Step 6: Port Forwarding with NAT

This section shows an example of a single inbound Network Address Translation (NAT) port forward, also known as NAT pinholes or port mapping, to access an internal web host.

Although VPN connections are preferred, sometimes it is desired, or necessary, to provide direct access to an internal networked device.

Use good judgement AND action when permitting access to the network connected device from the outside.

Good practices on internet accessible devices:

  • Change all default passwords

  • Only provide access to needed ports

  • Update firmware to latest and periodicly

  • Include source addresses in your ACLs (access control lists) rules whenever possible

  • Don’t use low grade-dog-food networked products - if the vendor does not put their name on the product, definitely avoid it

With due diligence (see above), NAT port forwarding can be used to provide specific outside access to inside networked devices.

In this recipe, we setup NAT port forwarding to an internal system with a web interface to provide remote access to a support technician.

NAT Port Forwarding

Define NAT port forwarding rule:

nat static mapping tcp local 172.21.89.12 8443 external outside 8443

Permit Port Forward Traffic with ACL

Traffic that is port forwarded by NAT must also be permitted by the outside access control list (ACL). The ACL is created and applied to input queue access-list on the outside interface.

acl http-outside
  rule 10
    desc Permit from Corp to TCP-8443
    action permit
    ip-version ipv4
    source address 198.51.100.0/24
    protocol tcp
    destination port 8443
    exit
  exit
#
# Apply ACL to interface Access-List
interface outside
  access-list input acl http-outside sequence 101
  exit

The internal web host is should now be accessible from permitted IP addresses. Test to confirm that the configuration is correct.