
More NAT caveats

A month ago I wrote about NAT caveats in Cisco IOS release 12.4 that occur when outside addresses match the IP access list or route map used in the ip nat inside command. I recently discovered more caveats: if you have an inbound access list on the outside interface, the packets dropped by that access list still generate NAT entries (which can turn into a denial-of-service condition once the router runs out of port numbers). You can read the whole NAT caveats article in the CT3 wiki.
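Since the translations created for dropped packets still show up in the translation table, the practical check is to watch that table. The script below is an added example (not from the article or the CT3 wiki): it parses constructed show ip nat translations output, flags entries whose inside-local address is not from the inside address space (assumed here to be 10.0.0.0/8, and assumed to be how translations built for outside-originated packets appear), and counts ports in use per inside-global address so exhaustion can be spotted early.

```python
import ipaddress
from collections import Counter

# Constructed sample of `show ip nat translations` output (not from the article);
# the last two rows model translations created for packets from outside hosts.
SAMPLE_NAT_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.1:1025   10.1.1.10:1025     198.51.100.5:80    198.51.100.5:80
tcp 203.0.113.1:1026   10.1.1.11:1026     198.51.100.5:443   198.51.100.5:443
udp 203.0.113.1:4000   10.1.1.12:4000     192.0.2.77:53      192.0.2.77:53
tcp 203.0.113.1:4001   192.0.2.200:4001   10.1.1.12:80       10.1.1.12:80
tcp 203.0.113.1:4002   192.0.2.201:4002   10.1.1.12:80       10.1.1.12:80
"""

# Hypothetical inside address space: what the inside NAT access list should match.
INSIDE_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]


def parse_translations(text):
    """Return one dict per translation row; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) != 5:
            continue
        proto, ig, il, ol, og = parts
        rows.append({"proto": proto, "inside_global": ig, "inside_local": il,
                     "outside_local": ol, "outside_global": og})
    return rows


def split_addr(field):
    """Split 'a.b.c.d:port' into (ip_address, port); port is None if absent."""
    ip, _, port = field.partition(":")
    return ipaddress.ip_address(ip), (int(port) if port else None)


def stray_translations(rows, inside_prefixes=INSIDE_PREFIXES):
    """Entries whose inside-local address is not inside: translations the
    router built for packets that arrived from outside (dropped or not)."""
    return [r for r in rows
            if not any(split_addr(r["inside_local"])[0] in net
                       for net in inside_prefixes)]


def port_usage(rows):
    """Translation ports in use per (protocol, inside-global address)."""
    usage = Counter()
    for r in rows:
        ip, port = split_addr(r["inside_global"])
        if port is not None:
            usage[(r["proto"], str(ip))] += 1
    return usage
```

A periodic run against the live table (each pool address has at most 64K ports per protocol) turns the caveat into an alert before the pool is exhausted.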


  1. Shouldn't this be a bug (and potential DoS security issue) to be filed with TAC, rather than just a "caveat" to be documented?

  2. Well, the configuration that permits outside addresses in the inside access-list or route-map has been unsupported "forever" (see the comments to the related post), it's just that with 12.4T we're getting hit with the consequences of using unsupported configuration.

