[Last Call] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 296
  • Last Modified:

Port forwarding through several natted environments (possible?)

Alright, I have a pretty complicated network (i think anyway). It is kind of confusing, but here is a diagram


The scenario:
Ok, I bought the domain name dissolvedz.com. I will be hosting a stand alone website. And I also have an internal exchange server on a different network.  I will be pointing my MX records (for mail) to my public IP address here at home ( I will also be using A records to point "www.dissolvedz.com"  to my same public IP address here at home( for the webserver

The webserver:
No problem with the webserver. It is in the same network as my gateway (cable router So port forwarding is a easy. Just forward port 80 to it.

The problem:
My exchange server on the other hand, is buried a few networks deep. Is it going to be able to function properly?  Looks like I will have to pass port 25 through several NATTed environments (routers). Is this possible? There has to be a way, we forward ports through several routers here at work.

Thanks in advance gentlemen
  • 3
  • 2
1 Solution
Absolutely no reason why this shouldn't work. I have worked on similar setups in the past (double NAT) and most things work fine. If a protocol will work through one NAT, then it will usually work through two just as easily.

I can think of one of the sites that we manage that has an Exchange server behind an ISA server, behind a PIX firewall (PIX does NAT, ISA does NAT again) and it all works fine.
dissolvedAuthor Commented:
 So I just need to forward port 25 from the cable router and send it to 2500a (
 Where it will then get routed through the network, before finally reaching the network (where my exchange server works)

Since all ports on routers are open, I shouldnt have to do anything but forward port 25 on my cable router right?
One question, are you doing NAT on either the 2500a or 2500b ?

If not, then you would forward port 25 on the cable router to and then it would be routed to it's destination as long as the cable router has a route statement that says to send all traffic for via 2500a (

If you are doing NAT on one of your 2500 routers, then you would need to forward port 25 (from the cable router) to the IP address of whichever router is doing the NAT, then setup a static NAT on that router to get the traffic to the Exchange server.

Which solution you use may also depend on the capabilities of your cable router to port forward to a subnet it is not directly attached to.

Hopefully this is making sense ? I know you've closed the question, but if you need clarification, just ask.
dissolvedAuthor Commented:
Well NAT only happens when your translating public to private IP right?  (may be wrong on this one)

NAT is built into my cable router and I cant turn it off.
My cable router (, can only forward traffic to the subnet it is directly attached to.

I was thinking of forwarding port 25 from my cable router ( to my 2500a ( The 2500a is using RIP and knows how to get to router 2500b ( network).

Also, 2 last questions:
 1. Would I still need to do static NAT if the routing table of the 2500a has a route to the network?
2. Is static NAT (in cisco routers) the same thing as port forwarding that low end routers do?

Much appreciated, I left you positive feedback as well.
thanks for the feedback, my very first :)

NAT doesn't HAVE to translate public to private, there are many reasons why you might use NAT (including private to private translations). I worked on a project where a company moved it's main server (an AS/400) to a new data center. To save having to change the IP address that 1000's of clients connect to for the old address, we simply NAT'ed to the new address at a few key routers. This was a private to private NAT, but allowed a much quicker migration than would have been possible if all of the client machines had to have a new connection to the server configured on them.

1. Yes, you would have to do this if you are doing port forwarding to the 2500a. The reason for this is that after the port forwarding, the packet will have a destination address of If that is the destination address, then how will it eve get to your Exchange server at It often helps to create a theoretical packet for each stage of the journey and then work out what would happen to that packet based on the normal routing processes.

2. It is much the same thing, I think they just call it "port forwarding" for a couple of reasons:
a. not to confuse the masses
b. it doesn't have all of the features of proper NAT (ie. what you get from a Cisco router).

As I said, if you had a Cisco router as your cable connection, you could NAT directly to the destination IP (on a different subnet) and let the packet get routed to the server, but this way, you are forced to do double NAT.

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now