Cisco Support Community

New Member

NAT and Access List

Please can someone explain the following...

Why do some people define a service, for example 3389 or http, in their static NAT rule?

Is it not easier to use service IP and then define what you want through an access list?

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

NAT and Access List

Hi,

I guess you are asking why some people configure Static PAT (Port Forward) rather than Static NAT?

In some cases that I have seen I would say using Static PAT is just a mistake in the configuration format by the user. What I mean is that I think the users think that this is how it's supposed to be done and end up with a messy NAT configuration, as each port requires its own "nat" configuration.

In some cases naturally the user might not have any other public IP addresses other than the one configured on their external interface and then the only option is to use Static PAT.

If you have free IP addresses at your disposal then I would suggest going with Static NAT instead of Static PAT and controlling the allowed ports with the ACL as you mentioned.

Hope this helps

- Jouni

2 REPLIES
New Member

Re: NAT and Access List

The only thing I can see it used for is in case you need a mapped port to a real port.

Is that what it's called, static PAT? I have attached an example which is not using the outside interface, just a public that is available.

I will change the service to use IP and define the ports that are allowed through on the access list.

Thanks

James.
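
The two approaches discussed in this thread, side by side, as an added example that is not part of the original posts. It assumes ASA 8.3+ object NAT syntax (the thread does not state a version); the object names, ACL name and addresses are constructed, and options A and B are alternatives for the same host, not one combined configuration.

```cisco
! Constructed example: names and addresses are placeholders
! (10.0.0.0/24 inside, 203.0.113.0/24 documentation range outside).

! --- Option A: Static PAT, one object and one "nat" line per port ---
object network SRV1-RDP
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10 service tcp 3389 3389
object network SRV1-HTTP
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10 service tcp www www
! Mapped port differs from real port (real 3389, mapped 33389).
! This case needs Static PAT; an ACL cannot remap a port.
object network SRV2-RDP
 host 10.0.0.11
 nat (inside,outside) static 203.0.113.10 service tcp 3389 33389

! --- Option B: Static NAT, one "nat" line, ports controlled by ACL ---
object network SRV1
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10
! With Static NAT every port of the host is translated, so this ACL is
! the only thing limiting what reaches it. The implicit deny at the end
! of the ACL drops everything not listed. On 8.3+ the ACL matches the
! real (inside) address, here via the object.
access-list OUTSIDE-IN extended permit tcp any object SRV1 eq 3389
access-list OUTSIDE-IN extended permit tcp any object SRV1 eq www
access-group OUTSIDE-IN in interface outside
```

Option A still needs matching ACL entries on the outside interface; the per-port "nat" lines only decide what is translated, not what is permitted.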
