Suggested prerequisite reading
»Cisco Forum FAQ »NAT, PAT, Port Forward, Internet and Server Access: Introduction and Practices

For illustration purposes, I use:
* Cisco 806 router (2 Ethernet ports)
* ISP provided static IPs
* ISP provided DNS
* PPPoE (have to put username and password to connect to ISP)

Note:

1) When your ISP doesn't use PPPoE
If your ISP does not use PPPoE, this configuration can be easily modified to suit other types of ISP connection (i.e. Static, DHCP, PPPoA). Check out the other part of this forum's FAQ for such situations:
Various PPPoE/PPPoA/DHCP/Static Sample Configuration with Cisco

2) For servers other than FTP
For illustration purposes, I run an FTP server behind the router. This configuration can be modified to host a web server, a mail server, or any other public server that listens on specific TCP or UDP port(s). For a web server, replace TCP ports 20 and 21 with TCP port 80 (the standard web port) and possibly also TCP port 443 (the standard secure web port). For a mail server, use TCP port 25 (the standard SMTP port). For other servers, confirm in the software configuration which TCP/UDP port it uses, and forward only those ports: every port you forward is a port exposed to the whole Internet.

3) CLI-based sample configuration
As with most of the sample configurations in this Cisco Forum's FAQ, this FAQ uses CLI commands for the sample configuration and illustration. Should you be unfamiliar with CLI commands, or should the GUI not work, please review the following FAQ to get an understanding of the CLI:
»Cisco Forum FAQ »The most straight-forward way to configure Cisco router: Introduction to CLI

Background

Just a bit of explanation. The Ethernet0 interface is for the inside network (LAN interface). Ethernet1 is for the outside (ISP or WAN physical interface). Dialer1 is for PPPoE (the "actual"/logical WAN interface). 1.0.0.13 is an ISP provided static IP address for the use of the server. This configuration example is for running an FTP server, which uses the standard TCP ports 20 and 21.
The LAN uses the 10.10.10.0 network with the 255.255.255.0 subnet mask for both servers and workstations. All servers within the LAN use static IP addresses. The router is configured as a DHCP server to hand out IP info (IP address, subnet mask, DNS) to workstations that are configured as DHCP clients.

This sample configuration for setting up your own servers behind a Cisco router suggests multiple possible network designs. In general, the suggested network designs are either with or without port forwarding. When port forwarding is in place, NAT (Network Address Translation) and/or PAT (Port Address Translation) is involved. When there is no port forwarding in place, no NAT/PAT is involved.

Side Note: For more info on the NAT/PAT concept, check out the following FAQ
»Cisco Forum FAQ »NAT, PAT, Port Forward, Internet and Server Access: Introduction and Practices

When port forwarding is in place, usually all or most of the following are true:
* Servers use Private IP addresses (typically within the 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 ranges)
* Somewhere along the path between the servers and the Internet, there is a NAT/PAT device.

In the first part of the sample configuration, the servers use typical Private IP addresses and the Cisco router performs the NAT/PAT to bridge communication between the server and the Internet.

When there is no port forwarding in place, usually all or most of the following are true:
* Servers use Public, Internet-routable IP addresses (i.e. not within 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16)
* No NAT/PAT is in place between the servers and the Internet

In the second part of the sample configuration, the servers use Public IP addresses directly. The Cisco router does not perform NAT/PAT at all between the server and the Internet, since there is no reason to do so.
As a best practice, it is suggested not to do NAT/PAT or port forwarding between the server and the Internet when there are multiple Public IP subnets to use, or when there is a large Public IP subnet that you can divide into smaller networks. When there is only one Public IP address or a small subnet, then in general there is no other choice but to deploy NAT/PAT or port forwarding between the server and the Internet.

First Network Design: There is NAT/PAT in place between the server and the Internet (with port forwarding)

In this first part of the sample configuration, there are two PATs in place between Public and Private IP addresses. One is dynamic PAT, which uses a single Public IP address for all local workstations. The other is static PAT, which uses a single Public IP address for the server.

When using NAT/PAT, keep in mind that the Internet-accessible servers are seen from the Internet as their NAT/PAT-ed IP address (the Public IP address) and not as their local IP address (the Private IP address). A connection from an Internet user to the Public IP address is translated by the NAT/PAT device, in this case the router: the router rewrites the destination from the Public IP address and port to the matching Private IP address and port according to its static translation entry, and then routes the packet to the server using its routing table. In other words, the router (TCP/UDP) port forwards the connection from the Public IP address to the actual Private IP address, provided the proper routing is in place. This understanding is very important when you or someone else needs to test connectivity to the server, and when you need to create a filter (access list, or ACL for short) to allow only certain incoming traffic from the Internet and block the rest: an inbound ACL on the WAN interface is checked before the translation, so it must match on the Public (pre-translation) IP address, not the Private one.

The instruments used in this illustration are pretty much standard for running your own servers. Please note that IP addresses, username, and password have been changed. You can always modify the configuration to suit your situation. This sample configuration assumes that you have a block of IP addresses from your ISP.
There is a dedicated Public IP address for the router WAN interface (the Dialer1 interface) and another dedicated Public IP address for the server's PAT IP address. In this sample configuration, typical users on the 10.10.10.0/24 network are dynamically PAT-ed to the Dialer1 interface IP address when they go out to the Internet. When the 10.10.10.2 machine needs to go out to the Internet or to communicate with users on the Internet, 10.10.10.2 is statically PAT/NAT-ed to the 1.0.0.13 Public IP address.

If you only have a single Public IP address for both the router WAN interface and the server PAT IP address, instead of a block of IP addresses, there are several ways to configure the router. One way is to use the same command as shown in the sample configuration:

ip nat inside source static tcp 10.10.10.2 21 1.1.1.14 21 extendable

This way is suitable when you have a static IP address from your ISP and you know exactly what the IP address is. In this case you have the single static IP address 1.1.1.14 for both the WAN interface and the Public server IP address. Note that the command above shows the static PAT between the Public IP address (1.1.1.14) and the Private IP address (10.10.10.2).

When you are unsure which IP address you receive from the ISP, or when your Public IP address keeps changing, another way to configure the static PAT is the following:

ip nat inside source static tcp 10.10.10.2 21 interface Dialer1 21 extendable

With a dynamic IP address, at some point you still need to know the exact Public IP address you receive from your ISP, for server connection testing and for production use. To find out, issue the show ip interface brief command on the router. You will then see the Public IP address associated with the WAN interface. Note that the command above shows the static PAT between the Dialer1 interface Public IP address (the one shown in the show ip interface brief display) and the Private IP address (10.10.10.2). In this single-address case the static entry claims that port on the shared address, so it must not collide with a service the router itself offers there (for example, do not forward TCP 22 or 23 to a server if you also manage the router over SSH or Telnet from the Internet).
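To make the translation rules of this first design concrete, here is a small model of them, added here as an example and not code from the original FAQ. It models the two static PAT entries for the FTP server and the dynamic PAT (overload) on the Dialer1 address exactly as the text describes them: a static entry works in both directions and answers only for its own port, the overload entry exists only after a workstation sends something out, and an inbound packet matching neither is not forwarded to anyone. The server address 1.0.0.13 and the 10.10.10.0/24 LAN are the FAQ's; the Dialer1 address 1.0.0.14, the workstation and outside addresses and the port numbers are assumptions.

```python
"""Toy model of the translation rules in the first network design.

Added example, not code from the original FAQ. The Dialer1 address 1.0.0.14
and all port numbers below are assumptions; 1.0.0.13 and 10.10.10.0/24 are
the FAQ's own addresses.
"""
from ipaddress import ip_address, ip_network
from itertools import count
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]                 # (ip address, port)


class IosNat:
    """Static and dynamic 'ip nat inside source' behaviour, greatly simplified."""

    def __init__(self, outside_ip: str, inside_list: str, first_pat_port: int = 1024) -> None:
        self.outside_ip = outside_ip                 # interface Dialer1 address (assumed)
        self.inside_list = ip_network(inside_list)   # access-list 10
        # (proto, global endpoint) -> local endpoint, one per "static tcp" line
        self.static: Dict[Tuple[str, Endpoint], Endpoint] = {}
        # overload entries created by outbound traffic (real IOS also keys them
        # on the outside peer; this toy keys them on the global port only)
        self.dynamic: Dict[Tuple[str, Endpoint], Endpoint] = {}
        self._ports = count(first_pat_port)

    def static_port(self, proto: str, local: str, lport: int, glob: str, gport: int) -> None:
        """ip nat inside source static <proto> <local> <lport> <glob> <gport> extendable"""
        key = (proto, (glob, gport))
        if key in self.static:
            raise ValueError(f"{glob}:{gport}/{proto} is already forwarded to {self.static[key]}")
        self.static[key] = (local, lport)

    def inside_to_outside(self, proto: str, src: Endpoint) -> Optional[Endpoint]:
        """Source translation for a packet leaving via Dialer1.
        Returns the global source endpoint, or None if nothing translates it."""
        for (p, glob), local in self.static.items():
            if p == proto and local == src:
                return glob                      # static entries work both ways
        if ip_address(src[0]) not in self.inside_list:
            return None                          # not matched by access-list 10
        glob = (self.outside_ip, next(self._ports))
        self.dynamic[(proto, glob)] = src
        return glob

    def outside_to_inside(self, proto: str, dst: Endpoint) -> Optional[Endpoint]:
        """Destination translation for a packet arriving on Dialer1.
        None means no entry matches: the packet is not forwarded to any host."""
        key = (proto, dst)
        return self.static.get(key) or self.dynamic.get(key)

    def exposed(self) -> Dict[str, list]:
        """What the Internet can reach without any prior outbound session."""
        out: Dict[str, list] = {}
        for (proto, (ip, port)), local in sorted(self.static.items()):
            out.setdefault(ip, []).append(f"{port}/{proto} -> {local[0]}:{local[1]}")
        return out


def first_design() -> IosNat:
    nat = IosNat(outside_ip="1.0.0.14", inside_list="10.10.10.0/24")
    nat.static_port("tcp", "10.10.10.2", 20, "1.0.0.13", 20)
    nat.static_port("tcp", "10.10.10.2", 21, "1.0.0.13", 21)
    return nat


if __name__ == "__main__":
    nat = first_design()
    print("exposed:", nat.exposed())
    # Internet client opens the FTP control connection: forwarded to the server
    print(nat.outside_to_inside("tcp", ("1.0.0.13", 21)))        # ('10.10.10.2', 21)
    # ... but a passive-mode data port has no entry; only the NAT FTP ALG adds one
    print(nat.outside_to_inside("tcp", ("1.0.0.13", 60000)))     # None
    # active-mode data connection leaves from 1.0.0.13:20, not the Dialer1 address
    print(nat.inside_to_outside("tcp", ("10.10.10.2", 20)))      # ('1.0.0.13', 20)
    # a workstation browsing: overload entry, and only its reply comes back in
    g = nat.inside_to_outside("tcp", ("10.10.10.50", 51000))     # ('1.0.0.14', 1024)
    print(g, nat.outside_to_inside("tcp", g))                    # ... ('10.10.10.50', 51000)
```

The duplicate check in static_port is the same rule you hit when several servers share one Public IP address: a Public address and port pair can be forwarded to only one inside host. The model has no NAT hairpin, which is also the case for this router configuration, so a LAN host connecting to 1.0.0.13 is not steered back to the server; that is why the configuration has to be tested from the Internet side.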
Between Static and Dynamic IP Address Assignment for LAN Machines

Typically, servers have static IP addresses while regular workstations have dynamic IP addresses. As mentioned, all LAN machines (servers and workstations) are within the 10.10.10.0/24 subnet. Let's say you dedicate 10.10.10.1 to the router, 10.10.10.2 - 10.10.10.14 to servers, and the rest (10.10.10.15 - 10.10.10.254) to workstations. This illustration assumes all workstations receive a dynamic IP address (as DHCP clients) from the router, which acts as the LAN DHCP server, as indicated by the ip dhcp pool CLIENT command. Since the router and servers have static IP addresses, you exclude 10.10.10.1 - 10.10.10.14 from the DHCP pool. This is what the ip dhcp excluded-address 10.10.10.1 10.10.10.14 command is for. A static PAT entry points at a fixed inside address; if the server ever picked up a different address from DHCP, the forward would silently deliver Internet connections to whatever host got the old address instead, which is why the server address must be static and excluded from the pool.

For routers that only have one Ethernet port

As mentioned, this sample configuration uses a 2-Ethernet-port router. If your router has one Ethernet port as the LAN side and one DSL (ATM) port as the WAN side, check out the following link:
Configuring Network Address Translation and Static Port Address Translation to Support an Internal Web Server
From the link, you can see how similar and how different the configurations are.

Tips

* You can use any computer, running any operating system, with any generic FTP or other server software. There is no exclusiveness.
* Make sure that the ports you plan to use are not used by another program.
* Also make sure that your ISP does not block the port you plan to use. Check out the following thread for illustration:
  »[HELP] can't connect on port 25, what am I doing wrong?
* You can use generic port scanner software to find out if the port you plan to use is available.
* Set up the FTP software so that the FTP server uses port 21 (the standard port).
* FYI, port 21 only handles the control connection; in active (PORT) mode the server sends the data from port 20.
  With both ports PAT'd, active (PORT) mode works and the data connection leaves the router from 1.0.0.13:20 rather than from the Dialer1 address, which some FTP clients would otherwise reject. Passive (PASV) mode is different: the server picks an ephemeral data port and announces it on the control channel, and that port is not covered by the two static entries. On IOS it still works because the NAT FTP ALG watches the port 21 control session and creates the translation for the negotiated data port. If passive transfers fail while active ones work, check that the control connection really runs on port 21 (the ALG keys on it).
* To verify the configuration, access the server from the OUTSIDE network (i.e. from the Internet) and NOT from your own LAN. From the LAN, a connection to the Public IP address is not turned back toward the server by this configuration (there is no NAT hairpin), so a LAN test that fails tells you nothing. For this illustration, run an Internet browser (i.e. Internet Explorer, Netscape) and open ftp://1.0.0.13:21

The Sample Configuration

Finally, here is the "show running-config" output.

no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging buffered 4096 informational
enable secret 5 **********
!
ip subnet-zero
!
!
!!!!!! Configuring the router as DHCP server
ip dhcp excluded-address 10.10.10.1 10.10.10.14
!
ip dhcp pool CLIENT
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
!!!!!!
!
no ip dhcp-client network-discovery
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
!
!
!!!!!! This is the LAN side
interface Ethernet0
!!!!!! The IP address for the router
 ip address 10.10.10.1 255.255.255.0
!!!!!!
 ip nat inside
 no cdp enable
 hold-queue 32 in
!
!!!!!! Note that e1 has no IP address
interface Ethernet1
 no ip address
!!!!!!
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
!!!!!! The ISP's given IP address will be configured via d1
interface Dialer1
 ip address negotiated
!!!!!!
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname *********
 ppp chap password 7 *******
 ppp pap sent-username ******** password 7 *******
 ppp ipcp route default
!
!!!!!! This is the dynamic PAT between Dialer1 (WAN) interface IP address
!!!!!! and local IP addresses within ACL 10
ip nat inside source list 10 interface Dialer1 overload
!
!!!!!! This is the important part:
!!!!!! The server is an FTP server running generic FTP software
!!!!!! The FTP server is in the inside network using IP address 10.10.10.2
!!!!!! This configuration uses PAT (Port Address Translation) which deploys
!!!!!! port 20 and 21 (standard ports for FTP)
!!!!!!
!!!!!! The "ip nat inside source static" is the actual static PAT command for
!!!!!! running servers with Cisco router where the port forwarding takes place
!!!!!! between the Public and the Private IP address on specific TCP or UDP port
!!!!!!
!!!!!! Note that the word "extendable" is automatically added by the router
!!!!!! You don't have to enter the word when you configure the router
!!!!!!
ip nat inside source static tcp 10.10.10.2 20 1.0.0.13 20 extendable
ip nat inside source static tcp 10.10.10.2 21 1.0.0.13 21 extendable
ip classless
!!!!!! This command makes the router configurable using a web browser
!!!!!! such as Internet Explorer or Netscape, which is totally optional.
!!!!!! You can turn the feature off by entering "no ip http server"
!!!!!!
ip http server
!!!!!!
!
access-list 10 remark Local IP addresses for the dynamic PAT with the Dialer1 interface IP address
access-list 10 permit 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 login local
 length 0
!
scheduler max-task-time 5000
end

Two hardening notes on the configuration as shown. ip http server is on and nothing restricts who may talk to it, and the vty lines (Telnet) have no access-class, so both the web interface and Telnet login are reachable from the Internet on the Dialer1 address: turn the HTTP server off (no ip http server) or restrict it with ip http access-class, and put an access-class on line vty 0 4 that only permits LAN addresses. Also, service password-encryption only obscures the type 7 passwords (they are trivially reversible); the enable secret is the one that is properly hashed.

Command Adjustment for Specific Needs

The above sample configuration shows how to provide public FTP access. When you need to provide another access type, such as Web or Mail, the following command adjustments are needed.

To run a Public Web Server, the commands are:

ip nat inside source static tcp 10.10.10.2 80 1.0.0.13 80 extendable
ip nat inside source static tcp 10.10.10.2 443 1.0.0.13 443 extendable

To run a Public Mail Server, the command is:

ip nat inside source static tcp 10.10.10.2 25 1.0.0.13 25 extendable

To run both a Public Web and a Public Mail Server residing on different LAN machines, the commands are:
ip nat inside source static tcp 10.10.10.2 25 1.0.0.13 25 extendable
ip nat inside source static tcp 10.10.10.3 80 1.0.0.13 80 extendable
ip nat inside source static tcp 10.10.10.3 443 1.0.0.13 443 extendable

where 10.10.10.2 is the Mail Server and 10.10.10.3 is the Web Server. A Public IP address and port pair can be forwarded to only one inside host, so two servers can share 1.0.0.13 only as long as they need different ports.

To run both a Public Web and a Public Mail Server residing on different LAN machines, each with its own Public IP address, the commands are:

ip nat inside source static tcp 10.10.10.2 25 1.0.0.12 25 extendable
ip nat inside source static tcp 10.10.10.3 80 1.0.0.13 80 extendable

where 10.10.10.2 is the LAN Mail Server and 1.0.0.12 is the Public Mail Server address. Similarly, 10.10.10.3 is the LAN Web Server and 1.0.0.13 is the Public Web Server address.

If you would like to dedicate 1.0.0.12 only to the 10.10.10.2 machine and 1.0.0.13 only to the 10.10.10.3 machine, you can use Static NAT instead, as follows.

ip nat inside source static 10.10.10.2 1.0.0.12 extendable
ip nat inside source static 10.10.10.3 1.0.0.13 extendable

Some discussion
»[Config] Need help with internal server on Cisco 2821 Router
»Need Help On Allowing Telnet Access to an Interface

Keep the difference in mind: static PAT exposes only the listed TCP/UDP ports, whereas static NAT forwards every port and every protocol of the Public IP address to the inside machine. With such a Static NAT implementation you should therefore have an inbound ACL on the router WAN interface, or an Internet firewall, to regulate which inbound Internet traffic can reach those dedicated Public IP addresses. Following is a sample.
»Cisco Forum FAQ »Basic Internet Firewall for Routers without IOS image Firewall feature

Second Network Design: There is no NAT/PAT in place between the server and the Internet (without port forwarding)

In this second part of the sample configuration, there is one PAT in place between Public and Private IP addresses: a dynamic PAT which uses a single Public IP address for all local workstations. The servers use Public IP addresses directly. No NAT/PAT is in place between the workstations and the servers, and no NAT/PAT is in place between the Internet and the servers.
The network setup for this sample configuration is as follows.
Since the servers use Public IP addresses directly, the servers and the Internet Router are part of the Outside network (1.0.0.8/29). The Internet Router's Dialer1 interface receives the 1.0.0.14 IP address through PPP negotiation with the ISP. This 1.0.0.14 IP address is also the servers' default gateway. To simplify the route design, a dynamic routing protocol is used: in this sample configuration, RIP version 2 runs between the Internet Router and the Inside Router.

With the Outside network having the Public IP subnet 1.0.0.8/29 directly assigned, two points are established. One is that there is no need to do NAT/PAT for the Outside network, since Outside machines already use Internet-routable Public IP addresses. The other is that you avoid the split-horizon DNS setup (for example, two BIND views) that is otherwise needed to resolve an Outside server name to its Public IP for Internet clients and to its Private IP for internal clients. An Outside server's DNS name always resolves to its Public IP address, regardless of whether the traffic comes from the Internet or from the Inside network. More info on this issue can be found in the following FAQ.
»Cisco Forum FAQ »NAT, PAT, Port Forward, Internet and Server Access: Introduction and Practices

The Inside network (LAN) is 10.10.10.0/24, as configured on the Inside Router's Ethernet0. Traffic between the Outside and Inside networks passes with its original IP addresses (in general, the best practice), therefore there is no need to NAT the Inside network to access Outside and vice versa. As mentioned earlier, there is no NAT/PAT in place for the Outside network to go out to the Internet; in other words, there is no port forwarding between the Outside network and the Internet. Since there is no NAT/PAT between the Outside and Inside networks, there is no port forwarding between them either. This no-port-forwarding setup follows from the network design of using the actual/original IP addresses instead of NAT/PAT IP addresses, as described above.
There is, however, NAT/PAT in place for the Inside network to go out to the Internet. All Inside network machines are PAT-ed to the 1.0.0.9 IP address, the Inside Router's Outside (Ethernet1 interface) IP address, when going out to the Internet.

On the Internet Router, the default route installed by ppp ipcp route default is a static route; redistribute static route-map DEFAULT_GATEWAY with ACL 10 matching 0.0.0.0 injects only that default route into RIP, so the Inside Router learns its way out from the Internet Router, and passive-interface Dialer1 keeps RIP updates off the ISP link. Note that the Internet Router as shown has no inbound ACL on Dialer1, so every port of every host in 1.0.0.8/29 is reachable from the Internet until you add one (see ACL 101 in Scenario 2 below, or the Basic Internet Firewall FAQ linked above).

Internet Router

no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname InternetRouter
!
logging buffered 4096 informational
enable secret 5 **********
!
ip subnet-zero
!
bridge irb
!
no ip dhcp-client network-discovery
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
!
!
!!!!!! This is the Outside network
interface Ethernet0
 no ip address
 bridge-group 1
 hold-queue 32 in
!
!!!!!! This is facing the modem (ISP)
interface Ethernet1
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
!!!!!! The ISP's given IP address will be configured via d1
interface Dialer1
 ip address negotiated
!!!!!!
 ip mtu 1492
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname *********
 ppp chap password 7 *******
 ppp pap sent-username ******** password 7 *******
 ppp ipcp route default
 bridge-group 1
!
interface BVI1
 no ip address
!
router rip
 version 2
 passive-interface Dialer1
 redistribute static route-map DEFAULT_GATEWAY
 network 1.0.0.0
 no auto-summary
!
ip classless
no ip http server
!
access-list 10 remark Permitted Subnet to redistribute
access-list 10 permit 0.0.0.0
!
route-map DEFAULT_GATEWAY permit 10
 match ip address 10
 set metric 1
!
dialer-list 1 protocol ip permit
bridge 1 protocol ieee
bridge 1 route ip
!
no cdp run
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 login local
 length 0
!
scheduler max-task-time 5000
end

Inside Router

no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname InsideRouter
!
logging buffered 4096 informational
enable secret 5 **********
!
ip subnet-zero
!
!!!!!! Configuring the router as DHCP server
ip dhcp excluded-address 10.10.10.1 10.10.10.14
!
ip dhcp pool CLIENT
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
!!!!!!
!
!!!!!! This is the LAN side
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
!!!!!! This is the Outside network
interface Ethernet1
 ip address 1.0.0.9 255.255.255.248
 ip nat outside
!
router rip
 version 2
 network 1.0.0.0
 network 10.0.0.0
 no auto-summary
!
ip nat inside source list 100 interface Ethernet1 overload
!
ip classless
no ip http server
!
access-list 100 remark Only Internet traffic is NAT/PAT-ed
access-list 100 deny ip 10.10.10.0 0.0.0.255 1.0.0.8 0.0.0.7
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 login local
 length 0
!

The deny line in ACL 100 on the Inside Router is what keeps Inside-to-Outside traffic untranslated: a packet that the NAT access list denies is simply not translated, so the Outside servers see the real 10.10.10.x addresses, while everything else is PAT-ed to 1.0.0.9.

Having Servers on DMZ

Scenario 1: NAT/PAT for both DMZ and Inside networks

Let's say there is a DMZ network of 10.10.10.0/24 while the Inside network is 10.0.0.0/24 (this scenario uses a router with a third Ethernet port, Ethernet2, for the DMZ). Traffic between the DMZ and Inside networks passes with original IP addresses (in general, the best practice), therefore there is no need to NAT the Inside network to access the DMZ and vice versa. The DMZ network is only allowed to access the Inside DNS server (the 10.0.0.2 IP address) and no other Inside hosts, while the DMZ network is allowed to access anything Outside (the Internet). Such access is regulated by ACL 100, applied inbound on the DMZ interface. Note that, as written, ACL 100 also drops the packets a DMZ server sends back to an Inside client (its replies to 10.0.0.x match the deny line), so Inside users cannot reach the DMZ servers. If they need to, add a permit for established TCP from the DMZ to the Inside network above the deny line, or use stateful inspection where the IOS image has it; as shown, the example keeps the DMZ isolated from the Inside network apart from DNS. Following is the sample configuration.

no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging buffered 4096 informational
enable secret 5 **********
!
ip subnet-zero
!
!
!!!!!! Configuring the router as DHCP server
ip dhcp excluded-address 10.0.0.1 10.0.0.14
!
ip dhcp pool CLIENT
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
 dns-server 10.0.0.2
!!!!!!
!
no ip dhcp-client network-discovery
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
!
!
!!!!!! This is the LAN side
interface Ethernet0
!!!!!! The IP address for the router LAN interface
 ip address 10.0.0.1 255.255.255.0
!!!!!!
 ip nat inside
 no cdp enable
 hold-queue 32 in
!
!!!!!! Note that e1 has no IP address
interface Ethernet1
 no ip address
!!!!!!
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
!!!!!! This is the DMZ side
interface Ethernet2
!!!!!! The IP address for the router DMZ interface
 ip address 10.10.10.1 255.255.255.0
!!!!!!
 ip access-group 100 in
 ip nat inside
 no cdp enable
 hold-queue 32 in
!
!!!!!! The ISP's given IP address will be configured via d1
interface Dialer1
 ip address negotiated
!!!!!!
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname *********
 ppp chap password 7 *******
 ppp pap sent-username ******** password 7 *******
 ppp ipcp route default
!
!!!!!! This is the dynamic PAT between Dialer1 (WAN) interface IP address
!!!!!! and local IP addresses within ACL 10
ip nat inside source list 10 interface Dialer1 overload
!
!!!!!! This is the important part:
!!!!!! The server is an FTP server running generic FTP software
!!!!!! The FTP server is in the DMZ network using IP address 10.10.10.2
!!!!!! This configuration uses PAT (Port Address Translation) which deploys
!!!!!! port 20 and 21 (standard ports for FTP)
!!!!!!
!!!!!! The "ip nat inside source static" is the actual static PAT command for
!!!!!! running servers with Cisco router where the port forwarding takes place
!!!!!! between the Public and the Private IP address on specific TCP or UDP port
!!!!!!
!!!!!! Note that the word "extendable" is automatically added by the router
!!!!!! You don't have to enter the word when you configure the router
!!!!!!
ip nat inside source static tcp 10.10.10.2 20 1.0.0.13 20 extendable
ip nat inside source static tcp 10.10.10.2 21 1.0.0.13 21 extendable
ip classless
!!!!!! This command makes the router configurable using a web browser
!!!!!! such as Internet Explorer or Netscape, which is totally optional.
!!!!!! You can turn the feature off by entering "no ip http server"
!!!!!!
ip http server
!!!!!!
!
access-list 10 remark Local IP addresses for the dynamic PAT with the Dialer1 interface IP address
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 100 remark Permitted Access From DMZ to Inside
access-list 100 permit udp 10.10.10.0 0.0.0.255 host 10.0.0.2 eq 53
access-list 100 deny ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 login local
 length 0
!
scheduler max-task-time 5000
end

Scenario 2: NAT/PAT only for Inside network, no NAT/PAT for DMZ network

As in the earlier sample configurations, this part also uses the 1.0.0.8/29 Public IP subnet. However, there is an additional IP subnet, 1.0.0.0/30, on the WAN link, and that subnet provides the NAT/PAT IP address for the Inside network. The DMZ network does not use NAT/PAT at all; instead, the DMZ network uses 1.0.0.8/29 directly. Similar to the previous no-port-forwarding sample configuration, two points are established with the DMZ network having the Public IP subnet 1.0.0.8/29 directly assigned. One is that there is no need to do NAT/PAT for the DMZ network, since DMZ machines already use Internet-routable Public IP addresses. The other is that you avoid the split-horizon DNS setup (two BIND views) that would otherwise be needed to resolve a DMZ server name to its Public IP for Internet clients and to its Private IP for Inside clients. A DMZ server's DNS name always resolves to its Public IP address, regardless of whether the traffic comes from the Internet or from the Inside network.
Now let's describe the network setup. The 1.0.0.8/29 IP subnet is assigned directly to all DMZ machines. 1.0.0.14 is used as the DMZ network default gateway, which is also the router's DMZ interface IP address. The Inside network is 10.0.0.0/24. Traffic between the DMZ and Inside networks passes with original IP addresses (in general, the best practice), therefore there is no need to NAT the Inside network to access the DMZ and vice versa. The DMZ network is only allowed to access the Inside DNS server (the 10.0.0.2 IP address) and no other Inside hosts, while the DMZ network is allowed to access anything Outside (the Internet). Such access is regulated by ACL 100 (note that, as written, it also drops a DMZ server's replies to Inside clients, so Inside users cannot reach the DMZ servers unless a permit for established TCP from the DMZ is added above the deny line). As mentioned earlier, there is no NAT/PAT in place for the DMZ network to go out to the Internet; in other words, there is no port forwarding between the DMZ network and the Internet. Since there is no NAT/PAT between the DMZ and Inside networks, there is no port forwarding between them either. This no-port-forwarding setup follows from the design of using the actual/original IP addresses instead of NAT/PAT IP addresses, as described above.

There is, however, NAT/PAT in place for the Inside network to go out to the Internet. All Inside network machines are PAT-ed to the 1.0.0.2 IP address, the router's WAN interface IP address, when going out to the Internet. The DMZ network still hosts the FTP server, which is directly assigned the 1.0.0.13 IP address. For security, ACL 101 on the WAN interface permits only the necessary incoming traffic from the Internet and blocks everything else.

Three things to know about ACL 101 as written. First, the "established" keyword is not stateful: it matches any TCP segment with the ACK or RST flag set, so a probe carrying those flags (an ACK scan, for instance) passes the filter to any port on the DMZ subnet or on 1.0.0.2, and it is the end host that has to reject it. Second, the "udp any eq domain" lines let in any UDP datagram whose source port is 53, not only real DNS replies. Third, because there is no NAT here, a passive-mode FTP data connection arrives as a new inbound SYN to an ephemeral port on 1.0.0.13 and is blocked; only active (PORT) mode works through this ACL, unless you pin the server's passive port range and permit it as well. These are the limits of packet filtering on a router without the IOS Firewall feature set; where the image supports it, stateful inspection (ip inspect or the zone-based firewall) or reflexive ACLs are the stronger choice. Following is the sample configuration.

no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging buffered 4096 informational
enable secret 5 **********
!
ip subnet-zero
!
!
!!!!!! Configuring the router as DHCP server
ip dhcp excluded-address 10.0.0.1 10.0.0.14
!
ip dhcp pool CLIENT
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
 dns-server 10.0.0.2
!!!!!!
!
no ip dhcp-client network-discovery
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
!
!
!!!!!! This is the LAN side
interface Ethernet0
!!!!!! The IP address for the router LAN interface
 ip address 10.0.0.1 255.255.255.0
!!!!!!
 ip nat inside
 no cdp enable
 hold-queue 32 in
!
!!!!!! Note that e1 has no IP address
interface Ethernet1
 no ip address
!!!!!!
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
!!!!!! This is the DMZ side
interface Ethernet2
!!!!!! The IP address for the router DMZ interface
 ip address 1.0.0.14 255.255.255.248
!!!!!!
 ip access-group 100 in
 no cdp enable
 hold-queue 32 in
!
!!!!!! The ISP's given IP address will be configured via d1
interface Dialer1
 ip address 1.0.0.2 255.255.255.252
!!!!!!
 ip mtu 1492
 ip access-group 101 in
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname *********
 ppp chap password 7 *******
 ppp pap sent-username ******** password 7 *******
 ppp ipcp route default
!
!!!!!! This is the dynamic PAT between Dialer1 (WAN) interface IP address
!!!!!! and local IP addresses within ACL 10
ip nat inside source list 10 interface Dialer1 overload
!
ip classless
!!!!!! This command makes the router configurable using a web browser
!!!!!! such as Internet Explorer or Netscape, which is totally optional.
!!!!!! You can turn the feature off by entering "no ip http server"
!!!!!!
ip http server
!!!!!!
!
access-list 10 remark Local IP addresses for the dynamic PAT with the Dialer1 interface IP address
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 100 remark Permitted Access From DMZ to Inside
access-list 100 permit udp 1.0.0.8 0.0.0.7 host 10.0.0.2 eq 53
access-list 100 deny ip 1.0.0.8 0.0.0.7 10.0.0.0 0.0.0.255
access-list 100 permit ip 1.0.0.8 0.0.0.7 any
access-list 101 remark Permitted Access From Internet to Both DMZ and Inside
access-list 101 permit icmp any host 1.0.0.2 echo-reply
access-list 101 permit icmp any 1.0.0.8 0.0.0.7 echo-reply
access-list 101 permit icmp any host 1.0.0.2 time-exceeded
access-list 101 permit icmp any 1.0.0.8 0.0.0.7 time-exceeded
access-list 101 permit icmp any host 1.0.0.2 unreachable
access-list 101 permit icmp any 1.0.0.8 0.0.0.7 unreachable
access-list 101 permit tcp any host 1.0.0.13 range 20 21
access-list 101 permit udp any eq domain host 1.0.0.2
access-list 101 permit udp any eq domain 1.0.0.8 0.0.0.7
access-list 101 permit tcp any host 1.0.0.2 established
access-list 101 permit tcp any 1.0.0.8 0.0.0.7 established
dialer-list 1 protocol ip permit
no cdp run
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 login local
 length 0
!
scheduler max-task-time 5000
end

More Sample Configuration
»Cisco Forum FAQ »Configure DMZ on routers
»Cisco Forum FAQ »Internet - Router - PIX/ASA - LAN

Troubleshooting FTP Server related
Active FTP vs. Passive FTP, a Definitive Explanation
»FTP server doesn't work on port 21, works on other ports

Some Discussions
»Cisco IOS NAT problem
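To see what ACL 100 and ACL 101 of Scenario 2 actually do with traffic, here is a first-match evaluator for them, added as an example and not code from the original FAQ. It reimplements the part of IOS extended-ACL semantics that matters here: top-down first match, an implicit deny at the end, wildcard masks (written as CIDR prefixes), and "established" meaning only that the ACK or RST flag is set. The ACL entries are transcribed from the Scenario 2 configuration (the ACL 100 of Scenario 1 has the same shape with 10.10.10.0/24 as the DMZ range); the client addresses 198.51.100.7 and 203.0.113.9, the port numbers and the packets themselves are constructed for the example.

```python
"""First-match evaluation of the Scenario 2 access lists.

Added example, not code from the original FAQ. The ACEs are transcribed
from the Scenario 2 configuration; the packets, client addresses and port
numbers are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()    # TCP flags present, e.g. {"SYN"}
    icmp_type: str = ""               # e.g. "echo-reply"


@dataclass(frozen=True)
class Ace:
    """One access-list entry: permit/deny proto src dst [ports] [established]."""
    action: str
    proto: str                        # "ip" matches every protocol
    src: str                          # CIDR; "any" is 0.0.0.0/0
    dst: str
    sport: Optional[Tuple[int, int]] = None   # (lo, hi), None = any port
    dport: Optional[Tuple[int, int]] = None
    established: bool = False
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.sport and not (self.sport[0] <= p.sport <= self.sport[1]):
            return False
        if self.dport and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False              # flag check only; IOS keeps no state table here
        if self.icmp_type and self.icmp_type != p.icmp_type:
            return False
        return True


def evaluate(acl: List[Ace], p: Packet) -> str:
    """IOS semantics: the first matching ACE decides; otherwise implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


ANY, DMZ, INSIDE = "0.0.0.0/0", "1.0.0.8/29", "10.0.0.0/24"

# access-list 100, applied inbound on the DMZ interface (Ethernet2)
ACL_100 = [
    Ace("permit", "udp", DMZ, "10.0.0.2/32", dport=(53, 53)),
    Ace("deny",   "ip",  DMZ, INSIDE),
    Ace("permit", "ip",  DMZ, ANY),
]

# access-list 101, applied inbound on the WAN interface (Dialer1)
ACL_101 = [
    Ace("permit", "icmp", ANY, "1.0.0.2/32",  icmp_type="echo-reply"),
    Ace("permit", "icmp", ANY, DMZ,           icmp_type="echo-reply"),
    Ace("permit", "icmp", ANY, "1.0.0.2/32",  icmp_type="time-exceeded"),
    Ace("permit", "icmp", ANY, DMZ,           icmp_type="time-exceeded"),
    Ace("permit", "icmp", ANY, "1.0.0.2/32",  icmp_type="unreachable"),
    Ace("permit", "icmp", ANY, DMZ,           icmp_type="unreachable"),
    Ace("permit", "tcp",  ANY, "1.0.0.13/32", dport=(20, 21)),
    Ace("permit", "udp",  ANY, "1.0.0.2/32",  sport=(53, 53)),
    Ace("permit", "udp",  ANY, DMZ,           sport=(53, 53)),
    Ace("permit", "tcp",  ANY, "1.0.0.2/32",  established=True),
    Ace("permit", "tcp",  ANY, DMZ,           established=True),
]

SYN, ACK = frozenset({"SYN"}), frozenset({"ACK"})
CLIENT = "198.51.100.7"               # constructed Internet client address


def scenario2_results() -> dict:
    """Constructed packets and the verdict each ACL gives them."""
    return {
        "dmz_dns_query":       evaluate(ACL_100, Packet("udp", "1.0.0.13", "10.0.0.2", 40000, 53)),
        "dmz_to_inside_ssh":   evaluate(ACL_100, Packet("tcp", "1.0.0.13", "10.0.0.5", 40001, 22, SYN)),
        # the FTP server answering an Inside client is caught by the deny line
        "dmz_reply_to_inside": evaluate(ACL_100, Packet("tcp", "1.0.0.13", "10.0.0.5", 21, 50000, ACK)),
        "dmz_to_internet":     evaluate(ACL_100, Packet("tcp", "1.0.0.13", "203.0.113.9", 40002, 443, SYN)),
        "ftp_control_syn":     evaluate(ACL_101, Packet("tcp", CLIENT, "1.0.0.13", 50001, 21, SYN)),
        "pasv_data_syn":       evaluate(ACL_101, Packet("tcp", CLIENT, "1.0.0.13", 50002, 60000, SYN)),
        "ack_scan":            evaluate(ACL_101, Packet("tcp", CLIENT, "1.0.0.13", 50003, 22, ACK)),
        "udp_from_port_53":    evaluate(ACL_101, Packet("udp", CLIENT, "1.0.0.13", 53, 31337)),
        "ssh_to_wan":          evaluate(ACL_101, Packet("tcp", CLIENT, "1.0.0.2", 50004, 22, SYN)),
        "ping_request":        evaluate(ACL_101, Packet("icmp", CLIENT, "1.0.0.13", icmp_type="echo")),
    }


if __name__ == "__main__":
    for name, verdict in scenario2_results().items():
        print(f"{name:22} {verdict}")
```

The results line up with the caveats in the text: the DNS query from the DMZ is permitted while the FTP server's reply to an Inside client is dropped by ACL 100's deny line; through ACL 101 the FTP control SYN passes, a passive-mode data SYN does not, an ACK-flagged probe to port 22 on the DMZ subnet passes because "established" checks flags only, and a UDP datagram from source port 53 reaches any DMZ port.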
© 1999-2012 dslreports.com