Building network automation solutions

9 module online course

Start now!

More NAT caveats

A month ago I wrote about NAT caveats in Cisco IOS release 12.4 that occur when the outside addresses match IP access list or route map used in ip nat inside command. I recently discovered more caveats: if you have an inbound access-list on the outside interface, the packets dropped by the access-list still generate NAT entries (and might result in a denial-of-service attack when the router runs out of port numbers). You can read the whole NAT caveats article in the CT3 wiki.


  1. Shouldn't this be a bug (and potential DoS security issue) to be filed with TAC, rather than just a "caveat" to be documented?
  2. Well, the configuration that permits outside addresses in the inside access-list or route-map has been unsupported "forever" (see the comments to the related post), it's just that with 12.4T we're gettting hit with the consequences of using unsupported configuration.
Add comment