NAT and access lists and IP INSPECT
(this is on an 871W router)
ip nat inside source static 10.0.0.11 interface Dialer1
is a "catch all" NAT directive that will direct any incoming packets
that have not been handled by a previous nat directive to host 10.0.0.11
on the LAN.
However, if I do not have such a directive, is it strictly correct that
for inbound calls, only packets to ports for which there is a NAT
directive would be allowed beyond the router?
In other words, if I do not have any IP NAT mappings for the Microsoft
Virus ports (445, 139 etc), do I still need an access list to block those?
In terms of the IP INSPECT command, if it detects a local host telling a
remote host "call me on port 6837 for the FTP transfer", the doc says
that it will set up an ACL entry to open this port.
However, will IP INSPECT also set up an IP NAT entry to direct those
packets to the right host on the LAN?
Or do I need a catch-all IP NAT command to direct all other ports to the
host that has the FTP server?