Copyright (c) 2008 Don R. Crawley

Recently, a student at one of our seminars asked about port forwarding on a router. She wanted to allow PPTP clients to connect from the outside to a VPN server on the inside. In this article, I'll explain how to do it, along with a quick look at using static NAT to forward packets to a web server.

Port Forwarding on a Cisco Router

Sometimes we have internal resources that need to be Internet-accessible, such as Web servers, mail servers, or VPN servers. Generally, I recommend isolating those resources in a DMZ to protect your office LAN from the bad guys, but regardless of how you choose to design it, the process involves forwarding the desired packets from the router's outside interface to an internal host. It's really a fairly simple process. Here's the configuration on a Cisco 2611 router:

interface Ethernet0/1
ip address 12.1.2.3 255.255.255.0
ip nat outside
!
interface Ethernet0/0
ip address 192.168.101.1 255.255.255.0
ip nat inside
!
ip nat inside source list 101 interface Ethernet0/1 overload
ip nat inside source static tcp 192.168.101.2 1723 interface Ethernet0/1 1723
!
access-list 101 permit ip any any

In the above configuration, Ethernet 0/1 is connected to the public Internet with a static address of 12.1.2.3 and Ethernet 0/0 is connected to the inside network with a static address of 192.168.101.1. NAT outside is configured on E0/1 and NAT inside is configured on E0/0. Access-list 101 works in conjunction with the "ip nat inside source list 101 interface Ethernet0/1 overload" statement to permit all inside hosts to use E0/1 to connect to the Internet, sharing whatever IP address is assigned to interface E0/1.

The "overload" keyword implements PAT (Port Address Translation), which makes that possible. (PAT allows multiple internal hosts to share a single address on an external interface by using a different port number for each connection.)

The statement "ip nat inside source static tcp 192.168.101.2 1723 interface Ethernet0/1 1723" takes incoming port 1723 (PPTP) requests on Ethernet0/1 and forwards them to the VPN server located at 192.168.101.2.

You could do something similar with a Web server by changing port 1723 to port 80 or port 443. Here's what that would look like:

interface Ethernet0/1
ip address 12.1.2.3 255.255.255.0
ip nat outside
!
interface Ethernet0/0
ip address 192.168.101.1 255.255.255.0
ip nat inside
!
ip nat inside source list 101 interface Ethernet0/1 overload
ip nat inside source static tcp 192.168.101.2 80 interface Ethernet0/1 80
!
access-list 101 permit ip any any

In this example, the web server is located at 192.168.101.2 and, instead of forwarding PPTP (port 1723) traffic, we're forwarding HTTP (port 80) traffic. Obviously, you can configure your Cisco router in a similar manner to forward nearly any type of traffic from an outside interface to an internal host.
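The two configurations above describe a static port forward and PAT in prose. The following Python script is an added example, not part of the article and not Cisco software: it parses a copy of the article's configuration and simulates the router's translation decisions so both halves can be seen together, the static entry forwarding inbound port 1723 (or 80, in the web-server variant) to 192.168.101.2, and the "overload" statement translating outbound inside hosts onto 12.1.2.3 with a distinct port per session, subject to access-list 101. The PAT port-selection rule used here (keep the inside host's source port if it is free, otherwise walk to the next free one) is a simplification of IOS behaviour, and the inside hosts 192.168.101.50, 192.168.101.51 and 10.9.9.9 are constructed sample values.

```python
"""Simulate the NAT behaviour produced by the article's router configuration.

Added example (not the article's or Cisco's code). Parses the NAT-relevant
statements from an IOS-style config and models inbound/outbound translation.
"""
import re
from dataclasses import dataclass, field

# Constructed copy of the PPTP configuration shown in the article.
ROUTER_CONFIG = """
interface Ethernet0/1
ip address 12.1.2.3 255.255.255.0
ip nat outside
!
interface Ethernet0/0
ip address 192.168.101.1 255.255.255.0
ip nat inside
!
ip nat inside source list 101 interface Ethernet0/1 overload
ip nat inside source static tcp 192.168.101.2 1723 interface Ethernet0/1 1723
!
access-list 101 permit ip any any
"""


@dataclass
class NatConfig:
    addrs: dict = field(default_factory=dict)    # interface name -> IPv4 address
    outside_if: str = ""                         # interface carrying "ip nat outside"
    static: dict = field(default_factory=dict)   # (proto, outside port) -> (inside ip, inside port)
    overload_list: str = ""                      # access-list number named in the "overload" statement
    acls: dict = field(default_factory=dict)     # list number -> [(network, wildcard)]; ("any", "") = any


def parse_config(text):
    """Extract the NAT-relevant statements from an IOS-style configuration."""
    cfg, current = NatConfig(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"interface (\S+)", line):
            current = m.group(1)
        elif m := re.fullmatch(r"ip address (\S+) \S+", line):
            cfg.addrs[current] = m.group(1)
        elif line == "ip nat outside":
            cfg.outside_if = current
        elif m := re.fullmatch(r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)", line):
            proto, in_ip, in_port, _out_if, out_port = m.groups()
            cfg.static[(proto, int(out_port))] = (in_ip, int(in_port))
        elif m := re.fullmatch(r"ip nat inside source list (\d+) interface \S+ overload", line):
            cfg.overload_list = m.group(1)
        elif m := re.fullmatch(r"access-list (\d+) permit ip (.+)", line):
            tok = m.group(2).split()   # "any" or "<network> <wildcard>", destination ignored here
            cfg.acls.setdefault(m.group(1), []).append(("any", "") if tok[0] == "any" else (tok[0], tok[1]))
    return cfg


def _ip(dotted):
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")


def acl_permits(entries, src_ip):
    """IOS wildcard match: bits set in the wildcard mask are ignored when comparing."""
    for net, wild in entries:
        if net == "any" or (_ip(src_ip) | _ip(wild)) == (_ip(net) | _ip(wild)):
            return True
    return False


class Translator:
    def __init__(self, cfg):
        self.cfg = cfg
        self.outside_ip = cfg.addrs[cfg.outside_if]
        self.sessions = {}  # dynamic PAT entries: (proto, outside port) -> (inside ip, inside port)

    def inbound(self, proto, dst_ip, dst_port):
        """Packet arriving on the outside interface; returns the inside destination, or None if dropped."""
        if dst_ip != self.outside_ip:
            return None
        # A static entry is the port forward; otherwise only replies to live PAT sessions get through.
        return self.cfg.static.get((proto, dst_port)) or self.sessions.get((proto, dst_port))

    def outbound(self, proto, src_ip, src_port):
        """Inside host opening a connection; returns the translated source, or None if not translated."""
        for (p, out_port), inside in self.cfg.static.items():
            if p == proto and inside == (src_ip, src_port):
                return (self.outside_ip, out_port)      # a static entry translates in both directions
        for (p, out_port), inside in self.sessions.items():
            if p == proto and inside == (src_ip, src_port):
                return (self.outside_ip, out_port)      # an existing session keeps its port
        if not acl_permits(self.cfg.acls.get(self.cfg.overload_list, []), src_ip):
            return None                                 # host is not matched by the NAT access-list
        port = src_port                                 # simplification: keep the source port if free...
        while (proto, port) in self.sessions or (proto, port) in self.cfg.static:
            port = port + 1 if port < 65535 else 1024   # ...otherwise walk to the next free one
        self.sessions[(proto, port)] = (src_ip, src_port)
        return (self.outside_ip, port)


if __name__ == "__main__":
    t = Translator(parse_config(ROUTER_CONFIG))
    print("inbound 12.1.2.3:1723 ->", t.inbound("tcp", "12.1.2.3", 1723))
    print("inbound 12.1.2.3:80   ->", t.inbound("tcp", "12.1.2.3", 80))
    print("outbound .50:40000    ->", t.outbound("tcp", "192.168.101.50", 40000))
    print("outbound .51:40000    ->", t.outbound("tcp", "192.168.101.51", 40000))
```

Running the script shows the asymmetry the article relies on: inbound traffic to 12.1.2.3 reaches an inside host only through the static entry or as a reply to a session an inside host already opened, while two inside hosts using the same source port come out on 12.1.2.3 with different ports. Replacing the static line's two occurrences of 1723 with 80 reproduces the web-server variant.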