Cisco NAT


IFM supplies network engineering services for $NZ200+GST per hour. If you require assistance with designing or engineering a Cisco network - hire us!

This recipe shows how to configure a Cisco router to forward traffic received on one IP address and port to another IP address and port. On DSL routers in New Zealand this process is commonly known as port forwarding. It is a static NAT entry; because it maps a single port rather than a whole address, Cisco documentation also calls it static PAT.

To cut a long story short, this is the process you want to use if you have a Cisco DSL router and an internal mail or WWW server that must be reachable from the Internet.

WARNING: This should not be attempted by people not experienced with Cisco IOS. If you don't understand something here, get a professional to help you.

There are two steps to getting the port forwarding to work:

  1. Allow the desired traffic into the router.

     In the cookbooks on this WWW site, access-list 101 is applied inbound on the Internet-facing interface (Dialer0) and controls what is allowed into the router from the Internet. The list ends with an implicit deny, so traffic for your server is dropped until you add a permit entry for it. Add the entry just above the current permit entries, so that the deny lines that block spoofed private-address sources stay first. A modified access-list that allows SMTP (tcp port 25) and HTTP (tcp port 80) might look like:

    interface Dialer0 
    ...
    ip access-group 101 in
    ...

    access-list 101 remark Traffic allowed to enter the router from Internet
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip any host 255.255.255.255
    ! This allows inbound SMTP traffic.
    access-list 101 permit tcp any any eq 25
    ! This allows inbound HTTP traffic.
    access-list 101 permit tcp any any eq 80
    access-list 101 permit udp any eq isakmp any eq isakmp
    access-list 101 permit tcp any any eq 1723

     The inbound list is checked before the NAT translation, so the destination address it sees is the router's public address, not the server's. The destination is written as "any" because a DSL router's address is usually assigned dynamically; if you have a fixed public address, use "host <public ip address>" instead. Every host on the Internet can now reach these two ports on your server, so the server itself must be kept patched and hardened.

  2. Tell the router where to forward the traffic to.

     Substitute <inside ip address> for the IP address of your server.

    ! Forward SMTP traffic.
    ip nat inside source static tcp <inside ip address> 25 interface dialer0 25
    ! Forward HTTP traffic.
    ip nat inside source static tcp <inside ip address> 80 interface dialer0 80

     These entries forward TCP ports 25 and 80 of whatever address Dialer0 currently holds, so they keep working when the DSL address changes. They only take effect if the LAN interface carries "ip nat inside" and Dialer0 carries "ip nat outside", which is already the case on a router that is doing NAT overload for its LAN. Check the result with "show ip nat translations": the two static entries are listed permanently, and each connection from the Internet adds a line for its session. If a port is forwarded but nothing arrives, look at the match counters on the new permit entries in "show access-lists 101".
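The following is an added worked example, not configuration from the original recipe. It brings the two steps together on one router and shows the permit entries being inserted without deleting access-list 101, which matters because while the list does not exist the "ip access-group 101 in" on Dialer0 lets everything through. The LAN interface name (FastEthernet0), the server address (192.168.1.10), the outbound overload list (access-list 1) and the sequence numbers 42 and 44 are assumptions for the illustration; substitute your own.

```cisco
! Added worked example (not from the original recipe). Interface names,
! addresses and sequence numbers are assumed for illustration.
!
! --- NAT roles. The static entries further down are ignored unless the
! inside and outside interfaces are marked; on a DSL router already doing
! NAT overload for its LAN these lines will be present.
interface FastEthernet0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 description Internet (DSL)
 ip address negotiated
 ip nat outside
 ip access-group 101 in
!
! Outbound NAT overload for the LAN (assumed to be in place already).
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
!
! --- Step 1: let the traffic in.
! IOS numbers the entries of access-list 101 10, 20, 30 ... in the order
! they were entered, so the list from the cookbook is assumed to read:
!   10 deny ip 10.0.0.0 0.255.255.255 any
!   20 deny ip 172.16.0.0 0.15.255.255 any
!   30 deny ip 192.168.0.0 0.0.255.255 any
!   40 deny ip any host 255.255.255.255
!   50 permit udp any eq isakmp any eq isakmp
!   60 permit tcp any any eq 1723
!
! Do NOT do this:
!   no access-list 101
! It deletes the whole list, and an "ip access-group 101 in" that refers
! to a list which does not exist permits everything while you re-type it.
!
! Instead open the numbered list in named-ACL mode and give the new permits
! sequence numbers that fall between 40 and 50. "show access-lists 101"
! shows the numbers actually in use on your router.
ip access-list extended 101
 42 permit tcp any any eq 25
 44 permit tcp any any eq 80
!
! --- Step 2: forward the two ports to the server.
ip nat inside source static tcp 192.168.1.10 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.10 80 interface Dialer0 80
!
! --- Checks, from enable mode:
!   show access-lists 101        ! entries 42 and 44 present, in order
!   show ip nat translations     ! the two static entries listed permanently
! Then connect from a host outside your network, e.g. "telnet <public ip> 25",
! and confirm that the match counters on entries 42 and 44 and the
! translation table both grow. Connecting from your own LAN to the public
! address does not enter through Dialer0 and is not a valid test.
```

The same two lines, with the port number and protocol keyword changed, forward any other TCP or UDP service; keep each forward paired with its own permit entry so that the access-list remains the single place that says what the Internet may reach.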