NAT Question

[StarTAC]

hi guys..

i was wondering.. Cisco recommends that when using dynamic and static NAT simultaneously, u setup an access list to deny the hosts that already have static NAT entries on the router...

i have setup dynamic NAT on a leased line for Internet access.. but i have setup a static NAT rule so that the client's mail server, part of the internal network, can be globally accessible.. but the client also wants to use this machine running the mail server to surf the Internet... won't the deny statement in the access list prevent him from doing that, since the NAT rule is only specific to the port 25 [SMTP] of this internal machine..?..

all help appreciated.. thanks..

 

[ChrisAC]

Hey StarTaC, haven't seen your name on these boards for a while!

Anyway, I've always found that it's okay to have a static nat that's also part of the dynamic pool for outgoing connections. Like you the static NAT statement is usually port specific and for incoming connections, ie. Map incoming connection to this address on this port to this internal address on this port. However, that internal machine can still be part of the pool of internal address that is NATed on outgoing communications. I've done this for a machine that needed RDP inbound for remote access, but could still get on the net using the dynamic NAT pool address.

Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************

 

[StarTAC]

hey Chris.. yah, u're right, haven't been on the forum for a while now.. it's good to be back though..

thanx for that tip.. i just wanted to be sure i wasn't the only who had the same thought as u.. i'll work this way then... thanks for the re-assurance..