10-13-2002 08:12 PM - edited 03-09-2019 12:39 AM
Dear Administrator,
As usual, I would like to seek your enlightenment on a question related to NAT.
Fact:
192.168.4.4 = DiGi GPRS DNS1 server (Primary)
192.168.4.5 = DiGi GPRS DNS2 server (Secondary)
Current Setup:
Now, we have the following so that external parties can initiate DNS queries to the above 2 GPRS DNS servers -->
static (gprs,outside) 64.124.233.9 192.168.4.4 netmask 255.255.255.255 0 0 (NAT for primary DNS server: DNS1)
static (gprs,outside) 64.124.233.10 192.168.4.5 netmask 255.255.255.255 0 0 (NAT for secondary DNS server: DNS2)
However, we had not defined any "NAT" command translation rules so that the 192.168.4.x hosts can start an outbound connection (i.e. a DNS query) to the external parties. This is because I thought that we need to use the "NAT" command, and that only then would the internal 192.168.4.x hosts be translated to global addresses (64.124.233.x) before they can initiate a DNS query to the external party.
However, according to my observation, the current 192.168.4.x hosts can PING to the outside world, as the PING results to Aicent's DNS servers and other GPRS roaming partners' DNS servers are successful.
Why? Is there something wrong with my understanding in using the "static" or "NAT" command? Please help enlighten me on this. Thanks! :-)
10-13-2002 08:51 PM
The static command would allow connections initiated from inside to outside also. In fact it has precedence over the nat statement for outbound connections.
If you need to deny connections outbound, define an ACL and apply to inside interface inbound.
Hope this helps.
-Nairi
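A sketch of the ACL approach from the reply above, as an added example that is not part of the original thread. It assumes the two DNS servers should only be allowed to originate DNS queries, and it uses the `gprs` interface name from the poster's static commands; the ACL name `gprs_egress` is hypothetical.

```cisco
: Added example, not from the thread. ACL name gprs_egress is hypothetical.
: Assumed policy: the two GPRS DNS servers may originate DNS only.
access-list gprs_egress permit udp host 192.168.4.4 any eq domain
access-list gprs_egress permit tcp host 192.168.4.4 any eq domain
access-list gprs_egress permit udp host 192.168.4.5 any eq domain
access-list gprs_egress permit tcp host 192.168.4.5 any eq domain
: Explicit deny so blocked outbound attempts show up in the hit counters
access-list gprs_egress deny ip any any
: Apply inbound on the interface the servers sit behind
access-group gprs_egress in interface gprs
```

With this applied, the outbound PING described in the question is no longer permitted, because ICMP is not in the permit list. `show access-list gprs_egress` displays the per-entry hit counts.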
10-14-2002 02:14 AM
Thank you ! You are the man ! :-)
10-14-2002 08:03 PM
thanks, but in this case "the woman"!!!!