
Port Forwarding using Static NAT

November 25th, 2009

I was recently asked a question about port numbers on web servers. This answer will apply to any DMZ host, whether http, ftp, telnet or ssh.

The question as phrased was:

If you decided to use a different port for your web server (say port 8080), how would a user make requests to your web server?

If your internal private address for the web server was and your outside (ISP-allocated) router address (serial 0/0, let's say) was, you could use PAT to make a one-to-one mapping between the outside address and port number to the inside address and port number:

ip nat inside source static tcp 8080 80 extendable

The only visible IP address for public Internet users to reach the Web server is Therefore, the NAT router is configured to perform a one-to-one mapping between IP address port 80 and port 8080.

This mapping allows Internet users on the public side to have access to the internal Web server.


interface s0/0
 ip address
 ip nat outside
ip nat inside source list 1 interface s0/0 overload
access-list 1 permit

The overload keyword enables multiple concurrent sessions. The NAT table will maintain a mapping of ports for each session. All source IPs will be unique, e.g.:

Two sessions:

Router#show ip nat translation
Pro Inside global Inside local Outside local Outside global
tcp — —
tcp — —

Oh, and before anyone asks, if another outside global address happened to choose the same randomly generated source port number (e.g. 12640), the NAT table will just use the next available (say, 12641).
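
The static port forward and the overload port allocation described above, as an added Python model that is not from the original post and is not IOS's real algorithm. The 10.0.0.x and 203.0.113.1 addresses are constructed, and the collision rule (take the next free port) follows the post's description.

```python
# Simplified model of the NAT table described above; not IOS's real algorithm.
# All addresses are constructed for illustration (assumptions, not from the page).
INSIDE_WEB = "10.0.0.10"      # internal web server, listening on 8080
OUTSIDE_IP = "203.0.113.1"    # router's outside interface address

class NatTable:
    def __init__(self, outside_ip):
        self.outside_ip = outside_ip
        self.static = {}    # (proto, global_port) -> (local_ip, local_port)
        self.dynamic = {}   # same shape, created by outbound PAT sessions

    def add_static(self, proto, local_ip, local_port, global_port):
        """Static port forward: outside_ip:global_port <-> local_ip:local_port."""
        self.static[(proto, global_port)] = (local_ip, local_port)

    def outbound(self, proto, local_ip, local_port):
        """Translate an inside source address to (outside_ip, port)."""
        src = (local_ip, local_port)
        for (p, gport), local in self.static.items():
            if p == proto and local == src:       # static entries work both ways
                return self.outside_ip, gport
        for port in range(local_port, 65536):     # overload: keep the port if free
            owner = self.static.get((proto, port)) or self.dynamic.get((proto, port))
            if owner is None or owner == src:     # free, or this session's own entry
                self.dynamic.setdefault((proto, port), src)
                return self.outside_ip, port
        raise RuntimeError("no free translation port")

    def inbound(self, proto, dst_port):
        """Look up a packet sent to outside_ip; None means no entry (dropped)."""
        key = (proto, dst_port)
        return self.static.get(key) or self.dynamic.get(key)


def demo():
    nat = NatTable(OUTSIDE_IP)
    nat.add_static("tcp", INSIDE_WEB, 8080, 80)
    return {
        "web": nat.inbound("tcp", 80),                       # reaches the server
        "direct_8080": nat.inbound("tcp", 8080),             # no mapping: None
        "server_reply": nat.outbound("tcp", INSIDE_WEB, 8080),
        "host_a": nat.outbound("tcp", "10.0.0.20", 12640),   # keeps 12640
        "host_b": nat.outbound("tcp", "10.0.0.21", 12640),   # moved to 12641
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The model keys sessions on protocol and port only; a real NAT table also tracks the outside peer of each session, as the Outside local and Outside global columns show.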
