static nat or pat

kolawole1
Level 1

Given the following config,

Host 192.168.0.1 should only open ports 80 and 5067 to the outside world, and should be able to access the web on port 80 and outside SMTP servers on port 25 only.

The problem is that host 192.168.0.1 allows all traffic in and out. I want the firewall to block every traffic not explicitly allowed.

When using a static PAT configuration for this scenario, do I need to configure access-lists on the outside and dmz interfaces before the filtering can work?

Thank you

1 Reply

Collin Clark
VIP Alumni

Concerning your NAT/PAT questions, you have two options. One is a full NAT translation which you already have configured. When you do that, you need an ACL to permit what you want and deny everything else. You can also do a port translation. For example,

static (dmz,outside) tcp 35.215.2.16 80 192.168.0.1 80 netmask 255.255.255.255

That will translate port 80 only. You still should create an ACL to restrict traffic to 80, but since there are no translations for the other ports, they will fail. Your ACL for 80 and 5067 looks OK. Also your outbound (80 & 25) looks good.

Hope that helps.
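As an added illustration of the reply's second option (constructed here, not configuration from the thread): the two static PAT entries plus the two interface ACLs the question asks about, in the pre-8.3 ASA/PIX syntax the reply uses. The interface names and addresses are the thread's; the ACL names OUTSIDE_IN and DMZ_OUT, the dynamic PAT for the host's outbound traffic, and the log keywords are assumptions.

```cisco
! Constructed example, not from the original thread. Pre-8.3 syntax.
! Interface names and addresses from the thread; ACL names are assumed.

! Static PAT: only tcp/80 and tcp/5067 of 192.168.0.1 get a translation on
! the outside address. Inbound connections to any other port have no
! translation and are dropped regardless of the ACL.
static (dmz,outside) tcp 35.215.2.16 80 192.168.0.1 80 netmask 255.255.255.255
static (dmz,outside) tcp 35.215.2.16 5067 192.168.0.1 5067 netmask 255.255.255.255

! Dynamic PAT (assumed) so the host's own outbound connections, which use
! ephemeral source ports the static PAT above does not cover, are translated
! to the outside interface address. Required when nat-control is enabled.
nat (dmz) 1 192.168.0.1 255.255.255.255
global (outside) 1 interface

! Inbound filter on outside. Pre-8.3 ACLs match the translated (global)
! address. Only the two published ports are permitted; the explicit deny
! with log makes blocked attempts visible in syslog.
access-list OUTSIDE_IN extended permit tcp any host 35.215.2.16 eq 80
access-list OUTSIDE_IN extended permit tcp any host 35.215.2.16 eq 5067
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! Outbound filter on dmz. Without an ACL, the higher-security dmz interface
! may initiate anything towards outside; applying one limits the host to
! tcp/80 and tcp/25 as the question states (no DNS, so names will not
! resolve unless a permit for udp/53 is added deliberately).
access-list DMZ_OUT extended permit tcp host 192.168.0.1 any eq 80
access-list DMZ_OUT extended permit tcp host 192.168.0.1 any eq 25
access-list DMZ_OUT extended deny ip any any log
access-group DMZ_OUT in interface dmz
```

To confirm the policy without generating real traffic, `packet-tracer input outside tcp <src-ip> <src-port> 35.215.2.16 <port>` (ASA 7.2 and later) shows whether a given port is dropped at the NAT lookup or by the ACL, and `show xlate` lists the translations actually built.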
