NAT and access lists and IP INSPECT

(this is on an 871W router)

ip nat inside source static interface Dialer1

is a "catch all" NAT directive that will direct any incoming packets that have not been handled by a previous NAT directive to a host on the LAN.

However, if I do not have such a directive, is it strictly correct that for inbound calls, only packets to ports for which there is a NAT directive would be allowed beyond the router?

In other words, if I do not have IP NAT mappings for the Microsoft Virus ports (445, 139 etc), do I still need an access list to block those?

In terms of the IP INSPECT command, if it detects a local host telling a remote host "call me on port 6837 for the FTP transfer", the doc says that it will set up an ACL entry to open this port.

However, will IP INSPECT also set up an IP NAT entry to direct those packets to the right host on the LAN?

Or do I need a catch-all IP NAT command to direct all other ports to the host that has the FTP server?

JF Mezei