Cisco 4200 系列运行带有单个公共 IP 地址和动态 NAT 的 IOS XE，运行良好。我正在尝试添加静态 NAT 以访问服务器（将外部端口映射XX到内部端口YY。下面GigabitEthernet0/0/0是 WAN 接口，a.b.c.d是我尝试从外界访问的服务器。

ip nat inside source route-map nat-internet interface GigabitEthernet0/0/0 overload

ip nat inside source static tcp a.b.c.d YY interface GigabitEthernet0/0/0 XX

ip access-list extended internet-acl
 permit ip a.b.c.0 0.0.0.255 any

route-map nat-internet permit 1
 match ip address internet-acl
 match interface GigabitEthernet0/0/0

此配置不起作用。我可以 ping 服务器a.b.c.d并从路由器的端口访问服务YY，但是从外部世界到端口的 WAN IP 的连接XX超时。端口扫描显示要关闭的端口。

这是输出sh ip nat translations

Pro  Inside global         Inside local          Outside local         Outside global
tcp  <WAN-IP>:XX           a.b.c.d:YY            ---                   ---

编辑：我看到动态 NAT 的 ACL 包含我尝试静态 NAT 的主机（现已修复）的错误。完整的配置是：

interface GigabitEthernet0/0/0
 ip address dhcp
 ip nat outside
 negotiation auto

interface GigabitEthernet0/0/1
 no ip address
 negotiation auto

interface GigabitEthernet0/0/1.2
 encapsulation dot1Q 2
 ip address 10.60.2.2 255.255.255.0

interface GigabitEthernet0/0/1.4
 encapsulation dot1Q 4
 ip address 10.60.4.2 255.255.255.0
 ip nat inside

interface GigabitEthernet0/0/1.9
 encapsulation dot1Q 9
 ip address 10.60.9.2 255.255.255.0
 ip nat inside

interface GigabitEthernet0/0/1.20
 encapsulation dot1Q 20
 ip address 10.60.20.2 255.255.255.0
 ip nat inside

ip nat inside source static tcp 10.60.9.31 <YY> interface GigabitEthernet0/0/0 <XX>
ip nat inside source route-map NAT-Internet interface GigabitEthernet0/0/0         overload
ip forward-protocol nd
ip route 10.60.6.0 255.255.255.0 10.60.4.1
ip route 10.60.8.0 255.255.255.0 10.60.4.1
ip route 10.60.10.0 255.255.255.0 10.60.4.1

ip access-list extended Internet-ACL
 permit ip 10.60.6.0 0.0.0.255 any
 permit ip 10.60.8.0 0.0.0.255 any
 permit ip 10.60.10.0 0.0.0.255 any


route-map NAT-Internet permit 10 
match ip address Internet-ACL
match interface GigabitEthernet0/0/0

任何想法这里可能有什么问题？