Networks Training

You are here: Home / Cisco Routers / How to Configure Port Forwarding on Cisco Router (With Examples)

How to Configure Port Forwarding on Cisco Router (With Examples)

Written By

Imagine the following situation: You are a network engineer and your boss or a customer wants you to build a cheap and easy solution to host a publicly accessible server (such as Webserver, Email server, VPN server etc) using only a regular Cisco router.

network diagram of cisco router with port nat

In most network designs, you will see that the usual and “proper” way to protect publicly accessible servers is to place them behind a network firewall such as Cisco ASA, Fortigate, Checkpoint, Palo Alto etc.

In this article however we will discuss and explain how to achieve the above requirement using port forwarding with a Cisco router.

This option is good in low-budget networks, in remote offices, or in SMB networks that don’t have high requirements in terms of security etc.

Port Forwarding is a feature that can be used to provide access from the Internet to internal servers in a Local Network.

Port Forwarding is based on static NAT whereby the public IP address assigned to the outside WAN interface of the router is translated to an internal private IP address and port assigned to an internal server.

Let’s see the following basic network diagram to understand our scenario better. The following is also the most common topology found in real-world networks.

Network Scenario 1

nat forward traffic to single server

As shown from the network above, we have a LAN Network (192.168.1.0/24) with several users’ computers and also a Web Server.

I know that the above is not a good practice in terms of security because you should avoid placing a publicly-accessible server inside your internal LAN network. However, for the sake of explaining port forwarding, let’s assume we have the above setup.

We want to allow access from the Internet towards the Web Server (192.168.1.10) at port 80.

I know again that this is not a good practice because regular HTTP at port 80 is not encrypted and you should always use HTTPs at port 443.

For the sake of simplicity though let’s assume we have a Web Server listening at port 80.

Another requirement is to configure PAT (NAT overload or Port Address Translation) for allowing Outgoing traffic from the LAN network towards the Internet.

MORE READING:  Configuring High Availability using HSRP and Boolean Object Tracking

So, the router will have two different NAT types:

  1. NAT Overload (PAT) for translating all source IPs (192.168.1.x) for Outgoing traffic using the public WAN IP (50.50.50.1) assigned to Interface Ge0/0 of the router.
  2. Port Forwarding which will translate the destination IP and port 80 of Incoming traffic from the Internet into the private IP and port 80 of the Web Server. This means that incoming traffic hitting 50.50.50.1 at port 80 will be translated to destination IP 192.168.1.10 at port 80 (which is the Web Server address).

  Let’s see how to configure the above.

Port Forwarding Configuration 1

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface gigabitEthernet 0/0
R1(config-if)#ip address 50.50.50.1 255.255.255.0
R1(config-if)#ip nat outside   <– Configure the WAN as NAT outside interface
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#

R1(config)#interface gigabitEthernet 0/1
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#ip nat inside <– Configure the LAN as NAT inside interface
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#

R1(config)#ip route 0.0.0.0 0.0.0.0 50.50.50.2  <– Configure default route

R1(config)#access-list 1 permit 192.168.1.0 0.0.0.255 <– Configure ACL to be used for PAT

R1(config)#ip nat inside source list 1 interface GigabitEthernet0/0 overload <– Configure PAT (NAT overload)

R1(config)#ip nat inside source static tcp 192.168.1.10 80 50.50.50.1 80 <– Configure Port Forwarding

R1(config)#end
R1#wr

NOTE:

The command which configures port forwarding has the following format:

ip nat inside source static { tcp | udp } local-ip local-port global-ip global-port [extendable]

So, from the configuration example above, the global-ip (WAN IP) 50.50.50.1 and port 80 will be translated to local-ip 192.168.1.10 port 80.

Verification

Let’s verify the port forwarding by observing the nat translations table:

R1#show ip nat translations

Pro  Inside global     Inside local       Outside local      Outside global
tcp 50.50.50.1:80      192.168.1.10:80    —                —
tcp 50.50.50.1:80      192.168.1.10:80    60.60.60.2:1026    60.60.60.2:1026

The NAT table above shows that the Global IP 50.50.50.1 port 80 is mapped (translated) to Inside local 192.168.1.10:80.

Also, the table above shows that an Internet host (60.60.60.2) shown as Outside global has already accessed the Web server and created a NAT entry in the table.

Network Scenario 2

Let’s now see a slightly different topology with using port forwarding:

MORE READING:  Lan-to-Lan IPSEC VPN Between Cisco Routers - Configuration Example

two internal servers web and smtp

In the network above, we have two internal servers that we need to access from the Internet. The original Web Server (192.168.1.10) we have seen in the previous example and a new SMTP Server (192.168.1.11).

We will configure port forwarding on the Cisco router so that traffic hitting the public IP 50.50.50.1 at port 80 will be forwarded to the Web server and traffic hitting the WAN IP at port 25 (for SMTP) will be forwarded to the SMTP server.

Port Forwarding Configuration 2

The initial configuration of IP addresses, PAT, etc is the same as the previous example. Let’s only see how to configure Port Forwarding for the two internal servers.

R1(config)#ip nat inside source static tcp 192.168.1.10 80 50.50.50.1 80 <– Port Forwarding for Web Server

R1(config)#ip nat inside source static tcp 192.168.1.11 25 50.50.50.1 25 <– Port Forwarding for SMTP Server

Verification

Let’s verify again the port forwarding by observing the nat translations table:

R1#show ip nat translations

Pro  Inside global     Inside local       Outside local      Outside global
tcp 50.50.50.1:25      192.168.1.11:25    —                —
tcp 50.50.50.1:25      192.168.1.11:25    65.12.60.10:1028   65.12.60.10:1028
tcp 50.50.50.1:80      192.168.1.10:80    —                —
tcp 50.50.50.1:80      192.168.1.10:80    60.60.60.2:1026    60.60.60.2:1026

As shown from the output above, we have NAT entries for 50.50.50.1 port 25 translated to 192.168.1.11 port 25.

Also, address 50.50.50.1 port 80 is translated to 192.168.1.10 port 80.

Other Configuration Options

Another configuration option with port forwarding is to have a different external port forwarded to a different internal port on the server.

R1(config)#ip nat inside source static tcp 192.168.1.10 80 50.50.50.1 8080

The above shows that traffic hitting the public IP 50.50.50.1 at port 8080 will be translated to the private IP 192.168.1.10 at port 80.

Another option would be to have two different public ports forwarded to two different ports on the same internal server:

R1(config)#ip nat inside source static tcp 192.168.1.10 80 50.50.50.1 80
R1(config)#ip nat inside source static tcp 192.168.1.10 22 50.50.50.1 22

The option above is useful when the same internal server (192.168.1.10) runs two different services, e.g a Web server (port 80) and an SSH server (port 22).

Clearing the NAT Translations Table

If you want to clear the NAT translations table, then use the following:

R1#clear ip nat translation *

Related Posts

Filed Under: Cisco Routers

Download Free Cisco Commands Cheat Sheets

Enter your Email below to Download our Free Cisco Commands Cheat Sheets for Routers, Switches and ASA Firewalls.

We use Elastic Email as our marketing automation service. By submitting this form, you agree that the information you provide will be transferred to Elastic Email for processing in accordance with their Terms of Use and Privacy Policy. Also, you allow me to send you informational and marketing emails from time-to-time.

About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  5. Sylvain JEANNEAUX says

    Thanks a lot Harris, for all the informations, tips an tricks you give !

    Applause from France

    Sylvain

  7. Cna says

    what if an internal client want’s to access the webserver using the public ip address?

  9. wamique ali says

    Hi Harris,
    Can you suggest one of your book, simplifying the configuration for switches,router and firewall.

  10. Harris Andrea says

    Hello, the CCNA 200-301 lab guide book (https://www.networkstraining.com/ccna-lab-guide/) will help you in the practical aspects of configuring Cisco routers and switches. Although it is for people studying for CCNA, it is also helpful for other professionals who just start out in the field.

    Now for the Cisco ASA firewalls, this book https://www.networkstraining.com/ciscoasaebook.php has been loved my thousands of people so it will be a very good resource for you as well.

    Harris

  13. Niru says

    This is a very well done write up. Thanks so much for taking the time to put this together. I found it very useful as a tool to get a new Data Center up and running remotely over the Internet with no Public IP address space available to us initially, other than the provider Uplink. I do need some guidance though. We have a WTI console server that I need to be able to SSH to from outside, however, when I try to configure port forwarding for SSH on port 22 on the router it tells me that “port 22 is being used by the system”. The command I used is identical to yours from above, i.e. ip nat inside source static tcp 192.168.1.10 22 50.50.50.1 22

  14. Harris Andrea says

    Niru

    You will need to configure a different global (outside) port for SSH, lets say 2222 instead of 22.
    So the command will be:

    ip nat inside source static tcp 192.168.1.10 22 50.50.50.1 2222

    Then from outside you will need to SSH to 50.50.50.1 at port 2222

    Harris

  15. Rich says

    Does port forwarding only allow access to a router from the net. So it isn’t possible to connect from a router over the internet to another machine with the local IP/or network IP on the net.

    So I can’t connect to another system remotely.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About Networks Training

We Provide Technical Tutorials and Configuration Examples about TCP/IP Networks with focus on Cisco Products and Technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.

Amazon Disclosure

As an Amazon Associate I earn from qualifying purchases.
Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.

BLOGROLL

Tech21Century
Firewall.cx