Static PAT (Port Forwarding)


Scenario:

You are a trainee for a large international website covering a wide range of topics on automobiles. You are using NAT and PAT for connectivity to the Internet but you also have a number of hosts on your internal network. You need to make sure that the Webserver and Mailserver are reachable from the Internet.

Goal:

  • All IP addresses have been preconfigured for you.
  • Configure router PAT so all internal devices are able to reach the Internet.
  • Configure router PAT so the Web- and Mailserver are reachable from the Internet.
  • Ensure router Internet doesn’t know about the 192.168.123.0 /24 network.

It took me 1000s of hours reading books and doing labs, making mistakes over and over again until I mastered all the protocols for CCNA.

Would you like to be a master of networking too? In a short time without having to read 900 page books or google the answers to your questions and browsing through forums?

I collected all my knowledge and created a single ebook for you that has everything you need to know to become a master of CCNA.

You will learn all the secrets about NAT, PAT, port forwarding and more.

Does this sound interesting to you? Take a look here and let me show you how to Master CCNA!

IOS:

c3640-jk9o3s-mz.124-16.bin

Topology:

Static PAT Port Forwarding

Video Solution:

Configuration Files

You need to register to download the GNS3 topology file. (Registration is free!)

Once you are logged in you will find the configuration files right here.

Opt In Image
Do you want your CCNA or CCNP Certificate?

The How to Master series helps you to understand complex topics like spanning-tree, VLANs, trunks, OSPF, EIGRP, BGP and more.

Written by René Molenaar - CCIE #41726

You May Also Like

About the Author: Rene Molenaar

René - CCIE #41726 is the creator of GNS3Vault.com where he shares CCNA, CCNP and CCIE R&S labs. He also blogs about networking on http://networklessons.com

3 Comments

  1. Hi Rene,
    Not a big problem, but I am curious about the last task.
    [b][i]”Ensure router Internet doesn’t know about the 192.168.123.0 /24 network.”[/i][/b]

    Although the translations continue to work correctly, the Internet router can still ping the internal devices.

    Ping 192.168.123.2 (from Internet router)
    This still translates, but it allows the Internet to know the internal IP addressing.
    This is small issue, but I am curious how I might block this ability (in this scenario).

    Thanks.
    Mark

  2. Hello Mark,

    Once we configure NAT or PAT in this scenario the Internet router will only see the 192.168.45.4 IP address because of the translation. That doesn’t stop it from using a static route or something to reach the 192.168.123.0 /24 network. If you want to block this 100% you’ll just need to use an access-list.

    If this were a real network you should have an access-list on the inbound interface of the NAT/PAT router so not all traffic will be accepted. It’s even better to configure a [b]reflexive access-list[/b], it will make sure that inbound traffic from the Internet will always be dropped unless it was originated from the LAN. If you never configured a reflexive access-list before than you should take at my lab:

    http://gns3vault.com/Security/reflexive-access-list.html

    Let me know if you have more questions.

    Rene

  3. aaaaah okay. That was the answer I was looking for — Reflexive Access-Lists. I knew there was a solution.

    Thanks again for your website. FYI: I lost my CCDP, and I am starting from the beginning again (from CCNA). Your labs completely made me slow down this time, and practice more (not just trying to pass another exam).

    I am getting your CCNP book. Big Value, considering all of the free labs.

Comments are closed.