static nat or pat

Unanswered Question
Aug 18th, 2009

Given the following config,

host should only open ports 80, 5067 to the outside world and should be able to access the web on port 80 and outside SMTP servers on port 25 only.

The problem is that host allows all traffic in and out. I want the firewall to block all traffic not explicitly allowed.

When using static PAT configuration for this scenario, do I need to configure access-lists on the outside and dmz interfaces before the filtering can work?

Thank you

Collin Clark Tue, 08/18/2009 - 10:48

Concerning your NAT/PAT questions, you have two options. One is a full NAT translation which you already have configured. When you do that, you need an ACL to permit what you want and deny everything else. You can also do a port translation. For example,

static (dmz,outside) tcp <mapped-outside-ip> 80 192.168.0.1 80 netmask 255.255.255.255

That will translate port 80 only. You still should create an ACL to restrict traffic to 80, but since there are no translations for the other ports, they will fail. Your ACL for 80 and 5067 looks OK. Also your outbound (80 & 25) looks good.

Hope that helps.
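The two halves Collin describes, static PAT plus interface ACLs, written out as an added example that is not from the original thread. It assumes pre-8.3 ASA/PIX syntax, the DMZ host at 192.168.0.1, interface names dmz and outside, <mapped-outside-ip> as a placeholder for the public address, and the ACL names OUTSIDE_IN and DMZ_OUT.

```cisco
! Static PAT: publish only TCP/80 and TCP/5067 of the DMZ host.
! No other port has a translation, so unsolicited inbound traffic to them cannot reach the host.
static (dmz,outside) tcp <mapped-outside-ip> 80 192.168.0.1 80 netmask 255.255.255.255
static (dmz,outside) tcp <mapped-outside-ip> 5067 192.168.0.1 5067 netmask 255.255.255.255
!
! Inbound from the Internet: explicit permits, explicit logged deny.
! Pre-8.3 ACLs on the outside interface match the mapped (translated) address;
! from 8.3 onward the ACL would reference the real address 192.168.0.1 instead.
access-list OUTSIDE_IN extended permit tcp any host <mapped-outside-ip> eq 80
access-list OUTSIDE_IN extended permit tcp any host <mapped-outside-ip> eq 5067
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Outbound from the DMZ host: web (80) and SMTP (25) only; everything else is dropped and logged.
access-list DMZ_OUT extended permit tcp host 192.168.0.1 any eq 80
access-list DMZ_OUT extended permit tcp host 192.168.0.1 any eq 25
access-list DMZ_OUT extended deny ip any any log
access-group DMZ_OUT in interface dmz
```

The static entries only translate the published ports, so outbound connections the host initiates on 80 and 25 still need a dynamic translation (a nat/global pair for the dmz interface) to reach the outside; the DMZ_OUT ACL is what limits them to those two ports.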
