PPTP and HTTP Port Forwarding with Static NAT on a Cisco router
Copyright (c) 2008 Don R. Crawley
Recently a student in one of our seminars asked about port forwarding on a router. She wanted PPTP clients on the outside to be able to connect to a VPN server on the inside of her network. In this article I'll explain how to do that, and then look at using static NAT in the same way to send packets to a web server.
Port Forwarding on a Cisco router
Sometimes we have internal resources that need to be accessible from the Internet, such as web servers, mail servers or VPN servers. In general, I recommend isolating those resources in a DMZ separate from your LAN to protect against attackers, but whichever design you choose, the process of forwarding packets that arrive on the router's outside interface to an internal host is the same. It is really a fairly simple process. Here is the configuration on a Cisco 2611:
interface Ethernet0/1
 ip address 12.1.2.3 255.255.255.0
 ip nat outside
!
interface Ethernet0/0
 ip address 192.168.101.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 101 interface Ethernet0/1 overload
ip nat inside source static tcp 192.168.101.2 1723 interface Ethernet0/1 1723
!
access-list 101 permit ip any any
In the above configuration, Ethernet0/1 is connected to the Internet with a static address of 12.1.2.3 and Ethernet0/0 is connected to the inside network with a static address of 192.168.101.1. NAT is configured as "outside" on E0/1 and as "inside" on E0/0. Access-list 101 works in conjunction with the "ip nat inside source list 101 interface Ethernet0/1 overload" statement so that all inside hosts can connect to the Internet using the IP address assigned to interface Ethernet0/1.
The "overload" keyword enables PAT (Port Address Translation), which is what makes this possible. (PAT allows multiple internal hosts to share a single address on the external interface by using a different port number for each connection.)
The "ip nat inside source static tcp 192.168.101.2 1723 interface Ethernet0/1 1723" statement takes incoming port 1723 (PPTP) requests arriving on Ethernet0/1 and forwards them to the VPN server at 192.168.101.2.
You could do something similar for a web server by changing port 1723 to port 80 or port 443. Here's what it would look like:
interface Ethernet0/1
 ip address 12.1.2.3 255.255.255.0
 ip nat outside
!
interface Ethernet0/0
 ip address 192.168.101.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 101 interface Ethernet0/1 overload
ip nat inside source static tcp 192.168.101.2 80 interface Ethernet0/1 80
!
access-list 101 permit ip any any
In this example, the web server is at 192.168.101.2 and, instead of forwarding PPTP (port 1723) traffic, we are forwarding HTTP (port 80) traffic.
Of course, you can configure your Cisco router in a similar way to forward any type of traffic arriving on an external interface to an internal host.
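The two configurations above each forward a single port. As an added example that is not part of the original article, here is one configuration that forwards PPTP (TCP 1723), HTTP (TCP 80) and HTTPS (TCP 443) to the same inside host, using the article's addresses and interface names. It also narrows access-list 101 from "permit ip any any" to the inside subnet, so that only packets actually sourced from the LAN are eligible for translation; the interface descriptions and the verification commands at the end are assumptions about a typical deployment, not something the article specifies.

```cisco
! Added example (not from the original article): one Cisco 2611 forwarding
! PPTP and HTTP/HTTPS to the inside host 192.168.101.2, with the NAT
! source list scoped to the inside subnet.  Addresses and interface
! names follow the article; the descriptions are assumed.
interface Ethernet0/1
 description Outside (Internet)
 ip address 12.1.2.3 255.255.255.0
 ip nat outside
!
interface Ethernet0/0
 description Inside (LAN)
 ip address 192.168.101.1 255.255.255.0
 ip nat inside
!
! PAT for outbound connections from inside hosts ("overload" = many-to-one).
ip nat inside source list 101 interface Ethernet0/1 overload
!
! Static port forwards.  Each entry exposes exactly one TCP port of the
! inside host on the outside interface's address; no other port of
! 192.168.101.2 becomes reachable from the Internet.
ip nat inside source static tcp 192.168.101.2 1723 interface Ethernet0/1 1723
ip nat inside source static tcp 192.168.101.2 80 interface Ethernet0/1 80
ip nat inside source static tcp 192.168.101.2 443 interface Ethernet0/1 443
!
! Only the inside subnet is eligible for translation.  The article's
! "permit ip any any" also works, but a list scoped to the LAN will not
! translate packets from addresses that should never appear on E0/0.
access-list 101 permit ip 192.168.101.0 0.0.0.255 any
!
! Verification (privileged EXEC, not configuration commands):
!   show ip nat translations   - lists the static entries and active PAT sessions
!   show ip nat statistics     - confirms which interfaces are inside and outside
```

One caveat when forwarding PPTP: the TCP 1723 entry only covers the PPTP control connection. The tunnel data itself is carried in GRE (IP protocol 47), which IOS NAT translates through its PPTP ALG alongside the TCP session, so no separate static entry is needed for it, but any access list you place on the outside interface must still allow GRE to the router's address or the VPN will authenticate and then fail to pass traffic.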