NAT / Port Forwarding

Oct 31st, 2007

Hi all,

I am trying to translate Cisco NAT terms into what students are used to from their experience with Linksys home routers.

On the small machines, you have a LAN interface and a WAN interface, let's say with the LAN sporting and the WAN getting a dynamic IP from the provider, let's say

So far so good.

The LAN IP is an inside local address, while the WAN IP is an inside global address.

So when any client from the LAN connects to , its IP address (which is inside local, too) gets translated to the inside global address of the router (= the WAN address, ). The return packets are retranslated and everything is fine.

This can be done by static NAT, but then you get two drawbacks:

1. You are limited to a single host in the LAN

2. This host is fully exposed to the internet, unless you place some ACLs.

Now what is normally done is dynamic NAT with 1 WAN (=inside global) address, i.e. overloading.

There you have a bunch of LAN clients being translated to that single WAN address. Return packets will arrive at the clients, since the sessions are separated by the router by different port numbers.

But now you can't connect from the Internet to the LAN addresses, unless you specify some sort of port forwarding on the router:

"If there are incoming packets at the WAN interface with destination port tcp:8080, send them to LAN" On that machine, there is the webserver you want to make available from the outside.

How would this scenario be realized with an IOS router?

My first guess was something like "ip nat outside destination ..." but that's no valid expression.

Thanks in advance,


keller.oliver Wed, 10/31/2007 - 09:04

Hi Adam,

thanks for the input, it seems to do what I wanted to achieve.

The only thing that's hard to teach is: if I build such a rule to forward requests from the outside to the webserver in my private LAN, why isn't it called "ip nat outside destination"? Because that's what happens: packets that arrive on the outside get their destination address altered so that it matches an internal address.

In class I will start with static NAT (ip nat inside source), then show the obvious effects (source gets altered) plus the side effects (it works in the opposite direction, too). From there it should be possible to get from the general translation (all ports of an IP address) to the restricted translation (just this tcp/udp port of that IP address).

Problem solved!

Thanks again,
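
The progression Oliver describes (whole-address static NAT first, then overloading, then a single forwarded port), as an added worked IOS configuration. It is not part of the original thread and is not the reply the poster is thanking; the interface names, the 192.168.1.0/24 LAN, the web server 192.168.1.10 and the public address 203.0.113.5 are all assumed values for illustration.

```cisco
! Added example, not from the original thread. Hypothetical router:
! LAN 192.168.1.0/24 on FastEthernet0/0, DHCP-assigned WAN address on
! FastEthernet0/1, web server at 192.168.1.10 (all addresses assumed).
!
! Step 1 - say which interface is "inside" and which is "outside".
! These keywords name the side of the router, not the direction in
! which a given packet is rewritten.
interface FastEthernet0/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description WAN - address comes from the provider
 ip address dhcp
 ip nat outside
!
! Step 2 - whole-address static NAT: one inside local <-> one inside global.
! The entry is bidirectional: outbound packets from 192.168.1.10 get their
! source rewritten to 203.0.113.5, and any inbound packet for 203.0.113.5
! (every port) gets its destination rewritten to 192.168.1.10. This needs a
! second routable public address, so it does not fit a single dynamic WAN IP.
ip nat inside source static 192.168.1.10 203.0.113.5
!
! Step 3 - dynamic NAT with overload (PAT): every LAN client shares the
! WAN address; sessions are kept apart by source port.
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/1 overload
!
! Step 4 - "port forwarding" is static PAT: the same inside-source static
! form as step 2, restricted to one TCP port. Remove the whole-address
! mapping first so the two entries for 192.168.1.10 do not collide.
! "interface" is used instead of a fixed global address because the WAN
! address is dynamic. Inbound tcp/8080 on the WAN address goes to tcp/80
! on the server; static entries take precedence over the overload rule.
no ip nat inside source static 192.168.1.10 203.0.113.5
ip nat inside source static tcp 192.168.1.10 80 interface FastEthernet0/1 8080
```

Check the result with `show ip nat translations`: the static entry appears as a permanent line of the form `tcp <wan-ip>:8080 192.168.1.10:80 --- ---` before any traffic flows, while the overload translations only show up while sessions are open. The forwarded port is reachable from every source on the Internet, which is the exposure point 2 of the question applies to; if you restrict it with an access list on the outside interface, remember that IOS evaluates the inbound access list before the outside-to-inside translation, so the ACL must match the WAN address and port 8080, not 192.168.1.10 and port 80.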


a.cruea1980 Thu, 11/01/2007 - 06:10

It can be hard to teach, but to make it simple, just say which side of the interface you're NAT'ing. If you need to NAT the WAN side, you'll be using the outside; if you need to NAT on the LAN side, you'll use inside.

Think of it like this: say you're trying to connect two networks with the same IP addressing scheme. Obviously, you can't connect them, because you'll have IP address conflicts. However, if you use IP NAT outside, you can NAT the WAN interface to a common address to avoid conflicts.

But with a server on the inside, you have to tell the router where on the inside the traffic needs to go.

Make sense?

keller.oliver Thu, 11/01/2007 - 08:32

Hi Adam,

makes perfect sense so far, but what I still don't get is:

When doing inside nat, I can do source or destination address translation.

When doing outside nat, I can do only source address translation.

OK, as far as inside source NATting is concerned, a static source mapping is automatically bidirectional, i.e. inside source static does "outside destination static" as well (which is never called that way, nor does it exist in IOS ;)).

It's just confusing why there is source/destination for inside NATting only.

The rest of the topic seems clear for now ^^ but I will run some tests in the lab in the next few days. Although this is beyond CCNA, I just think it's good to know in order to answer my students' questions :).
