(this is on an 871W router)
ip nat inside source static 10.0.0.11 interface Dialer1
is a "catch-all" NAT directive that will direct any incoming packets not handled by a previous NAT directive to host 10.0.0.11 on the LAN.
However, if I do not have such a directive, is it strictly correct that for inbound calls, only packets to ports for which there is a NAT directive would be allowed beyond the router?
In other words, if I do not have IP NAT mappings for the Microsoft virus ports (445, 139, etc.), do I still need an access list to block those?
In terms of the IP INSPECT command, if it detects a local host telling a remote host "call me on port 6837 for the FTP transfer", the doc says that it will set up an ACL entry to open this port.
However, will IP INSPECT also set up an IP NAT entry to direct those packets to the right host on the LAN?
Or do I need a catch-all IP NAT command to direct all other ports to the host that has the FTP server?
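The following is an added example configuration, not taken from the post above or from the 871W in question. It lays out the alternative to the catch-all: per-port static NAT entries for the services actually published, an inbound extended ACL on Dialer1 that explicitly drops the NetBIOS/SMB ports and denies everything not listed, and an IP INSPECT rule applied outbound on the same interface so that return traffic for outbound sessions (including the FTP data channel) is admitted dynamically instead of by a standing ACL entry. Whether or not the NAT table alone would drop a packet with no translation, the ACL makes the exposed-port set explicit and auditable. Assumptions not in the post: Vlan1 is the inside (LAN) interface, 10.0.0.11 is the host running the FTP server on TCP 21, and the inspect rule name FW and ACL name OUTSIDE_IN are arbitrary.

```cisco
! Added example (not the poster's running config). Assumes Vlan1 is the LAN
! interface and 10.0.0.11 serves FTP on TCP 21; "FW" and "OUTSIDE_IN" are
! arbitrary names chosen here.
!
! Per-port static translation instead of a catch-all for the whole host:
! only TCP 21 of the Dialer1 address maps to 10.0.0.11.
ip nat inside source static tcp 10.0.0.11 21 interface Dialer1 21
!
! CBAC inspection: track outbound TCP/UDP/ICMP sessions and apply the FTP
! protocol inspector so the negotiated data connection is recognised and
! return traffic is admitted through the inbound ACL for the session's life.
ip inspect name FW ftp
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! Inbound policy on the WAN side. On an outside interface this ACL is
! evaluated before NAT, so destinations are matched against the Dialer1
! (global) address. Unsolicited traffic is limited to the published FTP
! control port; NetBIOS/SMB are dropped and logged explicitly; everything
! else is denied and logged. Return traffic for outbound sessions does not
! need a permit line here because the inspect engine adds it dynamically.
ip access-list extended OUTSIDE_IN
 remark -- drop NetBIOS / SMB from the Internet, logged for visibility
 deny   tcp any any eq 139 log
 deny   tcp any any eq 445 log
 deny   udp any any range 137 138 log
 remark -- published service: FTP control channel to the static NAT entry
 permit tcp any any eq ftp
 remark -- keep path MTU discovery and traceroute replies working
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 remark -- default deny
 deny   ip any any log
!
interface Dialer1
 ip nat outside
 ip inspect FW out
 ip access-group OUTSIDE_IN in
!
interface Vlan1
 ip nat inside
```

After applying this, `show ip nat translations` lists only the static TCP 21 entry plus whatever dynamic translations outbound sessions create, and `show ip inspect sessions` shows the FTP control and data sessions the inspector is tracking; a port scan of the Dialer1 address from outside should then reveal only TCP 21, with the denies appearing in the log.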