topic NAT and Access List in Network Security

NAT and Access List

James Hoggard — Tue, 12 Mar 2019 03:16:10 GMT

Please can somone explain the following...

why do some people define a service for example 3389 or http in there static NAT rule?

Is it not easier to use serivce IP and then define what you want through an access list?

NAT and Access List

Jouni Forss — Wed, 11 Dec 2013 12:12:40 GMT

Hi,

I guess you are asking why some people configure Static PAT (Port Forward) rather than Static NAT?

In some cases that I have seen I would say using Static PAT is just a mistake in the configuration format by the user. What I mean is that I think the users think that this is how its supposed to be done and end up with a messy NAT configuration as each port requires its own "nat" configuration.

In some cases naturally the user might not have any other public IP addresses other than the one configured on their external interface and then the only option is to use Static PAT.

If you got free IP addresses at your disposal then I would suggest going with Static NAT instead of Static PAT and controlling the allowed ports with the ACL as you mentioned.

Hope this helps

- Jouni

Re: NAT and Access List

James Hoggard — Wed, 11 Dec 2013 14:59:58 GMT

The only thing i can see it used for is in case you need a mapped port to a real port.

Is that what it's called static PAT? i have attached an exmaple which is not using the outisde interface just a public that is

available.

I will change the service to use IP and define the ports that allowed through on the access list.

Thanks

James.