PAT question

benjamingarcia
Level 1

If I have the following configuration, which port-translates 10.10.10.1 to 172.16.131.154 on port 25:

************

ip nat inside source list 7 interface serial 0 overload

ip nat inside source static tcp 10.10.10.1 25 172.16.131.254 25

interface e 0

ip address 10.10.10.254 255.255.255.0

ip nat inside

interface s 0

ip address 172.16.131.254 255.255.255.0

ip nat outside

access-list 7 deny host 10.10.10.1

access-list 7 permit 10.10.10.0 0.0.0.255

**************

Question:

- Is the ACL 7 entry denying 10.10.10.1 still required?

- If you have it, does that mean that the server is allowed to go out on port 25 only, and will it be allowed to use the S0 IP address?

- If I remove ACL 7, will the server use the S0 IP address when accessing the outside using ports other than port 25?

Thanks in advance

1 Reply 1

fmachoka
Level 1

Access list 7 prevents host 10.10.10.1 from being dynamically NATed. Denying host 10.10.10.1 is not required when doing static NAT. The IOS already has the host statically mapped.

With the current configuration, host 10.10.10.1 can only be NATed through port 25. All other ports will not be NATed.

If you removed the access list 7, only the statically NATed host 10.10.10.1 will be able to route to the outside through interface S0. Dynamic NATing of other hosts permitted by the access list will fail.

Access list 7 is needed for Dynamic NAT (or PAT), but not needed for static NAT.

The following links will be useful in understanding NAT:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094422.shtml
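An added example, not part of the original thread or of Cisco's documentation: a simplified Python model of how the posted configuration selects a translation for an inside-to-outside packet, checking the static TCP entry first and then ACL 7 for the overload rule. The function names are hypothetical, the addresses come from the posted configuration, and the model assumes PAT keeps the source port.

```python
import ipaddress

# Values taken from the configuration posted in the question.
S0_ADDR = "172.16.131.254"
# ip nat inside source static tcp 10.10.10.1 25 172.16.131.254 25
STATIC_TCP = {("10.10.10.1", 25): (S0_ADDR, 25)}
ACL7 = [
    ("deny", "10.10.10.1", "0.0.0.0"),      # access-list 7 deny host 10.10.10.1
    ("permit", "10.10.10.0", "0.0.0.255"),  # access-list 7 permit 10.10.10.0 0.0.0.255
]


def acl_permits(acl, src):
    """Standard ACL: first match wins, wildcard bits are ignored, implicit deny at the end."""
    s = int(ipaddress.IPv4Address(src))
    for action, base, wildcard in acl:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if s & care == int(ipaddress.IPv4Address(base)) & care:
            return action == "permit"
    return False


def translate_outbound(src, sport, proto="tcp", acl=ACL7):
    """Return (rule, inside-global address, port) for an inside-to-outside packet."""
    # Static entries are consulted before any dynamic rule.
    if proto == "tcp" and (src, sport) in STATIC_TCP:
        return ("static",) + STATIC_TCP[(src, sport)]
    if acl_permits(acl, src):
        # Overload (PAT) shares the S0 address. Assumption: the source port is
        # kept; a real router may pick another one if it is already in use.
        return ("overload", S0_ADDR, sport)
    return ("untranslated", src, sport)


if __name__ == "__main__":
    # Constructed sample flows: server from port 25, server from an
    # ephemeral port, and another host on the inside subnet.
    for src, sport in [("10.10.10.1", 25), ("10.10.10.1", 40000), ("10.10.10.50", 40000)]:
        print(src, sport, "->", translate_outbound(src, sport))
    # Same server flow with only the 'deny host 10.10.10.1' entry dropped.
    print("no deny entry:", translate_outbound("10.10.10.1", 40000, acl=ACL7[1:]))
```

In this model, the server's traffic from any source port other than TCP 25 leaves with its private source address while the deny entry is present, and shares the S0 address through overload once only that entry is removed.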