How to Configure Port Forwarding on Cisco Router (With Examples)

Written By Harris Andrea

Imagine the following situation: You are a network engineer and your boss or a customer wants you to build a cheap and easy solution to host a publicly accessible server (such as a web server, email server, VPN server, etc.) using only a regular Cisco router.

[Figure: network diagram of a Cisco router with port NAT]

In most network designs, you will see that the usual and “proper” way to protect publicly accessible servers is to place them behind a network firewall such as Cisco ASA, Fortigate, Checkpoint, Palo Alto etc.

In this article however we will discuss and explain how to achieve the above requirement using port forwarding with a Cisco router.

This option is good in low-budget networks, in remote offices, or in SMB networks that don’t have high requirements in terms of security etc.

Port Forwarding is a feature that can be used to provide access from the Internet to internal servers in a Local Network.

Port Forwarding is based on static NAT whereby the public IP address assigned to the outside WAN interface of the router is translated to an internal private IP address and port assigned to an internal server.

Let’s see the following basic network diagram to understand our scenario better. The following is also the most common topology found in real-world networks.

Network Scenario 1

[Figure: NAT forwarding traffic to a single server]

As shown in the network above, we have a LAN Network (192.168.1.0/24) with several users’ computers and also a Web Server.

I know that the above is not a good practice in terms of security because you should avoid placing a publicly-accessible server inside your internal LAN network. However, for the sake of explaining port forwarding, let’s assume we have the above setup.

We want to allow access from the Internet towards the Web Server (192.168.1.10) at port 80.

I know again that this is not a good practice because regular HTTP at port 80 is not encrypted and you should always use HTTPS at port 443.

For the sake of simplicity though let’s assume we have a Web Server listening at port 80.

Another requirement is to configure PAT (NAT overload or Port Address Translation) for allowing Outgoing traffic from the LAN network towards the Internet.

So, the router will have two different NAT types:

  1. NAT Overload (PAT) for translating all source IPs (192.168.1.x) for Outgoing traffic using the public WAN IP (50.50.50.1) assigned to Interface Ge0/0 of the router.
  2. Port Forwarding which will translate the destination IP and port 80 of Incoming traffic from the Internet into the private IP and port 80 of the Web Server. This means that incoming traffic hitting 50.50.50.1 at port 80 will be translated to destination IP 192.168.1.10 at port 80 (which is the Web Server address).

Let’s see how to configure the above.

Port Forwarding Configuration 1

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface gigabitEthernet 0/0
R1(config-if)#ip address 50.50.50.1 255.255.255.0
R1(config-if)#ip nat outside   <– Configure the WAN as NAT outside interface
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#

R1(config)#interface gigabitEthernet 0/1
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#ip nat inside <– Configure the LAN as NAT inside interface
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#

R1(config)#ip route 0.0.0.0 0.0.0.0 50.50.50.2  <– Configure default route

R1(config)#access-list 1 permit 192.168.1.0 0.0.0.255 <– Configure ACL to be used for PAT

R1(config)#ip nat inside source list 1 interface GigabitEthernet0/0 overload <– Configure PAT (NAT overload)

R1(config)#ip nat inside source static tcp 192.168.1.10 80 50.50.50.1 80 <– Configure Port Forwarding

R1(config)#end
R1#wr

NOTE:

The command which configures port forwarding has the following format:

ip nat inside source static { tcp | udp } local-ip local-port global-ip global-port [extendable]

So, from the configuration example above, the global-ip (WAN IP) 50.50.50.1 and port 80 will be translated to local-ip 192.168.1.10 port 80.

Verification

Let’s verify the port forwarding by observing the nat translations table:

R1#show ip nat translations

Pro Inside global      Inside local       Outside local      Outside global
tcp 50.50.50.1:80      192.168.1.10:80    ---                ---
tcp 50.50.50.1:80      192.168.1.10:80    60.60.60.2:1026    60.60.60.2:1026

The NAT table above shows that the Global IP 50.50.50.1 port 80 is mapped (translated) to Inside local 192.168.1.10:80.

Also, the table above shows that an Internet host (60.60.60.2) shown as Outside global has already accessed the Web server and created a NAT entry in the table.

Network Scenario 2

Let’s now see a slightly different topology that also uses port forwarding:

[Figure: two internal servers, Web and SMTP]

In the network above, we have two internal servers that we need to access from the Internet: the original Web Server (192.168.1.10) we have seen in the previous example and a new SMTP Server (192.168.1.11).

We will configure port forwarding on the Cisco router so that traffic hitting the public IP 50.50.50.1 at port 80 will be forwarded to the Web server and traffic hitting the WAN IP at port 25 (for SMTP) will be forwarded to the SMTP server.

Port Forwarding Configuration 2

The initial configuration of IP addresses, PAT, etc is the same as the previous example. Let’s only see how to configure Port Forwarding for the two internal servers.

R1(config)#ip nat inside source static tcp 192.168.1.10 80 50.50.50.1 80 <– Port Forwarding for Web Server

R1(config)#ip nat inside source static tcp 192.168.1.11 25 50.50.50.1 25 <– Port Forwarding for SMTP Server

Verification

Let’s verify again the port forwarding by observing the nat translations table:

R1#show ip nat translations

Pro Inside global      Inside local       Outside local      Outside global
tcp 50.50.50.1:25      192.168.1.11:25    ---                ---
tcp 50.50.50.1:25      192.168.1.11:25    65.12.60.10:1028   65.12.60.10:1028
tcp 50.50.50.1:80      192.168.1.10:80    ---                ---
tcp 50.50.50.1:80      192.168.1.10:80    60.60.60.2:1026    60.60.60.2:1026

As shown in the output above, we have NAT entries for 50.50.50.1 port 25 translated to 192.168.1.11 port 25.

Also, address 50.50.50.1 port 80 is translated to 192.168.1.10 port 80.
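The verification step above can be scripted when the table grows beyond a few lines. The following is an added example, not part of the original article: it reads saved `show ip nat translations` output, treats rows with empty outside columns as static forwards, and lists which Internet hosts are using each one. The function name `summarize` and the extra `udp` row (an outbound PAT entry with made-up addresses) are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample: the Scenario 2 table plus one outbound PAT row
# (192.168.1.50 and 8.8.8.8 are made-up values for illustration).
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 50.50.50.1:25      192.168.1.11:25    ---                ---
tcp 50.50.50.1:25      192.168.1.11:25    65.12.60.10:1028   65.12.60.10:1028
tcp 50.50.50.1:80      192.168.1.10:80    ---                ---
tcp 50.50.50.1:80      192.168.1.10:80    60.60.60.2:1026    60.60.60.2:1026
udp 50.50.50.1:4500    192.168.1.50:4500  8.8.8.8:53         8.8.8.8:53
"""

def summarize(table_text):
    """Return (report, other): static forwards with their remote peers,
    and rows that do not belong to any static forward (dynamic PAT)."""
    forwards = {}   # (proto, inside_global) -> inside_local
    sessions = []   # rows that carry outside addresses
    for line in table_text.splitlines():
        cols = line.split()
        if len(cols) != 5 or cols[0] not in ("tcp", "udp"):
            continue  # header, blank or unrelated line
        proto, in_global, in_local, _out_local, out_global = cols
        if out_global.strip("-\u2014") == "":
            forwards[(proto, in_global)] = in_local  # static entry
        else:
            sessions.append((proto, in_global, in_local, out_global))
    peers = defaultdict(set)
    other = []
    # Classify only after every static entry is known, so row order is irrelevant.
    for proto, in_global, in_local, out_global in sessions:
        if forwards.get((proto, in_global)) == in_local:
            peers[(proto, in_global)].add(out_global.rsplit(":", 1)[0])
        else:
            other.append((proto, in_local, out_global))
    report = {key: {"server": server, "peers": sorted(peers[key])}
              for key, server in forwards.items()}
    return report, other

if __name__ == "__main__":
    report, other = summarize(SAMPLE)
    for (proto, sock), info in report.items():
        print(proto, sock, "->", info["server"], "peers:", info["peers"])
    print("not tied to a static forward:", other)
```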

Other Configuration Options

Another configuration option with port forwarding is to have a different external port forwarded to a different internal port on the server.

R1(config)#ip nat inside source static tcp 192.168.1.10 80 50.50.50.1 8080

The above shows that traffic hitting the public IP 50.50.50.1 at port 8080 will be translated to the private IP 192.168.1.10 at port 80.

Another option would be to have two different public ports forwarded to two different ports on the same internal server:

R1(config)#ip nat inside source static tcp 192.168.1.10 80 50.50.50.1 80
R1(config)#ip nat inside source static tcp 192.168.1.10 22 50.50.50.1 22

The option above is useful when the same internal server (192.168.1.10) runs two different services, e.g. a Web server (port 80) and an SSH server (port 22).
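Every forwarding command in this article opens one port of the WAN address to the Internet, so it is worth reviewing them against a list of services that are meant to be public. The following is an added example, not part of the original article: it parses static port-forward lines in the format given earlier and reports entries that are not on an approved list. The `approved` set and the function names are assumptions; only lines in the `local-ip local-port global-ip global-port` form are recognised.

```python
import re
from ipaddress import ip_address

# ip nat inside source static {tcp|udp} local-ip local-port global-ip global-port [extendable]
STATIC_FWD = re.compile(
    r"^\s*ip nat inside source static (tcp|udp) "
    r"(\S+) (\d+) (\S+) (\d+)( extendable)?\s*$"
)

# Constructed sample: commands taken from this article's scenarios.
CONFIG = """\
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.1.10 80 50.50.50.1 80
ip nat inside source static tcp 192.168.1.11 25 50.50.50.1 25
ip nat inside source static tcp 192.168.1.10 22 50.50.50.1 22
"""

def parse_forwards(config_text):
    """Return (proto, local_ip, local_port, global_ip, global_port) tuples."""
    forwards = []
    for line in config_text.splitlines():
        m = STATIC_FWD.match(line)
        if m:
            proto, lip, lport, gip, gport, _ext = m.groups()
            ip_address(lip)  # raises ValueError on a malformed address
            ip_address(gip)
            forwards.append((proto, lip, int(lport), gip, int(gport)))
    return forwards

def audit(forwards, approved):
    """approved: set of (proto, global_port) pairs allowed to face the Internet."""
    findings, claimed = [], {}
    for proto, lip, lport, gip, gport in forwards:
        if (proto, gport) not in approved:
            findings.append(f"unapproved: {proto}/{gport} on {gip} -> {lip}:{lport}")
        if not ip_address(lip).is_private:
            findings.append(f"local address {lip} is not private")
        # The same global socket listed twice with different targets.
        owner = claimed.setdefault((proto, gip, gport), (lip, lport))
        if owner != (lip, lport):
            findings.append(
                f"conflict: {proto} {gip}:{gport} also maps to {owner[0]}:{owner[1]}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_forwards(CONFIG), {("tcp", 80), ("tcp", 25)}):
        print(finding)
```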

Clearing the NAT Translations Table

If you want to clear the NAT translations table, then use the following:

R1#clear ip nat translation *


About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. Vincent Marshall Sr says

    February 23, 2021 at 12:07 am

    Thanks Harris. Nice tutorial.

  2. Ochira Paul says

    February 23, 2021 at 5:45 am

    Great network scenario

  3. Harris Andrea says

    February 23, 2021 at 8:13 am

    Thanks a lot Vincent. I’m glad you liked it.

    Harris

  4. Harris Andrea says

    February 23, 2021 at 8:14 am

    Thanks Paul, I appreciate your feedback.

    Harris

  5. Sylvain JEANNEAUX says

    February 24, 2021 at 11:00 am

    Thanks a lot Harris, for all the information, tips and tricks you give!

    Applause from France

    Sylvain

  6. Harris Andrea says

    February 24, 2021 at 11:56 am

    Thanks Sylvain for commenting on this and for the feedback.

    Have a nice day

    Harris

  7. Cna says

    July 9, 2021 at 2:28 am

    What if an internal client wants to access the webserver using the public IP address?

  8. Harris Andrea says

    July 9, 2021 at 1:24 pm

    You need to see DNS Doctoring for this:

    https://community.cisco.com/t5/networking-documents/dns-doctoring-on-routers/ta-p/3113728

  9. wamique ali says

    May 16, 2022 at 5:56 pm

    Hi Harris,
    Can you suggest one of your books, simplifying the configuration for switches, routers and firewalls?

  10. Harris Andrea says

    May 17, 2022 at 6:31 am

    Hello, the CCNA 200-301 lab guide book (https://www.networkstraining.com/ccna-lab-guide/) will help you in the practical aspects of configuring Cisco routers and switches. Although it is for people studying for CCNA, it is also helpful for other professionals who just start out in the field.

    Now for the Cisco ASA firewalls, this book https://www.networkstraining.com/ciscoasaebook.php has been loved by thousands of people so it will be a very good resource for you as well.

    Harris

  11. Umang says

    January 31, 2023 at 7:11 am

    Can you please give the pka file to this demo?

  12. Harris Andrea says

    January 31, 2023 at 11:07 am

    Sorry I don’t have it. The demo was done on real devices.

    Harris
