Cisco Support Community

New Member

port forwarding within a subnet


I am somewhat green with switch configuration so please bear with me.

I am trying to set up port forwarding within a particular subnet and to limit it in that subnet.

The subnet is subnet mask

We recently had three Catalyst 2960 installed to replace the 3com switches.

We have a vendor setting up a camera surveillance system that would be accessed from an application console on a PC over the network. They would like to have ports 999 and 995 forwarded to the address and ports 998 and 994 to ip. I assume this is so that if the application uses these ports, they would then be directed to the devices at these static ip numbers.

With some research I have found that I first have to create the appropriate access list entries to permit the traffic - this is what I have so


1) access list 101 permit tcp 999 999

2) access list 102 permit tcp 995 999

3) access list 103 permit tcp 998 998

4) access list 104 permit tcp 994 994

(The intention with the above four items is to permit for those ports within that subnet only. Feel free to correct if wrong and explain as much as possible).

I gather that now I have to set up the corresponding port forwarding commands - this is where I am stuck. I think I have to create a port forwarding rule for each of the access lists I created above. An example of what I am playing with:

1) ip nat inside source static tcp 999


1a) The ports all seem to be in spanning-tree mode (on all three switches) which I understand to be a "self-discovery" mode - are the access lists alone sufficient? Does spanning-tree mode negate the need for port forwarding?

1b) How would I set up the port forwarding rules to forward all traffic for the ports listed to the listed ip/port destinations?

2) The "ip nat" command has an "extendable" option that I have seen used in some examples online. What does it mean?

3) The switch does not have an internal or external connection declared in the config file shown above. Do I still have to declare the "inside" and "outside" points on each switch?

4) I have tried to find documentation on a template to the running-config and startup-config files with no success. I would like to see where access-list commands would be inserted and port forwarding commands would be inserted. If anyone can point me to one or send me one I would appreciate it.

Thank you.

Hall of Fame Super Bronze

Re: port forwarding within a subnet

1a. Spanning-Tree is designed to avoid Layer2 loops in your network. It's not going to affect any NAT translation which is Layer3.


1b. If you are planning to re-use the same IP address on different ports, you need the extendable option on the NAT.


2. see #1b.


3. What type of switch are you working with?

Only 6500 supports NAT. Lower-end switches do not support NAT, you need a router.


4. What kind of templates are you looking for?
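For readers who do put a NAT-capable router between the console PC and the camera subnet, the configuration this thread is circling around looks like the following; it is an added example, not from either reply or from Cisco documentation, and shows the inside/outside declarations, the static PAT entries with extendable, and an ACL that limits the forwarded ports to one subnet. Interface names and all addresses (198.51.100.x, 10.10.10.x) are assumed placeholders, since the thread does not show its own.

```cisco
! Added example, not from this thread. All addresses are constructed
! placeholders: 198.51.100.1 is the router's outside address,
! 198.51.100.0/24 the subnet the console PC lives in, and
! 10.10.10.21 / 10.10.10.22 the two camera devices on 10.10.10.0/24.
!
! NAT must be told which interface is inside and which is outside
! (the original poster's question 3).
interface GigabitEthernet0/0
 description Outside - where the console PC reaches us from
 ip address 198.51.100.1 255.255.255.0
 ip nat outside
 ip access-group CAMERA-IN in
!
interface GigabitEthernet0/1
 description Inside - camera subnet
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
! Static PAT: one outside address is reused on four ports, so each
! entry carries "extendable" (the reply's point 1b). Two ports go to
! the first device and two to the second.
ip nat inside source static tcp 10.10.10.21 999 198.51.100.1 999 extendable
ip nat inside source static tcp 10.10.10.21 995 198.51.100.1 995 extendable
ip nat inside source static tcp 10.10.10.22 998 198.51.100.1 998 extendable
ip nat inside source static tcp 10.10.10.22 994 198.51.100.1 994 extendable
!
! Limit who may reach the forwarded ports. An inbound ACL on the
! outside interface is evaluated before NAT, so it must match the
! outside (global) address, not the camera's inside address.
! Only the console subnet may use the four ports; anything else
! arriving on the outside interface is dropped and logged.
ip access-list extended CAMERA-IN
 permit tcp 198.51.100.0 0.0.0.255 host 198.51.100.1 eq 999
 permit tcp 198.51.100.0 0.0.0.255 host 198.51.100.1 eq 995
 permit tcp 198.51.100.0 0.0.0.255 host 198.51.100.1 eq 998
 permit tcp 198.51.100.0 0.0.0.255 host 198.51.100.1 eq 994
 deny   ip any any log
!
! Verify with "show ip nat translations" (the four static entries
! should be listed) and "show ip nat statistics" (inside/outside
! interfaces).
```

The explicit deny also drops return traffic for sessions the camera hosts open towards the outside, so add permits for those flows if the devices need them.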

Re: port forwarding within a subnet

You seem to have done quite some research on the subject!

Still you must have been misled by the terminology. Port forwarding is only applicable in situations where NAT or PAT is used. This always requires a router. You will not be able to use port forwarding on a single subnet. In fact there is little use for it also. Just connect the equipment and give it a go!