More NAT caveats

A month ago I wrote about NAT caveats in Cisco IOS release 12.4 that occur when the outside addresses match IP access list or route map used in ip nat inside command. I recently discovered more caveats: if you have an inbound access-list on the outside interface, the packets dropped by the access-list still generate NAT entries (and might result in a denial-of-service attack when the router runs out of port numbers). You can read the whole NAT caveats article in the CT3 wiki.

2 comments:

  1. Shouldn't this be a bug (and potential DoS security issue) to be filed with TAC, rather than just a "caveat" to be documented?

    ReplyDelete
  2. Well, the configuration that permits outside addresses in the inside access-list or route-map has been unsupported "forever" (see the comments to the related post), it's just that with 12.4T we're gettting hit with the consequences of using unsupported configuration.

    ReplyDelete

You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.

Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.