
Port Forwarding using Static NAT

November 25th, 2009

I was recently asked a question about port numbers on web servers. This answer applies to any DMZ host, whether HTTP, FTP, Telnet or SSH.

The question as phrased was:

If you decided to use a different port for your web server (say port 8080), how would a user make requests to your web server?

If the web server's internal private address was 192.168.0.5 and your outside (ISP-allocated) router address (on serial 0/0, let's say) was 171.68.1.1, you could use PAT to make a one-to-one mapping between the outside address and port number and the inside address and port number:

ip nat inside source static tcp 192.168.0.5 8080 171.68.1.1 80 extendable

The only visible IP address for public Internet users to reach the Web server is 171.68.1.1. Therefore, the NAT router is configured to perform a one-to-one mapping between IP address 171.68.1.1 port 80 and 192.168.0.5 port 8080.

This mapping allows Internet users on the public side to have access to the internal Web server.

e.g.

interface s0/0
ip address 171.68.1.1 255.255.255.240
ip nat outside
!
ip nat inside source list 1 interface s0/0 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255

The overload keyword lets many concurrent sessions share the single outside address: the NAT table keeps a port mapping for each session, so every outside address and port pair in the table is unique, e.g.:

Two sessions:

Router#show ip nat translation
Pro Inside global      Inside local        Outside local         Outside global
tcp 171.68.1.1:80      192.168.0.5:8080    ---                   ---
tcp 171.68.1.1:80      192.168.0.5:8080    198.133.219.1:11000   198.133.219.1:11000
tcp 171.68.1.1:80      192.168.0.5:8080    ---                   ---
tcp 171.68.1.1:80      192.168.0.5:8080    198.160.100.1:12640   198.160.100.1:12640

Oh, and before anyone asks: if another outside global address happened to choose the same randomly generated source port number (e.g. 12640), the NAT table will just use the next available one (say, 12641).
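Added here as an illustration, not IOS code or the page's own: a small Python model of the translation table that covers the static inbound rule above, the overload allocation of outside ports for inside sessions, and the "next available port" collision case. The inside hosts 192.168.0.10/.11 and the port-preserving allocation rule are assumptions of the model, not IOS's actual algorithm.

```python
from dataclasses import dataclass, field

# Values from the page: "ip nat inside source static tcp 192.168.0.5 8080 171.68.1.1 80"
OUTSIDE_IP = "171.68.1.1"
STATIC_RULES = {("tcp", OUTSIDE_IP, 80): ("192.168.0.5", 8080)}


@dataclass
class NatTable:
    """Simplified PAT table: static inbound rules plus 'overload' for outbound flows."""
    static: dict
    outside_ip: str
    dynamic: dict = field(default_factory=dict)  # (proto, inside_ip, inside_port) -> global port
    in_use: set = field(default_factory=set)     # global ports already handed out

    def inbound(self, proto, dst_ip, dst_port):
        """Packet arriving on the outside interface: only an explicit static rule lets it in.
        None means there is no mapping, i.e. the router has nothing to forward it to."""
        return self.static.get((proto, dst_ip, dst_port))

    def outbound(self, proto, src_ip, src_port):
        """Flow from an inside host: reuse its existing entry, otherwise allocate a global port.
        The inside port is kept when free (assumed rule); on a collision, or if a static rule
        already owns the port, the next available one is used, as in the 12640 -> 12641 case."""
        key = (proto, src_ip, src_port)
        if key in self.dynamic:
            return self.outside_ip, self.dynamic[key]
        port = src_port
        while port in self.in_use or (proto, self.outside_ip, port) in self.static:
            port += 1
            if port > 65535:
                raise RuntimeError("global port pool exhausted")
        self.in_use.add(port)
        self.dynamic[key] = port
        return self.outside_ip, port


def demo():
    """Constructed traffic: one inbound web request, two inside hosts colliding on port 12640."""
    table = NatTable(static=STATIC_RULES, outside_ip=OUTSIDE_IP)
    return {
        "web_in": table.inbound("tcp", OUTSIDE_IP, 80),          # -> ('192.168.0.5', 8080)
        "other_in": table.inbound("tcp", OUTSIDE_IP, 8080),      # -> None, 8080 is not exposed
        "host_a": table.outbound("tcp", "192.168.0.10", 12640),  # -> ('171.68.1.1', 12640)
        "host_b": table.outbound("tcp", "192.168.0.11", 12640),  # -> ('171.68.1.1', 12641)
    }
```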
