I'm curious about something... When you use the Firewall Wizard on the web interface to set it up, the running config looks something like this:
ip access-list extended wizard-pfwd-1
remark Port 80 to doxer
permit tcp any host 150.150.150.150 eq www log
!
ip access-list extended wizard-pfwd-2
remark Port webmin to doxer
permit tcp any host 150.150.150.150 eq 10101 log
!
ip access-list extended wizard-pfwd-3
remark Port ssh to doxer
permit tcp any host 150.150.150.150 eq 2220 log
!
ip access-list extended wizard-pfwd-4
remark VNC to doxer
permit tcp any host 150.150.150.150 eq 5900 log
!
ip policy-class Public
nat destination list wizard-pfwd-1 address 10.0.1.20
nat destination list wizard-pfwd-2 address 10.0.1.20
nat destination list wizard-pfwd-3 address 10.0.1.20
nat destination list wizard-pfwd-4 address 10.0.1.20
I'm wondering if this would do the same thing:
ip access-list extended doxer-1
remark all to doxer
permit tcp any host 150.150.150.150 eq www log
permit tcp any host 150.150.150.150 eq 10101 log
permit tcp any host 150.150.150.150 eq 2220 log
permit tcp any host 150.150.150.150 eq 5900 log
ip policy-class Public
nat destination list doxer-1 address 10.0.1.20
Well, I tried it and it doesn't seem to work. It seems that for every NAT destination there has to be a separate ACL. Bummer. It sure would clean up the config if you could.
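An added example (my own, not part of the post above and not vendor code): a small Python script that parses the ACL and policy-class syntax shown in the post, flags any `nat destination list` entry whose ACL carries more than one permit line (the consolidated form the post reports as not working), and expands such an ACL back into the wizard's one-ACL-per-port layout so the clean version can at least be generated rather than typed by hand. It assumes only the line formats that appear in the post (`ip access-list extended`, `permit tcp any host ... eq ... log`, `ip policy-class`, `nat destination list ... address ...`); the consolidated config it parses is reconstructed from the post as sample input, and the generated ACL names and remark text are my own choice.

```python
import re

# Constructed sample input: the consolidated configuration from the post,
# one ACL with four permit lines referenced by a single nat destination.
CONSOLIDATED_CONFIG = """\
ip access-list extended doxer-1
remark all to doxer
permit tcp any host 150.150.150.150 eq www log
permit tcp any host 150.150.150.150 eq 10101 log
permit tcp any host 150.150.150.150 eq 2220 log
permit tcp any host 150.150.150.150 eq 5900 log
!
ip policy-class Public
nat destination list doxer-1 address 10.0.1.20
"""

# Only the line shapes that appear in the post are recognised (assumption).
ACL_RE = re.compile(r"^ip access-list extended (\S+)$")
PERMIT_RE = re.compile(r"^permit tcp any host (\S+) eq (\S+)( log)?$")
POLICY_RE = re.compile(r"^ip policy-class (\S+)$")
NAT_RE = re.compile(r"^nat destination list (\S+) address (\S+)$")


def parse_config(text):
    """Return (acls, nat_rules).

    acls:      {acl_name: [(public_ip, port, logged), ...]}
    nat_rules: [(policy_class, acl_name, inside_ip), ...] in config order
    """
    acls = {}
    nat_rules = []
    current_acl = None
    current_policy = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            current_acl = m.group(1)
            acls.setdefault(current_acl, [])
        elif m := PERMIT_RE.match(line):
            if current_acl is None:
                raise ValueError(f"permit outside an access-list: {line}")
            acls[current_acl].append((m.group(1), m.group(2), bool(m.group(3))))
        elif m := POLICY_RE.match(line):
            current_acl = None          # leaving ACL context
            current_policy = m.group(1)
        elif m := NAT_RE.match(line):
            if current_policy is None:
                raise ValueError(f"nat destination outside a policy-class: {line}")
            nat_rules.append((current_policy, m.group(1), m.group(2)))
        # remark lines and "!" separators carry nothing we need
    return acls, nat_rules


def find_multi_entry_nat_acls(acls, nat_rules):
    """ACL names referenced by a nat destination that hold more than one permit.

    Given the behaviour the post reports (one ACL per NAT destination), these
    are the ACLs whose additional ports would not be forwarded.
    """
    return [acl for _, acl, _ in nat_rules if len(acls.get(acl, [])) > 1]


def expand_to_wizard_style(acls, nat_rules, prefix="wizard-pfwd"):
    """Rewrite into wizard form: one ACL and one nat destination per port."""
    acl_lines = []
    nat_by_policy = {}
    n = 0
    for policy, acl, inside in nat_rules:
        for public_ip, port, logged in acls.get(acl, []):
            n += 1
            name = f"{prefix}-{n}"           # generated name (assumption)
            acl_lines.append(f"ip access-list extended {name}")
            acl_lines.append(f"remark port {port} to {inside}")
            acl_lines.append(
                f"permit tcp any host {public_ip} eq {port}" + (" log" if logged else "")
            )
            acl_lines.append("!")
            nat_by_policy.setdefault(policy, []).append(
                f"nat destination list {name} address {inside}"
            )
    out = list(acl_lines)
    for policy, lines in nat_by_policy.items():
        out.append(f"ip policy-class {policy}")
        out.extend(lines)
    return "\n".join(out)


if __name__ == "__main__":
    acls, nats = parse_config(CONSOLIDATED_CONFIG)
    bad = find_multi_entry_nat_acls(acls, nats)
    print("ACLs with more than one permit behind a nat destination:", bad)
    print(expand_to_wizard_style(acls, nats))
```

Running it on the consolidated config reports `doxer-1` as the ACL that would lose ports and prints four separate `wizard-pfwd-N` ACLs plus four `nat destination list` lines under `ip policy-class Public`, which is the same shape the wizard produced. The `log` keyword on each permit is preserved through the expansion, so the per-rule hit logging the wizard set up is not lost.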