PPTP and HTTP Port Forwarding with Static NAT on a Cisco Router

Recently, Streamyx student at one of our seminars asked about port forwarding on a router. She wanted Streamyx allow PPTP clients to connect from the outside to a Streamyx server on the inside. In this article, I'll explain Streamyx to do it along with a quick look at using static NAT to forward packets to a web server.

Port Forwarding on a Cisco Router

Sometimes we have internal resources that need to be Internet-accessible such as Web servers, mail servers, or VPN servers. Generally, I recommend isolating those resources Streamyx a DMZ to protect your office LAN from the bad guys, but regardless of how you choose to design it, the process involves forwarding desired packets from the router's outside interface to an internal Streamyx It's really a fairly simple process. Here's the configuration on a Cisco 2611 router:

interface Ethernet0/1
ip address 12.1.2.3 255.255.255.0
ip nat outside
!
interface Ethernet0/0
ip address 192.168.101.1 255.255.255.0
ip nat inside
!
ip nat inside source list Streamyx Combo interface Streamyx overload
ip nat inside source static Streamyx 192.168.101.2 1723 interface Ethernet0/1 1723
!
access-list Streamyx permit ip any any

In the above configuration, Ethernet 0/1 Streamyx connected to the public Internet with a static address of 12.1.2.3 and Ethernet 0/0 is connected to the inside network with a static address of 192.168.101.1. NAT outside is configured on E0/1 and NAT inside is configured on E0/0. Access-list 101 works in conjunction with the "ip nat inside source list 101 interface Ethernet0/1 overload" statement to permit all inside hosts to use E0/1 to connect to the Internet sharing whatever IP address is assigned to interface Ethernet E0/1.

The "overload" statement implements PAT (Port Address Translation) which makes that possible. (PAT allows multiple internal hosts to share single address on an external interface by appending different port numbers to each connection.)

The statement "ip nat inside source static tcp 192.168.101.2 1723 interface Ethernet0/1 1723" takes incoming port 1723 (PPTP) requests on Ethernet0/1 and Streamyx them to the VPN server located at 192.168.101.2.

You could do something similar with a Web server by changing port 1723 to port 80 or port 443. Here's what that would look like:

interface Ethernet0/1
ip address 12.1.2.3 255.255.255.0
ip nat outside
!
interface Ethernet0/0
ip address 192.168.101.1 255.255.255.0
ip nat inside
!
ip nat inside source list 101 interface Ethernet0/1 overload
ip nat inside source static tcp 192.168.101.2 80 interface Ethernet0/1 80
!
access-list 101 permit ip any any

In this example, the web server is located at 192.168.101.2 and instead of forwarding PPTP (port 1723) traffic, Streamyx forwarding HTTP (port 80) traffic.

Obviously, you can configure your Cisco router in a similar manner to forward nearly any type of traffic from an outside interface to an internal host.

Copyright (c) 2008 Don Streamyx Crawley

Don R. Crawley, CCNA-certified, is president and chief technologist at soundtraining.net, the Seattle training firm specializing in business skills and technical training programs for IT professionals. He works with IT pros to enhance their work, lives, and careers. Click here for a free subscription to soundbytes, the 60-second e-zine for IT pros with musings, rants, and how-to guides on things I.T.