Tutorial – Cisco Router Port Forwarding (PNAT)

This is a short tutorial of basic port forwarding (PNAT) on a Cisco router without a device reboot/reload.

Performing a simple PNAT on a Cisco requires very little configuration. Firstly the PNAT entry needs to be created and then a quick check on the access control lists (ACL) to confirm the protocol and port is permitted.

[box type="info"] Just note that this documents steps were performed on a Cisco 877 router, it “should” still be valid configuration for most Cisco routers.[/box]

Step 1: Adding the Port Forward (PNAT) Entry

This step will give you example syntax to create a port forwarding entry. You will need to refer to step 2 to ensure you have the correct ACL’s setup. Also note that you don’t need to reboot/reload after adding this entry.

Connect to your router

Switch to configure mode

Enter the port forwarding (PNAT) command, for example I want to forward SSH connections from the Internet into a local server with the IP address of

…and that’s the command, obviously you would change the IP address and ports as desired. You can even map completely different ports to obfuscate your services. For example lets map our internal SSH server ( to the outside using port 2233.

Another thing to note is Dialer0. You would obviously change the interface “Dialer0″ with your interface name (FastEthernet0/1 for example), or alternatively if you are using a static public IP address you could enter it as

Step 2: Configure Access Control List (ACL’s)

Even though a map has been created the ACL’s may still prevent the traffic. We’ll need to get the access-list number for the Dialer0 interface and then modify it.

View the running configuration. Note you do not run this while in configure mode, if your prompt has “(config)#” then type “exit”.

Scroll through the output, you’ll be looking for the section titled “interface Dialer0″. Here is a trimmed down output of Dialer0 interface

Notice the line “ip access-group 101 in”, this tells us that we need to modify access-list 101 to enable port 22 inbound.

Lets get the current configuration of the access-list 101

Now lets insert a rule at the top of the ACL list to allow inbound SSH connections.

…and that’s it, you’ll now be able to SSH into your internal server on port 22. No reboot/reload required either!

If you went down the obfuscation path and you used port 2233, then rule would like

Lets have a quick look at what our access-list looks like now

Step 3: Save your config

If you are happy with your changes, save it to the startup-config

[author] [author_image timthumb='on']http://mcdee.com.au/wp-content/uploads/2012/11/photo.jpg[/author_image] [author_info]Andrew McDonald is an IT Systems Admin and all round technology junkie. Absolutely a jack-of-all-trades and not one to shy away from a challenge.

 [/author_info] [/author]