In the previous lesson, we learned how to configure basic Static NAT to permanently map an internal address to a public IP so that external users can access it. That configuration allowed all ports to pass through to the inside host.
In this lesson, we take that concept further by applying port-specific static NAT so that only a single service — in this case, HTTP on TCP port 80 — is reachable from the internet. This provides more control over what is exposed while still giving outside users access to the intended service.
Web Server: 192.168.1.100 should be reachable from the internet at 200.1.1.100 but only for HTTP.
Router:
Inside (LAN) interface: FastEthernet0/0 — 192.168.1.1/24
Outside (WAN) interface: FastEthernet0/1 — 200.1.1.1/24
Network Topology
Marks the LAN-facing interface as ip nat inside and the WAN-facing interface as ip nat outside so the router knows which direction translations apply.
Creates a one-to-one mapping for only TCP port 80 from 200.1.1.100 to 192.168.1.100. All other ports to this public IP are ignored by NAT.
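The two configuration steps described above, written out as an added example rather than the page's own configuration. Interface names and addresses follow the lesson's topology; the `description` and `no shutdown` lines are assumptions added for completeness.

```cisco
! Added example: interface roles plus port-specific static NAT (not the page's own config).
interface FastEthernet0/0
 description Inside (LAN)            ! assumed description
 ip address 192.168.1.1 255.255.255.0
 ip nat inside                        ! translations apply to traffic entering/leaving here as "inside"
 no shutdown
!
interface FastEthernet0/1
 description Outside (WAN)           ! assumed description
 ip address 200.1.1.1 255.255.255.0
 ip nat outside                       ! WAN side; inside-global addresses live on this side
 no shutdown
!
! Port-specific static NAT: only TCP/80 arriving at 200.1.1.100 is translated to
! 192.168.1.100:80. Packets to any other port on 200.1.1.100 match no translation.
ip nat inside source static tcp 192.168.1.100 80 200.1.1.100 80
```

Because 200.1.1.100 is not configured on any router interface, the router still answers ARP for it on the outside segment as part of the static NAT entry, so upstream devices on 200.1.1.0/24 can reach it. Confirm with `show ip nat translations` that exactly one entry exists and that its inside-global column reads 200.1.1.100:80, not the bare address.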
1. Check NAT Translations
R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 200.1.1.100:80     192.168.1.100:80   ---                ---
Confirms the static NAT entry exists and is restricted to TCP port 80.
2. Check NAT Statistics
R1# show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic)
Outside interfaces:
FastEthernet0/1
Inside interfaces:
FastEthernet0/0
Hits: 0 Misses: 0
Shows that NAT is active and currently tracking one static entry.
| Mistake | Symptom | Solution |
|---|---|---|
| Forgetting to use protocol and port in static NAT | All ports open to the server | Use port-specific syntax |
| Incorrect NAT role assignment on interfaces | NAT doesn’t work | Verify ip nat inside and ip nat outside are correct |
| Using the router’s own public IP for static mapping | Server unreachable | Assign a separate public IP for the server |
If you wanted to allow full access to an internal FTP server:
This maps all ports from 200.1.1.101 to 192.168.1.101. Use with caution, as all services on that host become accessible from the internet (just like the previous lesson). If you want just FTP access, restrict it to only the FTP service on port 21:
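Both FTP variants described above, as an added example that is not the page's own configuration. The addresses are the ones the lesson gives for the FTP server; everything else is the standard IOS static NAT syntax.

```cisco
! Added example (not from the page): full static mapping for the FTP server.
! Every TCP and UDP port on 200.1.1.101 is forwarded to 192.168.1.101.
ip nat inside source static 192.168.1.101 200.1.1.101
!
! Port-specific alternative: expose only the FTP control channel (TCP/21).
! Remove the full mapping first; IOS will not accept both for the same
! inside-local / inside-global pair.
no ip nat inside source static 192.168.1.101 200.1.1.101
ip nat inside source static tcp 192.168.1.101 21 200.1.1.101 21
```

One check worth doing in the lab: FTP opens a separate data connection in addition to the control channel on port 21, so run a transfer and watch `show ip nat translations` to see whether the router's FTP application-layer gateway creates the extra entries it needs. If the login succeeds but directory listings or transfers hang, the data channel is the first thing to look at.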
You may have noticed that while this NAT configuration only translates port 80 for the web server, other traffic from the internet can still reach the router or other inside resources if NAT or routing allows it. This is because NAT is not a firewall — it simply translates addresses and ports.
In a real network, you would typically have a separate firewall device. In our scenario, we can simulate adding an inbound ACL on the outside interface to block all unwanted traffic. For example:
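The inbound ACL described here, as an added example (not the page's own configuration). The ACL number 100 is an arbitrary choice; the interface and addresses follow the lesson's topology.

```cisco
! Added example (not from the page): extended ACL applied inbound on the WAN side.
! For outside-to-inside traffic IOS evaluates the inbound ACL before NAT, so the
! ACL must match the public (inside-global) address 200.1.1.100, not 192.168.1.100.
access-list 100 permit tcp any host 200.1.1.100 eq 80
access-list 100 deny ip any any log        ! "log" is optional; it records what was dropped
!
interface FastEthernet0/1
 ip access-group 100 in
```

Verify with `show access-lists 100` after browsing to the web server: the permit line's hit counter should increase, while a connection attempt to any other port on 200.1.1.100 increments the deny line instead. Note that this ACL also drops reply packets for any session that inside hosts open outbound through this router, so in a lab where the LAN also needs to browse the internet you would have to add a `permit tcp any any established` line or use stateful inspection instead of a plain ACL.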
This allows only HTTP requests to the web server’s public IP and blocks all other inbound packets.
Refer to the previous ACL lesson to review extended ACL syntax and placement rules before applying this in the lab.
The lab is available for download from this link. Try recreating the sample lab above using the provided IP addressing scheme.