«

(this is on an 871W router)

ip nat inside source static 10.0.0.11 interface Dialer1

is a "catch all" NAT directive that will direct any incoming packets
that have not been handled by a previous nat directive to host 10.0.0.11
on the lan.



However, if I do not have such a directive, is it stricly correct that
for inbound calls, only packets to ports for which there is a NAT
directive would be allowed beyond the router ?


In other words, if I do not have an IP NAT mappings for the Microsoft
Virus ports (445, 139 etc), do I still need an access list to block those ?


In terms of the IP INSPECT command,of it detects a local host telling a
remote host "call me on port 6837 for the FTP transfer", the doc says
that it will setup a ACL entry to open this port.

However, will IP INSPECT also setup an IP NAT entry to direct those
packets to the right host on the LAN ?

Or do I need a catch-all IP NAT command to direct all other ports to the
host that has the FTP server ?