstraining.com/ccna-lab-guide/) will help you in the practical aspects of configuring Cisco routers and switches. Although it is for people studying for CCNA, it is also helpful for other professionals who just start out in the field.

    Now for the Cisco ASA firewalls, this book https://www.networkstraining.com/ciscoasaebook.php has been loved by thousands of people so it will be a very good resource for you as well.

    Harris

  11. Umang says

    January 31, 2023 at 7:11 am

    Can you please give the pka file to this demo?

  12. Harris Andrea says

    January 31, 2023 at 11:07 am

    Sorry I don’t have it. The demo was done on real devices.

    Harris

  13. Niru says

    June 17, 2023 at 1:12 am

    This is a very well done write up. Thanks so much for taking the time to put this together. I found it very useful as a tool to get a new Data Center up and running remotely over the Internet with no Public IP address space available to us initially, other than the provider Uplink. I do need some guidance though. We have a WTI console server that I need to be able to SSH to from outside, however, when I try to configure port forwarding for SSH on port 22 on the router it tells me that “port 22 is being used by the system”. The command I used is identical to yours from above, i.e. ip nat inside source static tcp 192.168.1.10 22 50.50.50.1 22

  14. Harris Andrea says

    June 21, 2023 at 5:51 am

    Niru

    You will need to configure a different global (outside) port for SSH, let’s say 2222 instead of 22.
    So the command will be:

    ip nat inside source static tcp 192.168.1.10 22 50.50.50.1 2222

    Then from outside you will need to SSH to 50.50.50.1 at port 2222

    Harris

  15. Rich says

    August 20, 2023 at 11:13 pm

    Does port forwarding only allow access to a router from the net. So it isn’t possible to connect from a router over the internet to another machine with the local IP/or network IP on the net.

    So I can’t connect to another system remotely.

  16. Mjaj says

    February 26, 2024 at 11:09 am

    Why set default route 50.50.50.2 in example 1. Pls elaborate more

  17. Harris Andrea says

    February 28, 2024 at 8:52 am

    We are assuming that the default gateway (given to us by the ISP) is 50.50.50.2.

    Harris

  18. Mzito says

    April 12, 2024 at 1:12 pm

    Hello, thanks for this guide. However, I wish you would split the steps into distinct ones for (1) NAT and (2) PAT. I am new to Cisco but with such tutorials I know it’s a matter of time. I have a LAN with local IPs 10.10.10.x connected to a Cisco router that has fibre connected on the WAN with public IPs (192.168.1.x). How will I configure Cisco to forward local SMTP requests from a 10.10.10.x computer through the WAN to external mail servers such as Gmail (PAT)? (I don’t need to do any NAT.)

  19. Harris Andrea says

    April 15, 2024 at 6:26 am

    Hello Mzito

    For all traffic going from 10.10.10 to the Internet, you can just configure PAT. This will cover also outgoing SMTP requests to external gmail as you want.

    I hope this helps

    Harris

  20. Brian Stuart says

    June 5, 2024 at 11:05 pm

    Thanks for this tutorial. It works great if I explicitly set the global IP address, but what if the IP address on the outside interface is obtained by DHCP? Is there a way to specify the equivalent of ‘any’ for the global-ip in the ip nat … command?

    Thanks,

  21. Harris Andrea says

    June 6, 2024 at 10:54 am

    Brian, try to use the keyword “interface” instead of the actual Global IP address.

  22. Brian Stuart says

    June 7, 2024 at 4:37 pm

    That did the trick. Thanks much. For anyone who is following along, note that the interface keyword is followed by the name of the interface you want to specify.

    Thanks again, Harris.

  23. Harris Andrea says

    June 8, 2024 at 7:27 am

    Thanks Brian for your feedback.

    Harris

  24. Michal says

    August 21, 2024 at 9:32 am

    Hi Harris,
    I hope you can answer this question for me, because I’m looking for a special solution that robs me of sleep. Let us use your topology for this. The only difference is, imagine you also have to NAT the global outside IP address on the Ge0/1 interface so that the LAN network is not reached by a connection that has the IP address (60.60.60.2) as the source address but the private LAN address 192.168.1.1 as the source. As you can guess, the reason for all this razzle-dazzle is that I can’t route properly on the LAN network, but that’s another problem that I won’t discuss here.

    So, to summarize, I want to connect from the public network with destination address 50.50.50.1 on port 80 then be forwarded to the local network, but be natted on the way on the interface Ge0/1 to 192.168.1.1 and reach 192.168.1.10 on port 80.

    As an addition: I don’t assume that if this above would all work, additionally I wanted to initiate a connection with a public IP address from within the local network, because then I really wouldn’t know how to do it. But you are welcome to speak out about it! Is something like that even common?

    What do you think, can you help me?

  25. Harris Andrea says

    August 21, 2024 at 10:23 am

    @Michal
    I did not fully understand what you need to achieve.

    Quoting your words:

    “So, to summarize, I want to connect from the public network with destination address 50.50.50.1 on port 80 then be forwarded to the local network, but be natted on the way on the interface Ge0/1 to 192.168.1.1 and reach 192.168.1.10 on port 80”

    The above is simply achieved by the static NAT translation rule:

    “ip nat inside source static tcp 192.168.1.10 80 50.50.50.1 80”

    Any packet that hits IP 50.50.50.1 at port 80 will be translated (destination IP) to 192.168.10.1.

    Maybe you want to do source IP translation instead of destination IP translation ?

  26. Michal says

    August 21, 2024 at 10:45 am

    Hi Harris,
    with this configuration:
    “ip nat inside source static tcp 192.168.1.10 80 50.50.50.1 80”
    any connection that is destined for 50.50.50.1 80 will be translated to destination 192.168.1.10 (to the web server ip address). Yes.
    But now imagine that additionally on the way to 192.168.1.10 you want to make another translation, as you mentioned it, a source translation, from 60.60.60.2, to 192.168.1.1 – the ip address of the Ge0/1 interface. So web server says: “hello 192.168.1.1 here is your html” and sends it back to 192.168.1.1 to the source port, and then 192.168.1.1 to 50.50.50.1, and 50.50.50.1 to 60.60.60.2.

  27. Harris Andrea says

    August 22, 2024 at 6:37 am

    Michal, honestly I have never seen anything like this before (if I understand it correctly).
    I wonder why you need to do all this :)

  28. Michal says

    August 26, 2024 at 8:10 am

    Hi Harris,
    because if my local host would respond to any ip address other than the local one’s, it would send the connection to the physical default gateway, and this is not what I want. It should send the connection to another local host, where the connection is also sourced from. And no, unfortunately it is not possible to change that.

    In the end, it is the configuration like this:

    ! Configure interfaces
    interface F1/0
    ip address 192.168.1.2 255.255.255.0
    ip nat inside

    interface F0/0
    ip address 192.168.2.1 255.255.255.0
    ip nat outside

    ! Define ACL for PAT
    ip access-list standard NAT-ACL
    permit 192.168.1.0 0.0.0.255

    ! Configure PAT
    ip nat inside source list NAT-ACL interface F0/0 overload

    ! Configure port forwarding
    ip nat inside source static tcp 192.168.2.2 1234 192.168.1.2 5678

    But that is not working. I don’t know why.. NAT order? Or is it because you cannot NAT a connection twice?

    https://www.linkedin.com/pulse/how-double-nat-router-anton-izov
    I think this might be the solution. It is not the shortest way, but sounds promising.
