Allow external user access to internal without static NAT

Hi all

I can configure the router to allow external access to an internal server by static NAT. Is there any way to configure it without static NAT, and can we use an ACL to prevent them from some services?

Thanks for all your advice

Here is the example configuration:

Current Configuration:
version 12.1
service timestamps debug uptime
service timestamps log uptime
ip subnet-zero
no ip domain-lookup
bridge irb
interface Ethernet0
ip address
ip nat inside
!--- This is the inside local IP address and it is a private IP address.
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/35
encapsulation aal5snap
dsl operating-mode auto 
bridge-group 1
interface BVI1
ip address
ip nat outside
!--- This is the inside global IP address.
!--- This is your public IP address and it is provided to you by your ISP.
!
ip nat inside source list 1 interface BVI1 overload
!--- This statement makes the router perform PAT for all the
!--- End Stations behind the Ethernet interface that uses
!--- private IP addresses defined in access list #1.
ip nat inside source static tcp 80 80 extendable
!--- This statement performs the static address translation for the Web server.
!--- With this statement, users that try to reach port 80 (www) are
!--- automatically redirected to port 80 (www). In this case
!--- it is the Web server.
ip classless
ip route
!--- IP address is the next hop IP address, also
!--- called the default gateway.
!--- Your ISP can tell you what IP address to configure as the next hop address.
!
access-list 1 permit
!--- This access list defines the private network
!--- that is network address translated.
bridge 1 protocol ieee
bridge 1 route ip

Re: Allow external user access to internal without static NAT


NAT provides IP translation, but it doesn't provide any real security to the server. You prohibit access via either IOS FW features (CBAC, ZBFW, extended ACLs, etc.) or via a designated firewall.

To answer your question

Yes, you can.
You can position it in a DMZ with a public IP address and use port forwarding/filtering etc. to open up specific ports to the server.



Please don't forget to rate any posts that have been helpful. Thanks.
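
The extended ACL and CBAC filtering mentioned in the reply above could look like this on the router from the question. It is an added example, not part of the original thread and not a Cisco-supplied configuration. The addresses and the names OUTSIDE-IN and FW are constructed for illustration, and an IOS image with the firewall feature set is assumed.

```cisco
! Constructed values (not from the thread):
!   203.0.113.10 = public (inside global) address on BVI1
!   192.168.1.10 = internal web server (inside local)
!   OUTSIDE-IN and FW are hypothetical names
!
! Static port translation, same form as in the posted configuration
ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80 extendable
!
! CBAC: track sessions that inside hosts open outbound, so that their
! return traffic is let back in past OUTSIDE-IN
ip inspect name FW tcp
ip inspect name FW udp
!
! Inbound filter on the outside interface. It is evaluated before NAT,
! so it must match the public address, not 192.168.1.10.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq www
 deny ip any any log
!
interface BVI1
 ip access-group OUTSIDE-IN in
 ip inspect FW out
```

Without the inspection rule (or an equivalent permit for return traffic), the inbound ACL would also drop replies to the inside hosts that use the PAT overload statement.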

Allow external user access to internal without static NAT

Thanks for your reply

1/ I use the router for accessing the internet.

2/ I use an IP PBX inside the NAT router; therefore, if I do not add a static NAT pointing to the IP PBX address, it cannot register with the VoIP provider.

3/ Is there any way to access the IP PBX from the internet without static NAT?

Please show me an example configuration.