Forwarding a Port to a LAN Machine

Unanswered Question
Mar 4th, 2010


I have a 1711 router with IOS v. 12.3, and I need to place a web server in the same LAN where users' PCs are connected to the internet and forward the ports 80 and 1433 from the internet to the web server (address

FastEthernet0 has an address and is connected to the internet. FastEthernet1 is tied to vlan10 and has an address. It is connected to the LAN.

I have this NAT configuration for the LAN PCs to access the internet, and it works ok:

access-list 1 permit
ip nat pool overld1 prefix-length 24
ip nat inside source list 1 pool overld1 overload
ip route

This is how I tried to forward port 80 but it had no effect:

ip nat inside source static tcp 80 80 extendable

I read somewhere that when there are access lists, they should include the port to forward. I tried to do that but either my syntax was wrong or I still don't understand how it works.

So, how do I forward a port to a LAN machine when there are already other user PCs in the same LAN using an internet connection?

Thanks in advance.

Federico Coto F... Thu, 03/04/2010 - 13:17


The syntax for the command is correct:

ip nat inside source static tcp 80 80 extendable

This means that all traffic that comes on port 80 to IP is going to be forwarded to the internal IP

My question is:

Is this public IP part of your public IP address space?

I ask you this because I see the public NAT range is a total different one.

So, the syntax is correct, and if you try from a computer on the Internet to telnet 80, assuming your router knows how to handle this IP.

The only other thing is to make sure that if there's an ACL applied to the interfaces on the router, it should allow the traffic to pass through.


WeidmannsHeil Thu, 03/04/2010 - 14:48

Thank you, Federico, for the reply.

Yes, the address beginning with 79 is the actual address...

I just wanted to replace it with 99 everywhere for reasons of security but failed to in one place.

As concerns the ACL, that's exactly the part I wanted to ask you. I only have what I posted here and I don't know how to extend the ACL (or add another?) so that it not only permits all hosts in the LAN to access the internet but also permits all hosts from the internet access on port 80. A NAT statement for it alone doesn't work. Somehow the existing ACL interferes with it.

Federico Coto F... Thu, 03/04/2010 - 15:03

You only need an ACL if you already have an ACL applied to the outside interface of the router.

If there's no ACL, by default the router permits all traffic through it.

What is the result from doing the following from the command prompt:

telnet 80

If it does not work and there's no ACL applied to the outside interface, as a test do the following:

access-list 199 permit tcp any host eq 80

access-list 199 permit ip any any

interface outside

ip access-group 199 in

Then check the hit counts, doing a "sh access-list 199", to make sure the hit count on the first line is incrementing.

This will let us know if the traffic is indeed reaching the router.


WeidmannsHeil Thu, 03/04/2010 - 15:29

1. telnet seems to work: it blanks the screen and does not complain about anything. But I cannot actually browse the web page at the server. I connected to the inside address.

2. The ACL that refers to 99... address is the actual ACL I have but it's for LAN PCs connecting to the internet.

3. I tried what you suggested as the test. I could enter:

access-list 199 permit tcp any host eq 80

access-list 199 permit ip any any


interface outside

ip access-group 199 in

was rejected as incorrect syntax. And nothing really changed.

WeidmannsHeil Fri, 03/05/2010 - 05:48

Ok, I found a confirmation that static and dynamic NATs really have to work simultaneously, i.e., I can use an ACL and a static NAT simultaneously, and I don't have to change anything in the ACL.

So I checked once more all the cables, walked through the configuration, removed anything that I did not need, and now it works. Thank you, Federico, for the support.
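Putting the pieces of the thread together, here is a complete IOS configuration for this setup. This is an added example by the editor, not anything posted in the thread. The addresses are assumptions: the RFC 5737 documentation range 203.0.113.0/24 stands in for the public /24 the poster redacted (203.0.113.2 on FastEthernet0, 203.0.113.3 as the overload pool address), 192.168.10.0/24 for the LAN and 192.168.10.10 for the web server. The LAN's routed interface is assumed to be Vlan10, since the poster says FastEthernet1 is tied to vlan10; the outside interface is FastEthernet0 as stated in the question, which is also the name that has to replace Federico's "interface outside" placeholder.

```cisco
! Added example (editor's, not from the thread). Addresses and the Vlan10
! interface name are assumptions; see the lead-in above.
!
interface FastEthernet0
 description Internet
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
interface Vlan10
 description LAN (user PCs and the web server)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! Default route towards the ISP next hop (assumed 203.0.113.1)
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Dynamic PAT for the user PCs. ACL 1 only selects which INSIDE sources get
! translated; it is not a firewall rule and needs no entry for port 80.
! 203.0.113.3 sits in the connected /24, so NAT answers ARP for it.
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat pool overld1 203.0.113.3 203.0.113.3 prefix-length 24
ip nat inside source list 1 pool overld1 overload
!
! Static port forwards: inbound TCP/80 and TCP/1433 on the router's public
! address go to the web server. The syntax is the one used in the thread.
ip nat inside source static tcp 192.168.10.10 80 203.0.113.2 80 extendable
ip nat inside source static tcp 192.168.10.10 1433 203.0.113.2 1433 extendable
!
! Diagnostic ACL from Federico's test, applied to the real outside interface.
! Inbound on FastEthernet0 it is evaluated BEFORE the outside-to-inside NAT
! translation, so it must match the PUBLIC address, not 192.168.10.10.
! The trailing permit ip any any keeps everything else flowing; the first
! line exists only so its hit counter shows whether port 80 traffic arrives.
access-list 199 permit tcp any host 203.0.113.2 eq 80
access-list 199 permit ip any any
interface FastEthernet0
 ip access-group 199 in
!
! Checks from enable mode after connecting to 203.0.113.2:80 from outside:
!   show access-list 199        ! hit count on the "eq 80" line increments
!   show ip nat translations    ! the static tcp 203.0.113.2:80 -> 192.168.10.10:80 entry is listed
```

Two caveats a practitioner would add. First, the diagnostic ACL 199 is only a counter; once the forward works, either remove it (`no ip access-group 199 in` on FastEthernet0) or replace it with a real inbound policy that permits only the published ports and established return traffic, because a permit-any ACL provides no filtering. Second, forwarding TCP/1433 exposes the SQL Server service directly to the internet; if the web application is the only thing that needs the database, keep 1433 reachable from the LAN only and drop that static entry.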

