My Cisco simulator won't do 'ip nat inside source static tcp ...' so I figured I'd ask here how this will behave.
ip address 184.108.40.206 255.255.255.0
ip nat outside
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip nat inside source list 10 interface ethernet0 overload
ip nat pool MYPOOL1 220.127.116.11 18.104.22.168 netmask 255.255.255.0
ip nat inside source static tcp 192.168.1.10 25 22.214.171.124 25 extendable
ip nat inside source static tcp 192.168.1.60 25 126.96.36.199 25 extendable
access-list 10 permit 192.168.1.0 0.0.0.31
Now, I figure I have the following correct. Only 192.168.1.0-.32 will be allowed to translate their source to the ethernet0 interface. So, they will be able to browse the internet and their source address will appear as 188.8.131.52.
My questions are:
1. do I need to define my nat pool with the line 'ip nat pool MYPOOL1 184.108.40.206 220.127.116.11 netmask 255.255.255.0' before I can use 'ip nat inside source static tcp 192.168.1.10 25 18.104.22.168 25 extendable'?
2. Will host 192.168.1.20 be able to access the mail server on 192.168.1.10 using the external address of 22.214.171.124?
3. Will host 192.168.1.50 be able to access the mail server on 192.168.1.10 using the external address of 126.96.36.199?
4. Will host 192.168.1.60 be able to function properly as a mail server when someone externally hits it from 188.8.131.52 even though it's not allowed outbound by access-list 10? (I'm pretty sure it will but I want to be sure)
5. Is the 'extendable' keyword needed?
I will try to do my best to answer these, but don't shoot me if I am not 100% as I am doing this from memory and not actually testing it.
1. no the pool is not needed for this to work
2. no, the packet needs to pass between the outside and inside interfaces for the nat to take place, and that won't happen with this config.
3. This is on the same subnet as for the previous question, so the same answer.
4. Yes, you are correct. The access list is not filtering traffic, it is being used to say what addresses have their source address natted when going from the inside to outside. For this to filter the traffic it would need to be applied to the interface with an 'access-group 10 in' command.
5. no :-) Never fully understood this one myself. Doesn't seem to cause any problems, but not needed on a 1-to-1 nat as far as I can tell.
Hope this helps.
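An added illustration, not from the thread: a small Python model of the posted configuration (the inside interface name ethernet1 and the external host 203.0.113.5 are assumptions) that shows which hosts access-list 10 selects for overload PAT and how the static TCP entries apply in each direction, so the behaviour behind questions 2 and 4 can be traced.

```python
import ipaddress

# Constructed model of the thread's NAT config; addresses are taken from the posted lines.
INSIDE_IF, OUTSIDE_IF = "ethernet1", "ethernet0"   # inside interface name is an assumption
OUTSIDE_ADDR = "184.108.40.206"                    # ethernet0 address used by 'overload'
ACL_10 = ("192.168.1.0", "0.0.0.31")               # access-list 10 permit <addr> <wildcard>
STATIC_TCP = {                                      # (inside local, port) -> (inside global, port)
    ("192.168.1.10", 25): ("22.214.171.124", 25),
    ("192.168.1.60", 25): ("126.96.36.199", 25),
}
INVERSE_STATIC = {g: l for l, g in STATIC_TCP.items()}

def acl_permits(addr, acl=ACL_10):
    """IOS wildcard match: a 0 bit in the wildcard must match, a 1 bit is 'don't care'."""
    base, wild = (int(ipaddress.IPv4Address(a)) for a in acl)
    return (int(ipaddress.IPv4Address(addr)) & ~wild) == (base & ~wild)

def translate(src, sport, dst, dport, in_if, out_if):
    """Return (src, sport, dst, dport) for a TCP packet routed from in_if to out_if.

    Simplified IOS behaviour: only packets crossing between the inside and outside
    interfaces are translated; inside->outside rewrites the source, outside->inside
    rewrites the destination. Port reuse by PAT is not modelled.
    """
    if (in_if, out_if) == (INSIDE_IF, OUTSIDE_IF):
        if (src, sport) in STATIC_TCP:                 # static entry wins over the ACL
            return STATIC_TCP[(src, sport)] + (dst, dport)
        if acl_permits(src):                           # dynamic PAT to the interface address
            return (OUTSIDE_ADDR, sport, dst, dport)
        return (src, sport, dst, dport)                # not selected: forwarded untranslated
    if (in_if, out_if) == (OUTSIDE_IF, INSIDE_IF):
        if (dst, dport) in INVERSE_STATIC:             # ACL 10 plays no part here
            return (src, sport) + INVERSE_STATIC[(dst, dport)]
        return (src, sport, dst, dport)
    return (src, sport, dst, dport)                    # same-side traffic: no NAT at all

def hairpin_reaches_server(src, global_addr, port=25):
    """Question 2/3: inside host -> static global address. The destination is not
    rewritten in the inside->outside direction, so the packet never reaches the server."""
    out = translate(src, 40000, global_addr, port, INSIDE_IF, OUTSIDE_IF)
    return out[2:] in STATIC_TCP            # True only if dst became an inside local address

if __name__ == "__main__":
    print([h for h in range(0, 64) if acl_permits(f"192.168.1.{h}")])
    print(translate("203.0.113.5", 50000, "126.96.36.199", 25, OUTSIDE_IF, INSIDE_IF))
    print(hairpin_reaches_server("192.168.1.20", "22.214.171.124"))
```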