From: dszarmach (dszarmach@comhs.org)
Date: Tue Nov 07 2006 - 02:02:29 ART
Nah, I just tested this on a router with only the 'outside' command on
the incoming interface of the telnet - the loopback in my case.
The goal is not to successfully create a working NAT, so it doesn't
really matter that it never crosses an 'inside' interface - hitting an
'outside' seems to be all that is needed to trigger the xlate.
Doug Szarmach
Sr. Network Engineer
Community Foundation of Northwest Indiana, Inc.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Rodrigo Paes
Sent: Monday, November 06, 2006 10:45 PM
To: security@groupstudy.com; ccielab@groupstudy.com
Subject: Re: Denying telnet to port 23 on VTY
On Mon, 6 Nov 2006 22:27:01 -0600
"dszarmach" <dszarmach@comhs.org> wrote:
> You should be able to do a static NAT without using an access list:
>
> ip nat inside source static tcp 1.1.1.1 23 2.2.2.2 22222
>
> That would blackhole the traffic, assuming nothing at 2.2.2.2 is
> listening on 22222.
>
I guess you'll need two NATs, right? One for the inside and one for the
outside?
[]s
rodrigo
--=========================================
\ .-. +++ Rodrigo Paes +++ \
/ /v\ CCIE #14054 (R&S and SP) /
\ // \\ LPIC2 #19753 \
/ /( )\ Linux User #324449 /
\ ^^-^^ \
/ jabber: panfleto@jabber.org /
\ gtalk : rodp43s@gmail.com \
==========================================
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:45 ART