From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Fri Jun 23 2006 - 04:56:44 ART
I don't think it's really necessary to deny the host.
The tasks require you to map some ports statically, and provide
dynamic translation for a subnet.
If you don't deny .5.100 in dynamic NAT acl, that won't hurt static
translations, so why bother? :) And maybe folks from 5.100
want to access internet too, after all ;)
HTH
2006/6/23, Leo Leung <leoleung_yh@yahoo.com>:
>
> Hi Group,
>
> Just for some clarification for question 11.1 we need
> a dynamic NAT and for 11.2 we need a static NAT;
> However the web/email server IP 173.1.5.100 is
> translated in both dynamic and static NAT
> simultaneously,
>
> ip nat inside source list 7 interface Ethernet0/0 overload
>
> ip nat inside source static tcp 173.1.5.100 80 192.10.1.5 80 extendable
> ip nat inside source static tcp 173.1.5.100 25 192.10.1.5 25 extendable
> ip nat inside source static tcp 173.1.5.100 110 192.10.1.5 110 extendable
> ip nat inside source static tcp 173.1.5.100 443 192.10.1.5 443 extendable
>
> does it need to deny host IP 173.1.5.100 in the
> access-list like
>
> access-list 7 deny 173.1.5.100
> access-list 7 permit 173.1.0.0 0.0.255.255
> access-list 7 permit 150.1.0.0 0.0.15.255
>
> This would prevent packets sourced from inside local
> address 173.1.5.100 being able to generate NAT
> dynamically. Is it necessary or just as the answer
> goes without denying it?
>
> Regards,
> Leo
>
--
Petr Lapukhov, CCIE #16379
petr@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
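A simplified model of the translation choice discussed in this thread, added here as an example and not part of either poster's message. It compares access-list 7 with and without the `deny` line for outbound TCP packets. It assumes the static port entries are matched before the dynamic overload rule; the function names and the `PAT_ADDR` placeholder are hypothetical, since the Ethernet0/0 address is not given in the thread.

```python
import ipaddress

# Constructed model of the configuration quoted in the thread (simplified:
# TCP only, inside-to-outside direction only).
STATIC = {("173.1.5.100", p): ("192.10.1.5", p) for p in (80, 25, 110, 443)}

ACL_NO_DENY = [("permit", "173.1.0.0", "0.0.255.255"),
               ("permit", "150.1.0.0", "0.0.15.255")]
ACL_WITH_DENY = [("deny", "173.1.5.100", "0.0.0.0")] + ACL_NO_DENY

PAT_ADDR = "E0/0-address"  # placeholder: interface address is not in the thread


def acl_permits(acl, src):
    """Standard ACL: first matching entry wins, implicit deny at the end."""
    s = int(ipaddress.IPv4Address(src))
    for action, net, wildcard in acl:
        # Wildcard bits set to 1 are "don't care"; compare only the other bits.
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (s & care) == (int(ipaddress.IPv4Address(net)) & care):
            return action == "permit"
    return False


def translate(acl, src, sport):
    """Return (kind, inside_global_ip, inside_global_port) for an outbound packet."""
    if (src, sport) in STATIC:           # static entries are already in the table
        return ("static",) + STATIC[(src, sport)]
    if acl_permits(acl, src):            # otherwise try the dynamic overload rule
        return ("dynamic", PAT_ADDR, sport)  # real PAT may also rewrite the port
    return ("none", src, sport)          # packet leaves untranslated


if __name__ == "__main__":
    flows = (("173.1.5.100", 80),     # server replying from a mapped port
             ("173.1.5.100", 40000),  # server opening its own outbound session
             ("173.1.7.9", 40000))    # ordinary host in the subnet
    for name, acl in (("without deny", ACL_NO_DENY), ("with deny", ACL_WITH_DENY)):
        for src, sport in flows:
            print(name, src, sport, "->", translate(acl, src, sport))
```
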
This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:33 ART