How to configure static NAT for a Cisco Router

Source: Internet
Author: User


Recently, a friend asked me how to configure static NAT on a Cisco router so that Internet users can reach the intranet Web and email servers through the router. This requires NAT between the public IP address and the intranet IP address. The specific steps follow.

Many people access the Internet through NAT today. NAT translates between intranet IP addresses and Internet IP addresses so that intranet users can access the Internet directly. Most users use the form of NAT called port address translation (PAT); Cisco calls this method NAT overload.

Before starting, let's first understand what static NAT is. Figure A is a network topology. Our goal is to translate a static IP address on the Internet to an internal IP address through a router. On a Linksys router with a Web configuration interface, this is easy to implement. On a Cisco router, which is configured through the CLI, it is troublesome if you do not know the corresponding commands, so it is necessary to collect some information before you start. In our example, we need the following:

◆ Router inside interface E0/0: IP 10.1.1.1
◆ Router outside interface S0/0: IP 63.63.63.1
◆ Intranet IP address of the Web/mail server: 10.1.1.2
◆ Internet IP address of the Web/mail server: 63.63.63.2

Two steps are necessary to allow Internet users to access the intranet Web/mail server:

1. Configure NAT
2. Configure the firewall

In this article, I will focus on the basic static NAT configuration. However, readers should make sure that the relevant Internet traffic is allowed through the firewall. Whether you use ACLs or Cisco IOS to configure the firewall, make sure you are familiar with the Cisco IOS order of operations and use the correct IP address (public or intranet). In other words, you should know whether NAT or firewall filtering is applied first.
After collecting this information, we begin configuring static NAT. In our example, we first perform the basic interface configuration:

    interface Serial0/0
     ip address 63.63.63.1 255.255.255.0
     ip nat outside
    interface Ethernet0/0
     ip address 10.1.1.1 255.255.255.0
     ip nat inside

We need NAT to translate the public IP address of the Web/mail server from 63.63.63.2 to 10.1.1.2 (and from 10.1.1.2 back to 63.63.63.2). The following is the NAT configuration between the intranet and the public network:

    router(config)# ip nat inside source static tcp 10.1.1.2 25 63.63.63.2 25
    router(config)# ip nat inside source static tcp 10.1.1.2 443 63.63.63.2 443
    router(config)# ip nat inside source static tcp 10.1.1.2 80 63.63.63.2 80
    router(config)# ip nat inside source static tcp 10.1.1.2 110 63.63.63.2 110

These ports are used because they are the standard ports of the corresponding services: port 25 is SMTP (sending mail), port 443 is HTTPS (secure Web connections), port 80 is HTTP, and port 110 is POP3 (receiving mail).

The above configuration assumes that we have a fixed public IP address. If not, we can use the router's egress interface instead (Serial 0/0 in this example). The configuration is as follows:

    router(config)# ip nat inside source static tcp 10.1.1.2 25 interface serial 0/0 25

If your public IP address is assigned by the ISP through DHCP, you can also use this configuration method.

In addition, we need to register the domain names of the Web server and email server in DNS on the Internet, so that users can reach our website by entering the domain name in the browser. For example, entering www.mywebserver.com leads to 63.63.63.2. Our router then translates this address to 10.1.1.2, so the Web server receives the browser's requests and responds normally.
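For the firewall step and the order-of-operations point above, here is an added example (not from the original article) that audits a configuration for mismatches between the static NAT port forwards and the ACL permits. On Cisco IOS an inbound ACL on the outside interface is evaluated before NAT translation, so its permits must name the public address 63.63.63.2. ACL number 101, its entries and the `audit` function are assumptions made for illustration.

```python
import re

# Constructed sample config (not from the original article): the article's
# static NAT entries plus a hypothetical extended ACL 101 on Serial0/0.
SAMPLE_CONFIG = """\
interface Serial0/0
 ip address 63.63.63.1 255.255.255.0
 ip nat outside
 ip access-group 101 in
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
ip nat inside source static tcp 10.1.1.2 25 63.63.63.2 25
ip nat inside source static tcp 10.1.1.2 443 63.63.63.2 443
ip nat inside source static tcp 10.1.1.2 80 63.63.63.2 80
ip nat inside source static tcp 10.1.1.2 110 63.63.63.2 110
access-list 101 permit tcp any host 63.63.63.2 eq 25
access-list 101 permit tcp any host 63.63.63.2 eq 443
access-list 101 permit tcp any host 10.1.1.2 eq 80
access-list 101 permit tcp any host 63.63.63.2 eq 8080
"""

NAT_RE = re.compile(r"^ip nat inside source static tcp (\S+) (\d+) (\S+) (\d+)$", re.M)
ACL_RE = re.compile(r"^access-list (\d+) permit tcp any host (\S+) eq (\d+)$", re.M)

def audit(config):
    """Compare static NAT port forwards with ACL permits (numeric ports only)."""
    nat = {(g, int(gp)): (l, int(lp)) for l, lp, g, gp in NAT_RE.findall(config)}
    inside_local = {l for l, _ in nat.values()}
    permits = [(h, int(p)) for _, h, p in ACL_RE.findall(config)]
    findings = []
    for host, port in permits:
        if host in inside_local:
            # Inbound ACLs on the outside interface run before NAT, so they
            # must match the public (inside global) address, not the private one.
            findings.append(("acl-uses-private-address", host, port))
        elif (host, port) not in nat:
            findings.append(("permit-without-nat-entry", host, port))
    for (g, gp) in nat:
        if (g, gp) not in permits:
            findings.append(("nat-entry-not-permitted", g, gp))
    return sorted(findings)
```

The check ignores which interface the ACL is bound to and skips NAT entries written in the `interface serial 0/0` form; it only handles the fixed-address form with numeric ports.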
In addition to configuring static NAT, you may also want to learn how to configure dynamic NAT, so that your intranet PCs can access the Internet through dynamic NAT (such as NAT overload, or PAT).
