Saturday, August 25, 2012

PPTP and HTTP Port Forwarding with Static NAT on a Cisco router


Recently, a student in one of our seminars asked about port forwarding on a router. He wanted to allow clients to connect from the outside to a PPTP VPN server inside. This article explains how to do it, with a quick look at using static NAT to forward packets to a web server.

Port Forwarding on a Cisco Router

Sometimes we have internal resources that should be accessible from the Internet, like a Web server, mail server or VPN server. In general, I recommend isolating those resources in a DMZ to protect your office LAN from the bad guys, but no matter how you choose to design it, the process involves forwarding the desired packets from the router's external interface to a host inside. It's really a fairly simple process. Here's the configuration on a Cisco 2611 router:

interface Ethernet0/1
 ip address 12.1.2.3 255.255.255.0
 ip nat outside
!
interface Ethernet0/0
 ip address 192.168.101.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 101 interface Ethernet0/1 overload
ip nat inside source static tcp 192.168.101.2 1723 interface Ethernet0/1 1723
!
access-list 101 permit ip any any

In the above configuration, Ethernet0/1 is connected to the public Internet with a static address of 12.1.2.3, and Ethernet0/0 is connected to the internal network with a static address of 192.168.101.1. Outside NAT is configured on E0/1 and inside NAT is configured on E0/0. Access-list 101 works in conjunction with the "ip nat inside source list 101 interface Ethernet0/1 overload" statement to allow all inside hosts to use E0/1 to connect to the Internet, sharing whatever IP address is assigned to the Ethernet interface E0/1.

The keyword "overload" implements PAT (Port Address Translation), which is what makes this possible. (PAT allows multiple internal hosts to share a single address on an interface by assigning a distinct external port number to each connection.)

The statement "ip nat inside source static tcp 192.168.101.2 1723 interface Ethernet0/1 1723" takes inbound port 1723 (PPTP) requests arriving on Ethernet0/1 and forwards them to the VPN server located at 192.168.101.2.

You could do something similar with a Web server by changing port 1723 to port 80 or 443. Here's what that looks like:

interface Ethernet0/1
 ip address 12.1.2.3 255.255.255.0
 ip nat outside
!
interface Ethernet0/0
 ip address 192.168.101.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 101 interface Ethernet0/1 overload
ip nat inside source static tcp 192.168.101.2 80 interface Ethernet0/1 80
!
access-list 101 permit ip any any

In this example, the Web server is located at 192.168.101.2, and instead of forwarding PPTP (port 1723) traffic, we are forwarding HTTP (port 80) traffic.

Obviously, you can configure the Cisco router in a similar way to forward almost any type of traffic from the external interface to an internal host.
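To make the behaviour of the two statements concrete, here is an added Python model (not part of the original article and not Cisco code) that parses the configuration above, with both static translations present at once, and then walks sample packets through it: an outbound connection from an inside host gets PAT'd to the E0/1 address, its return traffic is matched back to the session, inbound TCP/1723 and TCP/80 are handed to 192.168.101.2, and an inbound packet to a port with no static entry and no session has nowhere to go and is dropped. Port allocation, session tracking and the absence of any timeout are simplifications of what IOS really does; the interface names, addresses and the sample packets (198.51.100.10 and 203.0.113.5 are documentation addresses) are constructed for the example, and the model covers only the TCP control channel, not the GRE tunnel that PPTP also carries.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: the article's configuration with the PPTP (TCP/1723)
# and HTTP (TCP/80) static translations both present.
CONFIG = """\
interface Ethernet0/1
 ip address 12.1.2.3 255.255.255.0
 ip nat outside
!
interface Ethernet0/0
 ip address 192.168.101.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 101 interface Ethernet0/1 overload
ip nat inside source static tcp 192.168.101.2 1723 interface Ethernet0/1 1723
ip nat inside source static tcp 192.168.101.2 80 interface Ethernet0/1 80
!
access-list 101 permit ip any any
"""

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")
OVERLOAD_RE = re.compile(r"^ip nat inside source list \d+ interface (\S+) overload$")


@dataclass
class NatModel:
    """Simplified picture of the router's NAT state (hypothetical model, not IOS)."""
    iface_addr: dict = field(default_factory=dict)    # interface name -> its IP address
    outside_ifaces: set = field(default_factory=set)  # interfaces carrying 'ip nat outside'
    overload_iface: Optional[str] = None              # interface whose address PAT borrows
    static: dict = field(default_factory=dict)        # (proto, iface, port) -> (inside_ip, inside_port)
    sessions: dict = field(default_factory=dict)      # (proto, inside_ip, inside_port) -> outside port
    reverse: dict = field(default_factory=dict)       # (proto, outside port) -> (inside_ip, inside_port)


def parse_config(text: str) -> NatModel:
    """Read interface addresses, NAT roles and the NAT statements from IOS-style text."""
    model = NatModel()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split()[1]
        elif line.startswith("ip address ") and current:
            model.iface_addr[current] = line.split()[2]
        elif line == "ip nat outside" and current:
            model.outside_ifaces.add(current)
        elif line == "!":
            current = None
        elif m := STATIC_RE.match(line):
            proto, inside_ip, inside_port, iface, outside_port = m.groups()
            model.static[(proto, iface, int(outside_port))] = (inside_ip, int(inside_port))
        elif m := OVERLOAD_RE.match(line):
            model.overload_iface = m.group(1)
    return model


def _port_in_use(model: NatModel, proto: str, iface: str, port: int) -> bool:
    # A port is taken if a static translation owns it or a PAT session already uses it.
    return (proto, iface, port) in model.static or (proto, port) in model.reverse


def outbound(model, proto, src_ip, src_port, dst_ip, dst_port):
    """Inside -> outside. PAT rewrites the source to the overload interface's address;
    the original source port is kept when free, otherwise a new one is chosen."""
    iface = model.overload_iface
    key = (proto, src_ip, src_port)
    if key not in model.sessions:
        port = src_port
        if _port_in_use(model, proto, iface, port):
            port = 1024
            while _port_in_use(model, proto, iface, port):
                port += 1
        model.sessions[key] = port
        model.reverse[(proto, port)] = (src_ip, src_port)
    return (model.iface_addr[iface], model.sessions[key], dst_ip, dst_port)


def inbound(model, proto, src_ip, src_port, dst_ip, dst_port):
    """Outside -> inside. A static translation wins, then an existing PAT session;
    anything else has no inside destination and is dropped (None)."""
    iface = next((n for n in model.outside_ifaces if model.iface_addr.get(n) == dst_ip), None)
    if iface is None:
        return None
    target = model.static.get((proto, iface, dst_port)) or model.reverse.get((proto, dst_port))
    if target is None:
        return None
    inside_ip, inside_port = target
    return (src_ip, src_port, inside_ip, inside_port)


def demo() -> dict:
    """Run the constructed sample packets through the parsed configuration."""
    model = parse_config(CONFIG)
    return {
        "pat_out": outbound(model, "tcp", "192.168.101.50", 40000, "198.51.100.10", 443),
        "pat_return": inbound(model, "tcp", "198.51.100.10", 443, "12.1.2.3", 40000),
        "pptp_in": inbound(model, "tcp", "203.0.113.5", 50000, "12.1.2.3", 1723),
        "http_in": inbound(model, "tcp", "203.0.113.5", 50001, "12.1.2.3", 80),
        "unmapped_in": inbound(model, "tcp", "203.0.113.5", 50002, "12.1.2.3", 22),
        # Inside host using source port 80: that outside port belongs to the static
        # entry, so PAT must pick another one instead of preserving it.
        "collision_out": outbound(model, "tcp", "192.168.101.60", 80, "198.51.100.10", 80),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} -> {result}")
```

The "unmapped_in" case is the security-relevant one: with only static entries for 1723 and 80, the router exposes exactly those two inside services and nothing else, which is why each additional "ip nat inside source static" line deserves the same scrutiny as a firewall rule.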

Copyright (c) 2008 Don R. Crawley ......
