Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

static nat or pat

Given the following config,

host 192.168.0.1 should only open ports 80, 5067 to the outside world and should be able to access the web on port 80 and outside smtp servers on port 25 only.

The problem is that host 192.168.0.1 allows all traffic in and out.I want the firewall to block every traffic not explicitely allowed.

When using static PAT configuration for this scenario, do i need to configure access-lists on the outside and dmz interfaces before the filtering can work ?

Thank you

1 REPLY

Re: static nat or pat

Concerning your NAT/PAT questions, you have two options. One is a full NAT translation which you already have configured. When you do that, you need an ACL to permit what you want and deny everything else. You can also do a port translation. For example,

static (dmz,outside) tcp 35.215.2.16 80192.168.0.1 80 netmask 255.255.255.255

That will translate port 80 only. You still should create an ACL to restrict traffic to 80, but since there are no translations for the other ports, they will fail. Your ACL for 80 and 5067 looks OK. Also your outbound (80 & 25) looks good.

Hope that helps.

125
Views
0
Helpful
1
Replies
CreatePlease to create content