Block port on nat1nat



  • I created a 1:1 NAT for one public address:
    local 192.168.1.12, public 20.20.20.18.
    Now I would like to block port 1433 on this 1:1 NAT,
    so a user from the WAN can't access 20.20.20.18 on port 1433.

    Please help me.



  • Why not simply port forward the ports to the service(s) on the internal host you want your WAN users to access?



  • We have many public IPs and all of them use 1:1 NAT. Is that wrong?
    20.20.20.1  NAT 192.168.1.11
    20.20.20.2  NAT 192.168.1.12
    ...
    20.20.20.100  NAT 192.168.1.100
    What's the best practice?
    We have many sites.


  • Rebel Alliance Global Moderator

    "What's the best practice?"

    Well, the best practice if you have a large public netblock would be to not NAT at all. Why is this 20.20.20 segment you have just not routed to you? If you want to run with the big dogs you need to learn to piss in the tall weeds ;)

    I.e. if you want to play like a service provider, colo, etc., then why would you be NATting this traffic? If you're going to NAT and only want to allow specific ports, then port forwarding would be the way to go.

    Are these boxes yours on the 192 address space, or are they paying customers of yours?



  • You don't want to block any specific ports inbound, you should only be allowing the minimal things on WAN that are required, and everything else hits the default deny. If you have any rules permissive enough to allow everything in on WAN, you're doing it wrong. Use a restrictive WAN ruleset.
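    As an added illustration (not from any poster in this thread), here is the 1:1 NAT plus restrictive WAN ruleset described above written in FreeBSD pf.conf syntax, the packet filter underneath pfSense. The addresses are the ones from the thread; the interface name em0 and the choice of HTTP as the one permitted service are assumptions.

    ```pf
    # Assumed WAN interface name; addresses come from the thread.
    ext_if = "em0"
    pub_ip = "20.20.20.18"
    srv_ip = "192.168.1.12"

    # 1:1 NAT: map the server's private address to its public address
    # in both directions (binat is pf's bidirectional 1:1 mapping).
    binat on $ext_if from $srv_ip to any -> $pub_ip

    # Default deny for everything arriving on WAN, logged so that
    # blocked probes (e.g. to 1433) are visible without a per-port rule.
    block in log on $ext_if all

    # Inbound packets are translated before they are filtered, so the
    # pass rule names the internal address, not the public one. Only
    # the service the host actually offers (HTTP here) is permitted;
    # 1433 and every other port fall through to the block rule above.
    pass in on $ext_if proto tcp from any to $srv_ip port 80 \
        flags S/SA keep state

    # Let the server reply and originate outbound traffic as usual.
    pass out on $ext_if from $srv_ip to any keep state
    ```

    The point of the ruleset is that no explicit "block 1433" rule exists: the default deny covers it, and the only decision to make is which ports to pass.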




  • We have the same topology.
    I 1:1 NAT to all servers. You are saying I should find which service each server needs, such as HTTP on port 80,
    and write a rule for it in port forwarding?
    Sorry for the bad English.