NAT - inside source static

Discussion in 'Cisco' started by cool_runn@hotmail.com, Dec 6, 2004.

  1. Guest

    Hi,

    I've some questions about NAT.

    1. Is there a big difference between

    ip nat inside source static <local ip> <global ip>

    and

    ip nat inside source static tcp <local ip> <port> <global ip> <port>

    ?

    I mean, apart from the fact that you can change the inside and outside
    ports, is there an advantage to mapping every port which needs to be
    used (security considerations?) or is it the same as mapping the
    addresses 1:1?

    Here is my case: I have a server (e-mail, FTP, SQL, DNS) on a local
    network (192.168.1.x) which needs to be mapped to a global address
    (a.b.c.d).

    The access-list will permit only the needed ports (20, 21, 25, 53, 110,
    143, 1433) for this address, but does it make a difference if I
    configure a NAT entry for every port

    ip nat inside source static tcp 192.168.1.x 20 a.b.c.d 20
    ip nat inside source static tcp 192.168.1.x 21 a.b.c.d 21
    ip nat inside source static tcp 192.168.1.x 25 a.b.c.d 25
    ....

    or
    if I just use

    ip nat inside source static 192.168.1.x a.b.c.d

    ?


    2. If the access-list contains

    access-list 102 permit icmp any any

    and you ping the inside-global address from outside, the router sends
    an answer, although the mapped machine might not be present.

    At least, as far as I've tested it, this happens when you use

    ip nat inside source static tcp <local ip> <port> <global ip> <port>

    When I use

    ip nat inside source static <local ip> <global ip>

    and the machine on the local IP is not present, ping gets no answer
    from outside.

    Why does it behave this way?

    Is it possible to change this behaviour?

    3. What ports are open on a Cisco 2651 with IOS 12.2-17 by default, apart
    from the telnet port? I mean, if I want to have administrative access to
    the router from outside, but also want to be sure that nobody breaks
    into the router, does it make sense to close all ports of the
    interface's global IP except the telnet port, or is there nothing which
    can be attacked?


    Thanks in advance.


    Best regards

    Alexej Buchholz
     
    , Dec 6, 2004
    #1
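To make the difference between the two static NAT forms in questions 1 and 2 concrete, here is an added Python model of the inbound lookup (example code, not Cisco IOS code and not the poster's configuration). It parses the two `ip nat inside source static` forms quoted above, applies the inbound access-list first (as an inbound ACL on the outside interface sees the untranslated global destination), then looks for a translation. The addresses `192.168.1.10` and `203.0.113.5` are constructed sample values, and the model assumes, as the third question suggests, that the global address is the router's own outside interface address, so anything no NAT entry translates is handled by the router itself. That assumption reproduces the ping behaviour the post reports: with per-port entries ICMP is not translated and the router answers regardless of the inside host, while with the 1:1 form ICMP goes to the inside host.

```python
"""Model of the two 'ip nat inside source static' forms from the post.

Added illustration, not Cisco code. Assumes the global address is the
router's outside interface address. All addresses are constructed samples.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class StaticNat:
    """One static NAT line. proto/ports are None for the 1:1 address form,
    which translates every protocol and port for the address pair."""
    local_ip: str
    global_ip: str
    proto: Optional[str] = None
    local_port: Optional[int] = None
    global_port: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    """Inbound packet on the outside interface (destination fields only)."""
    proto: str                      # "tcp", "udp" or "icmp"
    dst_ip: str
    dst_port: Optional[int] = None  # None for icmp


def parse_nat_line(line: str) -> StaticNat:
    """Parse either 'ip nat inside source static' form used in the post."""
    tokens = line.split()
    if tokens[:5] != ["ip", "nat", "inside", "source", "static"]:
        raise ValueError(f"not a static NAT line: {line!r}")
    rest = tokens[5:]
    if len(rest) == 2:                       # static <local ip> <global ip>
        return StaticNat(local_ip=rest[0], global_ip=rest[1])
    if len(rest) == 5 and rest[0] in ("tcp", "udp"):
        # static tcp|udp <local ip> <port> <global ip> <port>
        return StaticNat(local_ip=rest[1], global_ip=rest[3], proto=rest[0],
                         local_port=int(rest[2]), global_port=int(rest[4]))
    raise ValueError(f"unsupported static NAT syntax: {line!r}")


Acl = List[Tuple[str, Optional[int]]]   # (protocol, port); port None = any


def acl_permits(acl: Acl, pkt: Packet) -> bool:
    """Inbound ACL check; it sees the untranslated (global) destination."""
    return any(proto == pkt.proto and (port is None or port == pkt.dst_port)
               for proto, port in acl)


def deliver(table: List[StaticNat], pkt: Packet, interface_ip: str,
            acl: Optional[Acl] = None) -> Tuple[str, str, Optional[int]]:
    """Where an inbound packet ends up: ('denied'|'host'|'router'|'drop', ip, port)."""
    if acl is not None and not acl_permits(acl, pkt):
        return ("denied", pkt.dst_ip, pkt.dst_port)
    for entry in table:
        if entry.global_ip != pkt.dst_ip:
            continue
        if entry.proto is None:
            # 1:1 form: every protocol and port reaches the inside host, ICMP too
            return ("host", entry.local_ip, pkt.dst_port)
        if entry.proto == pkt.proto and entry.global_port == pkt.dst_port:
            return ("host", entry.local_ip, entry.local_port)
    if pkt.dst_ip == interface_ip:
        # no translation matched: the router owns the address and answers itself
        return ("router", pkt.dst_ip, pkt.dst_port)
    return ("drop", pkt.dst_ip, pkt.dst_port)


INSIDE, GLOBAL = "192.168.1.10", "203.0.113.5"      # constructed sample addresses
SERVER_PORTS = (20, 21, 25, 53, 110, 143, 1433)     # the ports listed in the post

PORT_TABLE = [parse_nat_line(f"ip nat inside source static tcp {INSIDE} {p} {GLOBAL} {p}")
              for p in SERVER_PORTS]
FULL_TABLE = [parse_nat_line(f"ip nat inside source static {INSIDE} {GLOBAL}")]
ACL_102: Acl = [("icmp", None)] + [("tcp", p) for p in SERVER_PORTS]


def compare(pkt: Packet, acl: Optional[Acl] = None):
    """Result under the per-port table and under the 1:1 table, in that order."""
    return (deliver(PORT_TABLE, pkt, GLOBAL, acl), deliver(FULL_TABLE, pkt, GLOBAL, acl))


if __name__ == "__main__":
    for pkt in (Packet("tcp", GLOBAL, 25), Packet("tcp", GLOBAL, 3389), Packet("icmp", GLOBAL)):
        print(pkt, "with ACL:", compare(pkt, ACL_102), "without ACL:", compare(pkt))
```

The model makes the practical difference visible: with the 1:1 form every port of the inside host is reachable and only the access-list stands between the outside and, say, TCP 3389, whereas with per-port entries an unlisted port is never translated and only the router's own services on that address remain exposed. That second case is exactly why question 3 matters: whatever the router itself listens on at the interface address is reachable unless the access-list closes it.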