Port Forwarding & DNS with a Cisco Router (WWW, DNS, FTP, etc.)


Two basic parts that go hand in hand.

Unfortunately our CCNA training didn't cover running public services behind a router, etc.  I am attempting to run a Web Server behind a Cisco 806 Router at home.  I would like to forward the web traffic obviously.  In particular, I am looking for commands that would push port 80 destinations to the specific internal static address.  I've seen NAT, PAT and filters thrown around as information, however I am looking for the instructions that the router receives that cause it to forward that port.  I can see how the filters let it through, but is the incoming port 80 packet guided to the WS via NAT?  It's not clicking for some reason.  Need some definitive information.

Another note, and I am willing to share points with this other half;
DNS!  I presume that I set my www name to point to my DNS server in the "DMZ" area which then points to my internal IP for the WS in the DMZ as well.  My understanding is that the DNS inquiry gets shot over to my DNS server from the big DNS guys (after a user outside the LAN asks for my www name IP) and then is pushed through my Cisco Router via a "port forwarding" concept, then returns the requested www name-to-IP (public) to the inquirer.  Then they throw the port 80 traffic to the (in this case) same IP as the DNS came through, only to be pushed through to the web server by the router once again.  If this is correct then why is NOBODY asking how to get their web names directed to a self-hosted DNS server and they ask just how to push http through?  Anyone else notice that?  Where is the DNS process taking place?  When I registered my www name with the InterNIC, it wanted DNS servers.  Is the router or something else performing DNS?  I've got a server ready for DNS and a web server.

So to recap;
1.)"Port Forwarding" concepts for a recent Cisco IOS
2.)Where the heck does DNS fit into my DMZ or inside ranges?

I can REALLY further clarify this if need be.  If you don't believe me about people ONLY asking for port 80 manipulation, then do a search for it.  You'll see what I mean.

I would like to award points based on a good, solid conceptual answer with a practical solution or an idea.  Please bear in mind that there is no open-source software or OS involved in my network.  Haven't picked that up yet.

Much thanks in advance!



Shall I assume that you've got a static outside IP address since you plan on hosting public services?

So, even if you're overloading (PAT) your outside public address, you can statically map outside address/ports to inside address/ports. So, to the world, it's this world-routable entity.

So, the static NAT translations that you would do would look like this (assuming <inside-network> is your inside network and <outside-address> is your outside one):

! <...> marks an address that did not survive in the post; substitute your own
ip nat inside source static tcp <web-server-inside-ip> 80 <outside-address> 80 extendable
ip nat inside source static udp <dns-server-inside-ip> 53 <outside-address> 53 extendable

With this arrangement, you'll register your dns server as the outside address as you would your webserver.

It actually gets interesting at this point. You might want 'external' dns and 'internal' dns.

i.e. see if your service provider will host dns for your external domain and you can host your internal dns internally.

Externally, you'll want A records pointing to your outside address for www, dns and presumably your MX(or other services for that matter). Internally, you don't want to resolve to the external address, but the internal one. You kinda need to do something like this because if you use your internal webserver as a resource(for example), you don't really want it to resolve to the outside address of your router. Make sense?
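The lookup pedrow describes, as an added example that is not part of the thread: a small Python model of the router's NAT table with one static entry per forwarded port next to the dynamic entries that PAT overload creates. It shows why an inbound packet to the public address on port 80 is rewritten to the web server, why one on port 22 (no static entry) has no translation, and why a PAT port opened by an inside host only answers the outside host that inside host talked to. The addresses (203.0.113.10 public, 10.0.0.0/24 inside, 198.51.100.0/24 for outside hosts) are documentation ranges chosen for the example, and the port allocator is simplified: real PAT tries to keep the original source port, this model hands out the next free one.

```python
"""Added example (not the thread's own code): a minimal model of the NAT
table built by `ip nat inside source static <proto> <inside-local> <port>
<inside-global> <port>` (static entries) together with `overload` (PAT,
dynamic entries). Addresses are documentation ranges chosen for the example."""
from dataclasses import dataclass
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatTable:
    def __init__(self, inside_global: str, first_pat_port: int = 1024):
        self.inside_global = inside_global        # the router's public address
        self.static = {}    # (proto, global_port) -> (inside_local, local_port)
        self.dynamic = {}   # (proto, global_port, outside_ip, outside_port) -> (inside_local, local_port)
        self._ports = count(first_pat_port)       # simplified PAT port allocator

    def add_static(self, proto: str, inside_local: str, local_port: int,
                   global_port: Optional[int] = None) -> None:
        """One public port forwards to exactly one inside host:port."""
        key = (proto, local_port if global_port is None else global_port)
        if key in self.static:
            raise ValueError(f"{key} is already forwarded to {self.static[key]}")
        self.static[key] = (inside_local, local_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: the source becomes the public address. A host with
        a static entry keeps its mapped port; anyone else gets a PAT port."""
        src = (pkt.src_ip, pkt.src_port)
        for (proto, gport), local in self.static.items():
            if proto == pkt.proto and local == src:
                return Packet(pkt.proto, self.inside_global, gport, pkt.dst_ip, pkt.dst_port)
        for (proto, gport, oip, oport), local in self.dynamic.items():
            if (proto, oip, oport, local) == (pkt.proto, pkt.dst_ip, pkt.dst_port, src):
                break                                  # existing flow: reuse its port
        else:
            gport = next(self._ports)                  # new flow: allocate a PAT port
            self.dynamic[(pkt.proto, gport, pkt.dst_ip, pkt.dst_port)] = src
        return Packet(pkt.proto, self.inside_global, gport, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside. A static entry matches any sender; a dynamic entry
        only matches the outside host:port the inside host talked to. No entry
        means no translation: the packet is for the router itself or is dropped."""
        if pkt.dst_ip != self.inside_global:
            return None
        hit = self.static.get((pkt.proto, pkt.dst_port)) or self.dynamic.get(
            (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if hit is None:
            return None
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, hit[0], hit[1])


if __name__ == "__main__":
    table = NatTable("203.0.113.10")
    table.add_static("tcp", "10.0.0.80", 80)       # web server
    table.add_static("udp", "10.0.0.53", 53)       # DNS server
    print(table.inbound(Packet("tcp", "198.51.100.7", 40000, "203.0.113.10", 80)))
    print(table.inbound(Packet("tcp", "198.51.100.7", 40001, "203.0.113.10", 22)))
```

The model answers the question in the original post directly: the filter only decides whether the packet may enter, the static entry is what rewrites its destination from the router's public address to the inside host, and a port with no static entry is never handed to anything inside.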

ARavoth (Author) commented:
Sorry about the delay, and the answer is excellent.  I do need a small bit of clarification;

1.) I'm not using PAT currently, I don't think I need to but I'm not sure why it would be important to use in my situation.

2.) I've seen the statements warning about internal resolution to the outside (DMZ) www area being a security threat.  How, then, can I make my internal nodes see my web site?  It doesn't make sense to me to have an internal site that is replicated.  Would that mean I have to replicate the site for the inside people too?  Not sure if I am understanding that part.

3.) Also, I'm not sure if you're using a DMZ type of thing here.  If my internal is the 10. network and my DMZ is the 172. network and my outside router IP is, are you originally assuming that my WS and MX, etc. are actually on the inside?  

I'm REALLY sorry if I am overloading you.  If you believe that I am over-doing this question, then please answer what is pertaining to my issue here.  I really appreciate your help.

ARavoth (Author) commented:
Oh yes;

1.) Yes, I have a static IP
2.) No, they won't do my DNS stuff.  I'm pretty much on my own with that.


What kind of routing and switching platforms do you use? It will help in making sound recommendations.

1) So do you have a separate block of routable addresses for your www/smtp/etc... boxes? If so, why bother with NAT at all? If you are going to use NAT, I tend to overload (PAT) to conserve routable addresses, except in cases where you have services that aren't port-aware (like GRE or ESP). Just addressing your webservers in routable address space will make things like DNS a whole lot easier and eliminate the possibility of NAT bugs causing outages.

2) I guess one could make an argument that dns resolution can be a security threat...but in general, folks on the internet are gonna have an interesting time resolving rfc1918 space hosts. I also think that it's a bunch of crap though because mapping names to addresses (or the lack thereof) isn't where security issues lie. It lies in what services you permit people to access and keeping current with the patch levels of those services. I mean, who cares if they can resolve the name of your internal printers...It may be prudent not to call your accounting servers things like wherewekeepourfinancialinfo.company.com, but that's not rocket science.

3) Yeah...i'm kinda making assumptions about your physical topology. Maybe you could do a little line drawing of where your networks lie, equipment you have available and a config or two. Maybe you have a true DMZ, or maybe it's just a bastion host LAN...dunno. Let us know :)

ip nat inside source static zzz x.x.x.x yyy int qq yyy

zzz = 'tcp' or 'udp'
x.x.x.x = ip address of server (address to which the port is forwarded, a.k.a. inside local address)
yyy = the port number you want to forward
qq = name of the wan interface ('e1' or 'e0' or something, a.k.a. inside global)

try that out
No comment has been added lately (29 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: Award points to pedrow

Please leave any comments here within 7 days.



EE Cleanup Volunteer
If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers, please post a request in Community support (with a link to this page) to refund your points. http://www.experts-exchange.com/Community_Support/
Use your web interface at  There is no DMZ for this model by the way.  You can use PAT in the web interface to set up local to public addresses.  If using the CLI then try something like this;

! <...> marks an address that did not survive in the post; substitute your own
 ip address <inside-ip> <inside-mask>
 ip nat inside
 no ip mroute-cache
 no cdp enable
 hold-queue 32 in
 hold-queue 100 out
interface Ethernet1
 ip address <outside-ip> <outside-mask>
 ip nat outside
 ip inspect myfw out
 no ip mroute-cache
 no cdp enable
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static tcp <web-server-inside-ip> 80 interface Ethernet1 80
ip classless
ip route <prefix> <mask> <next-hop>
ip http server
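An added example, not the poster's configuration or pedrow's: a Python script that reads an IOS-style config of the shape posted above, lists every `ip nat inside source static` port forward (both the explicit-address form and the `interface Ethernet1` form), finds the ACL bound inbound on the `ip nat outside` interface, and reports which forwarded ports that ACL actually admits. The config text is constructed for the example; it mirrors the posted 806 config and adds an inbound access-list 101, which the post does not have, plus a deliberately forwarded tcp/22 and a deliberately permitted tcp/443 so the audit has something to flag. 203.0.113.10 (outside), 10.0.0.0/24 (inside), 10.0.0.80 (web) and 10.0.0.53 (DNS) are documentation addresses chosen for the example.

```python
"""Added example for this thread (not the poster's or pedrow's configuration):
parse `ip nat inside source static` port forwards and the inbound ACL on the
outside interface, then report which forwarded ports the ACL admits.
SAMPLE_CONFIG is constructed; its addresses are documentation ranges."""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
interface Ethernet1
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
 ip access-group 101 in
 ip inspect myfw out
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static tcp 10.0.0.80 80 interface Ethernet1 80
ip nat inside source static tcp 10.0.0.53 53 203.0.113.10 53 extendable
ip nat inside source static udp 10.0.0.53 53 203.0.113.10 53 extendable
ip nat inside source static tcp 10.0.0.80 22 203.0.113.10 22 extendable
access-list 101 permit tcp any host 203.0.113.10 eq 80
access-list 101 permit tcp any host 203.0.113.10 eq 53
access-list 101 permit udp any host 203.0.113.10 eq 53
access-list 101 permit tcp any host 203.0.113.10 eq 443
access-list 101 deny ip any any
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
"""

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) "
    r"(?:interface (\S+)|(\S+)) (\d+)(?: extendable)?$")
ACL_RE = re.compile(
    r"^access-list (\S+) permit (tcp|udp) any (?:host (\S+)|any) eq (\d+)$")


@dataclass(frozen=True)
class Forward:
    proto: str
    inside_local: str
    local_port: int
    inside_global: str
    global_port: int


@dataclass
class Interface:
    name: str
    ip: Optional[str] = None
    nat_role: Optional[str] = None   # "inside" or "outside"
    acl_in: Optional[str] = None     # from `ip access-group N in`


def parse_interfaces(config: str) -> dict:
    """Collect address, NAT role and inbound ACL for each `interface` block."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):               # any top-level command ends a block
            m = re.match(r"^interface (\S+)$", line)
            cur = Interface(m.group(1)) if m else None
            if cur:
                ifaces[cur.name] = cur
            continue
        if cur is None:
            continue
        body = line.strip()
        if m := re.match(r"^ip address (\S+) \S+$", body):
            cur.ip = m.group(1)
        elif m := re.match(r"^ip nat (inside|outside)$", body):
            cur.nat_role = m.group(1)
        elif m := re.match(r"^ip access-group (\S+) in$", body):
            cur.acl_in = m.group(1)
    return ifaces


def parse_forwards(config: str) -> list:
    """Static port forwards; the `interface X` form borrows X's address as inside global."""
    ifaces, forwards = parse_interfaces(config), []
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            proto, lip, lport, iface, gip, gport = m.groups()
            if iface:
                gip = ifaces[iface].ip
            forwards.append(Forward(proto, lip, int(lport), gip, int(gport)))
    return forwards


def parse_acl_permits(config: str, acl: str) -> set:
    """(proto, destination host or None for any, port) permitted by ACL `acl`."""
    permits = set()
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m and m.group(1) == acl:
            permits.add((m.group(2), m.group(3), int(m.group(4))))
    return permits


def audit(config: str) -> dict:
    """Forwards the inbound ACL admits, forwards it blocks, and permits with no forward behind them."""
    ifaces = parse_interfaces(config)
    outside = next(i for i in ifaces.values() if i.nat_role == "outside")
    forwards = parse_forwards(config)
    report = {"reachable": [], "blocked_by_acl": [], "permitted_without_forward": []}
    if outside.acl_in is None:                     # no inbound ACL: every static entry is open
        report["reachable"] = list(forwards)
        return report
    permits = parse_acl_permits(config, outside.acl_in)
    for f in forwards:
        ok = any(p == f.proto and h in (None, f.inside_global) and port == f.global_port
                 for p, h, port in permits)
        report["reachable" if ok else "blocked_by_acl"].append(f)
    forwarded = {(f.proto, f.global_port) for f in forwards}
    for p, h, port in sorted(permits, key=lambda t: (t[0], t[1] or "", t[2])):
        if (p, port) not in forwarded:
            report["permitted_without_forward"].append((p, port))
    return report


if __name__ == "__main__":
    for section, entries in audit(SAMPLE_CONFIG).items():
        print(section, entries)
```

Two things the audit makes visible on the posted 806 config: it has no `ip access-group ... in` on Ethernet1, so every static entry is reachable from anywhere, and `ip inspect myfw out` on its own only opens temporary holes for return traffic of sessions that started inside, it does not deny unsolicited inbound packets; an inbound ACL on the outside interface is what does that. Remember too that the router's own listeners (`ip http server`, the vty lines) answer on the outside address, so whatever you do not forward or permit is still worth checking from the Internet side.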