static nat or pat

kolawole1 — Mon, 11 Mar 2019 16:07:12 GMT

Given the following config,

host 192.168.0.1 should only open ports 80, 5067 to the outside world and should be able to access the web on port 80 and outside smtp servers on port 25 only.

The problem is that host 192.168.0.1 allows all traffic in and out.I want the firewall to block every traffic not explicitely allowed.

When using static PAT configuration for this scenario, do i need to configure access-lists on the outside and dmz interfaces before the filtering can work ?

Thank you

Re: static nat or pat

Collin Clark — Tue, 18 Aug 2009 17:48:20 GMT

Concerning your NAT/PAT questions, you have two options. One is a full NAT translation which you already have configured. When you do that, you need an ACL to permit what you want and deny everything else. You can also do a port translation. For example,

static (dmz,outside) tcp 35.215.2.16 80192.168.0.1 80 netmask 255.255.255.255

That will translate port 80 only. You still should create an ACL to restrict traffic to 80, but since there are no translations for the other ports, they will fail. Your ACL for 80 and 5067 looks OK. Also your outbound (80 & 25) looks good.

Hope that helps.

topic static nat or pat in Network Security

static nat or pat

Re: static nat or pat