port forwarding

Unanswered Question

I have a Cisco 800 series router. I have several external IPs to use and I need to open port 443 for two internal servers. I can only configure PAT for one server, which makes sense; however, I need SSL for a second server. For example, I have a Citrix machine needing to receive SSL, and I have OWA and RPC over HTTP that need to be received on the Exchange machine. How can I configure one of my unused external IPs to forward to one of the internal machines while leaving the external IP on the external side of the firewall pointed to the other through PAT? I would appreciate any help. I have not configured any access lists or anything besides PAT.

Jon Marshall Sun, 11/18/2007 - 23:45

Hi Kevin

Could you give a few more details? You mention a firewall; is that the 800 router or a separate device? A quick topology of the network together with the IP addressing would help us.


Yes, the Cisco 800 series router is also our firewall. We currently use PAT for port forwarding. We have a Citrix server that requires HTTPS access. We also have OWA and RPC over HTTP, which (best practice) require HTTPS access on our Exchange server. All of this has worked beautifully for years until we recently changed our Cisco 800 series router/firewall. We lost our configuration and had to begin all over. Citrix is currently working over HTTPS; however, I can't make another entry for HTTPS (port 443) in PAT to allow or forward RPC over HTTP requests to a different server. I'm using the exact same model of Cisco router/firewall as I did before, so I know it has the capability. I just don't know the command. Here are some examples of our IP scheme:

Public IPs:

Internal on firewall:

If is on the external side of the firewall, how do I take the next IP, .81, and forward it to the Exchange server?

Jon Marshall Mon, 11/19/2007 - 06:39


ip nat inside source static

this is assuming you have

1) "ip nat inside" on your internal interface

2) "ip nat outside" on your external interface

You can then use an access-list to lock down which port is allowed through to the internal server.
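The following is an added example IOS configuration illustrating the answer above; it is not from the thread and not the poster's own config. It assumes an 800-series router with FastEthernet4 as the WAN port and Vlan1 as the LAN, and uses constructed addresses (203.0.113.80/29 on the WAN side with .80 already in use for PAT and .81 spare, 192.168.1.0/24 inside, Citrix at .10, Exchange at .20). The existing PAT and the existing 443 forward to Citrix are kept; the new line is the port-level static NAT that maps 443 on the spare public address to the Exchange server, followed by an inbound ACL that limits what the outside can reach.

```cisco
! Added example for a Cisco 800-series IOS router (not from the original post).
! Assumed/constructed addressing:
!   WAN  FastEthernet4  203.0.113.80/29  (existing PAT address; Citrix on 443)
!   LAN  Vlan1          192.168.1.1/24
!   Citrix   192.168.1.10      Exchange (OWA / RPC over HTTP)   192.168.1.20
!   Spare public address 203.0.113.81 -> Exchange, port 443 only
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet4
 ip address 203.0.113.80 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect FW out
!
! Existing PAT: all LAN hosts share the WAN interface address outbound.
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet4 overload
!
! Existing port forward: TCP 443 on the WAN interface address -> Citrix.
ip nat inside source static tcp 192.168.1.10 443 interface FastEthernet4 443
!
! New: TCP 443 on the spare public address -> Exchange. A port-level static
! (rather than a 1:1 "ip nat inside source static 192.168.1.20 203.0.113.81")
! exposes only 443 on 203.0.113.81, not every port on the Exchange host.
! "extendable" lets the same inside or global address be reused in other
! static entries later (for example a second port on the same host).
ip nat inside source static tcp 192.168.1.20 443 203.0.113.81 443 extendable
!
! Stateful inspection (IOS Firewall feature set assumed) so that return traffic
! for outbound LAN sessions is allowed back in through OUTSIDE-IN. Without it,
! only the "established" line below helps, and it covers TCP only.
ip inspect name FW tcp
ip inspect name FW udp
!
! Lock down what the outside may reach. On IOS the inbound ACL on the outside
! interface is evaluated BEFORE outside-to-inside NAT, so it must match the
! public (global) addresses, not the 192.168.1.x ones.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.80 eq 443
 permit tcp any host 203.0.113.81 eq 443
 permit tcp any any established
 permit icmp any any echo-reply
 deny   ip any any log
```

After applying this, `show ip nat translations` should list both static 443 entries, `show ip alias` should show the router answering ARP for 203.0.113.81 (IOS adds the alias automatically when the global address is in the outside interface's subnet), and `show access-list OUTSIDE-IN` lets you confirm hits on the two permit lines while anything else lands on the logged deny. Because the ACL sits before NAT, a test from outside with `openssl s_client -connect 203.0.113.81:443` should reach the Exchange certificate while a connection to any other port on .81 is dropped.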



Hi, have a look at this config; it may help you. Also check out the link at the bottom.

If you perform NAT on both interfaces, keep in mind the addresses that are visible to a given interface. In Figure 13-3, an outside server uses static NAT so that a translated address appears on the inside network.

Figure 13-3 IP Addresses in Access Lists: NAT used for Source and Destination Addresses

See the following commands for this example:

hostname(config)# access-list INSIDE extended permit ip host

hostname(config)# access-group INSIDE in interface inside


