NAT caveats in IOS release 12.4T

If you have upgraded your router from any other IOS release to release 12.4T without changing the NAT configuration (or loaded a NAT configuration known to work onto a router running IOS release 12.4T), you might have encountered weird behavior due to changes in the NAT implementation. The unexpected behavior and the configuration fixes needed to avoid the NAT-related problems are described in my new NAT Caveats in IOS release 12.4T article.


  1. Typo in outside interface IP address in the diagram. Last octet should be .1, not .2

  2. Ivan, I think that happens in other versions too:

  3. Well, the answer the link points to is a generic disclaimer :) The fact is, reading the documentation and not all the disclaimers, one could (and did :) come up with the match-any access-list (or route-map), test it and forget about it ... until the IOS behavior changes a few years down the road.

    As for the older versions, I tested the same configuration in 12.4(19) (mainstream) and it worked as I've expected it to work (= different from 12.4(15)T5).

  4. Maybe it's one of those "it may have worked in the past, but it shouldn't" things that Cisco puts up once in a while. ;)

    I'm 99% sure I have met the same problem in an old IOS; that's why I had to search for it and came up with the above "disclaimer".

  5. I am about to deploy BGP multihoming with two multiple service providers. I have a 3845 router with Cisco IOS Software, 3800 Software (C3845-SPSERVICESK9-M), Version 12.4(20)T5, RELEASE SOFTWARE (fc2).

    Please can you help me confirm which IOS will not give me problems with route-maps and BGP.


  6. The software you have should be OK in a multihoming scenario. It's hard to tell you more without knowing exactly which features you're going to use (which would require knowing your network design and router configurations). You can find some generic software selection guidelines in the following Packet Pushers Podcast:

    Alternatively, you should engage whoever is your support organization, be it Cisco or a reseller/system integrator. Last but not least, I'm always available for a half-day remote consulting.

