All,

   I need to set up my first real NAT statement (as opposed to just a PAT statement) and I need some help with the Access List config.

   I have a T1 with 6 public IPs, with all my users nat'ing through the last 2 IPs with an ip nat pool/source list statement. The list basically blocks outgoing kazaa, netbios, and morpheus. I have my email server pat'd to another IP higher in the list, and the problem I am running into is that the mail server uses the same IPs in the nat pool statement when it sends mail out, which is causing me reverse lookup headaches. So I want to do a true nat statement for the mail server so its sending and receiving IPs are the same and I can get a reverse lookup set up for it.

   If I understand IP/TCP/UDP correctly, the client establishes a connection to the service port on the remote computer and the remote computer in turn establishes a connection to some random port > 1024 on the client. Is that correct?

   So the issue for now becomes, how to restrict access to the mail server for just 22 (for remote management), 25, 110, and 6169 (a webmail server) and still allow the returning nat connections to the clients? This is what I picture so far.

access-list 101 permit tcp any (external ip) eq 22
access-list 101 permit tcp any (external ip) eq 25
access-list 101 permit tcp any (external ip) eq 110
access-list 101 permit tcp any (external ip) eq 6169
access-list 101 deny tcp any any lt 1024
access-list 101 deny udp any any lt 1024

then I start to get a bit hazy as to the returning nat connections for the clients... perhaps
access-list 101 permit tcp/udp any any range 1025-65535?

I'm assuming also that this will be applied in on the Serial interface.

Any help greatly appreciated!!!

Stephen Hoover
Dallas, Texas
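A worked configuration for the setup described in the post above, added here as an example and not taken from the original message or any reply to it. Interface names, the 192.168.1.0/24 inside network, the 192.168.1.25 mail server and the 203.0.113.8/29 public block are assumed placeholders (RFC 5737 documentation addresses), and the ACL uses the IOS `established` keyword for return traffic instead of an open high-port range.

```cisco
! Assumed addressing (all placeholders): inside LAN 192.168.1.0/24,
! mail server 192.168.1.25, public /29 203.0.113.8-15 with the router on .9.
interface FastEthernet0/0
 description Inside LAN (interface name assumed)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description T1 to provider (interface name assumed)
 ip address 203.0.113.9 255.255.255.248
 ip nat outside
 ip access-group 101 in
!
! One-to-one static NAT: the mail server sends and receives as 203.0.113.10,
! so forward and reverse DNS for that one address can both point at it.
ip nat inside source static 192.168.1.25 203.0.113.10
!
! Dynamic PAT pool for everyone else. The mail server is excluded from the
! pool ACL so it can never be translated to a pool address on the way out.
ip nat pool USERS 203.0.113.13 203.0.113.14 netmask 255.255.255.248
access-list 10 deny   host 192.168.1.25
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 pool USERS overload
!
! Inbound filter on the T1. Destinations are the PUBLIC addresses, because an
! inbound ACL on the outside interface is evaluated before NAT un-translates.
access-list 101 permit tcp any host 203.0.113.10 eq 22
access-list 101 permit tcp any host 203.0.113.10 eq 25
access-list 101 permit tcp any host 203.0.113.10 eq 110
access-list 101 permit tcp any host 203.0.113.10 eq 6169
! Replies to TCP sessions opened from inside: "established" matches only
! segments with ACK or RST set, far narrower than "any any range 1025-65535".
access-list 101 permit tcp any 203.0.113.8 0.0.0.7 established
! "established" is TCP-only. UDP replies (here DNS answers) need their own
! line; for real state tracking use reflexive ACLs or ip inspect instead.
access-list 101 permit udp any eq 53 203.0.113.8 0.0.0.7 gt 1023
! The implicit deny at the end is made explicit and logged so drops are visible.
access-list 101 deny ip any any log
```

Verify with `show ip nat translations` that 192.168.1.25 only ever maps to 203.0.113.10, and with `show access-lists 101` that the hit counters land on the lines you expect rather than on the final deny.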




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=44357&t=44357
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html