Step 6: Port Forwarding with NAT
This section shows an example of a single inbound Network Address Translation (NAT) port forward, also known as NAT pinholes or port mapping, to access an internal web host.
Although VPN connections are preferred, sometimes it is desired, or necessary, to provide direct access to an internal networked device.
Use good judgement AND action when permitting access to a network-connected device from the outside.
Good practices on internet-accessible devices:
Change all default passwords
Only provide access to needed ports
Update firmware to the latest version, and keep updating it periodically
Include source addresses in ACL (access control list) rules whenever possible
Don't use low-grade, dog-food networked products - if the vendor does not put their name on the product, definitely avoid it
With due diligence (see above), NAT port forwarding can be used to provide specific outside access to inside networked devices.
In this recipe, we set up NAT port forwarding to an internal system with a web interface to provide remote access to a support technician.
NAT Port Forwarding
Define NAT port forwarding rule:
nat static mapping tcp local 172.21.89.12 8443 external WAN 8443
Permit Port Forward Traffic with ACL
Traffic that is port forwarded by NAT must also be permitted by the WAN access control list (ACL). The ACL is created and then applied as an input access list on the WAN interface.
acl http-WAN
  rule 10
    desc Permit from Corp to TCP-8443
    action permit
    ip-version ipv4
    source address 198.51.100.0/24
    protocol tcp
    destination port 8443
    exit
  exit
#
# Apply ACL to interface Access-List
interface WAN
  access-list input acl http-WAN sequence 101
  exit
The internal web host should now be accessible from permitted IP addresses. Test to confirm that the configuration is correct.
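As an added example (not part of the original recipe or the vendor's tooling), the following Python sketch audits a saved copy of the commands above: for each NAT forward it reports whether an applied input ACL permits the port and whether that rule is limited to specific source addresses. It parses only the command layout shown on this page, assumes the ACL matches on the external port, and the second forward (172.21.89.13, TCP 8080) and the function name `audit` are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the page's forward and ACL plus a hypothetical TCP 8080 forward.
SAMPLE = """
nat static mapping tcp local 172.21.89.12 8443 external WAN 8443
nat static mapping tcp local 172.21.89.13 8080 external WAN 8080
acl http-WAN
  rule 10
    action permit
    source address 198.51.100.0/24
    protocol tcp
    destination port 8443
    exit
  rule 20
    action permit
    protocol tcp
    destination port 8080
    exit
  exit
interface WAN
  access-list input acl http-WAN sequence 101
  exit
"""

def audit(cfg):
    """Map each forwarded external port (assumed to be what the ACL matches) to a verdict."""
    rules, bound, verdicts, acl, rule = {}, set(), {}, None, None
    for line in map(str.strip, cfg.splitlines()):
        if m := re.fullmatch(r"acl (\S+)", line):
            acl = m.group(1)
        elif m := re.fullmatch(r"access-list input acl (\S+) sequence \d+", line):
            bound.add(m.group(1))  # this ACL is applied as an input ACL
        elif re.fullmatch(r"rule \d+", line):
            rules.setdefault(acl, []).append(rule := {})
        elif line == "exit":
            rule = None
        elif rule is not None:  # "source address X" -> {"source address": "X"}
            key, _, value = line.rpartition(" ")
            rule[key] = value
    live = [r for a in bound for r in rules.get(a, []) if r.get("action") == "permit"]
    nat = r"nat static mapping (\S+) local \S+ \d+ external \S+ (\d+)"
    for proto, port in re.findall(nat, cfg):
        nets = [ipaddress.ip_network(r.get("source address", "0.0.0.0/0")) for r in live
                if r.get("protocol") == proto and r.get("destination port") == port]
        verdicts[port] = ("no permit rule in an applied input ACL" if not nets else
                          "exposed: permitted from any source" if any(n.prefixlen == 0 for n in nets)
                          else "restricted to " + ", ".join(map(str, nets)))
    return verdicts
```

Running `audit(SAMPLE)` reports port 8443 as restricted to 198.51.100.0/24 and the hypothetical port 8080 as exposed to any source, which is the case the source-address guidance above is meant to prevent.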