NAT Inbound Mapping

While NAT is most commonly looked at as a way to allow internal clients to gain access to the Internet, it can also be used to allow external Internet hosts to gain access to resources on a private network. Recall that by default, a NAT server will drop all packets that are not replies to requests that were originated from the internal private network. However, it is also possible that your company has servers on its internal privately addressed network that need to be accessible from the Internet – both mail and web servers are good examples. In order to accomplish this, companies will most commonly use what is known as an inbound static mapping. This technique takes requests that are made to a certain ports on the external public interface of the NAT router, and statically maps them to an address and port number on the private network. If multiple public IP addresses are available, individual public addresses can be mapped to internal private addresses on a one-to-one basis.

Imagine that a company wishes to host its web server internally. In order for Internet clients to access our server, it will need to be accessible using a public IP address. In this example, the web server has a private address,, and is waiting for connections on the default HTTP port, TCP 80. This is illustrated in the figure below.

Figure: A web server hosted on the internal private network can be accessed from the Internet if an inbound static mapping is defined.

In order to allow Internet hosts to access the HTTP server, we will need to create an inbound static mapping. This will involve configuring NAT such that when it receives a request on the router’s public interface that is destined for TCP port 80, it will forward the request to the web server at, port 80. To the outside world, it appears as though our web server can be found at the public address. In reality, these requests are being translated by NAT and forwarded to the designated address and port on the internal network. This allows us to host services on the internal network, without external clients being any the wiser as to the true location of a server.

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions. Click here to contact Dan.